Tech Windows Talk NTFS

This topic contains 4 replies, has 3 voices, and was last updated by Wheels-Of-Fire 2 months, 3 weeks ago. This post has been viewed 137 times

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #13838

    Wheels-Of-Fire
    Participant
    • Total Posts 215
    • Offline
    • @grahamdearsley
      Forumite Coins: 73

    Here is another for your infomation moment.

    I have been reading through the Windows internals books, Vol 1 & 2 and have discovered three things about the NT filing system (NTFS) that interested me.

    The first thing is that everything on an NTFS volume is stored as a file and I mean EVERYTHING. Although the volume boot record is still located at sector 0 even that is a file and could be rewriten using standard methods if it wasn’t write protected.

    The second thing is that NTFS stores files as atribute streams. Every named file will have at least 2 atribute streams and they are the files atributes stream and the unnamed data stream which contains the data and is used as the default. A file can also have many more named streams though and an example of this is if you save a file with an attatchment in internet explorer. The file gets saved in the unnamed stream and the attachment gets saved in a seperate named stream. In this way although the file and attatchment are linked under the same file name they are still kept seperate.

    The third thing is the way that NTFS locates files. The FAT system uses entries in the file allocation table to find the first cluster of a file and then each cluster points to the next cluster in the chain. This system is open to cross linked clusters. When you first save a file on an NTFS volume it finds an area of contiguous clusters on the disk big enough to store your data which it calls a run and then stores the start and end sectors in a record in the master file table that by the way is also a file. If you append the file then a new run is allocated and its location is added to the original record. If your file is appended REALLY often and the original MFT record runs out of space then an extension record is created.

    Just thought this may interest someone.

     

    #13843

    Bob Williams
    Participant
    • Total Posts 1421
    • Online
    • @bullstuff2
      Forumite Coins: 315

    It IS interesting WoF! I found it so, anyway. Too knackered tonight, but I will read up on that tomorrow. Thanks for the info.

    “If you think this Universe is bad, you should see some of the others.”
    ― Philip K. Dick, legendary SF writer.

    #13851

    Wheels-Of-Fire
    Participant
    • Total Posts 215
    • Offline
    • @grahamdearsley
      Forumite Coins: 73

    If you DO read up on it Bob you will find that file records don’t work EXACTLY as I described but its close enough to get the idea. For one thing if your file is less than 1k then you may not have a seperate data stream run because it will be contained in the file record its self in the master file table. The other thing i should mention is that all files that relate to the disc structure start with a dollar sign and do not appear to standard user applications.

    #13856

    Ed P
    Participant
    • Total Posts 1365
    • Offline
    • @edps
      Forumite Coins: 275

    You forgot to mention journalling – probably the most important part of a post-DOS filing system. This helps protect the integrity of the file system if there is an unexpected crash by the operating system bang in the middle of finalizing a disk write. Linux has a similar file system design.(There are far more file systems lurking in the wild – see Wiki)

    #13860

    Wheels-Of-Fire
    Participant
    • Total Posts 215
    • Offline
    • @grahamdearsley
      Forumite Coins: 73

    I didn’t forget Ed, I just thought three items was enough to be geting on with 😊

    For those not in the know though NTFS writes a journel of any proposed disk changes before it actually makes them. If the system crashes before the operation is complete then NTFS usese the journel to roll the changes back so its as if the operation never happened. This protects the filing system but not the data. NTFS runs its repair routines on the first volume access after every boot. If nothing was wrong then this is very quick as nothing really happens but if a fault is found then it is rolled back.

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

Members Currently Active: 1
PlaneMan
Keymaster | Moderator | Participant | Spectator | Blocked
Additional Forum Statistics
Threads: 985, Posts: 12,361, Members: 135
Welcome to our newest member, LostSoul
Most users ever online was 11 on June 5, 2017 1:36 pm