.vdi file disappeared and is gone
.vdi file disappeared and is gone
I was running a Windows 10 environment on a Windows 10 host and encountered some AHCI write errors (portion of log file attached). When I restarted VirtualBox and attempted to restart the virtual environment, it couldn't because my .vdi file containing the guest OS was just gone from the directory on the host machine.
Any suggestions on recovery? I looked in my recycle bin and it wasn't there, and I tried using Windows File Recovery but that didn't recover anything. I'm baffled as to how the file could just disappear. Thanks in advance!
Any suggestions on recovery? I looked in my recycle bin and it wasn't there, and I tried using Windows File Recovery but that didn't recover anything. I'm baffled as to how the file could just disappear. Thanks in advance!
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: .vdi file disappeared and is gone
Please do not chop up logs for our consumption. You need to zip the entire log then attach the zip here.
<speculation>The fragment of log you provided shows "VERR_INVALID_HANDLE". So I'm going to assume that you have a removable drive and the drive was removed while the VM was running. That could certainly produce all of these effects if the timing was especially bad.</speculation>
Don't assume VirtualBox has magic powers: a VDI is just an ordinary file, albeit rather large, manipulated using normal host OS file I/O functions. Looking after the host filesystem is the defining responsibility of the host OS. There are no tools in VirtualBox for maintaining the host OS or its filesystem.
The only recovery option is to restore the VDI from your last backup. I have never known a "file recovery tool" to work on files of that size.
<speculation>The fragment of log you provided shows "VERR_INVALID_HANDLE". So I'm going to assume that you have a removable drive and the drive was removed while the VM was running. That could certainly produce all of these effects if the timing was especially bad.</speculation>
Don't assume VirtualBox has magic powers: a VDI is just an ordinary file, albeit rather large, manipulated using normal host OS file I/O functions. Looking after the host filesystem is the defining responsibility of the host OS. There are no tools in VirtualBox for maintaining the host OS or its filesystem.
The only recovery option is to restore the VDI from your last backup. I have never known a "file recovery tool" to work on files of that size.
Re: .vdi file disappeared and is gone
Thanks for your reply. I've attached the entire log file here.
The .vdi was on a desktop SSD, the same drive that's running the host OS, and was not physically removed (the errors occurred when I wasn't even at the computer). I was more surprised that the entire file was missing, I wouldn't have expected I/O errors to just corrupt that file rather than wipe it completely from existence without a trace.
The .vdi was on a desktop SSD, the same drive that's running the host OS, and was not physically removed (the errors occurred when I wasn't even at the computer). I was more surprised that the entire file was missing, I wouldn't have expected I/O errors to just corrupt that file rather than wipe it completely from existence without a trace.
- Attachments
-
- VBox.log.zip
- (72.84 KiB) Downloaded 22 times
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: .vdi file disappeared and is gone
SSDs can behave in strange ways because of how "trim" works, and especially so if the SSD is failing - and it seems likely that something is very wrong with that host SSD.
That said, you have two VDI files attached to this VM, but the errors seem to be confined to "Windows10.vdi". For some reason you seem to have no errors with "D-drive.vdi" despite it being seemingly located on the same host drive. With a mechanical drive I would suspect sector errors, but I don't know if that's even possible on an SSD. Total failure yes, but sector errors? Perhaps the VM simply wasn't writing to "D-drive" at the time.
Still, I'd suggest running thorough filesystem checks on the host drive (chkdsk). A colleague here also suggests that you try to find an official diagnostic tool from the drive manufacturer, and see what that can tell you.
However the fundamental position remains that file recovery is never a practical possibility with files of these sizes. You either have a backup or you have nothing.
That said, you have two VDI files attached to this VM, but the errors seem to be confined to "Windows10.vdi". For some reason you seem to have no errors with "D-drive.vdi" despite it being seemingly located on the same host drive. With a mechanical drive I would suspect sector errors, but I don't know if that's even possible on an SSD. Total failure yes, but sector errors? Perhaps the VM simply wasn't writing to "D-drive" at the time.
Still, I'd suggest running thorough filesystem checks on the host drive (chkdsk). A colleague here also suggests that you try to find an official diagnostic tool from the drive manufacturer, and see what that can tell you.
However the fundamental position remains that file recovery is never a practical possibility with files of these sizes. You either have a backup or you have nothing.
-
- Volunteer
- Posts: 5677
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: .vdi file disappeared and is gone
These are the first log messages indicating the problem. Win32 Error Codes 225 == 0x000000E1 == ERROR_VIRUS_INFECTED.VBox.log file wrote:182:27:27.012336 AssertLogRel F:\tinderbox\win-6.1\src\VBox\Runtime\win\RTErrConvertFromWin32.cpp(448) int __cdecl RTErrConvertFromWin32(unsigned int): <NULL> 182:27:27.012511 Unhandled error 225
AV-Software (on the host) and disappearing files would be a good match ...
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: .vdi file disappeared and is gone
ERROR_VIRUS_DETECTED doesn't make much sense to me. To be reported as an OS error it would have be caused by Defender, and would Defender ever just instantly delete a file it thinks has a virus inside it?
But John T, you can at least answer if you have Defender AV settings particularly high?
And I assume you were not specifically experimenting with malware inside this VM.
I would still do the disk checks I mentioned.
But John T, you can at least answer if you have Defender AV settings particularly high?
And I assume you were not specifically experimenting with malware inside this VM.
I would still do the disk checks I mentioned.
-
- Volunteer
- Posts: 5677
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: .vdi file disappeared and is gone
I guess that for an application like VirtualBox, Windows putting a file in quarantine and deleting a file should be undistinguishable.mpack wrote:ERROR_VIRUS_DETECTED doesn't make much sense to me. To be reported as an OS error it would have be caused by Defender, and would Defender ever just instantly delete a file it thinks has a virus inside it?
I don't know if it is Microsoft Defender or another AV software. When developing 64-bit Windows, Microsoft also took the opportunity to force AV software to use Microsoft-provided interfaces, to prevent the latter from using their own techniques too much (as was the case in 32-bit Windows). So I wouldn't be surprised if quarantining used a common mechanism provided by Microsoft.
Re: .vdi file disappeared and is gone
You guys are awesome! You are correct that Windows Defender was the cause (it was set at default settings). It looks like the VM picked up some malware but the host Defender (rather than the VM Defender) flagged it and initiated quarantine of the .vdi file. I was able to successfully restore the .vdi file from quarantine. A bit disturbing that this occurred, but I added my virtualbox file directory to the Defender whitelist to hopefully prevent this going forward.
Thanks again for helping on the recovery!
Thanks again for helping on the recovery!
-
- Volunteer
- Posts: 5677
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: .vdi file disappeared and is gone
You're welcome, and thanks for reporting back!
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: .vdi file disappeared and is gone
I was going to suggest that you look for the quarantined file, but it seems you are way ahead of me.
I discussed this case with our IT guy at work, because the options were sector errors on an SSD (which doesn't make sense), or Defender deleting files on its own authority and without saying anything (which doesn't make sense either). Our conclusion was that the file must have been moved to a quarantine location - though neither of us had personally experienced that behaviour ever. Weird. I'd like to know what was the Defender setting (default doesn't mean much to me, since I suspect it varies), and what was the nature of the threat that caused such dramatic action? I ask the latter because I thought that Defender didn't go in for that dumb pattern matching crap whereby any code included in malware is flagged as malware too (even though it's just the runtime library of the C compiler used) - so maybe Defender was pretty sure about what it found.
I discussed this case with our IT guy at work, because the options were sector errors on an SSD (which doesn't make sense), or Defender deleting files on its own authority and without saying anything (which doesn't make sense either). Our conclusion was that the file must have been moved to a quarantine location - though neither of us had personally experienced that behaviour ever. Weird. I'd like to know what was the Defender setting (default doesn't mean much to me, since I suspect it varies), and what was the nature of the threat that caused such dramatic action? I ask the latter because I thought that Defender didn't go in for that dumb pattern matching crap whereby any code included in malware is flagged as malware too (even though it's just the runtime library of the C compiler used) - so maybe Defender was pretty sure about what it found.
-
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: .vdi file disappeared and is gone
+1 to this. I always tell Defender (or other 3rd-party AV when Windows 7 was the host) to stay out of the Virtualbox VMs' folders, then I use AV within the VMs as needed to handle malware inside the VMs.John T wrote:I added my virtualbox file directory to the Defender whitelist to hopefully prevent this going forward.
Re: .vdi file disappeared and is gone
Screenshots of my host PC Defender settings and event logs are below. There wasn't any notification on the host PC of a malware detection event or quarantine.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: .vdi file disappeared and is gone
In my Defender settings that first option is enabled (Real-time protection), all of the others are turned off. "Cloud delivered protection" for faster (i.e. more glitchy) protection sounds especially unwelcome to me.
-
- Posts: 339
- Joined: 9. Jul 2007, 20:02
- Primary OS: MS Windows other
- VBox Version: OSE other
- Guest OSses: Windows and macOSes
- Location: An Ant Farm
- Contact:
Re: .vdi file disappeared and is gone
Same. I don't trust the clouds. I ran into this issue today as shown in my viewtopic.php?f=6&t=107094&p=523957 thread.mpack wrote:In my Defender settings that first option is enabled (Real-time protection), all of the others are turned off. "Cloud delivered protection" for faster (i.e. more glitchy) protection sounds especially unwelcome to me.