"disk 3 Has Been Surprise Removed."

Discussion in 'Hardware' started by BlazeHedgehog, Oct 2, 2019.

  1. BlazeHedgehog

    BlazeHedgehog Private E-2

    So about 20 minutes ago, I opened a folder to look at some image files I'd downloaded off the internet for an article I'm writing and I got a pop-up notification from Windows 10 that disappeared the moment I clicked on something in the folder. Usually when something like that happens it gets logged in the action center (or whatever it's called, where notifications live), but it did not.

    It was something about needing to wait to access a file because it had to be scanned, I think? It went by so fast I barely got time to ingest what it said.

    My first point of business was to see if it got logged in Windows Security, but it did not. Protection history returns nothing except complaining about Tamper Protection and "Check apps and files" being turned off.

    The next step is to see if it got logged in the Event Viewer. It did not. But what I did notice is a strange event that's been logged three times over the last 7 hours:

    Code:
    Log Name:      System
    Source:        disk
    Date:          10/2/2019 4:39:54 AM
    Event ID:      157
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      Pray4Mojo
    Description:
    Disk 3 has been surprise removed.
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="disk" />
        <EventID Qualifiers="32772">157</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2019-10-02T11:39:54.298308900Z" />
        <EventRecordID>3735</EventRecordID>
        <Channel>System</Channel>
        <Computer>Pray4Mojo</Computer>
        <Security />
      </System>
      <EventData>
        <Data>\Device\Harddisk3\DR9</Data>
        <Data>3</Data>
        <Binary>0000000002003000000000009D000480000000000000000000000000000000000000000000000000</Binary>
      </EventData>
    </Event>
    That sounds kind of scary, so I did some googling and a lot of info seems to be about this error coming up in relation to USB HDDs, of which I have none plugged in. Outside of this mysterious Windows security pop-up that vanished, I have had no visible issues with my computer's performance and none of my actual hard disks have gone anywhere.

    I'm also not clear on exactly what "Disk 3" is. I have two physical, platter HDDs -- one is 500gb and contains C:\ (Windows) and E:\ (an old backup of personal files). The other is 2tb, which I put in just a few months ago, and is where all my Steam games and video capture lives (for my YouTube channel). That's D:\ drive.

    There is no third disk. If we go by partitions, Disk 3 could mean D:\ drive, which would be a bummer, but I understand that, since the drive is new (and hopefully under warranty). It could also mean E:\ drive, I guess, since that's the last drive letter, but that drive's only a year and a half old and hasn't shown any problems yet.

    The thing is, at boot up, Windows obviously logs events where it does basic HDD scans. And when it does that, it says I have five (!) drives. C:, D:, E: and two other drives without letters attached to them (presumably some kind of recovery partitions Windows itself makes).

    Going by the Event Viewer, they are labeled:

    C: = HarddiskVolume2
    D: = HarddiskVolume5
    E: = HarddiskVolume4

    And then the other two (which are giant strings of letters and numbers) are HarddiskVolume1 and 3, respectively. It says all of them are healthy. Windows Security's device health also says everything is healthy.

    Now, in this process I noticed that the original event says Harddisk3 and the closest any of these get to that is HarddiskVolume3, and I'm willing to bet there's a reason for that. Googling around, somebody says you can find out the name/number of a disk in the Device Manager, so I pop that open and have a look around.

    The Device Manager says I have seven (?!) disk drives! The two physical (500gb + 2tb) and five more labeled "Xvd." A little bit of Googling on that suggests the "Xvd" drives are a weird thing Microsoft is doing with their new Xbox Game Pass for PC games where they store them on phantom disk drives that don't exist as a DRM measure, or whatever.

    And, scrolling further down into the Event Viewer, I ended up stumbling on something from two days ago, where a big batch of these Disk events happened, claiming Disks 3, 6, 5, 4 and 2 were suddenly "surprise removed," all about four seconds apart. I definitely don't have that many partitions that I know of.

    Filtering down to just Event 157, "surprise removed" events have been happening on my system practically since August -- starting at Disk 2 and going up to Disk 7.

    I'd consider this mystery solved and that these were just related to the Xvd drives in use by Game Pass PC, but:

    1. There aren't seven Xvd drives, there's only five. Six drives are mentioned in the event viewer, but that's still more than is listed in the Device Manager.

    2. I'd say maybe the "drives" were taken offline while the games updated, but I can find no evidence of any Windows update or game update taking place to coincide with the times of these "surprise removed" warnings.

    I'd really like any advice here, because I feel in over my head and I'm lost. I think I have it mostly nailed down, but I just want to make sure I'm not digging myself in deeper.

    About the only thing I do know is where that Windows Security notification came from. Digging in the event viewer for more info, I found the Windows Defender operational logs. In short, an indie game executable that was present in the same folder as those images was flagged as suspicious and Windows sent it off for further testing (surprisingly, the file listed was one I myself made, so I know it's safe). It just ended up a super weird coincidence that it happened at the exact same time as one of these "surprise removed" warnings.

    General info:

    OS: Windows 10 (Build 1903)
    CPU: Intel Core i5-4690K
    GPU: MSI GeForce GTX 1060 (6gb)
    RAM: 16gb DDR3 Ripjaws (8gbx2)
    HDD1: WD40EFRX-68N32N0 (500gb)
    HDD2: WD5000AAKX-75U6A (2tb)

    I also have a paid version of Daemon Tools Lite installed, if that matters.
     
  2. BlazeHedgehog

    BlazeHedgehog Private E-2

    Well, for what it's worth, I decided to uninstall one of my Game Pass games -- Gears of War 5 -- just to see what would happen.

    The Event Viewer just gave me another rash of "surprise removed" warnings, but now instead of issuing the warning for Disks 2, 3, 4, 5, 6 and 7, it stopped at Disk 6, suggesting there is now one less disk, which coincides with the uninstallation of Gears 5. That does suggest this could be something funny going on with Game Pass and those phantom Xvd drives in the Device Manager. We'll have to wait and see whether or not it ever references a Disk 7 again.
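
Added example, not part of the original thread: a small Python triage script that parses Event ID 157 records in the XML shape quoted in the first post and groups them into bursts, so multi-disk removals a few seconds apart stand out from isolated ones. The sample records, their timestamps (except the one quoted in the post), the DR numbers for disks other than 3, and the 10-second grouping window are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def sample_event(ts, disk, dr):
    # Constructed record in the shape of the event quoted in the thread.
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="disk" /><EventID Qualifiers="32772">157</EventID>'
            f'<TimeCreated SystemTime="{ts}" /></System><EventData>'
            f'<Data>\\Device\\Harddisk{disk}\\DR{dr}</Data><Data>{disk}</Data>'
            '</EventData></Event>')

# Constructed sample: a five-disk burst four seconds apart, then the thread's timestamp.
SAMPLE = [sample_event(f"2019-09-30T18:00:{s:02d}.1000000Z", d, n)
          for s, d, n in [(0, 3, 9), (4, 6, 12), (8, 5, 11), (12, 4, 10), (16, 2, 8)]]
SAMPLE.append(sample_event("2019-10-02T11:39:54.298308900Z", 3, 9))

def parse_time(s):
    # SystemTime has up to 9 fractional digits; datetime keeps microseconds.
    base, _, frac = s.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro)

def parse_157(xml_text):
    """Return time, device path and disk number, or None if not disk/157."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    if provider != "disk" or system.findtext("e:EventID", namespaces=NS) != "157":
        return None
    data = [d.text for d in root.findall("e:EventData/e:Data", NS)]
    when = parse_time(system.find("e:TimeCreated", NS).get("SystemTime"))
    return {"time": when, "device": data[0], "disk": int(data[1])}

def bursts(events, gap=timedelta(seconds=10)):
    """Group removals spaced <= gap apart; returns [(start_time, [disks])]."""
    groups = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if groups and ev["time"] - groups[-1][2] <= gap:
            groups[-1][1].append(ev["disk"])
            groups[-1][2] = ev["time"]
        else:
            groups.append([ev["time"], [ev["disk"]], ev["time"]])
    return [(start, disks) for start, disks, _ in groups]

def summarize(xml_records):
    events = [e for e in map(parse_157, xml_records) if e]
    return bursts(events)
```

Running `summarize` over exported System log records gives one row per burst with the disk numbers involved, which can then be lined up against install, uninstall or update times.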
     
