2012-07-19

Windows 7 + Paragon HFS = NTFS Event ID 55, 57 Errors

I have just recently reinstalled Windows 7 Pro on my MacBook Pro which is also running OSX Lion.  After installing all my applications, utilities, and the requisite N-update/reboot cycles from Microsoft Update, I thought I was doing pretty well.

Then I noticed that there were a ton of errors in the System Event Log.  Most from the Ntfs source, firing Event ID 57:
"The system failed to flush data to the transaction log. Corruption may occur."

That can't be good.  I also noticed that these errors were coming in every 5 seconds or so.  Not something you want to leave alone.

The error didn't say which volume the problem was with.  After some digging, I ran "mountvol" to show a listing of mount points.  One volume in particular showed ***NO MOUNT POINTS***.  The GUID for that phantom volume (let's call it GUID-PV) wasn't terribly useful, so I tried mounting it (to U:).  It mounted, but I couldn't read anything at that mount point.  However, the Event ID 57 errors above changed their text to name the U: drive as the issue.  I think I'm on to something now.  In addition to Event ID 57, I was now also getting Event ID 55 errors saying:
"The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \\?\Volume{GUID-PV}."
OK, at least I know where the issue is.

After more googling I found this post. It pointed me to the WinObj tool from the fine folks at Sysinternals (now Microsoft). WinObj showed me that GUID-PV pointed to "\Device\Harddisk0\Partition6".  Strangely, Windows showed that as the 4th partition on my primary drive, the same partition that hosted the NTFS volume I was currently running Windows from (as C:).

I looked into the HKLM\System\MountedDevices key and noticed that the entry for "\\?\Volume{GUID-PV}" had the binary payload "Volume{GUID-WTF}" in it.  After a bunch of registry searching for the GUID-WTF GUID, I concluded that this was in fact some kind of symbolic pointer (or ??) to at least some GPT partition, and not a phantom USB drive or other unmounted disk.
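The diagnosis above (Ntfs Event IDs 55/57 in the System log, a volume GUID that mountvol shows with no mount point, and a MountedDevices entry whose payload is itself another Volume{...} name) can be done in one pass. The script below is an added example, not code from the original post: it decodes the MountedDevices payloads and joins them against the volume GUIDs named in the Ntfs events. The three payload layouts it decodes (a 12-byte MBR disk signature plus partition offset, "DMIO:ID:" followed by a 16-byte GPT partition GUID, and a UTF-16LE device path) are assumptions about the usual formats; anything else is shown as raw hex. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: correlate Ntfs Event ID 55/57
# entries in the System log with HKLM\SYSTEM\MountedDevices so the volume
# being complained about can be identified without guessing.
# The payload layouts decoded below are assumptions about the usual
# MountedDevices formats; anything unrecognised is shown as raw hex.

function ConvertFrom-MountedDevice {
    param([byte[]]$Data)
    if ($Data.Length -eq 12) {
        # MBR basic disk: 4-byte disk signature + 8-byte partition start offset
        $sig = [BitConverter]::ToUInt32($Data, 0)
        $off = [BitConverter]::ToUInt64($Data, 4)
        return ('MBR disk signature 0x{0:X8}, partition offset {1}' -f $sig, $off)
    }
    if ($Data.Length -ge 24 -and
        [Text.Encoding]::ASCII.GetString($Data, 0, 8) -eq 'DMIO:ID:') {
        # GPT basic disk: ASCII tag + 16-byte unique partition GUID
        $guid = New-Object Guid -ArgumentList (,[byte[]]$Data[8..23])
        return "GPT partition GUID $guid"
    }
    if ($Data.Length -ge 4 -and $Data.Length % 2 -eq 0) {
        # Otherwise usually a UTF-16LE device path such as \??\Volume{...} or \??\USBSTOR#...
        $text = [Text.Encoding]::Unicode.GetString($Data).TrimEnd([char]0)
        if ($text -match '^[\x20-\x7e]+$') { return $text }
    }
    return 'raw: ' + (($Data | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
}

function Get-MountedDeviceMap {
    $key = Get-Item 'HKLM:\SYSTEM\MountedDevices'
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{
            Name    = $name
            Decoded = ConvertFrom-MountedDevice ([byte[]]$key.GetValue($name))
        }
    }
}

function Get-NtfsVolumeErrors {
    param([int]$MaxEvents = 500)
    # Provider is 'Ntfs' on Windows 7; newer releases log under Microsoft-Windows-Ntfs.
    $filter = @{ LogName = 'System'; ProviderName = 'Ntfs', 'Microsoft-Windows-Ntfs'; Id = 55, 57 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event 55 names the volume as \\?\Volume{GUID}; event 57 may name only a drive letter, or nothing.
            $vol = if ($_.Message -match 'Volume\{[0-9a-fA-F-]+\}') { $Matches[0] } else { '(no volume in message)' }
            New-Object PSObject -Property @{ Time = $_.TimeCreated; Id = $_.Id; Volume = $vol }
        }
}

$map = Get-MountedDeviceMap

# 1. Which volumes are the Ntfs errors about, and what does MountedDevices say they are?
Get-NtfsVolumeErrors | Group-Object Volume | Sort-Object Count -Descending | ForEach-Object {
    $vol = $_.Name
    $entries = $map | Where-Object { $_.Name -like ('*' + $vol) }
    '{0,5} events  {1}  ->  {2}' -f $_.Count, $vol, (($entries | ForEach-Object { $_.Decoded }) -join '; ')
}

# 2. Volume entries whose payload is itself a Volume{...} path: the "pointer"
#    pattern the post found for GUID-PV. These are the ones worth a closer look.
$map | Where-Object { $_.Name -like '\??\Volume{*' -and $_.Decoded -like '*Volume{*' } |
    Format-Table Name, Decoded -AutoSize
```

The second listing is the interesting one for this post: a volume GUID that resolves not to a disk signature or GPT partition GUID but to another Volume{...} name is exactly the entry that an unrelated filter or mount driver (here, the overlapping HFS+ drivers) can leave behind, and it is what "mountvol /r" cleans up once the driver that created it is gone.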

At this point I started to question the Paragon HFS+ drivers I had installed.  I uninstalled them, rebooted, and magically all the errors went away.  I ran "mountvol /r" from an elevated command prompt and the erroneous "\\?\Volume{GUID-PV}" entry in MountedDevices vanished.  Sweet.

Unfortunately, when I reinstalled Paragon, the same errors and crazy MountedDevices entries returned.  The phantom volume's GUID (GUID-PV) was different, but what it pointed to (GUID-WTF) was the same.  After a couple of uninstall/install cycles of Paragon, watching how the registry changed each time, I decided to look at what was getting loaded.

I pulled down DriverViewer.  Great tool; it feels like a Sysinternals tool, but Sysinternals didn't seem to have an equivalent.

I noticed that after Paragon was installed, it loaded a bunch of drivers:
apmwin.sys      Apple Partition Map Driver
gpt_loader.sys  GUID Partition Table Support Driver
hfsplus.sys     HFS+ File System Driver
hfsplusrec.sys  HFS+ File System Recognizer
mounthlp.sys    HFS+ Mounter Helper Driver

However, the core Apple drivers from Boot Camp were still loading:
AppleHFS.sys    Apple HFS
AppleMNT.sys    Apple Mount Manager

Most of the blog posts said to just rename the driver files to something like AppleHFS.sys.old.  That seemed hacky to me, so I dug into how Windows knows to load drivers via the HKLM\System\CurrentControlSet\Services keys.

I set the "Start" value (which was 0x0 for "Boot") to 0x4 for "Disabled" for both the AppleHFS and AppleMNT drivers under HKLM\System\CurrentControlSet\Services.  After I set both drivers to disabled (I left the driver files on disk on purpose) and restarted Windows, they didn't load.  I reinstalled the Paragon HFS+ drivers again, rebooted, and the error in the System log has not reappeared, the Apple drivers are not loading, and the mysterious volume is no longer appearing.
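The Services\<name>\Start change described above, as an added example rather than code from the post: it records the previous Start value before changing it (so the change can be reverted with the same function), refuses to touch a service key that does not exist, and uses Win32_SystemDriver to show the before/after state, since Get-Service does not list kernel drivers. The driver names are the two from the post; the backup file path is my own choice. Run it from an elevated prompt; the change takes effect at the next reboot.

```powershell
# Added example, not from the original post: disable a boot-start driver by
# setting Services\<name>\Start to 4 (Disabled) instead of renaming the .sys
# file. The previous value is appended to a backup file so it can be restored
# by calling Set-DriverStart again with the old value. Takes effect on reboot.

$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Set-DriverStart {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [ValidateRange(0, 4)][int]$Start = 4,
        # Backup location is an assumption for this example; pick one that survives reboots.
        [string]$BackupFile = (Join-Path $env:TEMP 'driver-start-backup.txt')
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { throw "No Services key for '$Name'" }
    $old = (Get-ItemProperty -Path $key -Name Start).Start
    if ($old -eq $Start) { return "$Name already has Start=$Start ($($StartNames[$Start]))" }
    # Record what we are changing from, so it can be put back later.
    Add-Content -Path $BackupFile -Value ("{0}`t{1}`t{2}" -f (Get-Date -Format s), $Name, $old)
    Set-ItemProperty -Path $key -Name Start -Value $Start -Type DWord
    '{0}: Start {1} ({2}) -> {3} ({4})' -f $Name, $old, $StartNames[$old], $Start, $StartNames[$Start]
}

function Get-DriverState {
    param([string[]]$Name)
    # Win32_SystemDriver reports kernel drivers; its Name is the Services key name.
    Get-WmiObject Win32_SystemDriver | Where-Object { $Name -contains $_.Name } |
        Select-Object Name, State, StartMode, PathName
}

# Before: with the Boot Camp drivers active, both should show State=Running, StartMode=Boot.
Get-DriverState -Name AppleHFS, AppleMNT

'AppleHFS', 'AppleMNT' | ForEach-Object { Set-DriverStart -Name $_ -Start 4 }

# After a reboot, run Get-DriverState again and expect State=Stopped, StartMode=Disabled.
# To revert: Set-DriverStart -Name AppleHFS -Start 0 ; Set-DriverStart -Name AppleMNT -Start 0
```

Leaving the file on disk and disabling the service entry, as the post does, keeps the driver under normal servicing (updates and uninstallers still find it) and leaves an obvious, reversible record in the registry of what was changed, which a renamed .sys.old file does not.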

Hopefully I'm out of the woods.  Let's see how Paragon holds up...
