How do I determine what file occupies a given sector?
Try nfi.exe - Windows NT File System (NTFS) File Sector Information Utility. Download from Microsoft OEM Support Tools Phase 3 SR2.
> nfi.exe
Dumps information about an NTFS volume, and optionally determines
which volume and file contains a particular sector.
Usage: nfi drive-letter [logical-sector-number]
Drive-letter can be a single character or a character followed
by a colon (i.e., C or C: are acceptable).
Logical-sector-number is a decimal or 0x-prefixed hex
number, specifying a sector number relative to the volume
whose drive letter is given by drive-letter. If not
specified, then information about every file on the volume
is dumped.
nfi NT-device-path physical-sector-number
Determines which volume a given physical sector on a drive is
within, and then which file on the volume it is in.
NT-device-path is the NT-style path to a physical device.
It must not include a partition specification.
Physical-sector-number is a decimal or 0x-prefixed hex
number, specifying a sector number relative to the physical
drive whose device path is given by NT-device-path.
nfi full-win32-path
Dumps information about a particular file. full-win32-path
must start with a drive letter and a colon.
Note you must omit the "\?" prefix of the block device path. Example:
C:\Users\admin\Downloads>nfi \Device\Harddisk0\DR0 28521816
NTFS File Sector Information Utility.
Copyright (C) Microsoft Corporation 1999. All rights reserved.
***Physical sector 28521816 (0x1b33558) is in file number 5766 on drive C.
\IMAGES\win7HDD.vhd
$DATA (nonresident)
physical sectors 32863720-34098663 (0x1f575e8-0x2084de7)
physical sectors 28519912-32863719 (0x1b32de8-0x1f575e7)
physical sectors 25727944-26291143 (0x18893c8-0x1912bc7)
physical sectors 95163976-115106143 (0x5ac1648-0x6dc615f)
Here's the process using WinHex, a handy hex editor that can examine and edit drives directly. Be very careful; this tool can damage your system if used inappropriately. Open disks read-only whenever possible.
-
Since you have the bad sector locations already, you can open the drive in WinHex directly ("Open Disk" toolbar button) and then navigate to the sector to view the data ("Go to Sector" toolbar button). Assuming your sector locations are physical sector addresses, you need to open your physical drive in this step.
This won't identify the file directly, but the left-hand pane should identify the partition that contains this sector and its corresponding relative sector address.
-
If the partition you've identified is an NTFS or FAT partition, we can open the partition directly ("Open Disk" again). This will open the partition in a new tab, so you can switch back and forth as needed. In the partition tab, use the "Go to Sector" function again, but this time input the translated sector (the "relative sector" identified in the drive view).
Now, in the left-hand pane, you should see a section on "Alloc. of visible drive space". Under this is the cluster #, physical sector #, logical (relative) sector #, and the filename if this sector actually belongs to a file.
If these steps don't give you an immediate answer, your bad sectors may not be in use. If the results are unclear, you may have to do some more digging to find your answer.