Cloudy Happy

Authoreric   Category Related Resource   Comments0   Post Time 2007-10-25 21:25:11 -0400

Chapter 3. NTFS Files
1. Overview
Everything on an NTFS volume is a file. There are two categories: Metadata and Normal. The Metadata files contain information about the volume and the Normal files contain your data.

1.1.    Layout of the Volume
Below is a table of files found on a Win2K volume (Key).

Table 3.1. Layout of files on the Volume

 Inode Filename OS Description
 0 $MFT  Master File Table - An index of every file
 1 $MFTMirr  A backup copy of the first 4 records of the MFT
 2 $LogFile  Transactional logging file
 3 $Volume  Serial number, creation time, dirty flag
 4 $AttrDef  Attribute definitions
 5 .(dot)  Root directory of the disk
 6 $Bitmap  Contains volume's cluster map (in-use vs. free)
 7 $Boot  Boot record of the volume
 8 $BadClus  Lists bad clusters on the volume
 9 $Quota NT Quota information
 Security descriptors used by the volume
 10 $UpCase  Table of uppercase characters used for collating
 11 $Extend 2K A directory: $ObjId, $Quota, $Reparse, $UsnJrnl
 12-15 <Unused>
  Marked as in use but empty
 16-23 <Unused>  Marked as unused
 Any $ObjId 2K Unique Ids given to every file
 Any $Quota 2K Quota information
 Any $Reparse 2K Reparse point information
 Any $UsnJrnl 2K Journalling of Encryption
 >24 A_File  An ordinary file

 An ordinary directory


1.2. Notes
1.2.1. Unused Inodes
On a freshly formatted volume, inodes 0x0B to 0x0F are marked asin use, but empty. Inodes 0x10 to 0x17 are marked as free and not used. This doesn't change until the volume is under a lot of stress.

When the $MFT becomes very fragmented it won't fit into one FILE Record and an extension record is needed. If a new record was simply allocated at the end of the $MFT then we encounter a problem. The $DATA Attribute describing the location of the new record is in the new record.
The new records are therefore allocated from inode 0x0F, onwards. The $MFT is always a minimum of 16 FILE Records long, therefore always exists. After inodes 0x0F to 0x17 are used up, higher, unreserved, inodes are used.

This effect may not be limited to the $MFT, but more evidence is needed.

1.2.2. Other Information
For some reason $ObjId, $Quota, $Reparse and $UsnJrnl don't have inode numbers below 24, like the rest of the Metadata files.

Also, the sequence number for each of the system files is always sequel to their MFT record number and it is never modified.

We here just want to prove one standpoint: everything in NTFS is a file including MFT itself. Hence, the MFT will record everything including itself. In this Chapter, you will see our standpoint everywhere. Please remember, everything in NTFS is a file.

Trackback URL Trackback: http://blog.easeus.com/action.php?action=tb&id=79

Tags Tags: windows,NTFS,xp,ntfs,files

Comments List

Post a Comment

  • Name:
  • Email:
  • HomePage:
  • Comment:
  • Question:

Home | Solution | About Company | Contacts | Resource | Blog | Forum | Directory | Links | Sitemap

Copyright © 2005-2008 CHENGDU YIWO Tech Development Co., Ltd. ALL RIGHTS RESERVED.

Privacy Policy | License | Legal Counsel