Frisk Software International - Technical note #1


                         Cross-linked files

"Cross-linked files" usually means that there is an internal inconsistency
in the allocation of clusters ... two files appear to "own" the same cluster.

This can happen in two different ways:

   Every file has a "starting cluster" field in its directory entry...if two
   files appear to have the same starting cluster, or if the "starting
   cluster" of one file has already been allocated to another file, you get
   the files reported as cross-linked.

   The FAT (File Allocation Table) basically contains a linked list of
   clusters allocated to each file....each cluster has one (12 or 16 bit)
   entry in the FAT, and the entry may indicate that the cluster is unused,
   bad (at least one sector in the cluster has read/write errors), the
   last cluster of a file or (and most important) the next cluster allocated
   to the file....and allocating the same cluster twice gives you
   cross-linked files.

In some cases the "cross-linking" is simply caused by FAT corruption.  For
example if the FAT is overwritten with garbage, one could easily expect files
to be randomly cross linked.  In this case, practically no program will
load or work properly - with the exception of those that fit it one cluster,
typically 8192 bytes, but can be smaller (down to 512 bytes) or bigger (32768
bytes for example) ... the cluster size depends on the size of the hard disk,
but the lower limit is determined by the fact that each DOS partition can only
have 64K clusters.

To determine if the FAT is totally corrupted, look at it with a disk editor
(my personal recommendation - version 4.5 of the Norton Utilities)  It should
(in FAT view mode) appear as lists of increasing numbers, with <EOF>s and 0s
in between.

If both copies of the FAT are indeed corrupted, the fastest way to recover
is to reformat and restore the last complete backup.  If no backup is
available, it might be possible to wipe the FAT, and re-build it from scratch.
Possible, but not easy.

Usually, however, the damage to the FAT is not extensive, maybe just a single
pair of files that is cross-linked.

In this case, it is most likely that one of the files is corrupted, but the
other one is OK.  If you can verify that this is the case, do the following:

Copy the file that is OK to a different file or directory, delete both
of the cross-linked files, and copy the file back.  The other file will have
to be restored from a backup.

Now, why do cross-linked files appear ?

There are several reasons - but the primary reason is of course that MS-DOS
is not a decent operating system.  If a flaky program overwrites a random 
location in memory, and this random location just happens to be in the middle
of a disk buffer that contains a part of the FAT that is about to be written
to the disk, you get FAT corruption and possibly cross-linked files.

Also, if a program crashes after a updated directory has been written to disk,
but before the updated FAT has been written, you may get cross-linking
later on.  This is why it is a good idea to run CHKDSK after every crash.

Viruses can cause cross-linking, but that happens very rarely.  It is a common
mis-conception that cross-linking is somehow associated with viruses, but
this is simply not true.  Unfortunately the VSUM hypertext program indicates
in many cases that various viruses cause cross-linking of files, but that is
quite simply incorrect.

There are a few malicious viruses (and Trojans) that corrupt the FAT, but there
is also a much more non-obvious method of a virus indirectly causing cross-
linking of files.

If a computer is infected with a full-stealth virus, such as Frodo, and the
user runs CHKDSK /F while the virus is active, CHKDSK may detect a mismatch in
the file allocation sizes - the number of clusters allocated to an infected
file might be larger that the number it would seem to require, considering
the size of the file.   This is, however, caused by the fact that the virus
subtracts its own size form the real file size.  If CHKDSK /F is allowed
to "fix" this, it will mark the extra clusters as "free", and they may later
be used by another file, causing cross-linking and various other problems.

Note that in this case, the damage is not really done by the virus, but rather
by CHKDSK.  One rule, therefore, should be to run a virus scanner...our own
recommended, of course :-)...before running CHKDSK /F.

