Hello,
The book Windows NT/2000 Native API Reference by Gary Nebbett contains one
chapter that describes the physical format of NTFS. I compared that to
the documentation at http://www.flatcap.org/ntfs/index.html and the
following are corrections and new information.
The homepage for his book is:
http://www.newriders.com/books/title.cfm?isbn=1578701996
where it is also possible to download the .h file that I quote below.
Bo Branten
> Attribute type 0xF0
is PropertySet
(intended to support Native Structured Storage (NSS), a
feature that was removed from NTFS 3.0 during beta testing)
> Standard Attribute Header
> Non-Resident, No Name
> 0x22 2 Compression Engine (b)
is 1 byte
> 0x24 4 0x0000 Unused (c)
is 5 bytes
> b) This field has a value of 0x04 when the attribute is compressed
It holds the base-2 logarithm of the number of clusters in a
compression unit
> Attribute - $STANDARD_INFORMATION (0x10)
> 0x08 8 Last modification time
> 0x10 8 Last modification time for FILE record
These two fields are in the opposite order:
/*
 * Body of the $STANDARD_INFORMATION (0x10) attribute, as declared in the
 * header file this page quotes.
 *
 * The page states that the two modification times sit in the opposite order
 * from the document it is correcting, i.e. ChangeTime at 0x08 and
 * LastWriteTime at 0x10.
 * NOTE(review): confirm that order against a volume with known timestamps
 * before using these fields in a forensic timeline; reading them swapped
 * would misdate file-content changes versus FILE-record changes.
 */
typedef struct {
ULONGLONG CreationTime;
// presumably the "last modification time for FILE record" value -- confirm
ULONGLONG ChangeTime;
// presumably the "last modification time" of the file data -- confirm
ULONGLONG LastWriteTime;
ULONGLONG LastAccessTime;
ULONG FileAttributes;
// The page does not say what these 12 bytes hold.
ULONG AlignmentOrReservedOrUnknown[3];
// NOTE(review): the remaining fields are marked NTFS 3.0 only, so the
// attribute is presumably shorter on older volumes; a reader should check
// the stored attribute length before touching them.
ULONG QuotaId; // NTFS 3.0 only
ULONG SecurityId; // NTFS 3.0 only
ULONGLONG QuotaCharge; // NTFS 3.0 only
USN Usn; // NTFS 3.0 only
} STANDARD_INFORMATION, *PSTANDARD_INFORMATION;
> Attribute - $FILE_NAME (0x30)
> 0x08 8 Last modification time
> 0x10 8 Last modification time for FILE record
These two fields are in the opposite order.
> 0x38 8 Flags, e.g. Directory, compressed, hidden
is 4 bytes, followed by 4 reserved bytes
> Attribute - $OBJECT_ID (0x40)
/*
 * Body of the $OBJECT_ID (0x40) attribute, as declared in the header file
 * this page quotes.
 *
 * The anonymous union overlays three GUIDs with a 48-byte opaque buffer, so
 * the same bytes can be read either way.
 * NOTE(review): the page does not say whether the union is always present
 * on disk; check the stored attribute length before reading past ObjectId.
 */
typedef struct {
GUID ObjectId;
union {
// Structured view of the 48 bytes that follow ObjectId.
struct {
GUID BirthVolumeId;
GUID BirthObjectId;
GUID DomainId;
} ;
// Raw view of the same 48 bytes.
UCHAR ExtendedInfo[48];
};
} OBJECTID_ATTRIBUTE, *POBJECTID_ATTRIBUTE;
> Attribute - $INDEX_ROOT (0x90)
> 0x04 4 Always 00 00 00 01?
CollationRule, used to sort index entries
> 0x08 4 Size of index buffers ?
yes
> 0x0C 4 Number of clusters per index buffer ?
yes
0x10 4 Always 00 00 00 10 ?
yes since INDEX_ROOT is followed by DIRECTORY_INDEX:
/*
 * Body of the $INDEX_ROOT (0x90) attribute, as declared in the header file
 * this page quotes.
 *
 * Offsets follow the page's own table: CollationRule at 0x04,
 * BytesPerIndexBlock at 0x08, ClustersPerIndexBlock at 0x0C and the embedded
 * DIRECTORY_INDEX at 0x10.
 * DIRECTORY_INDEX is declared further down the page; a compilable header
 * needs that declaration to come before this struct.
 */
typedef struct {
ATTRIBUTE_TYPE Type;
ULONG CollationRule; // rule used to sort the index entries (per the page)
ULONG BytesPerIndexBlock; // the page confirms this as the size of index buffers
ULONG ClustersPerIndexBlock; // the page confirms this as clusters per index buffer
// NOTE(review): both sizes above come straight from disk; a parser should
// reject zero or implausible values before using them to size reads.
DIRECTORY_INDEX DirectoryIndex;
} INDEX_ROOT, *PINDEX_ROOT;
/*
 * Header placed in front of a run of DIRECTORY_ENTRY records. The page shows
 * it embedded in both INDEX_ROOT and INDEX_BLOCK_HEADER.
 *
 * The page explains the constant 0x10 seen at the start of this header in
 * $INDEX_ROOT by the fact that the entries follow this 16-byte header
 * directly, so EntriesOffset is presumably relative to the start of this
 * structure -- confirm.
 * NOTE(review): all three size/offset fields are read from disk. Before
 * walking entries, a parser should check that EntriesOffset and
 * IndexBlockLength lie inside the buffer actually read and that
 * IndexBlockLength does not exceed AllocatedSize (relationship assumed,
 * confirm).
 */
typedef struct {
ULONG EntriesOffset;
ULONG IndexBlockLength;
ULONG AllocatedSize;
ULONG Flags; // 0x00 = Small directory, 0x01 = Large directory
} DIRECTORY_INDEX, *PDIRECTORY_INDEX;
DIRECTORY_INDEX is followed by DIRECTORY_ENTRY
/*
 * Fixed part of one index entry; the page states that these records follow
 * a DIRECTORY_INDEX header.
 *
 * The two commented-out members show the variable part that comes after the
 * fixed fields: a FILENAME_ATTRIBUTE, then a VCN (per the Flags comment, the
 * VCN is there when bit 0x01 is set).
 * NOTE(review): Length and AttributeLength are on-disk values. Code that
 * steps from entry to entry should stop if Length is smaller than this fixed
 * header or would carry the cursor past the end of the index block;
 * otherwise a corrupt or crafted volume can cause an out-of-bounds read or a
 * walk that never terminates. Presumably Length is the size of the whole
 * entry -- confirm.
 */
typedef struct {
ULONGLONG FileReferenceNumber;
USHORT Length;
USHORT AttributeLength;
ULONG Flags; // 0x01 = Has trailing VCN, 0x02 = Last entry
// FILENAME_ATTRIBUTE Name;
// ULONGLONG Vcn; // VCN in IndexAllocation of earlier entries
} DIRECTORY_ENTRY, *PDIRECTORY_ENTRY;
> Attribute - $INDEX_ALLOCATION (0xA0)
/*
 * Header of one index block in the $INDEX_ALLOCATION (0xA0) attribute, as
 * declared in the header file this page quotes.
 *
 * NTFS_RECORD_HEADER is not declared anywhere on this page, so its layout
 * cannot be checked from here.
 * NOTE(review): IndexBlockVcn presumably records the block's own VCN; a
 * parser can compare it with the VCN it asked for to spot a misdirected or
 * corrupt block -- confirm the field's meaning first.
 */
typedef struct {
NTFS_RECORD_HEADER Ntfs;
ULONGLONG IndexBlockVcn;
DIRECTORY_INDEX DirectoryIndex; // same header that INDEX_ROOT embeds
} INDEX_BLOCK_HEADER, *PINDEX_BLOCK_HEADER;
followed by DIRECTORY_INDEX and DIRECTORY_ENTRY, see above
> Attribute - $REPARSE_POINT (0xC0)
/*
 * Body of the $REPARSE_POINT (0xC0) attribute, as declared in the header
 * file this page quotes.
 *
 * ReparseData is declared with one element; it presumably stands for a
 * variable-length tail of ReparseDataLength bytes, so sizeof this struct
 * does not give the size of the on-disk record -- confirm.
 * NOTE(review): ReparseDataLength is an on-disk value; check it against the
 * attribute's stored length before copying or interpreting ReparseData.
 */
typedef struct {
ULONG ReparseTag;
USHORT ReparseDataLength;
USHORT Reserved;
UCHAR ReparseData[1];
} REPARSE_POINT, *PREPARSE_POINT;
> Attribute - $EA_INFORMATION (0xD0)
/*
 * Body of the $EA_INFORMATION (0xD0) attribute, as declared in the header
 * file this page quotes. The page gives no description of the two fields.
 *
 * NOTE(review): both are presumably byte counts describing the $EA
 * attribute; treat them as untrusted and do not size buffers from them
 * without checking against the $EA attribute's actual length.
 */
typedef struct {
ULONG EaLength;
ULONG EaQueryLength;
} EA_INFORMATION, *PEA_INFORMATION;
> Attribute - $EA (0xE0)
/*
 * One extended-attribute record in the $EA (0xE0) attribute, as declared in
 * the header file this page quotes.
 *
 * EaName is declared with one element and the commented-out EaData member
 * shows that value bytes follow the name, so the record is variable-length.
 * NOTE(review): NextEntryOffset, EaNameLength and EaValueLength are all read
 * from disk. A parser should verify that name and value fit inside the
 * current record and that NextEntryOffset moves forward and stays inside the
 * attribute; a crafted chain can otherwise read out of bounds or loop.
 * Whether EaName carries a terminating NUL is not stated on the page.
 */
typedef struct {
ULONG NextEntryOffset;
UCHAR Flags;
UCHAR EaNameLength;
USHORT EaValueLength;
CHAR EaName[1];
// UCHAR EaData[];
} EA_ATTRIBUTE, *PEA_ATTRIBUTE;
Attribute - $LOGGED_UTILITY_STREAM (0x100)
A logged utility stream attribute contains whatever data the creator of the
attribute chooses, but operations on the attribute are logged to the NTFS
logfile just like NTFS metadata changes. It is used by the Encrypting
File System (EFS).
> NTFS - Files
> 11 $Extend A directory containing $ObjId, $Quota, $Reparse
and $UsnJrnl
> File - $Boot (7)
/*
 * Layout of the $Boot file's first sector, as declared in the header file
 * this page quotes.
 *
 * With 1/2/4/8-byte UCHAR/USHORT/ULONG/ULONGLONG the members add up to
 * exactly 512 bytes, with BootSignature at offset 510. BytesPerSector lands
 * at offset 11, an odd address, so the struct matches that layout only when
 * compiled with byte packing; the page does not show the packing directive.
 * NOTE(review): every geometry field here is attacker-controlled when the
 * volume image is untrusted. Validate BytesPerSector and SectorsPerCluster
 * (non-zero, sane range) and bound MftStartLcn/Mft2StartLcn by TotalSectors
 * before using them in any offset arithmetic.
 */
typedef struct {
UCHAR Jump[3];
UCHAR Format[8];
USHORT BytesPerSector;
UCHAR SectorsPerCluster;
USHORT BootSectors;
UCHAR Mbz1; // "Mbz" presumably means must-be-zero -- confirm
USHORT Mbz2;
USHORT Reserved1;
UCHAR MediaType;
USHORT Mbz3;
USHORT SectorsPerTrack;
USHORT NumberOfHeads;
ULONG PartitionOffset;
ULONG Reserved2[2];
ULONGLONG TotalSectors;
ULONGLONG MftStartLcn;
ULONGLONG Mft2StartLcn;
// NOTE(review): the encoding of the next two counts is not described on the
// page; do not assume they are plain positive cluster counts.
ULONG ClustersPerFileRecord;
ULONG ClustersPerIndexBlock;
ULONGLONG VolumeSerialNumber;
UCHAR Code[0x1AE]; // 430 bytes; occupies offsets 80..509
USHORT BootSignature;
} BOOT_BLOCK, *PBOOT_BLOCK;