Windows CMD: chkdsk

Topic

New Reply

In looking at the details of the Windows CMD chkdsk, it seems that the results of any run gets written into the Event Log with two different IDs:

Source: Wininit
Event ID: 1001

Source: Chkdsk
Event ID: 26214

Initially I thought that when chkdsk was run by Wininit that it was the result of the OS seeing a dirty drive, and when ID’d as Chkdsk that it was run by an admin user.

But after multiple tests this does not hold up. Another idea was that chkdsk run on the boot drive would have the Source marked as Wininit, and on any data drive as Chkdsk. Alas, that is not the case either.

Does anyone have any info that would shed some light on why there are two different Source/Event IDs for the same command?

Reply | Quote

Replies

PS:

In case it matters, here is some additional info:

Edition: Windows 10 Pro, v.22H2
OS build: 19045.2364
Experience: Windows Feature Experience Pack 120.2212.4190.0

Reply | Quote

[Bob99]

If you look in the Task Scheduler for Windows (Start menu>Windows Administrative Tools>Task Scheduler) you’ll more than likely see an entry for Chkdsk with a little folder-looking icon next to it. Clicking on that will reveal that it’s a scheduled task that runs a proactive periodic scan. That’s probably what you’re seeing in your Event log.

In case you need a reminder, the listing for Chkdsk can be found in Task Scheduler under Task Scheduler Library (click on the little arrow next to it to expand it)>Microsoft (click arrow to expand)>Windows(click arrow to expand)>Chkdsk.

If, due to seeing the Event log entries, you’re worried that your disk might indeed have a flaky file structure, you can always run the chkdsk /F command from an elevated (with Admin privileges) command prompt.

• This reply was modified 2 years, 2 months ago by Bob99.

Reply | Quote

Hey Bob, thank you for your extended response. Your comments opened up an additional avenue to investigate. And, I do see that there are scheduled tasks for the following related commands:

chkdsk
chkntfs
autochk

However, that is not what I’m attempting to figure out. I run chkdsk as a matter of routine about every 2 or 3 weeks. I found all of my runs listed in the Event Viewer, for each time I ran it.

But sometimes it is listed as a Wininit/1001 and other times as chkdsk/26214

What started me down this rabbit hole, is my newbee attempts to write a PowerShell script to retrieve and log the output of those chkdsk runs. So far the script works, but I have to filter for both events, 1001 and 26214. And of course that lead me to wonder why are there two different entries for the same admin user action.

bc

Reply | Quote

Bartels Juice wrote:

…But sometimes it is listed as a Wininit/1001 and other times as chkdsk/26214…

Hi Bartels Juice:

From Option 1 (Read Logs in Event Viewer) / Step # 3 of Brink’s TenForums tutorial How to Read Event Viewer Log for Chkdsk (Check Disk) in Windows 10 :

That suggests it has something to do with the way that the ChkDsk scan is launched, although I’m not exactly clear on the distinction between a “bootup” and “manual” ChkDsk scan.
———–
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.2364 * Firefox v108.0.1 * Microsoft Defender v4.18.2211.5-1.1.19900.2 * Malwarebytes Premium v4.5.19.229-1.0.1860 * Macrium Reflect Free v8.0.7175

Reply | Quote