none
Handles to Transactional NTFS files blocking external USB drive removal! RRS feed

  • Question

  • Hello,

    I am using Windows 7 Ultimate x64 SP1.

    Sometimes I am unable to remove safely a USB external drive because the System process (PID 4) has open handles to several of the Transactional NTFS files that are stored in the hidden system directory \$Extend\$RmMetadata on the external disk.

    I do not know what program or system services initiate the use of these files, the disk is configured for "Quick Removal" in the Hardware Properties sheet. There is no consistency in what program usage will provoke the problem.

    I always use the "Safely Remove Hardware" procedure to remove external disks, even when configured for "Quick Removal"; when these transactional NTFS handles are open, that procedure always fails with the error message that some program is preventing removal.

    The only ways to safely remove the external USB disk are either (a) to shut down the computer, or (b) use the Disk Manager to set the disk "offline" (I then have to use the Disk Manager the next time I plug in the disk to set it back "online", since setting offline status sets a persistent policy for that particular disk).

    Is there any way to solve this problem? Is it some kind of bug in Windows 7? Or a bug in programs? Or is it a problem buried in the standard Windows USB drivers that don't correctly distinguish between fixed and removable drives? Or a BIOS problem of my notebook, where the USB ports (which are "fixed") somehow confuse things?

    Here is a dump of configuration information (via Uwe Sieber's ListUsbDrives.exe) from one of my external USB drives (they all exhibit this locked handle problem from time to time):

    MountPoint        = H:\
    Volume Label      = BACKUP
    Volume Size       = 320 GB (NTFS)
    Volume Serial     = FA19-4DE7
    Partition Type    =
    Disk Size         = 320 GB
    Volume Name       = \\?\Volume{46d2071e-7e53-11e0-9fcd-00247e685552}\
    Partition Name    = \Device\Harddisk2\Partition1
    Bus Type          = USB
    Drive Type        = fixed
    Device Types      = ---
    Volume DevID      = STORAGE\VOLUME\{46D2071C-7E53-11E0-9FCD-00247E685552}#0000000000100000
    Drive DevID       = USBSTOR\DISK&VEN_ST932042&PROD_1ASG&REV_\50ECE3FFFFFF&0
    Ctrl  DevID       = USB\VID_152D&PID_2329\50ECE3FFFFFF
    Host Ctrl DevID   = PCI\VEN_8086&DEV_293A&SUBSYS_20F117AA&REV_03\3&E89B380&0&EF
    Host Ctrl Name    = Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293A
    Volume DosDevName = \Device\HarddiskVolume10
    Disk DosDevNames  = \Device\Harddisk2\DR7, \Device\0000009b
    Removal Policy    = surprise removal ('Optimize for quick removal')
    Partition Number  = 1 of 1
    Friendly Name     = ST932042 1ASG
    Requested Power   = 2 mA (self powered)
    USB Version       = 2.0 (High-Speed)
    USB.ID Name       = JMicron Technology Corp. / JMicron USA Technology Corp. - transcend storejet 25P

    USB Friendl. Name = JMicron USB to ATA/ATAPI bridge
    USB Serial        = 50ECE3FFFFFF
    USB Port Name     = 7-1

    All of my removable USB disk drives get marked as "Fixed" by ListUsbDrives.exe, while flash drives are always marked "Removable"--the tool is getting this information directly from the hardware part of the Windows registry.



    OS: Windows 7 X64 Ultimate SP1 and all current recommended Windows Updates. Hardware: Intel Core2Duo T9400, 8GB, Mobile Intel GM45 Express Chipset, Switchable Graphics (GMA 4500MHD/ATI FireGL V5700).
    Tuesday, May 17, 2011 3:57 PM

Answers

  • Thank you, Ketan and Aaron, your answers have lead me to a root cause: the Lenovo "TVT Backup Service" (rrservice.exe) is started each time the Lenovo backup program starts. This rrservice.exe service process uses many handles with "Harddisk" in the name that reference the external USB harddisk:

    http://i860.photobucket.com/albums/ab164/insertrealname/Screen%20captures/DARKMATTER_2011-06-04_12-46-45-ProcessExplorerSearch.jpg

    But stopping the service releases these handles, and then the external USB can be removed using the usual notification area icon.

    I have always disabled the shadow storage on external USB drives by using the "system Protection" settings sheet in System Settings.

    I also ensure that the external disk cannot have contents indexed by removing that option on the disk's property sheet.

    So, the provisional answer appears to be that this problem is nothing to do with handles to Transactional NTFS files blocking the USB removal, but rather the handles of the Lenovo backup process blocking the removal.

    I'll have to attempt to get some support from Lenovo; meanwhile, I've set up a UAC elevated desktop shortcut to C:\Windows\System32\cmd.exe /K C:\Windows\System32\sc.exe stop "TVT Backup Service"


    OS: Windows 7 X64 Ultimate SP1 and all current recommended Windows Updates. Hardware: Intel Core2Duo T9400, 8GB, Mobile Intel GM45 Express Chipset, Switchable Graphics (GMA 4500MHD/ATI FireGL V5700).
    • Marked as answer by No Name Yet Saturday, June 4, 2011 6:01 PM
    Saturday, June 4, 2011 5:48 PM

All replies

  • Hi,

     

    It seems the issue is related to the type of USB devices. The problematic USB drive will be marked as fixed.

     

    First, check if the issue persists in Clean Boot. http://support.microsoft.com/kb/929135

     

    Also, go to check if SuperFetch service is started, if so, stop it and check the results.

     

    Check SuperFetch service

    ----------------------------------------

    1. Click Start, type Services.msc in Start Search bar, and then press Enter.

    2. In the right pane, double-click Security Center.

    3. In the Startup type list, click Disable, click Apply, click Stop, and then click OK.

    4. Restart the computer.

     

    If the issue persists, try to reset the explorer.exe process and check the result.

     

    1. Go to 'Task Manager' ->  select the <Processes> tab -> end the explorer.exe process. It is normal that the background goes into blank.

    2. Go to the 'File' menu of 'Task Manager' and select 'New Task (Run...)' -> in the box that opens up, just type in explorer and then click OK .

    3. Now try the 'Green Safe Removal' icon at the bottom right of screen - this should respond successfully nearly immediately.

     

    If the issue persists, check if the following article is helpful.

     

    http://safelyremove.com/forum/viewtopic.php?t=179

     

    http://forums.techarena.in/operating-systems/1329623.htm

     

    Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

     

    Best Regards,

    Niki


    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, May 19, 2011 10:07 AM
    Moderator
  • Niki,

     

    Thanks for the detailed advice. I have tried most of it already, before posting in the forum.

    I should have been emphasized that the problem does not occur all the time and I have not found a way of consistently reproducing it.

    The link to the forums.techarena.in discussion thread had not turned up in one of my many Google searches, so I shall try the procedures using fsutil.exe explained there when I next run into the problem. Likewise your idea of stopping the Superfetch service, although I'm a little surprised that Superfetch would use NTFS transactions--it's just reading data from the disk, after all.

     

    Thank you;  I won't mark your reply as an answer, however, since none of those procedures work. Keep this thread open until I've tried other things.

     

    Thank you.


    OS: Windows 7 X64 Ultimate SP1 and all current recommended Windows Updates. Hardware: Intel Core2Duo T9400, 8GB, Mobile Intel GM45 Express Chipset, Switchable Graphics (GMA 4500MHD/ATI FireGL V5700).
    Thursday, May 19, 2011 2:10 PM
  • Well, I can more-or-less consistently reproduce the problem after using a backup program that uses the volume shadow copy service and backs-up to the USB disk that becomes unremovable due to System handles to the hidden transactional NTFS files on the disk. But I'm pretty sure other programs also provoke the problem, i.e. VSS may not be the cause.

    The only solution that removes those handles is to take the disk offline via the Disk manager GUI or diskpart.exe (and then take the disk online again when next plugged in--welcome to PnP follies).

    I'm not going to pay money to get Microsoft's attention to report this system bug. More Internet searches show me that this unremovable USB disk & transactional NTFS handles problem has been reported many times since Vista--by now, it's safe to say Microsoft is not interested to determine the cause(s) and fix it.


    OS: Windows 7 X64 Ultimate SP1 and all current recommended Windows Updates. Hardware: Intel Core2Duo T9400, 8GB, Mobile Intel GM45 Express Chipset, Switchable Graphics (GMA 4500MHD/ATI FireGL V5700).
    Friday, May 20, 2011 5:43 PM
  • Hi,

     

    Try to reset the explorer.exe process and check the result.

     

    1. Go to 'Task Manager' ->  select the <Processes> tab -> end the explorer.exe process. It is normal that the background goes into blank.

    2. Go to the 'File' menu of 'Task Manager' and select 'New Task (Run...)' -> in the box that opens up, just type in explorer and then click OK .

    3. Now try the 'Green Safe Removal' icon at the bottom right of screen - this should respond successfully nearly immediately.

     

    Regards,

    Niki


    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, May 24, 2011 9:56 AM
    Moderator
  • I'll try that procedure the next time I have an unremovable USB drive, and add my experience to this thread (keep it unanswered!).
    OS: Windows 7 X64 Ultimate SP1 and all current recommended Windows Updates. Hardware: Intel Core2Duo T9400, 8GB, Mobile Intel GM45 Express Chipset, Switchable Graphics (GMA 4500MHD/ATI FireGL V5700).
    Tuesday, May 24, 2011 11:56 AM
  • OK, tried your explorer.exe reset procedure when the problem occurred after doing my backup this morning--it did not solve it, the transactional NTFS handles remained open in the System process (PID 4).

    I tried force closing them using the context menu in an elevated instance of MS Sysinternals Process Explorer--no dice, Process Explorer displayed a dialog that the handles were invalid or did not exist (even though I used the context menu!).

    The only resolution remains setting the disk offline in Disk Manager.

    The problem occurs when using either Windows 7's Complete Backup or other third-party programs that use the Volume Shadow Copy feature of Windows, but there may be other things involved as well, I'm not sure.

     


    OS: Windows 7 X64 Ultimate SP1 and all current recommended Windows Updates. Hardware: Intel Core2Duo T9400, 8GB, Mobile Intel GM45 Express Chipset, Switchable Graphics (GMA 4500MHD/ATI FireGL V5700).
    Wednesday, May 25, 2011 5:20 PM
  • We have seen an issue where this can occur due to NTFS differences between XP/Vista and Windows 7. Therefore if the drive was formatted in earlier OS I would recommend.

    Copying all data from the external drive
    Format the drive (quick format is fine)
    Test again to see if the problem still occurs


    Ketan Thakkar | Microsoft Online Community Support
    Friday, May 27, 2011 2:13 PM
    Moderator
  • I tried your procedure yesterday evening and this morning: I did a quick format of one of my external USB drives using the Windows 7 Disk manager GUI, and then used Lenovo Backup & Restore (which is a VSS enabled full machine backup application) twice: 1) base backup (125GB written, machine auto-shutdown at the end, I couldn't wait to check at the end), and then this morning 2) daily backup (1.6GB written).

    Unfortunately, the daily backup left open handles to the hidden Transactional NTFS files

    F:\$Extend\$RmMetadata\$Txf

    F:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf

    F:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001

    F:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002

    from the System process (PID 4).

    The Microsoft Windows 7 Complete Backup and Restore application also consistently showed this problem (I use the Files part of that application, not the system image part) in the past, on an external USB disk I formatted using Windows 7, so I don't think the problem is the Lenovo backup application itself. Nevertheless, later this week I'll go through the reformatting/re-backup process with that as well.

    As a home user of Windows 7, is there any way to start a formal support case without spending money?


    OS: Windows 7 X64 Ultimate SP1 and all current recommended Windows Updates. Hardware: Intel Core2Duo T9400, 8GB, Mobile Intel GM45 Express Chipset, Switchable Graphics (GMA 4500MHD/ATI FireGL V5700).
    Wednesday, June 1, 2011 5:19 PM
  • Based on my experience, there may be some third-party backup/ Anti-virus software block the usb from removal. Please perform the following steps when the issue reoccurs.

    Close all opened windows.

    Disable antivirus software temporarily and stop the service.

    Kill alll related backup process in Task Management and stop the backup service.

    (The backup software like MozyPro might also prevent the usb device from removal. You can type tasklist -svc in command line to check the current process.)

    Refresh Windows(Press F5), and check if this time the usb device can be safe removal.

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, June 3, 2011 9:22 AM
  • Thank you, Aaron, for further advice in tracking down the actual cause of the problem with the transactional NTFS handles.

    I'll try it on my next backup with the Lenovo software.

    (Yesterday I did a files-only backup with the Windows 7 backup app and there were *no* handles blocking the USB disk removal; I have no idea if VSS was used by the backup app or not. I should explain that I use one large capacity USB disk to do complete disk bare-metal backups with the Lenovo software, and I use the Windows 7 app to just backup files on another smaller USB disk--there is not enough space for an additional disk image. This use of two programs is actually a good thing, I think, since if one kind of backup gets corrupted, I always have the other to fall back on.)


    OS: Windows 7 X64 Ultimate SP1 and all current recommended Windows Updates. Hardware: Intel Core2Duo T9400, 8GB, Mobile Intel GM45 Express Chipset, Switchable Graphics (GMA 4500MHD/ATI FireGL V5700).
    Friday, June 3, 2011 4:05 PM
  • Let’s try moving the shadow storage to a different local drive, say the C: drive.

     Vssadmin delete shadows /all

    Vssadmin resize shadowstorage /for=f: /on=c:

    That will remove all current shadows, and change the storage for F: to C:


    Ketan Thakkar | Microsoft Online Community Support
    Saturday, June 4, 2011 12:43 PM
    Moderator
  • Hi. I ever received feedback that preventing usb deivce from removal is caused by the third-party backup software handling the $Extend\$RmMetadata and system volume information folder. The system volume information mainly handle the vss backup function.

    I advise when the usb device can't be removal next time, please kill the lenovo backup software related process, and stop related services.

    and try to eject the usb device again. This will help isolate the root cause.

    (The process for lenovo rescue and recovery is rnr_simple.exe, service: TVT Backup Service but not exactly).


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Saturday, June 4, 2011 4:05 PM
  • Thank you, Ketan and Aaron, your answers have lead me to a root cause: the Lenovo "TVT Backup Service" (rrservice.exe) is started each time the Lenovo backup program starts. This rrservice.exe service process uses many handles with "Harddisk" in the name that reference the external USB harddisk:

    http://i860.photobucket.com/albums/ab164/insertrealname/Screen%20captures/DARKMATTER_2011-06-04_12-46-45-ProcessExplorerSearch.jpg

    But stopping the service releases these handles, and then the external USB can be removed using the usual notification area icon.

    I have always disabled the shadow storage on external USB drives by using the "system Protection" settings sheet in System Settings.

    I also ensure that the external disk cannot have contents indexed by removing that option on the disk's property sheet.

    So, the provisional answer appears to be that this problem is nothing to do with handles to Transactional NTFS files blocking the USB removal, but rather the handles of the Lenovo backup process blocking the removal.

    I'll have to attempt to get some support from Lenovo; meanwhile, I've set up a UAC elevated desktop shortcut to C:\Windows\System32\cmd.exe /K C:\Windows\System32\sc.exe stop "TVT Backup Service"


    OS: Windows 7 X64 Ultimate SP1 and all current recommended Windows Updates. Hardware: Intel Core2Duo T9400, 8GB, Mobile Intel GM45 Express Chipset, Switchable Graphics (GMA 4500MHD/ATI FireGL V5700).
    • Marked as answer by No Name Yet Saturday, June 4, 2011 6:01 PM
    Saturday, June 4, 2011 5:48 PM
  • I've had the same problem, and I've recently discovered that restarting the "Server" service (which will generally require Windows to also restart the dependent "Computer Browser" service and possibly the "HomeGroup Listener" service at the same time) has allowed me to then safely remove the drive. I don't know if this is actually "safe" to do or not, but it does work in a pinch.
    Tuesday, June 4, 2013 8:36 AM
  • This did not work for me. Same issue, but using a 1.5tb Seagate USB drive (FreeAgent Desk). I don't have the Lenovo backup program, but I use Acronis True Image. The only way I can safely remove this drive is to completely shut down. I even tried in disk manager to change drive letters (and remove drive letter). Tried restarting explorer. No luck here.

    The purpose of technology is to give us the information we crave faster.

    Monday, August 12, 2013 12:46 AM
  • The only way I can safely remove this drive is to completely shut down. ...

    Excuse the reviving this old topic, but as it is still an ongoing issue I would like to offer some general ways to resolve the process that is blocking the usb drive stopping (ejecting). First you will need these tools:

    • Microsoft / Sysinternals Process Explorer - Procexp.exe
    • Nirsoft DriveLetterView.exe
    • Microsoft / Sysinternals handle closer - handle.exe (optional)

    Investigate handles open on drive typically the problem is with a handle using "devicepath" name, so run DriveLetterView.exe and get drive's "devicepath". For example lets assume you find drive G: "devicepath" is "\Device\HarddiskVolume5". Use procexp.exe "find handle+dll" menu item find any "G:" entries; use the PID to identify the process. Repeat find for the device name, in this example, \Device\HarddiskVolume5. For each process id (PID) you found select it in procexp.exe and find out what the task is for and how best to restart or close that process (eg restart a service, close an editor etc) that should clear the open file or handle. If it is not possible to close/restart (eg other processes depend on this) decide if you want to force the release of a specific handle. For force closing select PID in procexp.exe and set "lower pane" menu item to "handles or DLL" highlight the matching handle, and use "close handle" menu item. Drive G: will then accept stopping (ejecting) if you resolve all the handle issues.

    For example a third party AntiVirus background service has a drive handle open but no file activity on drive is active,  the AV service would not restart properly due to inter-dependencies, so close by this method was the only way to allow G: USB drive to be stopped. Assess the risk on case by case basis. (handle.exe is useful if you want to use the command line and/or make a script to close a handle or make log file of open handles).




    • Edited by Scott_R_ Wednesday, September 18, 2019 7:00 AM
    Wednesday, September 18, 2019 6:51 AM