I attempted the backup again and saw the same error message again. I had backed up the system a few days previously without seeing that error message. I was attempting the backup today because I had just installed Windows operating system updates from Microsoft and also updates to Apple software on the system. I had rebooted the system afterwards and then ran the system image backup program.
It took me quite some time to resolve the problem, which seemed to be related to the USB port on the computer to which the external drive I was using for backups was attached, since moving the cable from a front USB port on the computer to a port in the back allowed me to successfully complete the backup.
To try to determine the cause of the problem, since the Windows backup program
creates Event Trace Reports, .etl files, in
C:\Windows\Logs\WindowsBackup, I started by looking at the most
recent .etl file. The etl files can be viewed with the
tracerpt command.
C:\>tracerpt /?
Microsoft r TraceRpt.Exe (6.1.7601.18869)
Usage:
tracerpt <[-l] <value [value [...]]>|-rt <session_name [session_name [...]]>>
[options]
Options:
-? Displays context sensitive help.
-config <filename> Settings file containing command options.
-y Answer yes to all questions without prompting.
-f <XML|HTML> Report format.
-of <CSV|EVTX|XML> Dump format, the default is XML.
-en <ANSI|Unicode> Output file encoding. Only allowed with CSV
output format.
-df <filename> Microsoft specific counting/reporting schema
file.
-import <filename [filename [...]]> Event Schema import file.
-int <filename> Dump interpreted event structure into
specified file.
-rts Report raw timestamp in event trace header.
Can only be used with -o, not -report or
-summary.
-tmf <filename> Trace Message Format definition file
-tp <value> TMF file search path. Multiple paths can be
used, separated with ';'.
-i <value> Specifies the provider image path. The
matching PDB will be located in the Symbol
Server. Multiple paths can be used,
separated with ';'.
-pdb <value> Specifies the symbol server path. Multiple
paths can be used, separated with ';'.
-gmt Convert WPP payload timestamps to GMT time
-rl <value> System Report Level from 1 to 5, the default
value is 1.
-summary [filename] Summary report text file. Default is
summary.txt.
-o [filename] Text output file. Default is dumpfile.xml.
-report [filename] Text output report file. Default is
workload.xml.
-lr Less restrictive; use best effort for events
not matching event schema.
-export [filename] Event Schema export file. Default is
schema.man.
[-l] <value [value [...]]> Event Trace log file to process.
-rt <session_name [session_name [...]]> Real-time Event Trace Session data
source.
Examples:
tracerpt logfile1.etl logfile2.etl -o logdump.xml -of XML
tracerpt logfile.etl -o logdmp.xml -of XML -lr -summary logdmp.txt -report log
rpt.xml
tracerpt logfile1.etl logfile2.etl -o -report
tracerpt logfile.etl counterfile.blg -report logrpt.xml -df schema.xml
tracerpt -rt "NT Kernel Logger" -o logfile.csv -of CSV
C:\>Note: don't assume files with a larger number at the end, eg. ".4.etl" are later ones than ones with a lower number, e.g., ".1.etl"
C:\Users\Administrator\Documents>dir c:\WIndows\Logs\WindowsBackup\*.etl
Volume in drive C has no label.
Volume Serial Number is 9420-A68C
Directory of c:\WIndows\Logs\WindowsBackup
12/29/2015 11:39 AM 1,507,328 SystemImage.1.etl
12/29/2015 11:23 AM 2,293,760 SystemImage.2.etl
03/21/2012 03:58 PM 524,288 SystemImage.3.etl
03/11/2012 03:12 PM 524,288 SystemImage.4.etl
12/28/2015 03:27 PM 10,354,688 SystemImage.etl
12/15/2015 09:58 PM 61,440 Wbadmin.0.etl
12/15/2015 09:58 PM 30,720 Wbadmin.1.etl
12/15/2015 09:57 PM 30,720 Wbadmin.2.etl
12/15/2015 09:56 PM 30,720 Wbadmin.3.etl
9 File(s) 15,357,952 bytes
0 Dir(s) 61,411,504,128 bytes freeYou can produce a text file from the etl file that you can read with a text
editor, such as Windows
Notepad , by
specifying the name of the input file after tracerpt followed by
-o. If you don't include an output file name after the
-o, the output file will be named dumpile.xml by
default and placed in the directory from which the command was run. E.g.:
C:\Users\Administrator\Documents>tracerpt C:\Windows\Logs\WindowsBackup\SystemImage.1.etl -o
Input
----------------
File(s):
C:\Windows\Logs\WindowsBackup\SystemImage.1.etl
100.00%
Output
----------------
DumpFile: dumpfile.xml
The command completed successfully.
C:\Users\Administrator\Documents>Though, when I examined that file, I could not find the cause of the
error message by searching for any instances of "error", "fail", or "find" in
the file. So I tried creating a report file, instead. The default output
file for that option is workload.xml, if you don't specify an
output file name.
C:\Users\Administrator\Documents>tracerpt C:\Windows\Logs\WindowsBackup\SystemImage.1.etl -report
Input
----------------
File(s):
C:\Windows\Logs\WindowsBackup\SystemImage.1.etl
100.00%
Output
----------------
Report: workload.xml
The command completed successfully.
C:\Users\Administrator\Documents>That file was much smaller than dumpfile.xml; I didn't see the
cause of the error in that file, either, though.
C:\Users\Administrator\Documents> dir *.xml
Volume in drive C has no label.
Volume Serial Number is 9420-A68C
Directory of C:\Users\Administrator\Documents
12/29/2015 11:55 AM 5,404,207 dumpfile.xml
12/29/2015 12:03 PM 410,166 workload.xml
2 File(s) 5,814,373 bytes
0 Dir(s) 61,417,390,080 bytes freeThe .etl files can also be viewed in the Windows
Event Viewer,
which is accessible on a Windows 7 system by clicking on the
Start button and then typing Event Viewer in the
"search programs and files" field and hitting Enter. Click on
Open Saved Log and browse to the location of the .etl file you wish
to view. You may see a message stating "Classic, Analytic and Debug logs
are easier to navigate and manipulate when converted to the new event log
format. Would you like to create a new event log copy now?" You can click on
the Yes button.
It was easier to scroll through the 4,853 events recorded with the Event Viewer, but when I looked for any entries marked as errors or failures, I didn't see any, only ones marked with a level of "Information".
So viewing the backup log file by that method wasn't helpful to me, either. However, when I used the Event Viewer to view the system event log, instead, I did see error and warning entries in that log during times consistent with the times I had attempted the system image backup.
You can see details on an entry by double-clicking on it. I saw an event 14 error entry which stated "The shadow copies of volume E: were aborted because of an IO failure on volume E:" and a warning entry immediately after it, event 51, that "An error was detected on device \Device\Harddisk1\DR6 during a paging operation".
To determine what drive was Harddisk1, I issued the command
wmic diskdrive list brief /format: list at a command prompt.
C:\>wmic diskdrive list brief /format:list Caption=ST2000DL001-9VT156 ATA Device DeviceID=\\.\PHYSICALDRIVE0 Model=ST2000DL001-9VT156 ATA Device Partitions=3 Size=2000396321280 Caption=TOSHIBA 259EP25NT USB Device DeviceID=\\.\PHYSICALDRIVE1 Model=TOSHIBA 259EP25NT USB Device Partitions=1 Size=0 Caption=USB2.0 CardReader CF USB Device DeviceID=\\.\PHYSICALDRIVE2 Model=USB2.0 CardReader CF USB Device Partitions=0 Size= Caption=USB2.0 CardReader MS USB Device DeviceID=\\.\PHYSICALDRIVE4 Model=USB2.0 CardReader MS USB Device Partitions=0 Size= Caption=USB2.0 CardReader SD USB Device DeviceID=\\.\PHYSICALDRIVE5 Model=USB2.0 CardReader SD USB Device Partitions=0 Size= Caption=USB2.0 CardReader SM XD USB Device DeviceID=\\.\PHYSICALDRIVE3 Model=USB2.0 CardReader SM XD USB Device Partitions=0 Size= C:\Users\Administrator\Documents>
So it appeared that the error message referencing "Harddisk1" was referring to the USB-attached drive I was using for the backup, for which the system was using drive E: as the drive letter.
At the Microsoft Community site, I found a
Windows 7 Backup Error 0x80070002 posting where a Microsoft employee,
Soudamini [MSFT],
noted the problem can sometimes be fixed, i.e., if there are bad sectors
on a disk, by running chkdsk /r on a drive.
For the error 80070002, we have seen couple of issues on the external hard disk and solved the problems for few customers.
1) one of the reasons we have found is an issue with the USB controller on the machine. Installing the hotfix from http://support.microsoft.com/kb/976972 would help.
2) We’ve recently seen issues where reading a bad sector returns “file not found” error. If you run chkdsk /R on the target, it detects such bad sector(s) then backup will ignore those automatically.
Since I was including
both the C and D drives on the system in the backup, I ran chkdsk on drive D
first with chkdsk /r d:. I had to wait several hours for
the chkdsk scan of drive D to complete. It did not find any errors.
While chkdsk was running on drive D, I searched through the
dumpfile.xml file again, this time for the word "found".
There were quite a few lines where I saw "No Format Information found".
When I searched the System event log for events with an id of 14, I saw the
following:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Unknown" />
<EventID>14</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2015-12-29T11:23:29.562476700Z" />
<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
<Execution ProcessID="5708" ThreadID="5092" ProcessorID="2" KernelTime="0" UserTime="0" />
<Channel />
<Computer />
</System>
<DebugData>
<SequenceNumber>0</SequenceNumber>
<FlagsName></FlagsName>
<LevelName></LevelName>
<Component></Component>
<SubComponent></SubComponent>
<FileLine> 14</FileLine>
<Function></Function>
<Message>GUID=9dfccb2b-9d4a-bfff-5169-ab893cea210b (No Format Information found).</Message>
</DebugData>
<RenderingInfo Culture="en-US">
<Opcode> 14</Opcode>
</RenderingInfo>
<ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
<EventGuid>{9dfccb2b-9d4a-bfff-5169-ab893cea210b}</EventGuid>
</ExtendedTracingInfo>
</Event>But I also saw other event ids associated with "No Format Information found". E.g., event ids 49 and 51:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Unknown" />
<EventID>51</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2015-12-29T11:24:00.015314300Z" />
<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
<Execution ProcessID="5708" ThreadID="5092" ProcessorID="3" KernelTime="0" UserTime="0" />
<Channel />
<Computer />
</System>
<DebugData>
<SequenceNumber>0</SequenceNumber>
<FlagsName></FlagsName>
<LevelName></LevelName>
<Component></Component>
<SubComponent></SubComponent>
<FileLine> 51</FileLine>
<Function></Function>
<Message>GUID=54a9f494-5dd2-7723-4f8f-46590c4fbe77 (No Format Information found).</Message>
</DebugData>
<RenderingInfo Culture="en-US">
<Opcode> 51</Opcode>
</RenderingInfo>
<ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
<EventGuid>{54a9f494-5dd2-7723-4f8f-46590c4fbe77}</EventGuid>
</ExtendedTracingInfo>
</Event>After completion of the chkdsk scan of drive D, I scanned drive E with the following results:
C:\Users\Administrator\Documents>chkdsk e: The type of the file system is RAW. CHKDSK is not available for RAW drives. C:\Users\Administrator\Documents>
After reseating the USB cable between the computer and external disk drive,
I was able to run chkdsk successfully without the /r repair
option.
I tried ejecting the drive, but saw a message that "This device is currently in use. Close any programs or windows that might be using the device, and then try again.
The message occurred even after I closed all the windows I had open with various applications, so I rebooted the system again. When I attempted another image backup, it still failed with the same 0x80070002 error code. When I went to the Action Center within System and Security in the Control Panel, I saw a maintenance message stating "The last backup did not complete successfully."
When I clicked on the More information button, I saw a message stating "The system cannot find the file specified", but there was no information on the specific file that could not be found.
I ran chkdsk c: /r, which required a reboot so the drive
check could be performed at Windows boot time. After it completed and I
logged in, I tried completing a system image backup again, but it again
failed to successfully completed. I then ran chkdsk on the Toshiba 1 TB
USB-attached disk drive (Model MQ01ABD100) on which I had been attempting to
store the backup, which was drive E: in the system. That check failed.
C:\Users\Administrator>chkdsk e: /r The type of the file system is NTFS. Volume label is New Volume. CHKDSK is verifying files (stage 1 of 5)... 256 file records processed. File verification completed. 0 large file records processed. 0 bad file records processed. 0 EA records processed. 0 reparse records processed. CHKDSK is verifying indexes (stage 2 of 5)... 300 index entries processed. Index verification completed. 0 unindexed files scanned. 0 unindexed files recovered. CHKDSK is verifying security descriptors (stage 3 of 5)... 256 file SDs/SIDs processed. Security descriptor verification completed. 22 data files processed. CHKDSK is verifying file data (stage 4 of 5)... 10 percent complete. (26 of 240 files processed) The disk does not have enough space to replace bad clusters detected in file 43 of name . 10 percent complete. (27 of 240 files processed) An unspecified error occurred (6e74667363686b2e b34).
I had another drive of the same model, so I attached it, instead. I formatted it with the NTFS file system as I had done with the other drive and attempted another backup. It too failed with the same error message "The system cannot find the file specified. (ox80070002)" and no indication of what file caused the problem.
Condisering the possibility that the problem still might be related to the USB connection, I moved the USB cable connection at the computer end from a USB port on the front of the computer to the back of the computer, since I thought I likely connected the drive to a port in the back of the computer when I had been successful at creating a system image backup a few weeks ago. This time I saw the message "The backup completed successfully."
And when I used the wbadmin command to check on the successful backups completed by the Microsoft-provided backup and restore program, I saw the following:
C:\Users\Administrator>wbadmin get versions
wbadmin 1.0 - Backup command-line tool
(C) Copyright 2004 Microsoft Corp.
Backup time: 3/11/2012 4:07 AM
Backup location: DVD labeled GIGABYTE-PC 3/11/2012 1:07 AM 1,GIGABYTE-PC 3/11/2
012 1:07 AM 2
Version identifier: 03/11/2012-09:07
Can recover: Volume(s), Bare Metal Recovery
Backup time: 3/11/2012 11:18 AM
Backup location: DVD labeled GIGABYTE-PC 3/11/2012 9:18 AM 1,GIGABYTE-PC 3/11/2
012 9:18 AM 2
Version identifier: 03/11/2012-16:18
Can recover: Volume(s), Bare Metal Recovery
Backup time: 3/11/2012 3:12 PM
Backup location: DVD labeled GIGABYTE-PC 3/11/2012 1:12 PM 1,GIGABYTE-PC 3/11/2
012 1:12 PM 2
Version identifier: 03/11/2012-20:12
Can recover: Volume(s), Bare Metal Recovery
Backup time: 3/21/2012 12:00 PM
Backup location: DVD labeled GIGABYTE-PC 3/21/2012 10:00 AM 1,GIGABYTE-PC 3/21/
2012 10:00 AM 2
Version identifier: 03/21/2012-17:00
Can recover: Volume(s), Bare Metal Recovery
Backup time: 3/21/2012 2:30 PM
Backup location: DVD labeled GIGABYTE-PC 3/21/2012 12:30 PM 1,GIGABYTE-PC 3/21/
2012 12:30 PM 2
Version identifier: 03/21/2012-19:30
Can recover: Volume(s)
Backup time: 3/21/2012 4:00 PM
Backup location: DVD labeled GIGABYTE-PC 3/21/2012 2:00 PM 1,GIGABYTE-PC 3/21/2
012 2:00 PM 2
Version identifier: 03/21/2012-21:00
Can recover: Volume(s), Bare Metal Recovery
Backup time: 12/15/2015 10:32 AM
Backup target: 1394/USB Disk labeled New Volume(E:)
Version identifier: 12/15/2015-15:32
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System Sta
te
Snapshot ID: {df7c9340-0bcc-4711-aecf-f97b11f14d17}
Backup time: 12/30/2015 12:37 PM
Backup target: 1394/USB Disk labeled Spirit Backup(E:)
Version identifier: 12/30/2015-17:37
Can recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System Sta
te
Snapshot ID: {820bee82-4ba2-4df8-8b9a-20b141a8b416}
C:\Users\AdministratorReferences:
Created: Wednesday December 30, 2015