NTFS: Difference between revisions
| [unchecked revision] | [unchecked revision] |
mNo edit summary |
(Added a link to the Windows NT page.) |
||
| (23 intermediate revisions by 16 users not shown) | |||
| Line 1: | Line 1: | ||
{{Filesystems}} |
|||
NTFS is the native filesystem of WindowsNT. it supports security features in the filesystem such as access control. Since WindowsNT is entirly unicode, NTFS is a unicode filesystem, each "character" being 16bits wide. |
|||
NTFS ('''New Technology File System''') is [[Windows NT]]'s native file system. It is not only based on [[HPFS]], but also supports security features such as access control. Since Windows NT is entirely unicode, NTFS is a unicode filesystem, with each character (e.g. in names) being 16-bits instead of 8-bits. |
|||
== About NTFS (New Technology Filesystem) == |
|||
== About == |
|||
NTFS adds quite a bit more to [[HPFS]] than just security features, though. First, it adds quite a bit of builtin redundancy -- with HPFS, wiping out one sector in the wrong place can render an entire volume inaccessible. Second, it adds support for multiple hard-links to a file (up 'til now, the only easy access has been via the POSIX subsystem, but NT 5/Win2K adds this to Win32 as well). Third, it supports an arbitrary number of file forks a la MacOS (except MacOS always has exactly 2 forks per file). Fourth, [[HPFS]] decrees that a cluster is always 512 bytes, and a cluster is always one sector. For the sake of performance and compatibility with some (especially Japanese) machines, NTFS allows sectors of other sizes. It also supports clusters of more than one sector, which tends to help performance a little. |
|||
NTFS doesn't only add security features to [[HPFS]]. In NTFS, there is a lot more built-in redundancy. For example: in [[HPFS]], wiping out a sector in the wrong place can render the entire volume inaccessible. Support for multiple hard-links to a file (before NTFS, the only easy access was through the POSIX subsystem, but Windows 2000 (NT 5) added this to Win32 as well) was also added. |
|||
NTFS supports an arbitrary number of file forks (much like Mac OS, except Mac OS always has exactly 2 forks for each file). |
|||
NTFS is probably one of the most difficult file system to deal with, especially because of the lack of hacking experience and reliable documents about it. A read-only stable driver is in Linux source code base since kernel 2.4, while an experimental read-write driver is coming with linux 2.6. |
|||
[[HPFS]] decrees that a cluster is always 512 bytes long and a cluster is always one sector. For the sake of performance and compatibility with some (especially Japanese) machines, NTFS allows sectors of different sizes. It also supports clusters of more than one sector, which can be beneficial on performance. |
|||
The NTFS-3G project apparently has a Read/Write implementation for Linux/FreeBSD/BeOS that is considered by some as adequate. |
|||
In short, NTFS' most significant changes: |
|||
== Links == |
|||
* Better and more security. |
|||
* Multiple hard-links to one file. |
|||
* An arbitrary number of forks. |
|||
* Variable cluster and sectors sizes (usually resulting in better performance). |
|||
== Implementation == |
|||
* [http://www.linux-ntfs.org/ The Linux NTFS project.] |
|||
NTFS is probably one of the most difficult file system to deal with, especially because of the lack of hacking experience and reliable documents. A read-only stable driver can be found in the Linux source code base since kernel 2.4, while an experimental read-write driver is coming with linux 2.6. |
|||
* [http://www.ntfs-3g.org/ NTFS-3G Read/Write Drivers For Linux/FreeBSD/BeOS] |
|||
The NTFS-3G project apparently has a read/write implementation for Linux/FreeBSD/BeOS that is currently in '''beta''' development status. |
|||
== Structure == |
|||
The NTFS format is built around "file" tables that allow both pre-defined and custom attributes to be stored and read by the operating system. |
|||
The NTFS boot sector is similar to other file systems, like FAT. |
|||
{| {{wikitable}} |
|||
! Field |
|||
! Type |
|||
|- |
|||
|JMP || int8_t[3] |
|||
|- |
|||
|OEM System || char[8] |
|||
|- |
|||
|Bytes Per Sector || uint16_t |
|||
|- |
|||
|Sectors Per Cluster || int8_t |
|||
|- |
|||
|Reserved Sector Count || uint16_t |
|||
|- |
|||
|Table Count || int8_t |
|||
|- |
|||
|Root Entry Count || uint16_t |
|||
|- |
|||
|Sector Count || uint16_t |
|||
|- |
|||
|Media Type || int8_t |
|||
|- |
|||
|Sectors Per Table || uint16_t |
|||
|- |
|||
|Sectors Per Track || uint16_t |
|||
|- |
|||
|Heads || uint16_t |
|||
|- |
|||
|Hidden Sector Count || uint32_t |
|||
|- |
|||
|Sector Count (32-bit) || uint32_t |
|||
|- |
|||
|Reserved || uint32_t |
|||
|- |
|||
|Sector Count (64-bit) || uint64_t |
|||
|} |
|||
This is followed immediately by a NTFS specific header. |
|||
{| {{wikitable}} |
|||
!Field |
|||
!Type |
|||
|- |
|||
|Master File Table Cluster || uint64_t |
|||
|- |
|||
|Master File Table Mirror Cluster || uint64_t |
|||
|- |
|||
|Clusters Per Record || int8_t |
|||
|- |
|||
|Reserved || int8_t[3] |
|||
|- |
|||
|Clusters Per Index Buffer || int8_t |
|||
|- |
|||
|Reserved || int8_t[3] |
|||
|- |
|||
|Serial Number || uint64_t |
|||
|- |
|||
|Checksum || uint32_t |
|||
|} |
|||
Using the "Master File Table Cluster" and "Sectors Per Cluster" values, you can find the Master File Table. This table contains entries for every object in the file system, including files, folders, and the tables themselves. The size of each record in the Master File Table can be calculated using the "Clusters Per Record" and "Sectors Per Cluster" fields from the boot sector. |
|||
Each record starts with the same header structure. |
|||
{| {{wikitable}} |
|||
! Field |
|||
! Type |
|||
|- |
|||
|Record Type || char[4] |
|||
|- |
|||
|Update Sequence Offset || uint16_t |
|||
|- |
|||
|Update Sequence Length || uint16_t |
|||
|- |
|||
|Log File Sequence Number || uint64_t |
|||
|- |
|||
|Record Sequence Number || uint16_t |
|||
|- |
|||
|Hard Link Count || uint16_t |
|||
|- |
|||
|Attributes Offset || uint16_t |
|||
|- |
|||
|Flags || uint16_t |
|||
|- |
|||
|Bytes In Use || uint32_t |
|||
|- |
|||
|Bytes Allocated || uint32_t |
|||
|- |
|||
|Parent Record Number || uint64_t |
|||
|- |
|||
|Next Attribute Index || uint32_t |
|||
|- |
|||
|Reserved || uint32_t |
|||
|- |
|||
|Record Number || uint64_t |
|||
|} |
|||
The remainder of the file record contains additional tables and data for this record. The "Attributes Offset" field contains the byte offset (from the start of the record) of the beginning of the attribute list for this record. |
|||
Attributes have a variable length, but always start with the same sequence. |
|||
{| {{wikitable}} |
|||
! Field |
|||
! Type |
|||
|- |
|||
| Attribute Type || uint32_t |
|||
|} |
|||
If the "Attribute Type" field contains the value 0xffffffff, this marks the end of the attribute list. Otherwise, the attribute sequence continues with the length of the attribute "record". |
|||
{| {{wikitable}} |
|||
! Field |
|||
! Type |
|||
|- |
|||
| Attribute Length || uint32_t |
|||
|} |
|||
This length value defines the total length of the attribute record, including the "Attribute Type" and "Attribute Length" fields. |
|||
== See Also == |
|||
=== External Links === |
|||
* [https://web.archive.org/web/20210922203602/https://flatcap.org/linux-ntfs/ntfs/index.html Guide to NTFS] |
|||
* [https://www.writeblocked.org/resources/NTFS_CHEAT_SHEETS.pdf Cheat sheet] |
|||
* [http://www.linux-ntfs.org/ The Linux NTFS project] |
|||
* [http://www.ntfs-3g.org/ NTFS-3G Read/Write Drivers For Linux/FreeBSD/BeOS] |
|||
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=tree;f=fs/ntfs;hb=HEAD Linux fs/ntfs tree] |
|||
* [http://www.opensource.apple.com/source/ntfs/ Apple Open Source NTFS site] |
|||
* [https://github.com/libyal/libfsntfs/blob/main/documentation/New%20Technologies%20File%20System%20(NTFS).asciidoc#attribute_chains libfsntfs library documentation] |
|||
[[Category:Filesystems]] |
[[Category:Filesystems]] |
||
[[de:NTFS]] |
|||
Latest revision as of 18:15, 10 October 2023
| Filesystems |
|---|
| Virtual Filesystems |
| Disk Filesystems |
| CD/DVD Filesystems |
| Network Filesystems |
| Flash Filesystems |
NTFS (New Technology File System) is Windows NT's native file system. It is not only based on HPFS, but also supports security features such as access control. Since Windows NT is entirely unicode, NTFS is a unicode filesystem, with each character (e.g. in names) being 16-bits instead of 8-bits.
About
NTFS doesn't only add security features to HPFS. In NTFS, there is a lot more built-in redundancy. For example: in HPFS, wiping out a sector in the wrong place can render the entire volume inaccessible. Support for multiple hard-links to a file (before NTFS, the only easy access was through the POSIX subsystem, but Windows 2000 (NT 5) added this to Win32 as well) was also added.
NTFS supports an arbitrary number of file forks (much like Mac OS, except Mac OS always has exactly 2 forks for each file).
HPFS decrees that a cluster is always 512 bytes long and a cluster is always one sector. For the sake of performance and compatibility with some (especially Japanese) machines, NTFS allows sectors of different sizes. It also supports clusters of more than one sector, which can be beneficial on performance.
In short, NTFS' most significant changes:
- Better and more security.
- Multiple hard-links to one file.
- An arbitrary number of forks.
- Variable cluster and sectors sizes (usually resulting in better performance).
Implementation
NTFS is probably one of the most difficult file system to deal with, especially because of the lack of hacking experience and reliable documents. A read-only stable driver can be found in the Linux source code base since kernel 2.4, while an experimental read-write driver is coming with linux 2.6.
The NTFS-3G project apparently has a read/write implementation for Linux/FreeBSD/BeOS that is currently in beta development status.
Structure
The NTFS format is built around "file" tables that allow both pre-defined and custom attributes to be stored and read by the operating system.
The NTFS boot sector is similar to other file systems, like FAT.
| Field | Type |
|---|---|
| JMP | int8_t[3] |
| OEM System | char[8] |
| Bytes Per Sector | uint16_t |
| Sectors Per Cluster | int8_t |
| Reserved Sector Count | uint16_t |
| Table Count | int8_t |
| Root Entry Count | uint16_t |
| Sector Count | uint16_t |
| Media Type | int8_t |
| Sectors Per Table | uint16_t |
| Sectors Per Track | uint16_t |
| Heads | uint16_t |
| Hidden Sector Count | uint32_t |
| Sector Count (32-bit) | uint32_t |
| Reserved | uint32_t |
| Sector Count (64-bit) | uint64_t |
This is followed immediately by a NTFS specific header.
| Field | Type |
|---|---|
| Master File Table Cluster | uint64_t |
| Master File Table Mirror Cluster | uint64_t |
| Clusters Per Record | int8_t |
| Reserved | int8_t[3] |
| Clusters Per Index Buffer | int8_t |
| Reserved | int8_t[3] |
| Serial Number | uint64_t |
| Checksum | uint32_t |
Using the "Master File Table Cluster" and "Sectors Per Cluster" values, you can find the Master File Table. This table contains entries for every object in the file system, including files, folders, and the tables themselves. The size of each record in the Master File Table can be calculated using the "Clusters Per Record" and "Sectors Per Cluster" fields from the boot sector.
Each record starts with the same header structure.
| Field | Type |
|---|---|
| Record Type | char[4] |
| Update Sequence Offset | uint16_t |
| Update Sequence Length | uint16_t |
| Log File Sequence Number | uint64_t |
| Record Sequence Number | uint16_t |
| Hard Link Count | uint16_t |
| Attributes Offset | uint16_t |
| Flags | uint16_t |
| Bytes In Use | uint32_t |
| Bytes Allocated | uint32_t |
| Parent Record Number | uint64_t |
| Next Attribute Index | uint32_t |
| Reserved | uint32_t |
| Record Number | uint64_t |
The remainder of the file record contains additional tables and data for this record. The "Attributes Offset" field contains the byte offset (from the start of the record) of the beginning of the attribute list for this record.
Attributes have a variable length, but always start with the same sequence.
| Field | Type |
|---|---|
| Attribute Type | uint32_t |
If the "Attribute Type" field contains the value 0xffffffff, this marks the end of the attribute list. Otherwise, the attribute sequence continues with the length of the attribute "record".
| Field | Type |
|---|---|
| Attribute Length | uint32_t |
This length value defines the total length of the attribute record, including the "Attribute Type" and "Attribute Length" fields.