The $ATTRIBUTE_LIST attribute record structure is described here:
http://linux-ntfs.sourceforge.net/ntfs/attributes/attribute_list.html
The table lists the "Base File Reference of the attribute" as an 8 byte
field at offset 0x10. This is incorrect; on my Windows XP formatted
volume, I find records that look like the following examples:
09 00 00 00 00 00 09 00
f8 3c 00 00 00 00 4a 00
20 05 00 00 00 00 83 04
This leads me to believe that the file number is described by 4 bytes,
followed by two 2 byte values for who-knows-what. Or perhaps the file
number is described by 6 bytes followed by a single 2 byte value for
who-knows-what (hey, this is NTFS we're talking about... stranger things
have been known to happen).
I posted another documentation "bug" a while back, but nobody has
responded and the docs are still incorrect. That bug was as follows:
The $Boot file (boot sector) structure is described here:
http://linux-ntfs.sourceforge.net/ntfs/files/boot.html
The table lists a 4-byte value at offset 0x0024 as "Always 80 00 80 00".
This seems to be the case for partitions on hard disks that I have
access to. If I format a USB thumb drive as NTFS in Windows XP,
however, this field shows up as "80 00 00 00". Perhaps the difference
is due to the thumb drive being "removable media", or perhaps it has to
do with the fact that the drive itself is formatted as NTFS rather than
a partition on the drive.
Hope this helps!!!
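Added example, not part of the original post: Python code that decodes the three 8-byte samples quoted above under both layouts the post proposes (4+2+2 bytes and 6+2 bytes, little-endian). The 6+2 split corresponds to an NTFS file reference, which is a 48-bit MFT record number followed by a 16-bit sequence number. The function and key names are hypothetical.

```python
import struct

# Values copied from the post: the field at offset 0x10 of three
# $ATTRIBUTE_LIST entries on the poster's Windows XP volume.
SAMPLES = [
    "09 00 00 00 00 00 09 00",
    "f8 3c 00 00 00 00 4a 00",
    "20 05 00 00 00 00 83 04",
]

def parse_field(hex_text):
    """Turn a spaced hex dump into exactly 8 raw bytes."""
    raw = bytes.fromhex(hex_text)
    if len(raw) != 8:
        raise ValueError("expected 8 bytes, got %d" % len(raw))
    return raw

def split_4_2_2(raw):
    """Hypothesis 1: 32-bit file number, then two 16-bit values."""
    return struct.unpack("<IHH", raw)

def split_6_2(raw):
    """Hypothesis 2: 48-bit file number, then one 16-bit value."""
    (value,) = struct.unpack("<Q", raw)
    return value & 0xFFFFFFFFFFFF, value >> 48

def layouts_agree(raw):
    """True when bytes 4-5 are zero, so both layouts give the same
    file number and the sample cannot tell them apart."""
    return split_4_2_2(raw)[0] == split_6_2(raw)[0]

def compare(samples):
    """Decode every sample under both hypotheses."""
    rows = []
    for text in samples:
        raw = parse_field(text)
        rows.append({
            "hex": text,
            "4+2+2": split_4_2_2(raw),
            "6+2": split_6_2(raw),
            "agree": layouts_agree(raw),
        })
    return rows

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

All three samples have zero in bytes 4 and 5, so they decode to the same file number under either layout; only a volume with more than 2^32 MFT records would show a difference.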