5.2. Layout of the Attribute
Table 2.7. Layout of the $OBJECT_ID (0x40) attribute
| Offset | Size | Name | Description |
| Standard Attribute Header | | | |
| 0x00 | 16 | GUID Object Id | Unique Id assigned to file |
| 0x10 | 16 | GUID Birth Volume Id | Volume where file was created |
| 0x20 | 16 | GUID Birth Object Id | Original Object Id of file |
| 0x30 | 16 | GUID Domain Id | Domain in which object was created |
5.2.1. Birth Volume Id
Birth Volume Id is the Object Id of the Volume on which the Object Id was allocated. It never changes.
5.2.2. Birth Object Id
Birth Object Id is the first Object Id that was ever assigned to this MFT Record, i.e. if the Object Id is changed for some reason, this field will reflect the original value of the Object Id.
5.2.3. Domain Id
Domain Id is currently unused, but it is intended to be used in a network environment where the local machine is part of a Windows 2000 Domain. This may be used in a Windows 2000 Advanced Server managed domain.
5.3. Notes
5.3.1. Other Information
This Attribute may be just 16 bytes long (the size of one GUID).
Even if the Birth Volume, Birth Object and Domain Ids are not used, they may be present, but one or more may be zero.
Need examples where all the fields are used.
We believed that the $OBJECT_ID has more attributes. ID is an important structure in the Microsoft Architectonics. Hence, we suspect there might be some cryptic attributes which we didn’t find. We hope whoever found these attributes will contact us. The assistance would be appreciated.
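A parser for the layout in Table 2.7, given as an added example and not part of the original documentation. It assumes the input is the attribute content after the standard attribute header, that GUIDs are stored in the Windows little-endian GUID layout, and that a short attribute is a whole number of GUIDs; the function names and sample values are constructed for illustration.

```python
import uuid

# Field names and offsets from Table 2.7; each field is one 16-byte GUID.
FIELDS = (
    (0x00, "object_id"),
    (0x10, "birth_volume_id"),
    (0x20, "birth_object_id"),
    (0x30, "domain_id"),
)
GUID_SIZE = 16


def parse_object_id(value: bytes) -> dict:
    """Parse the content of an $OBJECT_ID (0x40) attribute.

    Fields beyond the end of a short attribute are returned as None;
    fields that are present but zero are returned as the nil GUID.
    """
    # Assumption: valid lengths are 16, 32, 48 or 64 bytes.
    if len(value) < GUID_SIZE or len(value) % GUID_SIZE or len(value) > 0x40:
        raise ValueError(f"unexpected $OBJECT_ID length: {len(value)}")
    parsed = {}
    for offset, name in FIELDS:
        chunk = value[offset:offset + GUID_SIZE]
        # Assumption: on-disk GUIDs use the Windows layout (first three
        # components little-endian), which bytes_le decodes.
        parsed[name] = uuid.UUID(bytes_le=chunk) if len(chunk) == GUID_SIZE else None
    return parsed


def unused_fields(parsed: dict) -> list:
    """Names of fields that are absent or present but zero."""
    return [n for n, g in parsed.items() if g is None or g.int == 0]


def object_id_changed(parsed: dict) -> bool:
    """True when Birth Object Id is set and differs from the current Object Id."""
    birth = parsed["birth_object_id"]
    return birth is not None and birth.int != 0 and birth != parsed["object_id"]


# Constructed sample values (not taken from a real volume).
SAMPLE_OID = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_VOL = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SHORT = SAMPLE_OID.bytes_le  # the 16-byte form: Object Id only
FULL = SAMPLE_OID.bytes_le + SAMPLE_VOL.bytes_le + SAMPLE_OID.bytes_le + bytes(16)

if __name__ == "__main__":
    for label, raw in (("short", SHORT), ("full", FULL)):
        p = parse_object_id(raw)
        print(label, p, "unused:", unused_fields(p), "changed:", object_id_changed(p))
```

When triaging a file, a Birth Object Id that differs from the current Object Id indicates the Object Id was reassigned after creation, per section 5.2.2.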
6. Attribute - $SECURITY_DESCRIPTOR (0x50)
6.1. Overview
Standard Attribute Header?
The security descriptor can be summarized as:
A header (may be flags), followed by one or two ACLs and two SIDs.
The first ACL contains auditing information and may be absent.
The second ACL contains permissions (who can do what).
Each ACL contains one or many ACEs.
Each ACE contains a SID.
The last two SIDs show the owner of the object (User and Group)
