eric 
0 
2007-09-10 01:54:13 -0400Chapter 2 NTFS Attributes
1. Overview
Each MFT FILE Record is built up from Attributes. The list of possible Attributes is defined in $AttrDef.
Table 2.1 Standard NTFS Attributes
| Type | OS | Name |
| 0x10 | $STANDARD_INFORMATION | |
| 0x20 | &nbs; | $ATTRIBUTE_LIST |
| 0x30 | $FILE_NAME | |
| 0x40 | NT | $VOLUME_VERSION |
| 0x40 | 2K | $OBJECT_ID |
| 0x50 | $SECURITY_DESCRIPTOR | |
| 0x60 | $VOLUME_NAME | |
| 0x70 | $VOLUME_INFORMATION | |
| 0x80 | $DATA | |
| 0x90 | $INDEX_ROOT | |
| 0xA0 | $INDEX_ALLOCATION | |
| 0xB0 | $BITMAP | |
| 0xC0 | NT | $SYMBOLIC_LINK |
| 0xC0 | 2K | $REPARSE_POINT |
| 0xD0 | $EA_INFORMATION | |
| 0xE0 | $EA | |
| 0xF0 | NT | $PROPERTY_SET |
| 0x100 | 2K | $LOGGED_UTILITY_STREAM |
1.1. Notes
1.1.1. Other Information
$PROPERTY_SET, $SYMBOLIC_LINK and $VOLUME_VERSION existed in NTFS v1.2, but weren't used. They no longer exist in NTFS v3.0 (that used by Win2K).
Each MFT record has a Standard Header, followed by a list of attributes (in order of ascending Attribute Id) and an end marker. The end marker is just four bytes: 0xFFFFFFFF.
2. Attribute -$STANDARD_INFORMATION (0x10)
2.1. Overview
In old version of NTFS this Attribute contained little more than the DOS File Permissions and the file times.
Windows 2000 introduced four new fields which are used to reference Quota, Security, File Size and Logging information.
As defined in $AttrDef, this attribute has a minimum size of 48 bytes and a maximum of 72 bytes.
Trackback: http://blog.easeus.com/action.php?action=tb&id=36
Tags: windows,NTFS,xp,ntfs,MFT
