Hi,
To learn about MFT, I was experimenting with different
NTFS volumes.
Using "NtFsControlFile" fn. in ntdll.dll in Win2K
I got the following parameters:
ClusterSize = 4096 (decimal)
RecordSize = 1024 (decimal)
MFT Total = 0 81816576 (decimal)
MFT Start LCN = 0 16 (decimal)
MFT2 Start LCN = 0 320311 (decimal)
Now I tried to read MFT from LCN 16 (decimal). The first
entry is MFT itself with "FILE" signature and name
as $MFT. They are coming OK. But when I tried to read
the attrib $DATA, I got a single run of 4 clusters
from LCN 0x10 (decimal 16). Here is the dump
of the data attrib.
80 00 00 00 48 00 00 00
01 00 40 00 00 00 01 00 00 00 00 00 00 00 00 00
03 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 70 e0 04 00 00 00 00 00 6c e0 04 00 00 00 00
00 6c e0 04 00 00 00 00 11 04 10 00 00 fa 75 08
The last two bytes are the Update Sequence no. as they
are at the end of a sector. And applying the fixup, it becomes
E3 80.
4 clusters with 4K cluster size and 1K MFT record size
will only hold 16 MFT entries. Where did the rest of the
MFT go? The volume is freshly formatted and it had
a few files in it. Even if I reformat (from OS), the
same thing happens. Functionally, if I try to delete
a file from Explorer, most of the time, it is becoming
very very slow (takes more than a minute to complete
deletion). Please let me know what's going on here.
Thanks
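
Added example, not part of the original post: a Python decoding of the $DATA attribute dump above, using the standard NTFS non-resident attribute header layout and runlist encoding. The function and key names are illustrative, and the last two dump bytes are taken as E3 80, the values the post gives after the fixup.

```python
import struct

# Bytes copied from the post's dump; the last two (75 08) are replaced by
# E3 80, the values the post gives after applying the fixup.
DUMP = bytes.fromhex(
    "80 00 00 00 48 00 00 00"
    "01 00 40 00 00 00 01 00 00 00 00 00 00 00 00 00"
    "03 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
    "00 70 e0 04 00 00 00 00 00 6c e0 04 00 00 00 00"
    "00 6c e0 04 00 00 00 00 11 04 10 00 00 fa e3 80"
)
# Non-resident attribute header, offsets 0x00-0x3F (little-endian, packed).
HDR = struct.Struct("<IIBBHHHQQHH4xQQQ")


def parse_runs(buf):
    """Decode a runlist into (start LCN or None for sparse, cluster count)."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:      # a 0x00 header ends the list
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        end = pos + 1 + len_sz + off_sz
        if len_sz == 0 or end > len(buf):
            raise ValueError("malformed or truncated runlist")
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        # The offset field is signed and relative to the previous run's LCN.
        lcn += int.from_bytes(buf[pos + 1 + len_sz:end], "little", signed=True)
        runs.append((lcn if off_sz else None, count))
        pos = end
    return runs


def parse_nonresident(attr, cluster_size, record_size):
    """Compare what this record's runs map with what its size fields claim."""
    (atype, alen, nonres, _nl, _no, _fl, _id, first_vcn, last_vcn,
     run_off, _cu, alloc, real, _init) = HDR.unpack_from(attr)
    if nonres != 1 or alen > len(attr) or run_off >= alen:
        raise ValueError("not a complete non-resident attribute")
    runs = parse_runs(attr[run_off:alen])
    mapped = sum(count for _, count in runs)
    return {"type": atype, "first_vcn": first_vcn, "last_vcn": last_vcn,
            "runs": runs, "mapped_clusters": mapped,
            "allocated_clusters": alloc // cluster_size,
            "records_mapped": mapped * cluster_size // record_size,
            "records_in_stream": real // record_size}


if __name__ == "__main__":
    for key, value in parse_nonresident(DUMP, 4096, 1024).items():
        print(f"{key}: {value}")
```

For this dump the runs map 4 clusters (VCN 0 to 3, 16 records), while the size fields describe a stream of 19975 clusters holding 79899 records.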