4

Something has malformed a bunch of files on my hard drive. The malformed files:

  • have their content replaced with NULL bytes,
  • are exactly the same size as before the malformation happened,
  • modification time was not altered

I have at least 40 of those malformed files and am looking for other victims. Most of the files are part of a NetBeans PHP project. Some were text files, some were images. None of them was modified lately. HDD Smart does not show anything worrying and AV software did not detect any viruses. My OS is Windows 7.

Any ideas what could cause this strange behaviour?

[EDIT] I have scanned the disk to find other malformed files, and the weird thing is, there are no other "NULLed" files than those 40 I have found earlier. All the files belonged to the same NetBeans project. I have never seen something similar before.

  • Although you got the all clear from HDD Smart this really sounds like HDD corruption. Make sure you have a backup regardless. – rob Nov 26 '14 at 15:08
  • I do make a daily backup with Duplicati, but those 40 files were used so rarely that they went unnoticed for at least two months, so they are malformed in my oldest backups. Fortunately, they also have a remote copy on my development server (via upload on save in NetBeans), and those copies were correct, so I have all the files. – SWilk Nov 26 '14 at 15:26
  • I think you need to create a new question to find a tool that will identify any file containing nothing but null bytes. – rob Nov 26 '14 at 15:39
  • 1
    Had a similar issue on a production environment that hosts millions of files. We still don't know where it came from. – tigrou Oct 24 '18 at 11:48
2

A discussion on the SyncTrayzor GitHub shows that it might be related to Windows Update.

It has happened to me twice that the config.xml from SyncTrayzor was filled with null bytes after a Windows update, and at least one other user had the same problem. Also, some Firefox cache files were null-filled at about the same moment.

Searching for files with just null bytes seems to indicate that they are mostly things like 'configuration' files, or cache files or something. My hypothesis is that these were kept open when the computer was forced to reboot as part of the Windows update and were not synced correctly to the drive.

Edit: Checking restart history and update history indicates that

  • Almost all 100% null-byte files are created on the same day as a reboot. Only a few specific ones are not.
  • The majority of them were created on, or the day after, a 'Cumulative Update for Windows 10 Version 1803'. Maybe the reboot is occasionally postponed to the day after the install?

So it seems clear that the creation of null bytes is triggered by reboots. Most reboots were probably because of an update, so it is unclear whether it can happen with any reboot or whether update reboots are special in this regard.

I have not yet figured out how to get all the information in a machine readable form, so it's an inefficient manual investigation so far. Most of these screens I can't even copy-paste from, so this is very inefficient. I would be grateful if someone knows how to get this information into files:

  • File names and creation/modification dates of files with all bytes null.
  • Windows shutdown/startup dates. Edit: get-eventlog system | Where source -eq EventLog | Where InstanceID -like 214748965*
  • Windows update dates (specifically the ones requiring a reboot).

Edit: Reboot-hypothesis corroborated by https://stackoverflow.com/a/52751216/2097 . That answer only refers to unexpected reboots though.

Edit: Reboot-hypothesis corroborated by N++ team: https://notepad-plus-plus.org/community/topic/13302/fix-corrupted-txt-file-null

Possible recovery mechanism using Recuva: Recover file corrupted due to power cut off

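One way to get the first item on the answer's wish list (names and creation/modification dates of files whose bytes are all null) into a file. This is an added example, not part of the original answer; the function names and the CSV column layout are assumptions chosen here.

```python
import csv
import os
import sys
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large files are never loaded whole


def is_all_null(path):
    """True if the file is non-empty and every byte is 0x00."""
    seen = False
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return seen  # empty files are not reported as corrupted
            if block.count(0) != len(block):
                return False  # stop at the first chunk with real data
            seen = True


def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(timespec="seconds")


def find_null_files(root):
    """Yield (path, size, created_utc, modified_utc) for all-null files."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                if not is_all_null(path):
                    continue
                st = os.stat(path)
            except OSError:
                continue  # locked, unreadable or vanished mid-scan: skip it
            # st_ctime is the creation time on Windows (inode change on Unix)
            yield path, st.st_size, _iso(st.st_ctime), _iso(st.st_mtime)


def write_report(root, out):
    """Write a CSV sorted by creation time to `out`; return the hit count."""
    rows = sorted(find_null_files(root), key=lambda r: r[2])
    writer = csv.writer(out)
    writer.writerow(["path", "size", "created_utc", "modified_utc"])
    writer.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    write_report(sys.argv[1] if len(sys.argv) > 1 else ".", sys.stdout)
```

Sorting by creation time makes it easy to line the hits up against the reboot timestamps returned by the `get-eventlog` query in the answer.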
