Interpretation of NTFS (1)

Source: Internet
Author: User
NTFS is a much more complex file system than FAT. Let's work through it together and interpret it fully.
Like FAT's, the NTFS boot sector both starts the boot process and defines the partition parameters. There is a difference, though: on a FAT partition an intact boot record is enough for the partition to open without error even if the files inside are damaged, whereas on an NTFS partition an intact boot sector is not sufficient. The partition can only be accessed normally once the system records in the MFT, such as $MFT itself, are also intact. The BPB parameters are shown in the following table.

Values are shown as the bytes lie on disk, i.e. little-endian, so 0x0002 at offset 0x0B means 512 bytes per sector.

Offset  Length   Typical value         Meaning
0x0B    word     0x0002                bytes per sector
0x0D    byte     0x08                  sectors per cluster
0x0E    word     0x0000                reserved sectors
0x10    3 bytes  0x000000              always 0
0x13    word     0x0000                not used by NTFS, 0
0x15    byte     0xF8                  media descriptor
0x16    word     0x0000                always 0
0x18    word     0x3F00                sectors per track
0x1A    word     0xFF00                number of heads
0x1C    dword    0x3F000000            hidden sectors
0x20    dword    0x00000000            not used by NTFS, 0
0x28    8 bytes  0x4AF57F0000000000    total sectors
0x30    8 bytes  0x0400000000000000    $MFT logical cluster number
0x38    8 bytes  0x54FF070000000000    $MFTMirr logical cluster number
0x40    dword    0xF6000000            clusters per MFT file record (record size)
0x44    dword    0x01000000            clusters per index block
0x48    8 bytes  0x14A51B74C91B741C    volume serial number
0x50    dword    0x00000000            checksum

The file record size in the MFT is generally fixed at 1 KB, regardless of the cluster size. File records are physically consecutive in the MFT file record array and are numbered from 0; NTFS is therefore a predefined file system. The MFT is used only by the system to organize and structure the file system; in NTFS this is called metadata, stored on the volume to support file-system management. It cannot be accessed by applications and only provides services to the system. The first 16 records are the most basic and important metadata files used by the operating system. These metadata files start with "$" and are hidden: in Windows 2000/XP you cannot list them like normal files with the Dir command, even with the /AH parameter. With NFI.EXE, or in WinHex, you can display the correspondence between these records and files.

These metadata files are required by the system driver to manage volumes. The fact that Windows 2000/XP assigns a drive letter to a partition does not mean the partition holds a file system format that Windows 2000/XP can recognize. If the Master File Table is corrupted, the partition cannot be read in Windows 2000/XP. To make the partition recognizable again, you must first create a file system format that Windows 2000/XP can recognize, that is, the Master File Table; this can be done by formatting the partition in advanced mode. Windows locates the storage position of a file on disk by cluster number. In the FAT file system the cluster-number pointers are held in the FAT table; in NTFS they are held in the $MFT and $MFTMirr files.

NTFS uses the logical cluster number (LCN) and the virtual cluster number (VCN) to locate clusters. The LCN simply numbers all clusters of the entire volume from start to end. By multiplying the LCN by the cluster factor (the cluster size), NTFS obtains the byte offset within the volume and thus the physical disk address. A VCN numbers the clusters belonging to a particular file from start to end, so that data within the file can be referenced. VCNs are mapped to LCNs, and the clusters need not be physically contiguous.

On an NTFS volume, the data fields following the BPB form an extended BPB. The data in these fields enables NTLDR to find the Master File Table (MFT) during startup. Unlike the FAT on a FAT16 or FAT32 volume, the MFT on an NTFS volume is not placed in a predefined sector. For this reason, if there is a bad sector at the normal position of the MFT, the MFT can be moved to another location. However, if this BPB data is damaged, the location of the MFT cannot be found, and Windows 2000 assumes that the volume is not formatted.
Therefore, if an NTFS volume reports that it is not formatted and the MFT itself may not be damaged, the BPB can be rebuilt from the fields listed above.
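As an added example (not part of the original article), the following Python reads the BPB fields from the table above out of a boot sector and derives the values NTFS needs to reach $MFT: the cluster size, the byte offsets of $MFT and $MFTMirr, and the file record size from the signed byte at 0x40. The boot sector is constructed inline from the table's example values; the check on the "NTFS    " OEM identifier at offset 3 is an assumption not listed in the table.

```python
import struct

def size_field(raw: int, cluster: int) -> int:
    # Positive values count clusters; negative values mean 2**|raw| bytes regardless of cluster
    # size, so the 0xF6 (-10) at offset 0x40 yields the 1 KB file record described in the text.
    return 2 ** (-raw) if raw < 0 else raw * cluster

def parse_bpb(sector: bytes) -> dict:
    """Read the BPB fields listed in the table and derive the locations NTFS needs to mount."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    ":   # OEM id check (assumption, not in the table)
        raise ValueError("not an NTFS boot sector")
    bps, spc, reserved = struct.unpack_from("<HBH", sector, 0x0B)
    media = sector[0x15]
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    rec_raw, idx_raw = struct.unpack_from("<bxxxbxxx", sector, 0x40)
    serial = struct.unpack_from("<Q", sector, 0x48)[0]
    if bps == 0 or spc == 0:
        raise ValueError("zero sector or cluster size: BPB damaged, rebuild it before reading $MFT")
    cluster = bps * spc
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "bytes_per_cluster": cluster,
        "media": media, "volume_bytes": total_sectors * bps,
        "mft_offset": mft_lcn * cluster,          # LCN * cluster size = byte offset in the volume
        "mftmirr_offset": mftmirr_lcn * cluster,
        "mft_record_size": size_field(rec_raw, cluster),
        "index_block_size": size_field(idx_raw, cluster),
        "serial": f"{serial:016X}",
    }

# Constructed boot sector carrying the example values from the table above (not dumped from a
# real disk). The table shows the bytes as they lie on disk, i.e. little-endian, so 0x0002 is 512.
BOOT_SECTOR = bytearray(512)
BOOT_SECTOR[3:11] = b"NTFS    "
struct.pack_into("<HBH", BOOT_SECTOR, 0x0B, 512, 8, 0)             # bytes/sector, sectors/cluster, reserved
BOOT_SECTOR[0x15] = 0xF8                                           # media descriptor
struct.pack_into("<HHI", BOOT_SECTOR, 0x18, 0x3F, 0xFF, 0x3F)      # sectors/track, heads, hidden sectors
struct.pack_into("<QQQ", BOOT_SECTOR, 0x28, 0x7FF54A, 4, 0x7FF54)  # total sectors, $MFT LCN, $MFTMirr LCN
struct.pack_into("<bxxxbxxx", BOOT_SECTOR, 0x40, -10, 1)           # clusters per file record / index block
struct.pack_into("<Q", BOOT_SECTOR, 0x48, 0x1C741BC9741BA514)      # volume serial number
BOOT_SECTOR[0x1FE:0x200] = b"\x55\xAA"                             # boot sector signature

if __name__ == "__main__":
    for key, value in parse_bpb(bytes(BOOT_SECTOR)).items():
        print(f"{key:>20}: {value}")
```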

NTFS default cluster size

Volume size                   Sectors per cluster   Default cluster size
512 MB or less                1                     512 bytes
513 MB to 1024 MB (1 GB)      2                     1024 bytes (1 KB)
1025 MB to 2048 MB (2 GB)     4                     2048 bytes (2 KB)
2049 MB or more               8                     4096 bytes (4 KB)

It can be seen from the above that, no matter how large the drive, the default NTFS cluster size does not exceed 4 KB.

NTFS files: definition of file attributes

Each file attribute consists of the following parts:

A byte sequence holding the actual value of the attribute, called a "stream"; the metadata is what allows the stream to be accessed.

Each file attribute may have a name. In that case the stream is accessed with the syntax "file name:attribute name" (this is why ":" cannot be used in a file name). Windows NT® uses the following list of attribute types, pre-defined in the metadata file $AttrDef. (Normally there is one unnamed stream, the default stream; only one unnamed stream can exist, but there can be several named streams, since NTFS supports multi-stream files.)

10  $STANDARD_INFORMATION  (standard information)
20  $ATTRIBUTE_LIST        (attribute list)
30  $FILE_NAME             (file name)
40  $VOLUME_VERSION        (volume version)
50  $SECURITY_DESCRIPTOR   (security descriptor)
60  $VOLUME_NAME           (volume name)
70  $VOLUME_INFORMATION    (volume information)
80  $DATA                  (data)
90  $INDEX_ROOT            (index root)
A0  $INDEX_ALLOCATION      (index allocation)
B0  $BITMAP                (bitmap)
C0  $SYMBOLIC_LINK         (symbolic link)
D0  $EA_INFORMATION        (extended attribute information)
E0  $EA                    (extended attributes)

Attribute stream Structure

Each file attribute is divided into two parts. Although the two parts are recorded in the file record's attribute list in the reverse order, for easier understanding we introduce them in the following order:

Content section:

Its structure always starts with the attribute name (n bytes long), and what follows the name depends on whether the attribute is resident. When the attribute's data stream is stored directly after its name, the attribute is resident. This gives better access times for attributes with small streams that do not grow. If an attribute is not resident, its stream is stored in one or more extents, also called runs. A run is a contiguous range of logical cluster numbers. To reach these runs, NTFS stores a table called the "run list" immediately after the attribute name.

Header:

Offsets are counted from the start of the header:

Offset  Length  Description
0x00    4       Type
0x04    4       Length
0x08    1       Non-resident flag
0x09    1       n = name length (attribute name length)
0x0A    2       Offset to the content part
0x0C    2       Compressed flag
0x0E    2       Identificator (attribute id)

Name length:

00 indicates that the attribute is unnamed.

Compressed flag: in NTFS, data compression is implemented at the file attribute level, which means that a fault does not cost you a large amount of data. Although from the user's point of view only the file is compressed, a compressed file in fact means that the data of its attributes is compressed. From this point on, the layout of the header depends on whether the attribute is resident:

For a resident attribute, the fields from the start of the header are:

Offset  Length  Description
0x10    4       Length of the stream
0x14    2       Offset to the stream
0x16    2       Indexed flag

Indexed flag:

The attribute is indexed through an index entry.

For a non-resident attribute, the fields from the start of the header are:

Offset  Length  Description
0x10    8       Starting VCN
0x18    8       Last VCN
0x20    2       Offset to the run list
0x22    2       Compression engine number
0x28    8       Allocated size of the stream
0x30    8       Real size of the stream
0x38    8       Initialized size of the stream

VCN is the acronym of virtual cluster number, a concept tied to non-resident attributes. VCNs number the clusters of the attribute stream from the first cluster of the first run (VCN 0) to the last cluster of the last run. When a run list is very large and the attribute cannot fit in one file record, the attribute describing the file is spread over several file records and the run list is split into several small pieces. The starting VCN and last VCN fields are then used to locate the file record whose piece of the run list describes a given VCN.

Note: if the attribute fits in a single file record, the last VCN field (unused in that case) may be "00 00 00 00 00 00".

Compression engine number:

To achieve the best compression ratio, NTFS can use different compression engines for different types of data. The current compression engine value is 04.

Allocated size of the stream: the space allocated on the volume to hold the attribute stream, always a multiple of the cluster size.

If the stream is not compressed, this is the real size rounded up to a whole number of clusters; if it is compressed, it is smaller.

Real size of the stream:
The size of the attribute stream before compression.
Initialized size of the stream:
The compressed size of the attribute stream (always less than the allocated size). If the stream is not compressed, it equals the real size.
Note:
Resident attributes are never compressed (and have no compression engine field) because their streams are too small.

As a consistency check: name length + offset to the content part = offset to the stream (resident attribute) or offset to the run list (non-resident attribute).
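To tie the two header layouts together, here is an added Python example (written for this page, not taken from the original article or from any NTFS implementation) that decodes the common header, then the resident or non-resident fields, and applies the consistency check just stated. It assumes attribute names are stored as UTF-16LE and that bit 0x0001 of the flags word is the compressed flag; the two attribute records are constructed inline, and the run list is kept as raw bytes because its encoding is not covered here.

```python
import struct

RESIDENT_FIELDS = "<IHBx"          # 0x10 stream length, 0x14 stream offset, 0x16 indexed flag
NONRESIDENT_FIELDS = "<QQHH4xQQQ"  # 0x10 start VCN, 0x18 last VCN, 0x20 run list offset,
                                   # 0x22 compression engine, 0x28/0x30/0x38 allocated/real/initialized

def parse_attribute(buf: bytes, off: int = 0) -> dict:
    """Decode the attribute header at buf[off:] into the fields from the tables above."""
    atype, length, nonres, name_len, name_off, flags, attr_id = struct.unpack_from("<IIBBHHH", buf, off)
    # Assumption: the name is stored as UTF-16LE, so n characters occupy 2n bytes.
    name = buf[off + name_off: off + name_off + 2 * name_len].decode("utf-16-le")
    attr = {"type": atype, "length": length, "non_resident": bool(nonres), "name": name,
            "compressed": bool(flags & 0x0001), "id": attr_id}   # 0x0001 = compressed (assumption)
    if not nonres:
        stream_len, stream_off, indexed = struct.unpack_from(RESIDENT_FIELDS, buf, off + 0x10)
        attr.update(stream=buf[off + stream_off: off + stream_off + stream_len], indexed=bool(indexed))
        content_off = stream_off
    else:
        start_vcn, last_vcn, run_off, engine, alloc, real, init = struct.unpack_from(
            NONRESIDENT_FIELDS, buf, off + 0x10)
        attr.update(start_vcn=start_vcn, last_vcn=last_vcn, compression_engine=engine,
                    allocated_size=alloc, real_size=real, initialized_size=init,
                    runlist=buf[off + run_off: off + length])   # raw run list, not decoded here
        content_off = run_off
    # Consistency check from the text: the name sits between the fixed header and the stream or
    # run list, so name offset + name bytes must not pass the stream / run list offset.
    attr["consistent"] = name_off + 2 * name_len <= content_off <= length
    return attr

# Constructed records (not from a real disk): an unnamed resident $DATA (type 0x80) holding 5 bytes,
# and a non-resident $DATA named "log" covering VCN 0..2 on a volume with 4 KB clusters.
RESIDENT_ATTR = (struct.pack("<IIBBHHH", 0x80, 0x20, 0, 0, 0x18, 0, 1)
                 + struct.pack(RESIDENT_FIELDS, 5, 0x18, 0) + b"hello".ljust(8, b"\0"))
NONRESIDENT_ATTR = (struct.pack("<IIBBHHH", 0x80, 0x50, 1, 3, 0x40, 0, 2)
                    + struct.pack(NONRESIDENT_FIELDS, 0, 2, 0x48, 0, 3 * 4096, 10000, 10000)
                    + "log".encode("utf-16-le").ljust(8, b"\0")
                    + b"\x21\x03\x00\x10\x00".ljust(8, b"\0"))   # run list bytes (encoding not covered here)

if __name__ == "__main__":
    record = RESIDENT_ATTR + NONRESIDENT_ATTR   # two attributes back to back, as in a file record
    print(parse_attribute(record, 0))
    print(parse_attribute(record, len(RESIDENT_ATTR)))
```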
