NTFS DOCUMENTS (18)

Make your life easy!

Search:

07-09
30

eric Related Resource 0 2007-09-30 02:50:51 -0400

10. Attribute - $INDEX_ROOT (0x90)
10.1. Overview
This is the root node of the B+ tree that implements an index (e.g. a directory). This file attribute is always resident.

10.2. Layout of the Attribute
Link up below:

$INDEX_ROOT
Standard Attribute Header
Index Root
Index Header
Index Entry
Index Entry
...

10.2.1. Index Root
Table 2.24. Layout of the $INDEX_ROOT (0x90) attribute: an Index Root

Offset	Size	Description
~	~	Standard AttributeHeader
0x00	4	Attribute Type
0x04	4	Collation Rule
0x08	4	Size of Index Allocation Entry (bytes)
0x0C	1	Clusters per Index Record
0x0D	3	Padding (Align to 8 bytes)

10.2.2. Index Header
Table 2.25. Layout of the $INDEX_ROOT (0x90) attribute: an Index Header

Offset	Size	Description
0x00	4	Offset to first Index Entry
0x04	4	Total size of the Index Entries
0x08	4	Allocated size of the Index Entries
0x0C	1	Flags
0x0D	3	Padding (align to 8 bytes)

10.2.3. Flags
Table 2.26. Index flags

Flag	Description
0x00	Small Index (fits in Index Root)
0x01	Large index (Index Allocation needed)

Silly to have a flag of 0x00, remove the large index flag indicates whether the file attributes index allocation and bitmap are present (when the index is small enough to be stored completely in the root node, these two file attributes are missing).

10.3. Notes
10.3.1. Size
As defined in $AttrDef, this attribute has a no minimum or maximum size.

10.3.2. Sequence of index entries
This is a sequence of index entries that has a variable length. The sequence is terminated with a special index entry whose last entry flag is set. This is the header for indexes, describing the INDEX_ENTRY records, which follow the INDEX_HEADER.

Together the index header and the index entries make up a complete index. This is followed by a sequence of index entries (INDEX_ENTRY structures) as described by the index header.

When a directory is small enough to fit inside the index root then this is the only attribute describing the directory. When the directory is too large to fit in the index root, on the other hand, two additional attributes are present: an index allocation attribute, containing sub-nodes of the B+ directory tree (see below), and a bitmap attribute, describing which virtual cluster numbers (VCNs) in the index allocation attribute are in use by an index block.

NOTE: The root directory (FILE_$root) contains an entry for itself.

Struck
{ATTR_TYPES type; Type of the indexed attribute. Is $FILENAME for directories, zero for view indexes. No other values allowed. COLLATION_RULES collation_rule; Collation rule used to sort the index entries. If type is $FILENAME, this must be COLLATION_FILENAME. __u32 bytes_per_index_block; Byte size of each index block (in the index allocation attribute). __u8 clusters_per_index_block; Cluster size of each index block (in the index allocation attribute), when an index block is >= than a cluster, otherwise this will be the log of the size (like how the encoding of the MFT record size and the index record size found in the boot sector work). Have to be a power of 2. } INDEX_ROOT;

10.4. List of Common Indexes
Table 2.27. Common Indexes

Name	Index Of	Used By
$I30	Filenames	Directories
$SDH	SecurityDescriptors	$Secure
$SII	Security Ids	$Secure
$O	Object Ids	$ObjId
$O	Owner Ids	$Quota
$Q	Quotas	$Quota
$R	ReparsePoints	$Reparse

Which elements are shared between indexes? Not relevant for index root

There are more attributes in the $INDEX_ROOT (0x90). However, in index root, not only the structure but also the purpose should be researched. In Linux/Unix operating system, although the file system isn't same, there are some common attributes between the Linux/Unix and the Windows. Just like the index root attribute.

Microsoft didn't describe the attributes clearly. But in data recovery field, the index root attribute is very important to search the files. According to the index root, you can find the content of the files.