{"id":316,"date":"2014-07-29T03:53:15","date_gmt":"2014-07-29T03:53:15","guid":{"rendered":"http:\/\/www.itcrumbs.com\/?p=316"},"modified":"2019-02-07T04:39:44","modified_gmt":"2019-02-07T04:39:44","slug":"ntfs-metafiles","status":"publish","type":"post","link":"http:\/\/www.itcrumbs.com\/?p=316","title":{"rendered":"NTFS MetaFiles"},"content":{"rendered":"<h5><a title=\"http:\/\/blogs.technet.com\/b\/askcore\/archive\/2013\/11\/08\/3303108.aspx\" href=\"http:\/\/blogs.technet.com\/b\/askcore\/archive\/2013\/11\/08\/3303108.aspx\">http:\/\/blogs.technet.com\/b\/askcore\/archive\/2013\/11\/08\/3303108.aspx<\/a><\/h5>\n<h5>They sit there, hiding in the root directory\u2026<i>metafiles<\/i>. The shell hides them from the user, but they are still there\u2026lurking. Microsoft does a pretty good job hiding these files so you don\u2019t accidentally damage them. But what are these files and how does NTFS use them?<\/h5>\n<p>Before we have a look at them I\u2019d like to issue a warning\u2026<\/p>\n<p>WARNING!!! Do NOT try to alter or delete these files. Doing so can and will cause permanent damage to your file system. And more than likely CHKDSK won\u2019t be able to save you. You will lose all your data if you ignore this warning.<\/p>\n<p>Hopefully you are now sufficiently scared. <\/p>\n<p>If you haven\u2019t already done so I recommend you read my blog entitled <a href=\"http:\/\/blogs.technet.com\/askcore\/archive\/2009\/10\/16\/the-four-stages-of-ntfs-file-growth.aspx\">\u201cThe Four Stages for File Growth\u201d<\/a> to give you a better idea of how files are stored on your hard drive. It isn\u2019t required for understanding this blog but it would help.<\/p>\n<p>Now let\u2019s have a look at these elusive files.<\/p>\n<p><b>File 0 &#8211; $MFT:<\/b> Not to be confused with the actual MFT (Master File Table), the $MFT tells us where all the pieces of MFT are. The MFT is part of the $MFT file. And the $MFT file is contained within the MFT. 
It\u2019s this whole \u2018chicken and the egg\u2019 thing.<\/p>\n<p>$MFT \u2013 A file in the Master File Table (MFT)<\/p>\n<p>MFT \u2013 The table that contains all file records<\/p>\n<p>What makes it confusing is that the entire MFT is in the $MFT file and the file record for $MFT is found in the MFT.&#160; They are separate structures but each one contains the other.<\/p>\n<p><b>File 1 &#8211; $MFTMirr:<\/b> This file tells us the location of a backup of the first few files in the MFT. In data recovery situations, where the beginning of the MFT is damaged, this mirror can help save the day. I\u2019ve used it a number of times myself.<\/p>\n<p><b>File 2 &#8211; $LogFile:<\/b> This is simply a journal of NTFS\u2019s metadata transactions. Like most metafiles, it is not human readable and not meant for use by the user. Corruption of this file can prevent you from mounting the file system. This can be easily fixed by simply resizing the file. These two commands can assist with that\u2026<\/p>\n<p>Chkdsk &lt;drive:&gt; \/L<\/p>\n<p>(to find out the current size for $LogFile)<\/p>\n<p>Chkdsk &lt;drive:&gt; \/f \/L:&lt;new size&gt;<\/p>\n<p>(to resize $LogFile)<\/p>\n<p><b>File 3 &#8211; $Volume:<\/b> This file keeps a record of the NTFS version, volume information, and the volume label. So if you name your volume \u2018DAVE\u2019, this is the file that stores that information.<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/blogfiles\/askcore\/WindowsLiveWriter\/NTFSMetaFiles_C446\/clip_image002_2.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image002\" border=\"0\" alt=\"clip_image002\" src=\"http:\/\/blogs.technet.com\/blogfiles\/askcore\/WindowsLiveWriter\/NTFSMetaFiles_C446\/clip_image002_thumb.jpg\" width=\"495\" height=\"405\" \/><\/a><\/p>\n<p><b>File 4 &#8211; $AttrDef:<\/b> The $AttrDef file defines the different attributes that the file system can have. 
Here is a list of the attribute types available:<\/p>\n<p>$STANDARD_INFORMATION<\/p>\n<p>$ATTRIBUTE_LIST<\/p>\n<p>$FILE_NAME<\/p>\n<p>$VOLUME_VERSION<\/p>\n<p>$OBJECT_ID<\/p>\n<p>$SECURITY_DESCRIPTOR<\/p>\n<p>$VOLUME_NAME<\/p>\n<p>$VOLUME_INFORMATION<\/p>\n<p>$DATA<\/p>\n<p>$INDEX_ROOT<\/p>\n<p>$INDEX_ALLOCATION<\/p>\n<p>$BITMAP<\/p>\n<p>$SYMBOLIC_LINK<\/p>\n<p>$REPARSE_POINT<\/p>\n<p>$EA_INFORMATION<\/p>\n<p>$LOGGED_UTILITY_STREAM<\/p>\n<p>NOTE: Do not confuse file attributes like $DATA and $FILE_NAME with attributes like READ-ONLY, SYSTEM, or HIDDEN (which are actually just flags).<\/p>\n<p><b>File 5 \u2013 (.):<\/b> The dot (.) is the root directory for the volume. So when you do a \u2018dir\u2019 of c:\\, you are looking at the dot (.).<\/p>\n<p><b>File 6 &#8211; $Bitmap:<\/b> This file keeps track of all the clusters of the volume and whether or not each cluster is currently in use. That\u2019s how we can quickly determine how much free space you have. We just ask $Bitmap.<\/p>\n<p><b>File 7 &#8211; $Boot:<\/b> Contains the boot sector and the boot strap (the first 16 sectors of the volume). The boot sector contains the location of the $MFT and $MFTMirr. Otherwise we wouldn\u2019t know where to look for them.<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/blogfiles\/askcore\/WindowsLiveWriter\/NTFSMetaFiles_C446\/clip_image004_2.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"clip_image004\" border=\"0\" alt=\"clip_image004\" src=\"http:\/\/blogs.technet.com\/blogfiles\/askcore\/WindowsLiveWriter\/NTFSMetaFiles_C446\/clip_image004_thumb.jpg\" width=\"244\" height=\"134\" \/><\/a><\/p>\n<p>In the image above, all parts of the $BOOT file are shown in RED. The file starts in the MFT and points back to the beginning of the volume for its $DATA attribute, which contains the boot strap. It is this boot strap code that tells us what boot loader we are using (NTLDR for Windows XP\/Windows 2003 and BOOTMGR for Vista\/Windows 2008). 
Also, the boot sector tells us the location of the MFT. This is part of how Windows is able to locate files during the early stages of bootup, before the NTFS.SYS driver actually loads.<\/p>\n<p><b>File 8 &#8211; $BadClus:<\/b> Keeps a record of the clusters on your volume that contain physically bad sectors. We mark them bad so we don\u2019t try to use them. If you ever run CHKDSK with a \/r switch, then you are telling CHKDSK to update $BadClus with any new bad sectors that are found.<\/p>\n<p><b>File 9 &#8211; $Secure:<\/b> Contains security information. For obvious reasons, I\u2019m not going to tell you how it works.<\/p>\n<p><b>File 10 &#8211; $UpCase:<\/b> This file contains the casing table.<\/p>\n<p><i>Trivia \u2013 For the young folks that don\u2019t know, the terms upper case and lower case came about with the early printing presses that kept the capital letters in the upper drawer or case, while the more often used small letters were stored in the closer, lower case. <\/i><\/p>\n<p><b>File 11 &#8211; $Extend:<\/b> A directory that can house files used for optional extensions.<\/p>\n<p>That\u2019s about it. Microsoft reserves space in case we want to add any additional files. So you won\u2019t start seeing normal files until File 17.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>http:\/\/blogs.technet.com\/b\/askcore\/archive\/2013\/11\/08\/3303108.aspx They sit there, hiding in the root directory\u2026metafiles. The shell hides them from the user, but they are still there\u2026lurking. Microsoft does a pretty good job hiding these files so you don\u2019t accidentally damage them. But what are these files and how does NTFS use them? 
Before we have a look at them I\u2019d [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-316","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts\/316","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=316"}],"version-history":[{"count":1,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts\/316\/revisions"}],"predecessor-version":[{"id":317,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts\/316\/revisions\/317"}],"wp:attachment":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=316"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}