Ntfs

The document discusses the basic design and implementation of the NTFS file system used in Windows. It covers topics like the structure of disk volumes, file records, attributes, indexes and how they are used to represent files and metadata.

Uploaded by

api-3697915
Copyright
© Attribution Non-Commercial (BY-NC)

Windows Kernel Internals

NTFS
David B. Probert, Ph.D.
Windows Kernel Development
Microsoft Corporation

© Microsoft Corporation 1
Basic Design Points

• ARIES logging
• Meta-data via Cache Manager
• Self describing meta-data
• B-trees for fast index lookup
• Multiple user data streams

Disk Basics
• Volume exported via device object
• Addressed by byte offset and length
• Enforced on sector boundaries
• NTFS allocation unit - clusters
• Round size down to clusters

NTFS Knows Files

• Partition is collection of files


• Common routines for all meta-data
• Utilizes MM and Cache Manager
• No specific on-disk locations

Some System Files
• $Bitmap
• $BadClus
• $Boot
• . (root directory)
• $Logfile
• $Volume

MFT File
• Data is entirely File Records
• File Records are fixed size
• Every file on volume has a File Record
• File records are recycled
• Reserved area for system files

File Records

• ‘Base’ file record for each file


• Header followed by ‘Attributes’
• Additional file records as needed
• Update Sequence Array
• ID by offset and sequence number

File D:\Letters (File ID 0x200)

File contents: ABCDEFGHIJKLMNOPQRSTUV

File \$Mft (figure labels: 100 200 280 / 200 0 200): JK LM NO ABCDEFGHI PQRST UV

Physical Disk: PQRST GHI LM UV ABCDEF JK NO


File Basics

• Timestamps
• File attributes (DOS + NTFS)
• Filename (+ hard links)
• Data streams
• ACL
• Indexes

File Building Blocks

• File Records
• Ntfs Attributes
• Allocated clusters

File Record Header
• USA Header
• Sequence Number
• First Attribute Offset
• First Free Byte and Size
• Base File Record
• IN_USE bit
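
The header fields listed above, together with the Update Sequence Array and the "offset and sequence number" file ID from the File Records slide, can be read with a short parser. This is an added example, not code from the slides. The byte offsets, the 512-byte stride and the 48-bit/16-bit split of a file reference follow the commonly documented NTFS on-disk layout and do not appear on the slides; the sample record is constructed.

```python
import struct

SECTOR = 512  # assumption: each update sequence array (USA) entry covers 512 bytes

def apply_fixups(raw: bytes) -> bytes:
    """Check every sector tail against the USN, then restore the saved bytes."""
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if usa_cnt < 2 or (usa_cnt - 1) * SECTOR != len(rec) or usa_off + 2 * usa_cnt > SECTOR - 2:
        raise ValueError("implausible update sequence array")
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError(f"sector {i - 1} tail does not match USN (torn or altered write)")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_header(raw: bytes) -> dict:
    """Decode the file record header fields named on the slide."""
    if raw[:4] != b"FILE":
        raise ValueError("not a file record")
    rec = apply_fixups(raw)
    seq, _links, first_attr, flags, first_free, size = struct.unpack_from("<HHHHII", rec, 0x10)
    (base_ref,) = struct.unpack_from("<Q", rec, 0x20)
    if not first_attr <= first_free <= size <= len(rec):
        raise ValueError("header offsets point outside the record")
    return {"sequence": seq, "in_use": bool(flags & 0x0001),
            "first_attribute": first_attr, "first_free": first_free, "size": size,
            # A file reference is a 48-bit record number plus a 16-bit sequence number.
            "base_record": base_ref & 0xFFFFFFFFFFFF, "base_sequence": base_ref >> 48}

def build_sample() -> bytes:
    """Constructed 1024-byte auxiliary record whose base is record 0x200, sequence 7."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)   # USA at 0x30: USN plus two saved tails
    struct.pack_into("<HHHHII", rec, 0x10, 5, 1, 0x38, 0x0001, 0x40, 1024)
    struct.pack_into("<Q", rec, 0x20, (7 << 48) | 0x200)
    rec[510:512], rec[1022:1024] = b"\xAA\xBB", b"\xCC\xDD"  # real data at sector tails
    usn = b"\x2a\x00"
    rec[0x30:0x36] = usn + rec[510:512] + rec[1022:1024]     # what a writer stores
    rec[510:512] = rec[1022:1024] = usn                      # tails stamped with the USN
    return bytes(rec)

if __name__ == "__main__":
    print(parse_header(build_sample()))
```

A record whose sector tails disagree with the USN should be treated as damaged rather than parsed further, because the attribute offsets inside it cannot be trusted.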

NTFS Attributes
• Type code and optional name
• Resident or non-resident
• Header followed by value
• Sorted within file record
• Common code for operations

MFT File Record

$STANDARD_INFORMATION
(Time Stamps, DOS Attributes)
$FILE_NAME - VeryLongFileName.Txt

$FILE_NAME - VERYLO~1.TXT

$DATA (Default Data Stream)

$DATA - “VeryLongFileName.Txt:A named stream”

$END (Available for attribute growth or new attribute)


Attribute Header

• Length
• Form
• Name and name length
• Flags (Compressed, Encrypted, Sparse)

Resident Attributes
• Data follows attribute header
• ‘Allocation Size’ on 8-byte boundary
• May grow or shrink
• Convert to non-resident

Non-Resident Attributes

• Data stored in allocated disk clusters


• May describe sub-range of stream
• Sizes and stream properties
• Mapping pairs for on-disk runs

Some Attribute Types
$STANDARD_INFORMATION
$FILE_NAME
$SECURITY_DESCRIPTOR
$DATA
$INDEX_ROOT
$INDEX_ALLOCATION
$BITMAP
$EA

Mapping Pairs

• Stored in a byte optimal format


• Represents allocation and holes
• Each pair is relative to prior run
• Used to represent compression/sparse
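
A decoder makes the "byte optimal" and "relative to prior run" points concrete. This is an added example, not code from the slides. It assumes the commonly documented encoding, which the slides do not spell out: a header byte whose low nibble is the size of the length field and whose high nibble is the size of the signed offset field, an offset size of zero for a hole, and a zero byte as terminator. The `total_clusters` parameter and the sample bytes are constructed for illustration.

```python
def decode_mapping_pairs(buf: bytes, total_clusters=None):
    """Return [(start_vcn, start_lcn or None for a hole, cluster_count), ...]."""
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(buf):
        header = buf[pos]
        pos += 1
        if header == 0:                       # terminator byte ends the list
            return runs
        len_size, off_size = header & 0x0F, header >> 4
        if not 1 <= len_size <= 8 or off_size > 8:
            raise ValueError(f"bad header byte {header:#04x}")
        if pos + len_size + off_size > len(buf):
            raise ValueError("pair runs past the end of the attribute")
        count = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if count == 0:
            raise ValueError("zero-length run")
        if off_size == 0:                     # no offset field: a hole (sparse/compressed)
            runs.append((vcn, None, count))
        else:
            # The offset is a signed delta from the previous run's starting LCN.
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            if lcn < 0 or (total_clusters is not None and lcn + count > total_clusters):
                raise ValueError(f"run at VCN {vcn} lies outside the volume")
            runs.append((vcn, lcn, count))
        vcn += count
    raise ValueError("mapping pairs not terminated")

# Constructed sample: 24 clusters at LCN 0x5634, a 16-cluster hole,
# then 8 clusters starting 16 clusters before the first run.
SAMPLE = bytes.fromhex("21183456" "0110" "1108f0" "00")

if __name__ == "__main__":
    for run in decode_mapping_pairs(SAMPLE):
        print(run)
```

Passing the volume's cluster count lets a forensic or recovery tool reject runs that point outside the volume before it attempts any read.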

Indexes
• File name and view indexes
• Indexes are B-trees
• Entries stored at each level
• Intermediate nodes have down pointers
• $INDEX_ROOT
• $INDEX_ALLOCATION
• $BITMAP

Index Implementation

• Top level - $INDEX_ROOT


• Index buckets - $INDEX_ALLOCATION
• Available buckets - $BITMAP

$INDEX_ROOT: E J R end

Index buckets below the root: ABC GI NPQ Z

$INDEX_ALLOCATION: unused GI ABC data Z NPQ

$BITMAP: 0x36 (00110110)

$ATTRIBUTE_LIST
• Needed for multi-file record file
• Entry for each attribute in file
• Resident or non-resident form
• Must be in base file record

Attribute List (example)

Base Record - 0x200
• 0x10 - Standard
• 0x20 - Attribute List
• 0x30 - FileName
• 0x80 - Default Data
• 0x80 - Data1 “Owner”

Aux Record - 0x180
• 0x30 - FileName
• 0x80 - Data “Author”
• 0x80 - Data0 “Owner”
• 0x80 - Data “Writer”

Attribute List (example cont.)

Code  FR     VCN  Name      (Not Present)
0x10  0x200                 $Standard
0x30  0x200                 $Filename
0x30  0x180                 $Filename
0x80  0x200  0              $Data
0x80  0x180  0    “Author”  $Data
0x80  0x180  0    “Owner”   $Data
0x80  0x200  40   “Owner”   $Data
0x80  0x180       “Writer”  $Data

Discussion
