It’s not often that new administrative tools for Windows come along, nor do they typically arrive in stealth. After reading about a “new” command line utility named StorDiag.exe on WinAero.com this morning, I dug in to find out when and how it popped up. According to Google, the earliest mention is an August 5 blog post from Mark Berry entitled “StorDiag Errors after Windows 10 Upgrade.” This post explores a class of events related to the Windows Storage Class PnP event log. In fact, StorDiag.exe captures such events in a file named “Microsoft-Windows-Storage-ClassPnp.evtx” when run. And like the original poster, I may also have issues with embedded SD card circuitry. Very interesting!
Help info for StorDiag.exe shows only a few switches and options.
Here’s more on those arguments:
-collectEtw: collects a 30-second long event log for each storage device. Uses Event Tracing for Windows (ETW).
-checkFSconsistency: runs chkdsk and fsutil tools against all registered storage devices.
-out <PATH>: writes a raft of files to the directory specified after this argument (by default, files appear in %SystemDrive%\Users\<user-account>\AppData\Local\Temp).
What Does StorDiag.exe Do, What Files Does It Create?
This utility creates a whole slew of files in a target or default directory. Here’s a description with some numbers:
- LocalMetaData: a folder with 15 files, each related to event files it creates.
- ChkDsk<Drive-Letter>.txt: ChkDsk output for all recognized drives. For my system that means ChkDskC.txt through ChkDskR.txt. Letters N through O map to flash drives not present on the system (15 files).
- CDROM.reg, DiskDrive.reg, FileSystem.reg, HDC.reg, SCSIadapter.reg, VolMgr.reg, VolSnap.reg, Volume.reg: compilations of registry entries. These cover optical storage, disk drives, file systems, plus storage controllers and SCSI adapters present on the system, and entries for Windows 10 Volumes, its Volume Manager, and the Volume Snapshot facility (8 files).
- Microsoft-Windows-<event-class>.evtx: A collection of 15 event trace files, all viewable in Event Monitor. They feature internal labels: DataIntegrityScan-Admin, DataIntegrityScan-CrashRecovery, DiskDiagnostic, Ntfs, Partition, Storage-ATAP, Storage-ClassPnp, StorageManagement-Operational, StorageSpaces-Driver-Diagnostic, StorageSpaces-Driver-Operational, StorageSpaces-SpaceManager-Operational, Storage-Storport, Volume, VolumeSnapshot-Driver, and System. They cover most aspects of Windows system and storage performance plus data and crash integrity.
- PSLogs.txt: a complete summary log of all actions from the latest StorDiag.exe run with pointers to files created plus data, device, and object snapshots.
- Volume <Drive-Letter> Corruption.txt: FSutil output for all recognized drives; for my system that means Volume C Corruption.txt through Volume R Corruption.txt. (15 files, 53 files total)
StorDiag.exe: Interesting Output, But What Does It Tell Us?
In short, there are reams and reams of potentially interesting and useful stuff to be gleaned from the many files this utility spawns (11.3 MB worth, in the case of my production desktop). Thus, I’m hoping an enterprising Windows toolsmith builds a console to pluck the wheat from the chaff produced. It took me the better part of an hour to chew through those 50-odd files, with only a handful of errors and warnings worth further investigation. So while the StorDiag.exe utility is interesting and brings lots of potentially valuable information together, I’m not yet prepared to say that it’s also incredibly useful. Hopefully, we’ll see the aftermarket help out with this…
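As an added example (not part of the original post and not a Microsoft tool), the PowerShell below shortens that manual review by pulling only Critical, Error and Warning records out of the .evtx files in a StorDiag output folder and grouping them by log and event ID. The function name `Get-StorDiagFindings` and the folder `C:\Temp\StorDiag` are assumptions made for illustration.

```powershell
# Added example: triage the .evtx files that StorDiag.exe writes to its output folder.
# Get-StorDiagFindings is a hypothetical helper name, not a built-in cmdlet.
function Get-StorDiagFindings {
    param(
        [Parameter(Mandatory)][string]$Path,   # folder given to StorDiag's -out switch
        [int[]]$Level = @(1, 2, 3)             # 1 = Critical, 2 = Error, 3 = Warning
    )
    foreach ($log in Get-ChildItem -Path $Path -Filter '*.evtx' -File) {
        try {
            # -FilterHashtable with a Path key reads a saved log file, not a live channel
            Get-WinEvent -FilterHashtable @{ Path = $log.FullName; Level = $Level } -ErrorAction Stop |
                Select-Object @{ n = 'Log'; e = { $log.BaseName } },
                              TimeCreated, Id, LevelDisplayName, ProviderName,
                              # keep only the first line of the message for a compact summary
                              @{ n = 'Message'; e = { "$($_.Message)".Split("`n")[0].Trim() } }
        }
        catch {
            # A log with no matching records raises NoMatchingEventsFound; that is the
            # clean case, so stay quiet. Anything else (unreadable file) is reported.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "$($log.Name): $($_.Exception.Message)"
            }
        }
    }
}

# Constructed sample path: point this at your own StorDiag output directory.
$findings = Get-StorDiagFindings -Path 'C:\Temp\StorDiag'

# One row per (log, event ID, level), most frequent first, with the newest timestamp
# and one sample message so repeated noise collapses into a single line.
$findings |
    Group-Object Log, Id, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
                  @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } },
                  @{ n = 'Sample'; e = { $_.Group[0].Message } } |
    Format-Table -AutoSize -Wrap
```

The ChkDsk and fsutil text files are left out here because their format is not shown on this page; they still need a manual read.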