Forum Discussion

superware's avatar
superware
Copper Contributor
Dec 28, 2020

Upgrading Windows 10 Pro to 20H2 corrupts data partition

Hello,   Upgrading Windows 10 Pro on a Dell Latitude E5570 to version 20H2 results in data partition D becoming inaccessible after upgrade rebooted, showing as RAW partition. Rolling back the upgra...
superware's avatar
superware
Copper Contributor
Dec 29, 2020

New information, looks like this might have something to do with the Crucial MX300 SSD.

 

The first entries in Windows Logs -> System after the upgrade show (relevant entries only):

 

  • The operating system started at system time ‎2020‎-‎12‎-‎23T11:14:03.
  • 11:14:05|EnhancedStorage-EhStorTcgDrv|The following informational event has occurred (0x0, 0x5, 0x0, 0x0). D0Entry
  • 11:14:05|EnhancedStorage-EhStorTcgDrv|A TCG Command has returned an error. Desc: AuthenticateSession Param1: 0x1 Param2: 0x60000001C Param3: 0x900000006 Param4: 0x0 Status: 0x12
  • 11:14:05|EnhancedStorage-EhStorTcgDrv|A TCG Silo has returned the capabilities value of 0x7.
  • 11:14:06|EnhancedStorage-EhStorTcgDrv|The following informational event has occurred (0x0, 0x0, 0x0, 0x0). DeviceStart
  • 11:14:08|Ntfs|Volume 😧 (\Device\HarddiskVolume5) is healthy. No action is needed.
  • 11:14:49|Ntfs|The file system structure on volume 😧 has now been repaired.
  • 11:14:49|Ntfs|Volume 😧 (\Device\HarddiskVolume5) requires an Online Scan. An Online Scan will automatically run as part of the next scheduled maintenance task. Alternatively you may run "CHKDSK /SCAN" locally via the command line, or run "REPAIR-VOLUME <drive:> -SCAN" locally or remotely via PowerShell.
  • 11:14:53|Ntfs|A corruption was discovered in the file system structure on volume D:. The Master File Table (MFT) contains a corrupted file record. The file reference number is 0x1000000000024. The name of the file is "<unable to determine file name>".

It seems that due to the 20H2 upgrade, the SSD changed it's internal security protocol/mode to TCG OPAL, causing all partition data to be undecrypted or alternatively decrypted wrongly.

 

I've attached a file with the complete log entries.

 

Any ideas?

  • Piotr1955's avatar
    Piotr1955
    Copper Contributor
    Jan 15, 2021
    Checking!
    • superware's avatar
      superware
      Copper Contributor
      Jan 16, 2021

      Piotr1955 thank you!

       

      Turns out these TCG errors have also appeared in the System logs of the previous Windows version (C:\Windows.old\Windows\System32\winevt\Logs), after every power cycle/reboot. So they might be related to this incident, but not the direct cause/indication since data partition D was healthy and accessible before the upgrade.

       

      After further investigation of installation and System logs, I think I found the exact moment of the incident (logs attached in a zip):

       

      • 11:14:04 - first upgrade reboot.
      • 11:14:05 - Applications and Services Logs -> Microsoft -> Windows -> NTFS -> WHC shows "NTFS global corruption action state is now 0."
      • 11:14:08 - System log shows "Volume 😧 (\Device\HarddiskVolume5) is healthy. No action is needed."
      • 11:14:21 - setupact.log shows the current partition table, with D as NTFS, Bitlocker disabled.
      • 11:14:46 - upgrade is shrinking the OS partition C and creating a new recovery partition.
      • 11:14:46 - Applications and Services Logs -> Microsoft -> Windows -> Partition -> Diagnostic shows the new partition table with 6 partitions.
      • 11:14:49 - Applications and Services Logs -> Microsoft -> Windows -> NTFS -> WHC shows "NTFS global corruption action state is now 1."
      • 11:14:49 - System log shows "Volume 😧 (\Device\HarddiskVolume5) requires an Online Scan. An Online Scan will automatically run as part of the next scheduled maintenance task. Alternatively you may run "CHKDSK /SCAN" locally via the command line, or run "REPAIR-VOLUME <drive:> -SCAN" locally or remotely via PowerShell."
      • 11:14:49 - Application log shows "Chkdsk was executed in verify mode on a volume snapshot. Checking file system on \Device\HarddiskVolume5"
      • 11:14:53 - System log shows "A corruption was discovered in the file system structure on volume D:. The Master File Table (MFT) contains a corrupted file record. The file reference number is 0x1000000000024. The name of the file is "<unable to determine file name>"."
      • 11:15:02 - Applications and Services Logs -> Microsoft -> Windows -> NTFS -> WHC shows "NTFS global corruption action state is now 3."

      After this, the original recovery partition (#4) and data partition (#5) are both RAW (data looks totally encrypted, on both partitions - first and last sector are identical indicating NTFS, drive has Opal active, but not locked), the new recovery partition pushed them in the partition table (making them #5 and #6).

       

      My guess is that this change in partitions has caused Windows to take some action involving the drive's TCG Opal system, maybe taking ownership/activating it, or when initializing the new partition table - drop ownership/deactivating it and stop providing necessary decryption credentials.

       

      To conclude, partition D is healthy and accessible, and 2 seconds after the partitions change - it turns RAW and the NTFS service is erroring and trying to recover/chkdsk.

       

      Please advise, I must understand what happened in this upgrade bug, and possibly recover the data. Note I have not yet rolled back the upgrade since I don't want to cause more damage and reach a totally unrecoverable situation. If the issue is finally investigated and cause is found, then there might be an indication rolling back will help.

       

      Thank you!

Resources