4. Attribute - $FILE_NAME (0x30)
属性-$文件名属性
4.1. Overview
概览
This Attribute stores the name of the file attribute anl is always resident.
As defined in $AttrDef, this attribute has a minimum size of 68 bytes and a maximum of 578 bytes. This
equates to a maximum filename length of 255 Unicode characters.
这个属性保存了文件名并且始终是常驻属性。
正如在属性定义中所定义的一样,这个属性的最小值为68个字节最大值为578个字节。
这和文件名长度为255个unicode字符正好一致。
4.2. Layout of the Attribute (Resident)
属性结构(常驻)
Table 2.5. Layout of the $FILE_NAME (0x30) attribute
文件名属性结构表
NTFS Attributes
NTFS属性
11
Offset Size Description
偏移 大小 描述
~ ~ Standard Attribute Header
标准属性头
0x00 8 File reference to the parent directory.
父目录的文件参考号
0x08 8 C Time - File Creation
文件创建时间
0x10 8 A Time - File Altered
文件修改时间
0x18 8 M Time - MFT Changed
MFT修改时间
0x20 8 R Time - File Read
文件访问时间
0x28 8 Allocated size of the file
文件的分配大小
0x30 8 Real size of the file
文件的实际大小
0x38 4 Flags, e.g. Directory, compressed, hidden
标记 如 目录 压缩 隐藏
0x3c 4 Used by EAs and Reparse
安全描述和重解析使用
0x40 1 Filename length in characters (L)
文件名长度
0x41 1 Filename namespace 0x42 2L File name in Unicode (not null terminated)
unicode文件名(不是以空字符结束)
4.2.1. File Reference
文件参考
This is a File Reference to the base record of the parent directory.
这是一个父目录的基本记录参考。
4.2.2. File Size
文件大小
The allocated size of a file is the amount of disk space the file is taking up. It will be a multiple of the
cluster size. The real size of the file is the size of the unnamed data attribute. This is the number that will
appear in a directory listing.
N.B. The Real Size is only present if the Starting VCN is zero. See the Standard Attribute Header for
more information.
这个分配大小是指文件所占用的磁盘空间大小。它是簇大小的乘积。实际大小是指未命名数据流属性的大小。这是目录列表中所列出来的数字。
4.2.3. Flags
标记
Table 2.6. File Flags
文件标志标
Flag Description
标记 描述
0x0001 Read-Only
只读
0x0002 Hidden
隐藏
0x0004 System
系统
0x0020 Archive
存档
0x0040 Device
设备
0x0080 Normal
通用
0x0100 Temporary
临时
0x0200 Sparse File
稀疏文件
0x0400 Reparse Point
重解析点
0x0800 Compressed
压缩
0x1000 Offline
离线
0x2000 Not Content Indexed
内容未索引
0x4000 Encrypted
加密
NTFS Attributes
NTFS 属性
12
Flag Description
标记 描述
0x10000000 Directory (copy from corresponding bit in MFT record)
目录
0x20000000 Index View (copy from corresponding bit in MFT record)
索引查看
4.3. Notes
注释
4.3.1. Other Information
其他信息
NTFS implements POSIX-style Hard Links by creating a file with several Filename Attributes. Each Filename
Attribute has its own details and parent. When a Hard Linked file is deleted, its filename is removed
from the MFT Record. When the last link is removed, then the file is really deleted.
NTFS通过创建文件名的文件名属性实现POSIX类型的硬链接。每一个文件名属性都有它的细节和祖先。当一个硬链接的文件被删除,它的文件名从MFT记录中删除。当最后一个硬链接被删除,文件才被真正删除了
N.B. All fields, except the parent directory, are only updated when the filename is changed. Until then,
they just become out of date. $STANDARD_INFORMATION Attribute, however, will always be kept
up-to-date.
N.B. If the file has EAs (Extended Attributes), then the EA Field will contain the size of buffer needed.
N.B. If the file is a Reparse Point, then the Reparse Field will give its type.