Skip to content

Instantly share code, notes, and snippets.

@andshrew

andshrew/readme.md

Created June 10, 2025 09:41
Show Gist options
  • Save andshrew/929dd523cf2012305c83cd69d2bdfa80 to your computer and use it in GitHub Desktop.
Save andshrew/929dd523cf2012305c83cd69d2bdfa80 to your computer and use it in GitHub Desktop.
Download ZIP
Finding which file occupies a bad NTFS sector
Raw
readme.md

Procedure completed using Windows 11 24H2

When recently cloning an NTFS formatted drive the program (Acronis) reported a number of unreadable sector errors.

I wanted to know which files were occupying these sectors, and in searching found many suggestions to use an old Microsoft utility called nfi.exe (NTFS File Sector Information Utility).

This was a program distributed as part of the OEM Support Tools. This is a Windows NT 4 / Windows 2000 era package which of course is no longer available directly from Microsoft's web site.

Web Archive to the rescue:
Download
KB253066

Extremely easy to use, you simply run with the drive letter and the sector (hex or decimal) which you want to query. For example:

.\nfi.exe D: 0x139B2BD4F

Which gives output like:

NTFS File Sector Information Utility.
Copyright (C) Microsoft Corporation 1999. All rights reserved.


***Logical sector 5262982479 (0x139b2bd4f) on drive D is in file number 529531.
\Data\Documents\lottery_winning_algorithm.bas
    $STANDARD_INFORMATION (resident)
    $FILE_NAME (resident)
    $DATA (nonresident)
        logical sectors 5262982424-5262982871 (0x139b2bd18-0x139b2bed7)

Since I had hundreds I need to query, I put together a quick and dirty list of commands that will dump the output from nfi.exe to a text file which can be run from PowerShell.

.\nfi.exe D: 0xF3BFF908 >> bad-sectors.log
.\nfi.exe D: 0xF3BFF998 >> bad-sectors.log
.\nfi.exe D: 0xF3BFF998 >> bad-sectors.log
.\nfi.exe D: 0xF3C01588 >> bad-sectors.log
...

Used a text editor with RegEx support (like VS Code) to parse bad-sectors.log to select all lines containing Logical sector and the following two lines:

(\bLogical sector\b.*$\n).*?$\n.*?$\n

AI assisted RegEx generation ┻━┻ ︵ \( °□° )/ ︵ ┻━┻

Now I have a simple file listing all of the actual files which were occupying those unreadable sectors, which are more than likely corrupt on disk:

***Logical sector 4089444616 (0xf3bff908) on drive D is in file number 781068.

\Downloads\Half_Life_3.zip
***Logical sector 4092589488 (0xf3eff5b0) on drive D is in file number 541474.

\VM\VMware\Windows9.vhd
...
...

Note on Acronis True Image

Based on Acronis True Image for SanDisk Version 2025

When using the Clone Disk tool a log file is written to the following location, this file lists all of the bad sectors which were encountered during the clone.
%PROGRAMDATA%\Acronis\SnapAPILogs\SnapAPI-*.log

Errors will look like:

[20250609-204625-782][SnapAPI][T] Snapshot 06AAF9B8: Read failure status=0x17
     Volume 06A28118, sectors [0xF3F0367D, 0x1], buffer size 0x200 bytes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment