NTFS partition mysteriously lost free space.

healer

Distinguished
Nov 27, 2011
16
0
18,510
My problem could be the same as http://www.tomshardware.com/forum/270323-32-disk-management-windows-explorer-show-partition-sizes. However I am not too sure what the protocol is, whether I should start a new thread or continue with that one. That thread is marked solved but I can't see where the solution is.

I have two hard discs on one of the computer for testing purpose. One of them has multiple partitions are dedicated separately to Windows 7, Windows Vista, Windows 2008 and Windows 2003 as well as two partitions for data and images respectively. The other disc has only Windows 7 parition. They had been working fine for some time. All of the sudden the capacities of all the partitions from 20G to 90G shrunk to 500M when viewed from 7, vista or 2008. From 2003 it is fine. I have done chkdsk /r and chkntfs and none of them has problem.

From the Windows 7 partition of the disc that has multiple partitions even indicate that its own partition and the other two partitions for data and images has zero byte free. These inconsistencies indicate on Window Explorer and top part of the Disk Management in Computer Management whereas the bottom part of the Disk Management in Computer Management is correct.

I am getting desperate so I need to look to more resources.
 
Solution
You have given the symptoms of many different types of virus, the reporting of the incorrect size of partitions is a new one to me but the other symptoms are only to familiar on computers with viruses. I think that it is time to reinstall your systems, as modern viruses are designed to be very difficult to remove and it is often easier just to reinstall. One thing to watch out for is that you don't reinfect your self with the virus again from the other partitions when you reinstall the operating system.
One thing you can do to stop one operating system from infecting another is to make the partition with the other systems on invisible to the operating system that you are on. Try this registry hack to make a partition invisible (were E...

healer

Distinguished
Nov 27, 2011
16
0
18,510


I guess you are asking whether the partitions in question have an option of "Extend Volume" available.

Only the two Windows 7 partitions have such option available. The same option of all other partitions are all dimmed out and disabled.
 

healer

Distinguished
Nov 27, 2011
16
0
18,510


You could save my day. I must have been too panicky. I have never thought of safe mode. I didn't think safe mode could make any difference. Anyway, I found safe mode does show correct capacity on Windows 7 and Windows Vista and one Windows 2008 while there are some problems with the other two Windows 2008 server. Well, at least I am making some progress. I thank you very much. I would have to start to do clean-boot and narrow down where the problem is.
 
I would be interested to know which program was causing Windows to report the incorrect capacities of the hard drives, obviously it is a program that is not installed on 2003. I take it that as a first step that you will be using MSCONFIG to disable all startup programs on Windows7.
 

healer

Distinguished
Nov 27, 2011
16
0
18,510


I took one Windows 7 partition to start with. When I did a clean boot, disabled all the service and startup, it still wouldn't fix the problem. When I disabled all services, I found three services wouldn't get disabled. They were Group Policy Client, RPC Endpoint Mapper, Task Scheduler.

Moreover, when the system re-started the services and the startup items that had been disabled seemed to have all been enabled (ticked/checked) for some reason. I was not too sure if this was an illusion or by design while they were actually disabled. I compared with my work Windows 7 system, they remained unticked/uncecked. Please confirm my understanding. If my understanding was correct, that meaned something wrong with that particular Windows 7 system where services couldn't be disabled except the safe mode was selected from Advanced Boot Options. When I set the boot options in msconfig to safe boot, it would not work either as it simply boot up in normal mode.

I am doing some virus scan at the moment though chances are very low that there is virus on all latest operating systems at the same time. In fact, I hardly used the Windows Vista system but it still exhibits the same symptoms.
 
Some services cannot be disabled as they are required for Windows to work. I think that the possibility that you have a root virus is quite likely. I suggest that you scan the other partitions from your working 2003 partition using Malwarebytes anti virus free version.
As for the safe mode boot option not working when selected in Msconfig, this is very wrong unless you are not using Msconfig correctly. In the general tab of Msconfig I take it that you have selected "selected startup" and in that section "Use modified BOOT.INI" should be selected for it to boot in safe mode.
 

healer

Distinguished
Nov 27, 2011
16
0
18,510


The Malwarebytes' Anti-Malware took more than 10 hours overnight to scan all the partitions and found two instances of virus PUM.Hijack.StartMenu and they have since been removed but problems remain.

Definitely something wrong with the Windows 7 system I am working on. The "sfc /scannow" doesn't work. I couldn't write anything to the hard disk where it indicates zero space left. The security center reports the Windows Update is not turned on though it is already set to automatically downloaded and installed. The Microsoft Security Essentials wouldn't start. I can't install any new application but I could remove some. I can't do a backup as the system thinks I don't have enough space at the target destination.

To verify, I have booted into the safe mode again on two computers with Windows 7 systems side by side so that I can compare. Definitely what I do on msconfig is correct. It then proves something wrong with the Windows 7 system in question.

In fact I don't mind to re-install all the operating systems. However, will it fix all the problems? In the meantime, I am also interested to know what is the cause of the problem.
 
You have given the symptoms of many different types of virus, the reporting of the incorrect size of partitions is a new one to me but the other symptoms are only to familiar on computers with viruses. I think that it is time to reinstall your systems, as modern viruses are designed to be very difficult to remove and it is often easier just to reinstall. One thing to watch out for is that you don't reinfect your self with the virus again from the other partitions when you reinstall the operating system.
One thing you can do to stop one operating system from infecting another is to make the partition with the other systems on invisible to the operating system that you are on. Try this registry hack to make a partition invisible (were E: is the partition that is invisible)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\offline]
"\\dosdevices\\e:"=dword:00000001




 
Solution

healer

Distinguished
Nov 27, 2011
16
0
18,510


Yes, I will have to re-install them. However I just want to know how the different systems and partitions get cross-infected while one partition is immune. In addition to Malwarebytes' Anti-Malware, I have run Spybot - Search & Destroy and Advanced SystemCare 4 as well as Dr Web CureIt but problem remains.

So you are saying, merely re-install one system will somehow get re-infected from other infected partitions. How could that happen?

Presently, the drive letters keep changing all depends on what operating system I boot up. The booted up one is always "C" drive.

I suppose the registry hack would only take effect after the system reboot. I will be doing fresh install, not in-place upgrade. I would like a squeaky-clean system. That means I shall be booting up with an install disk. How would I know the drive letters of the partitions to be suppressed?
 
Presently, the drive letters keep changing all depends on what operating system I boot up. The booted up one is always "C" drive.

This is normal, after Windows XP all Microsoft operating systems behave like this.

So you are saying, merely re-install one system will somehow get re-infected from other infected partitions. How could that happen?

If you install a new operating system on one partition, and you boot up an infected operating system, then the infected operating system can reinfect the new clean operating system.

Yes, I will have to re-install them. However I just want to know how the different systems and partitions get cross-infected while one partition is immune. In addition to Malwarebytes' Anti-Malware, I have run Spybot - Search & Destroy and Advanced SystemCare 4 as well as Dr Web CureIt but problem remains.

Maybe the virus does not work on that operating system, or its not a virus but a Trojan and you have not installed the infected program on that operating system. As I have said before changing the size of the partitions is a new virus behavior to me, someone has to be first to get these things, perhaps the virus definitions have not caught up jet.

Making the other operating sytem partitions content invisible is not a bad idea to stop this type of thing happening again and only keep the data partitions common to all of the operating systems.
To undo the registry hack to make the contents of the partition visible simply change the dword:00000001 to dword:00000000

 

healer

Distinguished
Nov 27, 2011
16
0
18,510
Thank you for the quick response.

Since I boot up with an install disk, so it should not be a problem. I suppose as long as I don't boot up any of the other systems, except Windows 2003, the clean one should not be infected.

I suppose your suggestion of hiding other partitions is not meant to happen in the course of re-installation but for normal usage.

I am curious how the viruses jump across the boundary of partitions. In fact all these partitions, except the Windows 7's have only Windows programs installed. What Windows 7 has other than Microsoft's are some malware scanner programs only.

Perhaps I simply delete or re-format all those bad partition first so that there will be no chance to re-infect. As to the data partition and image parition, they should be all right, shouldn't they?
 

Jonny9781

Distinguished
Jan 18, 2010
15
0
18,510
Hi, I'm wondering if this is the same issue as I'm having.

Last night my laptop froze, blank screen, I hit the power and rebooted.
I'm guessing it was then that the data loss occurred

(is there a way of telling? I see app.event logs cited elsewhere, looking now (although last night at a glance the only info I could see in event viewer was post-power-off warnings... maybe verbose error reporting is disabled, lots of tweaking..)

I don't know what caused the crash. Prior to this, I'd just finished (I thought!) successfully defragging and boot defragging my C partition, which is a native VHD win7ULTIMATEx64 install... (on barebones).

So G has disappeared (50 gig, almost full of audio samples and some huge installs and ... I wish I knew)...

This isn't a proposed solution, hope that's ok.

Thanks, Jonny
 

Jonny9781

Distinguished
Jan 18, 2010
15
0
18,510
Found this

24/01/2014 02:18:01 PDAgent 0 PerfectDisk Scheduler started.
24/01/2014 02:12:46 PDAgent 66 StealthPatrol schedule suspended on drive G:\ : System activity (disk I/O) .
24/01/2014 02:06:55 PDEngine 28 Free Space Consolidation starting for Drive G:\.
24/01/2014 02:06:55 PDAgent 65 StealthPatrol started on drive G:\.
24/01/2014 02:06:42 PDAgent 67 StealthPatrol schedule resumed on drive D:\ .
24/01/2014 00:37:17 PDEngine 17 Optimization was canceled due to the loss of AC power.
24/01/2014 00:37:16 PDEngine 30 Free Space Consolidation was stopped on Drive D:\.
23/01/2014 23:03:39 PDAgent 66 StealthPatrol schedule suspended on drive D:\ : System activity (disk I/O) .
23/01/2014 22:59:48 PDAgent 67 StealthPatrol schedule resumed on drive D:\ .
23/01/2014 22:49:11 PDAgent 66 StealthPatrol schedule suspended on drive D:\ : System activity (disk I/O) .
23/01/2014 22:45:16 PDEngine 28 Free Space Consolidation starting for Drive D:\.
23/01/2014 22:45:16 PDAgent 65 StealthPatrol started on drive D:\.
23/01/2014 19:03:54 PDAgent 0 Drive C:\LocalBigStore\ Will be protected by OptiWrite
Will run StealthPatrol
23/01/2014 19:03:54 PDAgent 0 Drive G:\ Will be protected by OptiWrite
Will run StealthPatrol
23/01/2014 19:03:53 PDAgent 0 Drive L:\ Will be protected by OptiWrite
Will run StealthPatrol
23/01/2014 19:03:52 PDAgent 0 Drive C:\ Will be protected by OptiWrite
Will run StealthPatrol
23/01/2014 19:03:51 PDAgent 0 Drive D:\ Will be protected by OptiWrite
...

so it was trying to smart defrag on a schedule (I didn't know :(

This appears to be the cause, have downloaded active partition recovery to try and recover, already had remo (running now) and a search tells me recuva is on ubcd4win... any advice on how to proceed?

Thanks!!!
 

Mark Foote

Reputable
Feb 24, 2014
3
1
4,510
see this article:

http://blog.jstudios.us/post/2010/07/02/I-Expanded-the-Disk-in-Disk-Manager-but-It-Doesne28099t-Show-in-Windows-Explorer.aspx

I right-clicked on the console option to open as administrator, then did the commands in the article to resolve difference in c-disk size shown in disk management and in windows explorer (windows 7):

"At a command prompt you need to enter the following:

C:\ > DISKPART
DISKPART> List Volume
DISKPART> select volume # (this is the number of the volume listed by the above ‘List Volume’ command)
DISKPART> extend filesystem
DISKPART> exit

Now Windows Explorer shows the new expanded size of the disk."