Home
  •  

Unable to write a shadowed header for the file.

Unable_to_write_a_shadowed_header_for_the_file (Rule)

Knowledge Base article:

Summary

If the Exchange server database service is denied write access to its own database files (*.edb) or to the checkpoint file (*.chk), errors similar to the following may be seen: MSExchangeIS (xxxx) Unable to write a shadowed header for file [path\filename].

Causes

Common causes of this issue include:

Another process is using the file. Antivirus software may mistakenly quarantine a file, or a backup process may temporarily deny access. In this case, you may see error 1032 in the Description section of event 439. Error 1032 is equivalent to Jet_errFileAccessDenied, in which the file is locked or in use.

A disk or controller failure has occurred, and access to the entire drive has been lost, sometimes temporarily. Check the System Log for I/O or drive errors near the time of the 439 event. In this case, you may see error 1022 in the description of event 4399. Error 1022 is a Jet_errDiskIO, or disk I/O error. The 1022 error is a generic error that appears whenever a disk input/output (I/O) problem prevents Exchange from gaining access to a requested page in the database or to a transaction log.

Permissions have been removed from the folder where the file resides.

The file has been marked read-only. This is most likely to happen to a checkpoint file.

The folder containing the file has been renamed or deleted. This is also mostly likely to happen to a checkpoint file.

Resolutions

Check for alerts related to full disks and resolve as necessary.

To troubleshoot such errors, you must determine what has suddenly blocked the database service from accessing its files. In many cases, restarting the affected server reverses the lock if you cannot find another way to fix the problem.

Confirm that there is sufficient access to the disks.

If the database is still running, you may have to use the Move Mailbox or ExMerge tools to move the mailboxes to another server.

If the database will not mount, you may need to restore from online backup. If there is no valid backup, as a last resort, you may need to repair the database with eseutil /P, run isinteg -fix until all fixes are removed, and then mount the database and use ExMerge to merge to a new, blank database.

External

For more information about ESE event 439, see:

Element properties:

TargetMicrosoft.Exchange.Databases
CategoryEventCollection
EnabledTrue
Event_ID439
Event SourceESE
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
RemotableTrue
Alert Message
Unable to write a shadowed header for the file.
{0}
Event LogApplication

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Windows.EventProvider Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Unable_to_write_a_shadowed_header_for_the_file" Enabled="onEssentialMonitoring" Target="Exch2003Core!Microsoft.Exchange.Databases" ConfirmDelivery="false" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>.</ComputerName>

      <LogName>Application</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>Channel</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>Application</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>439</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>ESE</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>1</Severity>

      <AlertOwner>$Data/PublisherName$</AlertOwner>

      <AlertMessageId>$MPElement[Name="Unable_to_write_a_shadowed_header_for_the_file.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>