NTFS: Difference between revisions
| [unchecked revision] | [unchecked revision] |
| Line 81: | Line 81: | ||
<tr><td>Record Number</td><td>unsigned int</td><td>4</td></tr> |
<tr><td>Record Number</td><td>unsigned int</td><td>4</td></tr> |
||
</table> |
</table> |
||
The remainder of the file record contains additional tables and data for this record. The "Attributes Offset" field contains the byte offset (from the start of the record) of the beginning of the attribute list for this record. |
|||
Attributes have a variable length, but always start with the same sequence. |
|||
<table border=1> |
|||
<tr><th>Field</th><th>Type</th><th>Length</th></tr> |
|||
<tr><td>Attribute Type</td><td>unsigned int</td><td>4</td></tr> |
|||
</table> |
|||
If the "Attribute Type" field contains the value 0xffffffff, this marks the end of the attribute list. Otherwise, the attribute sequence continues with the length of the attribute table. |
|||
<table border=1> |
|||
<tr><th>Field</th><th>Type</th><th>Length</th></tr> |
|||
<tr><td>Attribute Length</td><td>unsigned int</td><td>4</td></tr> |
|||
</table> |
|||
This length value defines the total length of the attribute record, including the "Attribute Type" and "Attribute Length" fields. |
|||
== Links == |
== Links == |
||
Revision as of 05:50, 21 March 2011
| Filesystems |
|---|
| Virtual Filesystems |
| Disk Filesystems |
| CD/DVD Filesystems |
| Network Filesystems |
| Flash Filesystems |
NTFS (New Technology File System) is Windows NT's native file system. It is not only based on HPFS, but also supports security features such as access control. Since Windows NT is entirely unicode, NTFS is a unicode filesystem, with each character (e.g. in names) being 16-bits instead of 8-bits.
About
NTFS doesn't only add security features to HPFS. In NTFS, there is a lot more built-in redundancy. For example: in HPFS, wiping out a sector in the wrong place can render the entire volume inaccessible. Support for multiple hard-links to a file (before NTFS, the only easy access was through the POSIX subsystem, but Windows 2000 (NT 5) added this to Win32 as well) was also added.
NTFS supports an arbitrary number of file forks (much like Mac OS, except Mac OS always has exactly 2 forks for each file).
HPFS decrees that a cluster is always 512 bytes long and a cluster is always one sector. For the sake of performance and compatibility with some (especially Japanese) machines, NTFS allows sectors of different sizes. It also supports clusters of more than one sector, which can be beneficial on performance.
In short, NTFS' most significant changes:
- Better and more security.
- Multiple hard-links to one file.
- An arbitrary number of forks.
- Variable cluster and sectors sizes (usually resulting in better performance).
Implementation
NTFS is probably one of the most difficult file system to deal with, especially because of the lack of hacking experience and reliable documents. A read-only stable driver can be found in the Linux source code base since kernel 2.4, while an experimental read-write driver is coming with linux 2.6.
The NTFS-3G project apparently has a read/write implementation for Linux/FreeBSD/BeOS that is currently in beta development status.
Structure
The NTFS format is built around "file" tables that allow both pre-defined and custom attributes to be stored and read by the operating system.
The NTFS boot sector is similar to other file systems, like FAT.
| Field | Type | Length |
|---|---|---|
| JMP | byte[3] | 3 |
| OEM System | char[8] | 8 |
| Bytes Per Sector | unsigned short | 2 |
| Sectors Per Cluster | byte | 1 |
| Reserved Sector Count | unsigned short | 2 |
| Table Count | byte | 1 |
| Root Entry Count | unsigned short | 2 |
| Sector Count | unsigned short | 2 |
| Media Type | byte | 1 |
| Sectors Per Table | unsigned short | 2 |
| Sectors Per Track | unsigned short | 2 |
| Hidden Sector Count | unsigned int | 4 |
| Sector Count (32-bit) | unsigned int | 4 |
| Reserved | unsigned int | 4 |
| Total Sectors (64-bit) | unsigned long | 8 |
This is followed immediately by a NTFS specific header.
| Field | Type | Length |
|---|---|---|
| Master File Table Cluster | unsigned long | 8 |
| Master File Table Mirror Cluster | unsigned long | 8 |
| Clusters Per Record | signed byte | 1 |
| Reserved | byte[3] | 3 |
| Clusters Per Index Buffer | signed byte | 1 |
| Reserved | byte[3] | 3 |
| Serial Number | unsigned int | 4 |
| Checksum | unsigned short | 2 |
Using the "Master File Table Cluster" and "Sectors Per Cluster" values, you can find the Master File Table. This table contains entries for every object in the file system, including files, folders, and the tables themselves. The size of each record in the Master File Table can be calculated using the "Clusters Per Record" and "Sectors Per Cluster" fields from the boot sector.
Each record starts with the same header structure.
| Field | Type | Length |
|---|---|---|
| Record Type | char[4] | 4 |
| Update Sequence Offset | unsigned short | 2 |
| Update Sequence Length | unsigned short | 2 |
| Log File Sequence Number | unsigned long | 8 |
| Record Sequence Number | unsigned short | 2 |
| Hard Link Count | unsigned short | 2 |
| Attributes Offset | unsigned short | 2 |
| Flags | unsigned short | 2 |
| Bytes In Use | unsigned int | 4 |
| Bytes Allocated | unsigned int | 4 |
| Parent Record Number | unsigned long | 8 |
| Next Attribute Index | unsigned short | 2 |
| Reserved | unsigned short | 2 |
| Record Number | unsigned int | 4 |
The remainder of the file record contains additional tables and data for this record. The "Attributes Offset" field contains the byte offset (from the start of the record) of the beginning of the attribute list for this record.
Attributes have a variable length, but always start with the same sequence.
| Field | Type | Length |
|---|---|---|
| Attribute Type | unsigned int | 4 |
If the "Attribute Type" field contains the value 0xffffffff, this marks the end of the attribute list. Otherwise, the attribute sequence continues with the length of the attribute table.
| Field | Type | Length |
|---|---|---|
| Attribute Length | unsigned int | 4 |
This length value defines the total length of the attribute record, including the "Attribute Type" and "Attribute Length" fields.