One mystery that has gone unsolved for the longest time
now is the dirty bit on hard drive volumes. Basically a dirty bit is
just a 1 hex value located somewhere hidden on the hard drive that
Microsoft has never reveal until recently. Windows will check the dirty
bit to determine if a volume can contain corrupted files due to hard
resetting your Windows computer with files that are still opened or when
you unplug a USB flash drive that is in the midst of copying a file.
When the computer boots up with the dirty bit enabled on a hard drive,
you will be asked to check the disk for consistency before Windows is
loaded. You can skip the disk checking by pressing any key but it will
come back again the next time you start up your computer. This will
usually keep happening until you let the drive be scanned or
alternatively you can tell Windows to stop checking the specific drive. This method doesn’t clear the dirty bit on the drive though and simply forces Windows not to scan a drive on boot.
As for a USB flash drive or portable hard drive with the dirty bit enabled, plugging the drive into a Windows 7 computer will prompt a window that asks:
Do you want to scan and fix Removable Disk (G:)?
There might be a problem with some files on this device or disc. This can happen if you remove the device or disc before all files have been written to it.
If you close the popup or select “Continue without scanning”, then this popup will continue to haunt you until you decided to click the recommended Scan and Fix option. There are guides on how to disable the scan and fix window by disabling the Shell Hardware Detection service but that really isn’t a viable solution since you’re telling Windows to ignore the problem rather than fixing the problem itself.
There is a tool called fsutil.exe in Windows which can be used to check if a volume is dirty and can even be used to manually set a drive as dirty which will force the requests to scan it, but weirdly it cannot be used to clear the dirty bit. Someone has already reverse engineered the fsutil.exe to confirm it.
So there seems to be 2 solutions to clear the dirty bit which is to trust the Microsoft disk checking utility by completing a check disk OR you can move the data away from the volume, format the drive and then move it back. Going with the first option would risk losing some of your files when the scan disk decides to turn them into CHK files. The second option is safer but takes a lot of time if you have a lot of files to move.
Here is a third method, and we’ve spent several hours locating the dirty bit on NTFS and FAT16/32 file systems so that we can manually reset or clear the dirty bit with a hex editor that supports disk editing. As we said earlier, the dirty bit is simply 1 hex value on the disc volume that needs to be reset and is easy to change again in future once you know how.
We’ve tried a total of 13 different hex editors which are wxHexEditor, HxD, 010 Editor, CI Hex Viewer, iBored, HexEdit Pro, Hackman Suite, DMDE, Hexprobe, FlexHEX, ADRC Hard Disk Hex Editor, WinHex and Hex Workshop. Only DMDE, WinHex and Hex Workshop were the editors able to write the data back to the disc but the last two are shareware tools. HxD is certainly one of the easiest tools to use and can make the needed changes but is a bit slower because it needs to manually search the drive for some values.
On Page 2 we’ll show how to clear the dirty bit for NTFS, FAT32, FAT16 and locked volumes.
Hey thanks,
I ran the chkntfs command in cmd to check all my hard disk drives and two of them proclaimed to be dirty which I believe is not true as I have ran the manufacturers diagnostic tools on them very recently.. anyway I followed the tutorial which works but I noticed I had to do it twice on each drive for it to actually change =S
Manufacturer diagnostic tools don’t really check the filesystem dirty bit, they check the SMART attributes and run a few other tests to check the integrity of the disk surface etc. The dirty bit is set and checked by Windows.
I had a couple of drives with the dirty bit set by Win 8.1, verified by fsutil, but DMDE could not find the string anywhere close to the beginning of the MFT. I tried both the Win7 and Win8 strings you gave, and I even searched just for “03 01″, but I couldn’t find the string before I aborted the search after five minutes and 50 million sectors. Is it possible that Win 8.1 has a completely different kind of string to look for?
Even if I have to fix the dirty bit the hard way, thanks for the article, and the great tip on DMDE, which is a great piece of freeware.
This is the only solution that seemed to work for me. Thank you so much for the help!
Hello,
I have find the sring with dirty bit in windows 7 in C: drive where OS is installed , but I am not able to save the changed string. Error of loss of data.
thnking you.
You can’t save changes to the C drive if that’s what you are booting from. Have you read the section “Changing the Dirty Bit on Locked/System volumes” on page 2?
Hello.
I have a machine with Windows XP Professional SP3 on a 250GB-SATA drive (NTFS). Two weeks ago, the machine had a read-error from the SATA drive (C:) while booting (hard reset was neccessary). Autochk.exe now loads CHKDSK at every windows boot. I tried hard to fix the problem, but no way… ‘chkntfs c:’ via CMD told me again and again that C: isn’t fine and every time before Windows starts it starts CHKDSK. I have taken a brandnew SATA drive and cloned the old drive (via Acronis) – result: same procedure as every day :((
Finally I found this excellent article here, but I can’t solve the problem. What I have done: I took a Hiren’s 13.1 and launched MiniXp. Then I launched HxD and opened C: without write protection and started a search for ‘ 03 01 01 00 00 00 00 00 80 00 00 00 18′. No results.
The next step was to start a search for ’03 01 00 00 00 00 00 00 80 00 00 00 18′. No results.
Finally I started to search for the pattern ’00 00 00 00 80 00 00 00 18′. Stepwise with F3 I had success on the beginning of the drive (Unfortunately I don’t remember the offset): ’03 01 01 40 00 00 00 00 80 00 00 00 18′ . I searched until offset 02 80 5A 9E A4 but had no further related search result.
How to go on now? Do I have to overwrite the ’03 01 01 40′ with ’03 01 00 00′ and see what happens? But why is the fourth bit 0×40 instead of 0×00?
Please give me advice or hints!
Best regards
Robert
exFAT has the dirty bit in the VBR (1st Sector), offset 106 (0x6a). Since there are 4 flags in this single byte: оffset 0 is Active FAT and indicates which FAT is active;
оffset 1 is Dirty Volume, 0=clean, 1=dirty;
оffset 2 is Media Failure, this indicates if there are ANY bad clusters on the volume;
оffset 3 is Clear to Zero (the spec does not indicate what this means)
It is truley a dirty bit, not a dirty byte.
Hello Everyone,
Just a note to say thanks for the info. I had wondered why I could no longer leave a flash-drive in while booting the computer. All was good until one day I happened to notice a chkdsk of my flash-drive was happening, and after that some of its data became “lost”. I had a backup for it but, sometimes even that is a pain to have to deal with.
I checked all my flash-drives with the method outlined and found two “dirty” little drives.
Fixed ‘em both with the Hex Editor as per the instructions.
WooHoo!! All is good.
I do want to share one thing.
One of my FAT 32 flash-drives showed 03 in offset 41 (5 down 2 across) instead of 01 (as is mentioned in the instructions).
I was confused at first and then I figured that XP may have written to it three times (due to my stupidity, I’m sure) and that would account for the change from 01 to 03.
So, I changed the 03 to 00 and gave it a go.
Worked like a charm.
Below is what the drive looked like before (w/ the 6 or 7 or 8 zeros omitted from the beginning of each line), if anyone is interested.
00: EB 58 90 4D-53 44 4F 53-35 2E 30 00-02 20 00 04
10: 02 00 00 00-00 F8 00 00-3F 00 80 00-80 1F 00 00
20: 80 AA E6 00-70 0E 00 00-00 00 00 00-02 00 00 00
30: 01 00 08 00-00 00 00 00-00 00 00 00-00 00 00 00
40: 00 03 29 E8-90 89 99 55-53 42 20 44-49 53 4B 20
50: 20 20 29 E8-90 89 99 55-53 42 20 44-49 53 4B 20
Thanks a bunch,
At step 4, when I pressed Alt+C, the cluster selection window came up with ’3′ preloaded as the start cluster. When I ran a search from that location for the bit string, it came up with a result at address 31DE0. Changing the appropriate bit at that address did nothing. (At least as far as dirty status! I changed it back in case it’s used for something else…)
I then went back and manually entered 0 in the cluster selection window to start at the beginning of the disk. Then when I searched it found a result at address 3DE0, which was the correct one. Changing the appropriate bit there changed the disk status to NOT dirty. (Also, the change took effect immediately, even on Windows XP, perhaps because I had booted in safe mode and/or because it was a data disk, not the system disk.)
Thanks for this.
Huh… may someone help me? i have windows xp professional and i’ ve done all steps except the last one. The chkdsk is checking local disk “E” (tipe NTFS) and it’s rather annoying (it does this at every start-up) so i tried these instructions. At the last step when i try to write the changes it says: “Could not lock unmarked volumes.” Furthermore forcing this will cause the loss of all used volume descriptors and ignoring may cause unpredictable result or write access may be denied. Damn it!
Some tips would solve this (i hope). Thanks,
Untitled
from Moon
Are you trying to run the Hex editor from the same E drive? That will cause the error you have.
If not, are you running a dual boot system? You can’t directly edit any partitions that contain boot files which might be on E and C.
Hello.
I have a double boot Win 8 / XP. I tried the whole thing, but it still doesn’t work.
I changed the dirty bit
03 01 01 01 00 00 00 00 80 00 00 00 18
into
03 01 01 01 00 00 00 00 80 00 00 00 18
Are you sure that “03 01 01 01 00 00 00 00 80 00 00 00 18″ is clean ?
Thx for the help, it is still a wonderful post.
“03 01 01 01 00 00 00 00 80 00 00 00 18″ is the dirty bit if it’s been set in windows 8, in XP it will be “03 01 01 00 00 00 00 00 80 00 00 00 18″.
To clear the dirty bit in either case, set it to:
“03 01 00 00 00 00 00 00 80 00 00 00 18″
Note there’s only one “01″ in the string to indicate the dirty bit isn’t set.
Thank you, Raymond, for explaining how to clear the dirty bit on my USB flash drive. CHKDSK never finishes running on my flash drive. It goes about 70% of the way, then mysteriously exits without any error message or explanation. This left me stuck in a loop until I manually cleared the dirty bit. Is the FAT32 filesystem corrupt? Maybe, maybe not. But since my only option was to keep answering NO to the “do you want to watch CHKDSK fail again?” question every time, this is definitely an improvement.
Thank you Raymond for this wonderful post – saved my bacon when a cloned drive wouldn’t boot due to Chkdsk-induced errors
I connected my target disk using a ATAPI/USB bridge (very convenient), and used FSUTIL dirty query g: to check the before and after ‘dirty’ status. I had a bit of a heart attack when I changed the dirty bit from 01 to 00 and then used FSUTIL – it still said the volume was dirty! Then I disconnected the drive from my PC, reconnected it and checked again – now it said NOT dirty – yay!!
Put it back in my laptop, and now it boots up fine – thank you thank you!!
Frank
GOOD ONE, REALLY HELPED
Just found this thread, thanks for the useful information.
USB flash drives are usually formatted as FAT32 so it’s just a matter of clearing 0×41 – I’ve just successfully done that to my flash drive and the command “fsutil dirty query f:” now confirms that volume is NOT dirty.
Hi Raymond, many thanks for your excellent research. Now I got a bunch of older FAT16 Sticks (1GB and 2GB ones) some of which also produce that “Scan and fix” dialog on Windows 7.
So I tried to locate that “dirty bit” on FAT16, and what should I say, I actually managed to find it: It’s located at offset 37 (decimal), which is 25 hex, respectively (counting from the beginning of the FAT16 boot sector).
In the FAT specifications, this byte is considered to be “unused”.
I found that it has the following meaning regarding the “dirty bit”:
00h = Not dirty
01h = Dirty
I hope this could help some folks also having FAT16 media which shows this problem. Maybe you can add this info to your article, feel free to do so!
Best regards from Germany,
Fabian
Hey, nice info.
Thank you , … i will try that the next time.
Raymond you are the Rainman!
This is a incredible good work, TWO days for one bit :-) Thanks for sharing