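I came across a Chinese version of ntfsdoc 0.5 online, but its content does not read like a human translation; it looks as if it was run through some translation software and then lightly edited, and many concepts are expressed very unclearly.
So I plan to translate it myself as I read, and brush up on my English along the way.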
NTFS Documentation
Richard Russon
Yuval Fledel
Abstract
This is technical documentation, created to help the programmer.
It was originally written to complement the Linux NTFS driver [http://linux-ntfs.sourceforge.net/].
The latest version is available online at: http://linux-ntfs.sourceforge.net/ntfs/index.html and can be
downloaded from: http://sourceforge.net/project/showfiles.php?group_id=13956
We're confident that the information is correct. We think we know where there are gaps in our knowledge.
We may be wrong. Beware.
For simple answers to common questions, try reading the NTFS FAQ
[http://linux-ntfs.sourceforge.net/info/ntfs.html].
Table of Contents
1. Prologue
1. NTFS Documentation Preface
2. About the NTFS Documentation
3. Tables Legend
4. Volume Layout
2. NTFS Attributes
1. Overview
2. Attribute - $STANDARD_INFORMATION (0x10)
3. Attribute - $ATTRIBUTE_LIST (0x20)
4. Attribute - $FILE_NAME (0x30)
5. Attribute - $OBJECT_ID (0x40)
6. Attribute - $SECURITY_DESCRIPTOR (0x50)
7. Attribute - $VOLUME_NAME (0x60)
8. Attribute - $VOLUME_INFORMATION (0x70)
9. Attribute - $DATA (0x80)
10. Attribute - $INDEX_ROOT (0x90)
11. Attribute - $INDEX_ALLOCATION (0xA0)
12. Attribute - $BITMAP (0xB0)
13. Attribute - $REPARSE_POINT (0xC0)
14. Attribute - $EA_INFORMATION (0xD0)
15. Attribute - $EA (0xE0)
16. Attribute - $LOGGED_UTILITY_STREAM (0x100)
3. NTFS Files
1. Overview
2. NTFS Files: $MFT (0)
3. NTFS Files: $MFTMirr (1)
4. NTFS Files: $LogFile (2)
5. NTFS Files: $Volume (3)
6. NTFS Files: $AttrDef (4)
7. NTFS Files: . (Root Directory) (5)
8. NTFS Files: $Bitmap (6)
9. NTFS Files: $Boot (7)
10. NTFS Files: $BadClus (8)
11. NTFS Files: $Secure (9)
12. NTFS Files: $UpCase (10)
13. NTFS Files: $Extend (11)
14. NTFS Files: $ObjId (Any)
15. NTFS Files: $Quota (NT:9, 2K:Any)
16. NTFS Files: $Reparse (Any)
17. NTFS Files: $UsnJrnl (Any)
4. NTFS Concepts
1. Overview
2. Concept - Attribute Header
3. Concept - Attribute Id
4. Concept - B*Trees
5. Concept - Clusters
6. Concept - Collation
7. Concept - Compression
8. Concept - Data Runs
9. Concept - Directory
10. Concept - File
11. Concept - File Record
12. Concept - File Reference
13. Concept - Filename Namespace
14. Concept - Fixup
15. Concept - Index Header
16. Concept - Index Record
17. Concept - Links
18. Concept - Restart
19. Concept - SID
20. Concept - Sparse
5. Epilogue
1. ToDo
2. Unanswered Questions
3. History
Appendix I. License
1. GNU Free Documentation License
Glossary
List of Tables
1.1. Size fields table legend
1.2. An example for an index table
1.3. NTFS volume versions for each OS
1.4. Layout of a freshly formatted NTFS volume
2.1. Standard NTFS Attributes
2.2. Layout of the $STANDARD_INFORMATION (0x10) attribute
2.3. File Permissions
2.4. Layout of the $ATTRIBUTE_LIST (0x20) attribute
2.5. Layout of the $FILE_NAME (0x30) attribute
2.6. File Flags
2.7. Layout of the $OBJECT_ID (0x40) attribute
2.8. Layout of the $SECURITY_DESCRIPTOR (0x50) attribute
2.9. Layout of the $SECURITY_DESCRIPTOR (0x50) attribute header
2.10. Layout of an ACL
2.11. Layout of an ACE
2.12. ACE types
2.13. ACE flags
2.14. ACE audit flags
2.15. ACE access mask
2.16. SID contents
2.17. SID example
2.18. Security Descriptor Control Flags
2.19. Layout of the $VOLUME_NAME (0x60) attribute
2.20. Layout of the $VOLUME_INFORMATION (0x70) attribute
2.21. Volume Flags
2.22. Volume Version Numbers
2.23. Layout of the $DATA (0x80) attribute
2.24. Layout of the $INDEX_ROOT (0x90) attribute: an Index Root
2.25. Layout of the $INDEX_ROOT (0x90) attribute: an Index Header
2.26. Index flags
2.27. Common Indexes
2.28. Layout of the $INDEX_ALLOCATION (0xA0) attribute
2.29. Layout of a data entry in the $INDEX_ALLOCATION (0xA0) attribute
2.30. Data entry flags
2.31. Layout of the $BITMAP (0xB0) attribute
2.32. Layout of the $REPARSE_POINT (0xC0) attribute (Microsoft Reparse Point)
2.33. Layout of the $REPARSE_POINT (0xC0) attribute (Third-Party Reparse Point)
2.34. Symbolic Link Reparse Data
2.35. Volume Link Reparse Data
2.36. Reparse Tag Flags
2.37. Layout of the $EA_INFORMATION (0xD0) attribute
2.38. Layout of the $EA (0xE0) attribute
2.39. EA flags
2.40. Layout of the $LOGGED_UTILITY_STREAM (0x100) attribute
3.1. Layout of files on the Volume
3.2. $MFT Attributes
3.3. Sample records from the beginning of $MFT
3.4. $MFTMirr Attributes
3.5. Layout of $MFTMirr
3.6. $LogFile Attributes
3.7. $Volume Attributes
3.8. $AttrDef Attributes
3.9. Layout of $AttrDef
3.10. $AttrDef Collation Rules
3.11. $AttrDef Flags
3.12. $AttrDef example from Windows NT
3.13. $AttrDef example from Windows 2000/XP
3.14. Dot (.) Attributes
3.15. Layout of Dot (.)
3.16. $Bitmap Attributes
3.17. Layout of $Bitmap
3.18. $Boot Attributes
3.19. Layout of $Boot
3.20. $BadClus Attributes
3.21. $Secure Attributes
3.22. Layout of $Secure:$SDS
3.23. Layout of $Secure:$SDH
3.24. Layout of $Secure:$SII
3.25. $UpCase Attributes
3.26. Layout of $UpCase
3.27. $Extend Attributes
3.28. $ObjId Attributes
3.29. Layout of $ObjId:$O
3.30. $ObjId flags
3.31. $Quota Attributes
3.32. Layout of $Quota:$O
3.33. Layout of $Quota:$Q
3.34. $Quota flags
3.35. $Reparse Attributes
3.36. Layout of $Reparse:$R
3.37. $UsnJrnl Attributes
3.38. Layout of $UsnJrnl:$J
3.39. Layout of $UsnJrnl:$Max
3.40. $UsnJrnl reason flags
3.41. $UsnJrnl source info flags
4.1. NTFS Concepts
4.2. Layout of a resident unnamed attribute header
4.3. Layout of a resident named attribute header
4.4. Layout of a non-resident unnamed attribute header
4.5. Layout of a non-resident named attribute header
4.6. Attribute flags
4.7. Default cluster size
4.8. Collation types
4.9. Default collations types for standard indexes
4.10. Layout of a data run
4.11. Parsed data runs: Example 1 - Normal, Unfragmented File
4.12. Parsed data runs: Example 2 - Normal, Fragmented File
4.13. Parsed data runs: Example 3 - Normal, Scrambled File
4.14. Parsed data runs: Example 4 - Sparse, Unfragmented File
4.15. Parsed data runs: Example 5 - Compressed, Unfragmented File
4.16. A directory record attributes
4.17. A file record attributes
4.18. Fictional named data streams
4.19. Summary Information named data streams
4.20. contents of Summary Information named data streams
4.21. Layout of a file record
4.22. File record flags
4.23. Layout of a file reference
4.24. Fixup example: before
4.25. Fixup example: after
4.26. Layout of a Standard Index Header
4.27. List of Common Indexes
4.28. Layout of an Index record header
4.29. Common well known SIDs
4.30. Identifier Authorities
4.31. Relative Identifiers
4.32. Domain Users
4.33. Domain Groups
4.34. Domain Aliases
4.35. Universal well-known SIDs
4.36. NT well-known SIDs
122. Measurement Units
Chapter 1. Prologue
1. NTFS Documentation Preface
This is version 0.5 of the NTFS Documentation and is available as part of the Linux-NTFS Project
[http://linux-ntfs.sourceforge.net/]
This is technical documentation, created to help the programmer.
It was originally written to complement the Linux NTFS driver [http://linux-ntfs.sourceforge.net/].
The latest version is available online at: http://linux-ntfs.sourceforge.net/ntfs/index.html and can be
downloaded from: http://sourceforge.net/project/showfiles.php?group_id=13956
For simple answers to common questions, try reading the NTFS FAQ
[http://linux-ntfs.sourceforge.net/info/ntfs.html].
2. About the NTFS Documentation
2.1. Overview
NTFS is the filesystem of Windows NT, 2000 and XP. It supports almost all POSIX features, all HFS
features, and all HPFS features.
• It can deal with large capacity (up to 2^46 GB) storage units.
• It has built-in data compression.
• It uses a log file for transactions.
• Byte order: everything is little-endian on-disk.
2.2. Documentation Layout
• Chapter 1 - Prologue: is information describing the documentation.
• Chapter 2 - Files: is a list of the Metadata files.
• Chapter 3 - Attributes: is a list of Metadata attributes.
• Chapter 4 - Concepts: is a list of objects that are neither file, nor attribute.
• Chapter 5 - Epilogue: is some more information about the documentation.
• Appendix I - License: is the license under which the documentation is distributed.
• The Glossary: is a what's what of technical terminology.
2.3. Accuracy
Microsoft hasn't released any documentation for NTFS. These documents have been pieced together
partly by carefully reading all the SDKs and Windows help but mostly by reverse-engineering the
filesystem.
We're confident that the information is correct. We think we know where there are gaps in our knowledge.
We may be wrong. Beware.
2.4. Contact Points
You can post questions to an open forum on SourceForge [http://sourceforge.net/] at:
http://sourceforge.net/forum/forum.php?forum_id=44084
If you'd like to get more involved in the Linux project, then you can join one of the mailing lists (both
low volume).
• A general list for NTFS: http://tiger.informatik.hu-berlin.de/cgi-bin/mailman/listinfo/linux-ntfs
• A bit more technical one: http://lists.sourceforge.net/lists/listinfo/linux-ntfs-dev
Alternatively, if you have any questions, suggestions or corrections, please email me.
Richard Russon
2.5. License
Copyright (C) 1996-2004 Richard Russon.
Copyright (C) 2005 Yuval Fledel.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.1 or any later version published by the Free Software Foundation;
• With the Invariant Sections being Thanks
• With the Front-Cover Texts being About the NTFS Documentation
• And with the no Back-Cover Texts.
A copy of the license is included in the section entitled GNU Free Documentation License.
2.6. Thanks
Many thanks to the following for their help preparing these documents.
• Albert Cahalan
• Alex Ionescu
• Anton Altaparmakov
• Bram Moolenaar (for vim)
• Damon Casale
• David Dillard
• Domagoj Pensa
• Helen Custer
• Martin von Löwis
• Olof Wolgast
• Rani Assaf
• Régis Duchesne
• Richard Russon
• Yuval Fledel
3. Tables Legend
3.1. Overview
The tables in this documentation aren't completely consistent. Below is a key to the tables showing how
various fields are represented.
3.2. Footnotes
Any table fields that have footnote marks, e.g. (a), (e), will have a fuller description immediately below
the table.
3.3. Size Fields
In NTFS not all fields are of a fixed size. Some depend on the value of another field, some depend on
the contents of the field.
All the numbers in size fields are in decimal format. e.g. 12 (twelve), 42 (forty-two).
Table 1.1. Size fields table legend
Key  Name      Description
12   Fixed     This field is twelve bytes long. Its size is constant.
P8   Padding   P8 means pad the field to an 8 byte boundary. The size of this field could be 0 - 7 bytes. P4 means 4 byte alignment, etc. (a)
V    Variable  The length of this field depends on its contents. An example is a SID. To know its length, you must decode the structure.
S    X-Ref     A cross-reference shows that the size is defined elsewhere in the table. The size can be represented by any letter, except P or V.
(a) Any padding of a fixed size will be displayed as a fixed size.
3.4. Indexes
Where a table represents an index, the key and data will be shown as below:
Table 1.2. An example for an index table
Offset Size Description
0x00 2 Offset to data
0x02 2 Size of data
0x04 4 Key SID
0x08 4 Data Owner Id
0x0C 4 Data Hash
3.5. Operating System
Note that the fields are not all used in exactly the same way. NT indicates old fields whereas 2K and XP
indicate new fields.
Table 1.3. NTFS volume versions for each OS
OS NTFS Description
blank all Used by all versions of Windows
NT 1.2 Only used in Windows NT
2K 3.0 Windows 2000 and later
XP 3.1 New to Windows XP
repeating groups?
link padding8, padding and other table features to help/tables
consistent use of padding/alignment fields
4. Volume Layout
4.1. Overview
A freshly formatted NTFS volume will look like:
Table 1.4. Layout of a freshly formatted NTFS volume
BOOT | MFT | Free Space | More Metadata | Free Space
4.2. Notes
4.2.1. Other information
Everything is a file in NTFS. The index to these files is the Master File Table (MFT). The MFT lists the
Boot Sector file ($Boot), located at the beginning of the disk. $Boot also lists where to find the MFT.
The MFT also lists itself.
Located in the centre of the disk, we find some more Metadata files. The interesting ones are:
$MFTMirr and $LogFile. The MFT Mirror is an exact copy of the first 4 records of the MFT. If the
MFT is damaged, then the volume could be recovered by finding the mirror. The LogFile is a journal of
all the events waiting to be written to disk. If the machine crashes, then the LogFile is used to return the
disk to a sensible state.
Hidden at the end of the volume, is a copy of the boot sector (cluster 0). The only Metadata file that
makes reference to it is $Bitmap, and that only says that the cluster is in use.
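A consistency check built on the relationships described above, as an added example (not code from the NTFS documentation or the Linux-NTFS project): it reads the $MFT and $MFTMirr locations from $Boot, compares the first 4 records of each, and compares sector 0 with the copy at the end of the volume. The $Boot field offsets (0x0B, 0x0D, 0x28, 0x30, 0x38, 0x40) are not given in this section, the backup copy is assumed to occupy the final sector of the image, and the in-memory volume is constructed sample data.

```python
import struct


def parse_boot(sector):
    """Decode the $Boot fields needed to locate $MFT and $MFTMirr."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)   # bytes/sector, sectors/cluster
    _total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    if bps == 0 or spc == 0:
        raise ValueError("zero sector or cluster size")
    cluster = bps * spc
    # Signed byte: positive = clusters per record, negative = log2 of the byte size.
    raw = struct.unpack_from("<b", sector, 0x40)[0]
    if raw == 0:
        raise ValueError("zero file record size")
    record = raw * cluster if raw > 0 else 1 << -raw
    return {"bps": bps, "cluster": cluster, "record": record,
            "mft": mft_lcn * cluster, "mirr": mirr_lcn * cluster}


def check_volume(image):
    """Return a list of inconsistencies between the primary and backup metadata."""
    boot = parse_boot(image[:512])
    bps, rec = boot["bps"], boot["record"]
    # The image is untrusted input: refuse offsets that point outside it.
    if len(image) < 2 * bps:
        raise ValueError("image too small to hold a backup boot sector")
    for name in ("mft", "mirr"):
        if boot[name] + 4 * rec > len(image):
            raise ValueError(f"{name} offset {boot[name]:#x} lies outside the image")
    findings = []
    for i in range(4):  # $MFTMirr copies the first 4 records of $MFT
        primary = image[boot["mft"] + i * rec: boot["mft"] + (i + 1) * rec]
        mirror = image[boot["mirr"] + i * rec: boot["mirr"] + (i + 1) * rec]
        if primary != mirror:
            findings.append(f"record {i}: $MFT and $MFTMirr differ")
    if image[-bps:] != image[:bps]:
        findings.append("backup boot sector differs from sector 0")
    return findings


def build_image(clusters=64, bps=512, spc=2, mft_lcn=4, mirr_lcn=32):
    """Constructed sample volume: $Boot, 4 MFT records, their mirror, backup boot."""
    cluster = bps * spc
    img = bytearray(clusters * cluster + bps)  # one extra sector for the backup copy
    boot = bytearray(bps)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HB", boot, 0x0B, bps, spc)
    struct.pack_into("<QQQ", boot, 0x28, clusters * spc, mft_lcn, mirr_lcn)
    struct.pack_into("<b", boot, 0x40, -10)    # 2**10 = 1024-byte file records
    boot[510:512] = b"\x55\xaa"
    img[:bps] = boot
    img[-bps:] = boot
    for i in range(4):
        rec = b"FILE" + bytes([i]) * 1020      # placeholder record body
        for base in (mft_lcn * cluster, mirr_lcn * cluster):
            img[base + i * 1024: base + (i + 1) * 1024] = rec
    return img


if __name__ == "__main__":
    vol = build_image()
    print("clean volume:", check_volume(vol))
    vol[32 * 1024 + 2 * 1024 + 100] ^= 0xFF    # damage mirror record 2
    vol[-1] ^= 0xFF                            # damage the backup boot sector
    print("after damage:", check_volume(vol))
```
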
4.2.2. MFT Zone
To prevent the MFT becoming fragmented, Windows maintains a buffer around it. No new files will be
created in this buffer region until the other disk space is used up. The buffer size is configurable and can
be 12.5%, 25%, 37.5% or 50% of the disk. Each time the rest of the disk becomes full, the buffer size is
halved.
MFT Zone Reservation IS NOT STORED ON DISK
MFT Zone (reserved space for MFT)
1 = 12.5%
2 = 25.0%
3 = 37.5%
4 = 50.0%
Where is this stored on disk?
volume? mft? boot?
This is the 'system files' space at
the beginning of the disk.
NtfsMftZoneReservation
link in to mft and bitmap
• cluster size 512 bytes, 1k, 2k, 4k, 8k, 16k, 32k, 64k
• very flexible, all the system files can be relocated, except $Boot
• supports streams named data streams
• attributes for a file can span several MFT records not necessarily contiguous or in order
• everything is an attribute, including the data
• filenames stored in Unicode
• journalling file system
• compression
• security
• hard links
• encryption
• LCNs vs VCNs
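NTFS Documentation
Abstract
This is technical documentation, intended to help programmers.
It was originally written to support development of the Linux NTFS driver [http://linux-ntfs.sourceforge.net/].
The latest version can be viewed online at: http://linux-ntfs.sourceforge.net/ntfs/index.html
It can also be downloaded from: http://sourceforge.net/project/showfiles.php?group_id=13956
We are confident that this information is correct, and we think we know where the gaps in our knowledge are.
We may also be wrong, so please read with caution.
For brief answers to common questions, try reading the NTFS FAQ:
[http://linux-ntfs.sourceforge.net/info/ntfs.html].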
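Chapter 1: Prologue
1. NTFS Documentation Preface
This is version 0.5 of the NTFS Documentation; it is also available as part of the Linux-NTFS Project at [http://linux-ntfs.sourceforge.net/].
This is technical documentation, intended to help programmers.
It was originally written to support development of the Linux NTFS driver [http://linux-ntfs.sourceforge.net/].
The latest version can be viewed online at: http://linux-ntfs.sourceforge.net/ntfs/index.html
It can also be downloaded from: http://sourceforge.net/project/showfiles.php?group_id=13956
We are confident that this information is correct, and we think we know where the gaps in our knowledge are.
We may also be wrong, so please read with caution.
For brief answers to common questions, try reading the NTFS FAQ:
[http://linux-ntfs.sourceforge.net/info/ntfs.html].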
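2. About the NTFS Documentation
2.1. Overview
NTFS is the filesystem of Windows NT, 2000 and XP. It supports almost all POSIX features, all HFS features, and all HPFS features.
• It can handle mass storage (up to 2^46 GB).
• It has built-in data compression.
• It uses a log file for transactions.
• Byte order: all information is stored in little-endian format.
2.2. Documentation Layout
• Chapter 1: Prologue: descriptive information about the documentation as a whole.
• Chapter 2: Files: a list of the metadata files.
• Chapter 3: Attributes: a list of the metadata attributes.
• Chapter 4: Concepts: a list of the concepts behind all files and attributes.
• Chapter 5: Epilogue: further related information.
• Appendix 1: Statement: the statement under which the documentation is released.
• Glossary: a reference table of technical terms.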
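2.3. Accuracy
Microsoft has not yet released any documentation on NTFS. These documents were pieced together bit by bit through careful reading of the SDKs and Windows help, but most of the content comes from reverse-engineering the NTFS filesystem.
We are confident that this information is correct, and we think we know where the gaps in our knowledge are.
We may also be wrong, so please read with caution.
2.4. Contact Points
You can post questions on the open forum on SourceForge [http://sourceforge.net/] at:
http://sourceforge.net/forum/forum.php?forum_id=44084
If you would like to get more involved in the Linux project, you can join a mailing list (either of the two below is fine).
• A general list for NTFS: http://tiger.informatik.hu-berlin.de/cgi-bin/mailman/listinfo/linux-ntfs
• A bit more technical one: http://lists.sourceforge.net/lists/listinfo/linux-ntfs-dev
Alternatively, if you have any questions, suggestions or corrections, please email me.
Richard Russon
2.5. Copyright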
Copyright (C) 1996-2004 Richard Russon.
Copyright (C) 2005 Yuval Fledel.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.1 or any later version published by the Free Software Foundation;
• With the Invariant Sections being Thanks
• With the Front-Cover Texts being About the NTFS Documentation
• And with the no Back-Cover Texts.
A copy of the license is included in the section entitled GNU Free Documentation License.