With transaction logging and recovery, NTFS ensures that the volume structure will not be corrupted, so all metadata files remain available after a system crash. However, user data and metadata can become at risk because of a system crash or a bad sector.
NTFS implements a recovery technique named cluster remapping. When hardware returns a bad sector error to the file system, NTFS dynamically replaces the cluster that contains the bad sector and allocates a new cluster for the data. If the error occurs during a read, NTFS returns a read error to the calling program, and the data is lost. When the error occurs during a write, NTFS writes the data to the new cluster, and no data is lost. The bad sector is recorded and not reused again.
Chkdsk activity has five phases. The first three are major passes during which Chkdsk examines all the metadata on the volume; the fourth pass, checking for bad sectors, is optional and has two phases.
First Pass: Files and Folders
During its first pass, Chkdsk examines each file record segment in the volume's MFT and displays the percent of verification that is complete.
A specific file record segment in the MFT uniquely identifies every file and folder on an NTFS volume. Chkdsk examines each file record segment for internal consistency and builds two bitmaps, one that represents the file record segments that are in use and another that represents the clusters on the volume that are in use.
At the end of this phase, Chkdsk has identified the space that is in use and the space that is available, both in the MFT and on the volume as a whole. NTFS keeps track of this information in bitmaps of its own, which are stored on the disk. Chkdsk compares its results with the bitmaps that NTFS keeps. If Chkdsk finds discrepancies, the discrepancies are noted in the Chkdsk output. For example, if Chkdsk finds that a file record segment that was in use is corrupted, it marks the disk clusters that were associated with that file record segment as “available” in the Chkdsk bitmap. However, because the same clusters are marked as “in use” in the NTFS bitmap, Chkdsk replaces the NTFS bitmap with the one that it generates.
Second Pass: Indexes
During its second pass, Chkdsk examines each of the indexes on the volume and displays the percent of verification that is complete.
Indexes are basically NTFS directories. The percent complete is the percent of the volume's folders and the objects in those folders that Chkdsk has checked.
During this pass, Chkdsk checks for internal consistency and verifies that every file and folder that is represented by a file record segment in the MFT is referenced by at least one directory. In each one of these directories Chkdsk then confirms that every subfolder or file that is referenced actually exists as a valid file record segment in the MFT and also checks for circular directory references. Finally, Chkdsk confirms that the time stamps and file size information for the files are up to date in the directory listings for those files.
At the end of this phase, Chkdsk has achieved two objectives:
It has made sure that there are no “orphaned” files (that is, files for which there are legitimate file record segments but for which there are no listings in any folder). An orphaned file frequently can be restored to its correct folder if that folder still exists. If the folder no longer exists, Chkdsk creates a folder in the root directory and places the file there.
It has made sure that all directory listings are for legitimate files. If Chkdsk finds directory listings for file record segments that are no longer in use, or for file record segments that are in use but that do not correspond to the file that is listed in the directory, Chkdsk removes the directory entry for the file record segment.
Third Pass: Security Descriptors
During its third pass, Chkdsk verifies security descriptors. Chkdsk examines each security descriptor that is stored in the $Secure metadata file for each file's associations with files or folders that are on the volume.
Security descriptors contain information about ownership of a file or folder, NTFS permissions for the file or folder, and auditing for the file or folder. The percent complete is the percent of the volume's files and folders that Chkdsk has checked. Chkdsk verifies that each security descriptor structure is well formed and is internally consistent. If they are not, Chkdsk sets the permissions on the files or folders back to the default settings. Chkdsk does not verify the actual existence of the users or groups that are listed or the appropriateness of the permissions that are granted.
Fourth Pass: Sectors
The fourth pass of Chkdsk occurs only if the /r command-line switch is used. If the /r option is used, Chkdsk runs a two-stage pass to look for bad sectors in the volume's free space. Chkdsk tries to read every sector on the volume to confirm that the sector is usable. Chkdsk always reads sectors that are associated with the critical metadata files to validate them, even without the /r option. Sectors that are associated with user data are read during earlier phases of Chkdsk if the /r command-line option is specified.
Stage 1: Verifying file data. In this stage, Chkdsk tries to read all the user data. If a read on a cluster fails, Chkdsk allocates a fresh cluster in place of the bad cluster and adds the bad cluster to the list of bad clusters.
Stage 2: Verifying free space. In this stage, Chkdsk sends a command to the controller to verify the free sectors on the disk. Chkdsk adds clusters that contain bad sectors to the bad cluster list.
If you use a software fault-tolerant disk, NTFS recovers data from the bad clusters and writes the data to the newly allocated cluster. If you are not using a software fault-tolerant disk, the new cluster is filled with a pattern of 0xFF bytes. Hardware fault-tolerant disk solutions are frequently able to remap the bad sectors, in which case NTFS does not have to also remap them.
If NTFS finds unreadable sectors during the course of typical operation, NTFS remaps the sectors in the same way that it does when Chkdsk runs. Therefore, using the /r command-line switch is typically not necessary. However, using the /r option is a convenient way to scan the whole volume if you suspect that a disk may have bad sectors.