NTFS documents (7)

Drizzle Happy

Authoreric   Category Related Resource   Comments0   Post Time 2007-09-13 05:59:26 -0400

Table 2.4. Layout of the $ATTRIBUTE_LIST (0x20) attribute

 Offset Size Description
   Standard AttributeHeader
 0x00 4 Type
 0x04 2 Record length
 0x06 1 Name length (N)
 0x07 1 Offset to Name (a)
 0x08 8 Starting VCN (b)
 0x10 8 Base File Reference of the attribute
 0x18 2 Attribute Id (c)
 0x1A 2N Name in Unicode (if N >0)

(a) If the name doesn't exist, this point is still at the attribute or zero.
(b) Starting VCN, or zero if the attribute is resident
(c) Each attribute has a unique identifier
(d) it always points to where the name would be (0x1A)0x04 record allocation (8 byte alignment)(c) always seems to be zero, check(c) no it's only shown the first time for a given attribute type not sure about sorting by sequence number. 

3.3. Notes
3.3.1. $AttrDef
It can be either resident or non-resident. This attribute has a minimum or maximum size.

3.3.2. Other Information
The offset at 0x07 is just one byte long, unusual for an attribute.
If this attribute is non-resident, then the data runs must fit into one MFT record.
The $ATTRIBUTE_LIST may be needed if the file:
  Has a large number of hard links (lots of file name attributes present).
  Becomes very fragmented, so the data runs overflow the MFT record.
  Has a complex security descriptor (not applicable to NTFSv3.0+
  Have many named streams, e.g. data streams.

3.3.3. To Do
8 VCN lowest_vcn:
Lowest virtual cluster number of this portion of the attribute value is usually 0. It is non-zero for the case where one attribute does not fit into one MFT record and thus several MFT records are allocated to hold this attribute. In the latter case, each MFT record holds one extent of the attribute and there is one attribute list entry for each extent. NOTE: This is DEFINITELY a signed value! The windows driver uses CMP when comparing this, thus it treats it as signed.
24 __u16 instance:

If lowest_vcn = 0, the instance of the attribute being referenced; otherwise 0.

The attribute list is used in case where a file need extension FILE records in the MFT to be fully described, in order to find any file attribute of this file.

This file attribute may be non-resident because its stream is likely to grow.

The extents of one non-resident attribute (if present) immediately follow after the initial extent. They are ordered by lowest_vcn and have their instance set to zero.

There are other attributes in $ATTRIBUTE_LIST. Such as File Create Time, File Amend Time, MFT Variety Time, File Record Time etc. And there still are Owner ID, Security ID, and Upgrade SN etc. The reason why we didn’t expatiate is that there are a lot of varieties in these attributes. And these attributes are too hard to understand. But if you are very interested in them, you can find them in the internet.

We believed that the $ATTRIBUTE_LIST has more attributes, but we didn't write into this researching record. We have queried a lot of file with Microsoft's recorder. However, there also isn't a detail explanation about the $ATTRIBUTE_LIST attributes. If you have more questions about this, we suggest that you should contact our website for querying. However, almost of our product can support the $ATTRIBUTE_LIST attributes searching. Please don't be worried about this. Our website is: http://www.easeus.com

Trackback URL Trackback: http://blog.easeus.com/action.php?action=tb&id=41

Tags Tags: windows,NTFS,xp,ntfs,attribute

Comments List

Post a Comment

  • Name:
  • Email:
  • HomePage:
  • Comment:
  • Question:

Home | Solution | About Company | Contacts | Resource | Blog | Forum | Directory | Links | Sitemap

Copyright © 2005-2008 CHENGDU YIWO Tech Development Co., Ltd. ALL RIGHTS RESERVED.

Privacy Policy | License | Legal Counsel