Event ID 157 "Disk # has been surprise removed"

Hello, my name is Bob Golding, and I would like to share information on a new error you may see in the system event log. It is Event ID 157 "Disk <n> has been surprise removed" with Source: disk.  This error indicates that the CLASSPNP driver has received a “surprise removal” request from the Plug and Play manager (PNP) for a non-removable disk.

 

What does this error mean?

The PNP manager does what is called enumerations.  An enumeration is a request sent to a driver that controls a bus, such as PCI, to take an inventory of devices on the bus and report back a list of the devices.  The SCSI bus is enumerated in a similar manner, as are devices on the IDE bus.

 

These enumerations can happen for a number of reasons.  For example, hardware can request an enumeration when it detects a change in configuration.  Also a user can initiate an enumeration by selecting “scan for new devices” in device manager.  

 

When an enumeration request is received, the bus driver will rescan the bus for all devices.  It will issue commands to the existing devices as though it was looking for new ones.  If these commands fail on an existing unit, the driver will mark the device as “missing”.  When the device is marked “missing”, it will not be reported back to PNP in the inventory.  When PNP determines that the device is not in the inventory it will send a surprise removal request to the bus driver so the bus driver can remove the device object.

 

Since the CLASSPNP driver sits in the device stack and receives requests that are destined for disks, it sees the surprise removal request and logs an event if the disk is supposed to be non-removable.  An example of a non-removable disk is a hard drive on a SCSI or IDE bus.  An example of a removable disk is a USB thumb drive.

 

Previously, nothing was logged when a non-removable disk was removed.  As a result, disks would disappear from the system with no indication.  The Event ID 157 error was implemented in Windows 8.1 and Windows Server 2012 R2 to log a record of a disk disappearing.

 

Why does this error happen?

These errors are most often caused when something disrupts the system’s communication with a disk, such as a SAN fabric error or a SCSI bus problem.  The errors can also be caused by a disk that fails, or when a user unplugs a disk while the system is running.  An administrator who sees these errors needs to verify the health of the disk subsystem.
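
As a starting point for that verification, the following added example (not part of the original post or any Microsoft tool) summarizes Event ID 157 records per disk and per local hour of day. The function name `Get-SurpriseRemovalSummary` and the sample events are constructed for illustration; the assumption that the first `Data` element is the device path and the second is the disk number follows the event quoted in the comments below.

```powershell
# Constructed sample events (times, device paths and disk numbers are made up).
$sampleEvents = @(
    '<Event><System><EventID Qualifiers="32772">157</EventID><TimeCreated SystemTime="2014-03-30T08:30:47Z" /></System><EventData><Data>\Device\Harddisk4\DR9</Data><Data>4</Data></EventData></Event>'
    '<Event><System><EventID Qualifiers="32772">157</EventID><TimeCreated SystemTime="2014-03-31T08:30:48Z" /></System><EventData><Data>\Device\Harddisk4\DR10</Data><Data>4</Data></EventData></Event>'
    '<Event><System><EventID Qualifiers="32772">157</EventID><TimeCreated SystemTime="2014-03-31T15:12:05Z" /></System><EventData><Data>\Device\Harddisk1\DR1</Data><Data>1</Data></EventData></Event>'
)

function Get-SurpriseRemovalSummary {
    param([Parameter(Mandatory = $true)][string[]]$EventXml)

    $records = foreach ($text in $EventXml) {
        $doc = [xml]$text
        # local-name() keeps the XPath working whether or not the XML carries a namespace.
        $id = $doc.SelectSingleNode("//*[local-name()='EventID']")
        if ($null -eq $id -or $id.InnerText -ne '157') { continue }
        $data = $doc.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']")
        $when = $doc.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
        [pscustomobject]@{
            # A trailing Z is parsed as UTC and converted to local time.
            Time       = [datetime]::Parse($when, [cultureinfo]::InvariantCulture)
            DevicePath = $data[0].InnerText   # assumed: first Data element is the device path
            Disk       = [int]$data[1].InnerText   # assumed: second Data element is the disk number
        }
    }

    # One row per disk: how often it was removed, when, and in which hours of the day.
    $records | Group-Object Disk | ForEach-Object {
        $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
        [pscustomobject]@{
            Disk       = [int]$_.Name
            Count      = $_.Count
            First      = $times[0]
            Last       = $times[-1]
            LocalHours = (@($times | ForEach-Object { $_.Hour } | Sort-Object -Unique)) -join ','
        }
    }
}

Get-SurpriseRemovalSummary -EventXml $sampleEvents | Format-Table -AutoSize

# On a live host, feed it real records instead of the constructed sample:
# $xml = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='disk'; Id=157} |
#     ForEach-Object { $_.ToXml() }
# Get-SurpriseRemovalSummary -EventXml $xml
```

A disk whose events fall in the same hour on consecutive days is worth comparing against scheduled jobs such as the VHD-based backups discussed in the comments, while events scattered across the day are the case where the disk subsystem itself needs checking.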

 

Event ID 157 Example:

 

Comments

  • Anonymous
    December 31, 2013
    This error is recorded even VHD/VHDX I mounted. Why'm not removable. [The VHD code does a surprise remove, but it does a dismount first.  This error can be ignored in that scenario.]

  • Anonymous
    January 15, 2014
    I have started seeing this error just recently on my Dell laptop with an SSD drive. It seems to happen after I wake it from sleep mode. It comes out of sleep, then all of a sudden it reboots.

  • Anonymous
    February 21, 2014
    On a recently deployed 2012 R2 system it looks like these warnings were generated during (or immediately after) a "Windows Server Backup". I noticed that the backups are stored in VHDs. Also, the disk numbers the error refers to (2 and 3) do not exist when I examine the Disk Manager. I assume this is normal behavior and can be ignored, correct??? [This message may be generated when a VHD is removed.  We are aware of customer feedback regarding this message and its applicability for VHDs.]

  • Anonymous
    February 24, 2014
    I get this error multiple times every time a backup is run on my Windows Server 2012R2 Hyper-V host and it seems to be referencing a VSS drive (Disk 3 and my system only has three drives, 0, 1 and 2). About once every couple of weeks the system blue screens and reboots right after one of those errors. [This may occur when removing a VHD drive, however it is not expected when unmounting a VSS snapshot.  If the system is blue screening immediately after an event 157 that may indicate a hardware problem with a disk.]

  • Anonymous
    March 27, 2014
    So I have noticed this too and there's no VHD being removed. The drive in question is my external usb drive, and it's plugged in all during the backup.  This even occurs right as the backup begins. There's no problem with the hardware, I've used this hardware with older operating systems with no issues. How about I open a bug on this because I think you guys have a bug that's not been squashed. [Most likely you are experiencing an intermittent hardware failure.  This message is new, which is why you do not see it on older platforms.  In older platforms the surprise remove would occur but the user was not informed of the problem.]

  • Anonymous
    April 06, 2014
    Ever since my upgrade to Server 2012 R2 I too am logging this error.  It is always in the 0430AM time frame daily since the upgrade.  I do not have a Disk 4 that the error keeps referencing.  This is definitely a bug.

    Log Name:      System
    Source:        disk
    Date:          3/31/2014 4:30:48 AM
    Event ID:      157
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      Master1.beti.us
    Description:
    Disk 4 has been surprise removed.
    Event Xml:
    <Event xmlns="schemas.microsoft.com/.../event">
      <System>
        <Provider Name="disk" />
        <EventID Qualifiers="32772">157</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-03-31T08:30:48.613931100Z" />
        <EventRecordID>3486889</EventRecordID>
        <Channel>System</Channel>
        <Computer>Master1.beti.us</Computer>
        <Security />
      </System>
      <EventData>
        <Data>DeviceHarddisk4DR10</Data>
        <Data>4</Data>
        <Binary>0000000002003000000000009D000480000000000000000000000000000000000000000000000000</Binary>
      </EventData>
    </Event>

    [We are aware of a scenario where this error may be erroneously reported when a vhd drive is removed.  Perhaps a vhd is being used by your backup software at 4:30.]

  • Anonymous
    April 21, 2014
    Win 8.1 PC with USB 3.0 external drives backing up using Win image copy, Shadow Protect, Acronis (yes, I completely removed Acronis from my PC before installing Shadow Protect). After things run fine for 2-3 weeks, I get the Event 157 error on any 3.0 external drive I try to use 4 TB Hitachi; Drobo 5D RAID; etc and backups fail. If I install a new backup program or drive, all is well for a while, then error returns and backups fail. So, this is unlikely to be either my hardware or backup program. Please stop blaming hardware and look into either the USB or the surprise removal code. [We are aware of erroneous 157 errors when doing a backup that uses a .vhd file (image backups may use this).  Note that plug and play surprise removals are not new; logging them with an event 157 is the new addition. We are unable to perform in-depth 1:1 troubleshooting through this blog. If you would like to work with a Microsoft engineer on this issue, please open a support incident.  You can find more information about opening an incident at http://support.microsoft.com/gp/microsoft-support-options.]

  • Anonymous
    June 23, 2014
    What is the format of the raw data associated with the event? [There is no value in the raw data except for the path to the disk.]

  • Anonymous
    January 05, 2015
    a year later and still nothing to resolve bogus errors...?????!!!! how about Microsoft doing something to resolve it instead of telling us what we need to do to work around it or ignore them....I don't want to ignore warnings or errors in my event logs...if they can be ignored...they shouldn't be there [We eliminated the extraneous log entries when dismounting a vhd file in the May 2014 rollup.  http://support.microsoft.com/kb/2955164 ]

  • Anonymous
    January 06, 2015
    FYI - I use CA-ArcServer UDP. So I had their tech support backup my final conclusion that the "surprise disk" warning can be ignored. If you use ArcServer, the event that coincides with 157 can also be disregarded. Applies to 2008 - 2012R2. This is VSS reporting a warning. The warning is caused by the backup process used by Windows Backup or ArcServer (and others). Please note that this is a "warning" only, no resolution needed. You can turn off shadow copies to make the warning go away, but be forewarned you will cause system instability by doing this.

  • Anonymous
    September 02, 2015
    Concerning 157 occurring in Hyper-V guest at host server backup time see Ben Armstrong’s Virtualization Blog for an explanation and a proposed solution that does not fulfill... "know that you can safely ignore this message if it is happening when a virtual machine backup is happening" (blogs.msdn.com/.../hyper-v-and-quot-event-id-157-disk-x-has-been-surprise-removed-quot.aspx) [Thanks for sharing this.  As Ben pointed out, and as we have previously mentioned here, the extraneous event 157 entries were corrected after an update.]

  • Anonymous
    December 08, 2015
    I was getting these on my HP DV-7 laptop. Was due to the fact that I had an external drive connected via E-sata port.  Makes for a quick external drive, but throws up these errors when the drive drops into low power usage mode. I just have to live with it unfortunately.