Hello my name is Bob Golding and I would like to share information on a new error you may see in the system event log. It is Event ID 157 "Disk <n> has been surprise removed" with Source: disk. This error indicates that the CLASSPNP driver has received a “surprise removal” request from the plug and play manager (PNP) for a non-removable disk.
What does this error mean?
The PNP manager does what is called enumerations. An enumeration is a request sent to a driver that controls a bus, such as PCI, to take an inventory of devices on the bus and report back a list of the devices. The SCSI bus is enumerated in a similar manner, as are devices on the IDE bus.
These enumerations can happen for a number of reasons. For example, hardware can request an enumeration when it detects a change in configuration. Also a user can initiate an enumeration by selecting “scan for new devices” in device manager.
When an enumeration request is received, the bus driver will rescan the bus for all devices. It will issue commands to the existing devices as though it was looking for new ones. If these commands fail on an existing unit, the driver will mark the device as “missing”. When the device is marked “missing”, it will not be reported back to PNP in the inventory. When PNP determines that the device is not in the inventory it will send a surprise removal request to the bus driver so the bus driver can remove the device object.
Since the CLASSPNP driver sits in the device stack and receives requests that are destined for disks, it sees the surprise removal request and logs an event if the disk is supposed to be non-removable. An example of a non-removable disk is a hard drive on a SCSI or IDE bus. An example of a removable disk is a USB thumb drive.
Previously nothing was logged when a non-removable disk was removed, as a result disks would disappear from the system with no indication. The event id 157 error was implemented in Windows 8.1 and Windows Server 2012 R2 to log a record of a disk disappearing.
Why does this error happen?
These errors are most often caused when something disrupts the system’s communication with a disk, such as a SAN fabric error or a SCSI bus problem. The errors can also be caused by a disk that fails, or when a user unplugs a disk while the system is running. An administrator that sees these errors needs to verify the heath of the disk subsystem.
Event ID 157 Example:
This error is recorded even VHD/VHDX I mounted.
Why'm not removable.
[The VHD code does a surprise remove, but it does a dismount first. This error can be ignored in that scenario.]
I have started seeing this error just recently on my Dell laptop with an SSD drive. It seems to happen after I wake it from sleep mode. It comes out of sleep, then all of a sudden it reboots.
On a recently deployed 2012 R2 system it looks like these warnings were generated during (or immediately after) a "Windows Server Backup". I noticed that the backups are stored in VHD's. Also, the disk numbers the error refers to (2 and 3) do not exist when I examine the Disk Manager. I assume this is normal behavior and can be ignored, correct???
[This message may be generated with a VHD is removed. We are aware of customer feedback regarding this message and it's applicability for VHDs.]
I get this error multiple times every time a backup is run on my Windows Server 2012R2 Hyper-V host and it seems to be referencing a VSS drive (Disk 3 and my system only has three drives, 0, 1 and 2). About once every couple of weeks the system blue screens and reboots right after one of those errors.
[This occurs may occur when removing a VHD drive, however it is not expected when unmouning a VSS snapshot. If the system is blue screening immediately after an event 157 that may indicate a hardware problem with a disk.]
OK, so I'm a simple user (have been for nearly 30 years) and while I appreciate the non-explanation above, it only points out what "could cause" the problem.
My experience with this matter is that ever since I "upgraded" to WIN 8 my external HDs continuously surprise me (disconnects and immediately reconnects) and logs a 157 event - when it reconnects, it opens a window that will not allow any other action in other programs, so if I'm typing I must stop and close the window or click back onto my work.
It seems to happen randomly, with no action from me at all - I have 3 PCs, all running WIN 8.1 and all have the same issue. 2 PCs are upgrades from WIN 7 and one is a brand new (Xmas present) with native WIN 8.1. I have 3 external backup HDs (Seagate GoFlex, 2 WD MyBooks), all with latest drivers installed.
The dreaded SURPRISE REMOVE occurs an average of 20 times/HOUR - needless to say my backups can NOT be scheduled since my current operating mode is to disconnect the drives physically in order to do any work.
Bottom line for me: All external HDs surprise me constantly since the move to WIN 8.X (4 times since I have been typing this comment). I am heavily invested in MS/WIN/HP/Intel and really don't want to change, but I may have to - by the way, my MAC is rapidly becoming my "go to" computer. HELP!!!!!!
Please provide some real answers AND fix (not workarounds but FIX).
Thanks for your patience, mine's all but run out!
[As suggested in the article, this error indicates the drive was removed from the system. If this error is occurring with external hard drives then there is a problem with the hardware that is causing the drives to lose connection to the system.]
So I have noticed this too and there's no VHD being removed. The drive in question is my external usb drive, and it's plugged in all during the backup. This even occurs right as the backup begins.
There's no problem with the hardware, I've used this hardware with older operating systems with no issues.
How about I open a bug on this because I think you guys have a bug that's not been squashed.
[Most likely you are experiencing an intermittent hardware failure. This message is new, which is why you do not see it on older platforms. In older platforms the surprise remove would occur but the user was not informed of the problem.]
Ever since my upgrade to Server 2012 R2 I too am logging this error. It is always in the 0430AM time frame daily since the upgrade. I do not have a Disk 4 that the error keeps referencing. This is definitely a bug.
Log Name: System
Date: 3/31/2014 4:30:48 AM
Event ID: 157
Task Category: None
Disk 4 has been surprise removed.
<Event xmlns="" rel="nofollow" target="_new">schemas.microsoft.com/.../event">
<Provider Name="disk" />
<TimeCreated SystemTime="2014-03-31T08:30:48.613931100Z" />
[We are aware of a scenario where this error may be erroneously reported when a vhd drive is removed. Perhaps a vhd is being used by your backup software at 4:30.]
Win 8.1 PC with USB 3.0 external drives backing up using Win image copy, Shadow Protect, Acronis (yes, I completely removed Acronis from my PC before installing Shadow Protect). After things run fine for 2-3 weeks, I get the Event 157 error on any 3.0 external drive I try to use 4 TB Hitachi; Drobo 5D RAID; etc and backups fail. If I install a new backup program or drive, all is well for a while, then error returns and backups fail. So, this is unlikely to be either my hardware or backup program. Please stop blaming hardware and look into either the USB or the surprise removal code.
[We are aware of erroneous 157 errors when doing a backup that uses a .vhd file (image backups may use this). Note that plug and play surprise removals are not new, logging them with an event 157 is the new addition.
We are unable to perform in depth 1:1 troubleshooting through this blog, if you would like to work with a Microsoft engineer on this issue please open a support incident. You can find more information about opening an incident at http://support.microsoft.com/gp/microsoft-support-options.]
What is the format of the raw data associated with the event?
[There is no value in the raw data except for the path to the disk.]
This happened to me while running a cluster validation test on a Windows server 2012 R2 Hyper-V host. The disk being reported ‘ has been surprise removed.’ is a VHD on which the AD DC VM is running on. The DC would become unresponsive for a little while; the OS tries to reboot itself in attempt to recover the system but would eventually fail and hung at PXE looking for a booting device at which point I manually shut it down at VMM and start it back on.
BTW; when I run the cluster validation test; there was no cluster configured yet; it was more of a pre-scan (inventory) of resources in preparation of an actual Hyper-Cluster via SMB 3. I’m not sure though as to why the VHD disk is taken over by the PNP manager during an inventory/enumeration process as supposed to just report it, may be, with some king of access violation (denied). I thought it’s a bit of an aggressive action for a merely ‘validation test’ causing a server (DC/GC) to fail.
[Hi MTM. Unfortunately we are not able to provide 1:1 support through this blog. The issue reported does not seem to match a known issue. You can obtain 1:1 support through http://support.microsoft.com/.]
a year later and still nothing to resolve bogus errors...?????!!!! how about Microsoft doing something to resolve it instead of telling us what we need to do to work around it or ignore them....I don't want to ignore warnings or errors in my event logs...if they can be ignored...they shouldn't be there
[We eliminated the extraneous log entries when dismounting a vhd file in the May 2014 rollup. http://support.microsoft.com/kb/2955164 ]
FYI - I use CA-ArcServer UDP. So I had their tech support backup my final conclusion that the "surprise disk" warning can be ignored.
If you use ArcServer, the event that coincides with 157 can also be disregarded. Applies to 2008 - 2012R2.
This is VSS reporting a warning. The warning is caused by the backup process used by Windows Backup or ArcServer (and others).
Please note that this is a "warning" only, no resolution needed. You can turn off shadow copies to make the warning go away, but be forewarned you will cause system instability by doing this.