| Glossary |
Each MFT FILE Record is built up from Attributes. The list of possible Attributes is defined in $AttrDef.
| Type | OS | Name |
|---|---|---|
| 0x10 | $STANDARD_INFORMATION | |
| 0x20 | $ATTRIBUTE_LIST | |
| 0x30 | $FILE_NAME | |
| 0x40 | NT | $VOLUME_VERSION |
| 0x40 | 2K | $OBJECT_ID |
| 0x50 | $SECURITY_DESCRIPTOR | |
| 0x60 | $VOLUME_NAME | |
| 0x70 | $VOLUME_INFORMATION | |
| 0x80 | $DATA | |
| 0x90 | $INDEX_ROOT | |
| 0xA0 | $INDEX_ALLOCATION | |
| 0xB0 | $BITMAP | |
| 0xC0 | NT | $SYMBOLIC_LINK |
| 0xC0 | 2K | $REPARSE_POINT |
| 0xD0 | $EA_INFORMATION | |
| 0xE0 | $EA | |
| 0xF0 | NT | $PROPERTY_SET |
| 0x100 | 2K | $LOGGED_UTILITY_STREAM |
$PROPERTY_SET, $SYMBOLIC_LINK and $VOLUME_VERSION existed in NTFS v1.2, but weren't used. They no longer exist in NTFS v3.0 (that used by Win2K).
Each MFT record has a Standard Header, followed by a list of attributes (in order of ascending Attribute Id) and an end marker. The end marker is just four bytes: 0xFFFFFFFF.