| Glossary |
When there are lots of attributes and space in the MFT record is short, all those attributes that can be made non-resident are moved out of the MFT. If there is still not enough room, then an $ATTRIBUTE_LIST attribute is needed. The remaining attributes are placed in a new MFT record and the $ATTRIBUTE_LIST describes where to find them. It is very unusual to see this attribute.
After the standard header, this attribute contains a list of variable length records, describing the type and location (in the MFT) of all the other attributes belonging to this file. Each record is aligned on an 8-byte boundary.
The list is sorted by:
N.B. It does not list itself.
| Offset | Size | Description |
|---|---|---|
| ~ | ~ | Standard Attribute Header |
| 0x00 | 4 | Type |
| 0x04 | 2 | Record length |
| 0x06 | 1 | Name length (N) |
| 0x07 | 1 | Offset to Name (a) |
| 0x08 | 8 | Starting VCN (b) |
| 0x10 | 8 | Base File Reference of the attribute |
| 0x18 | 2 | Attribute Id (c) |
| 0x1A | 2N | Name in Unicode (if N > 0) |
(a) If the name doesn't exist, does this point at the attribute or zero?
(b) Starting VCN, or zero if the attribute is resident
(c) Each attribute has a unique identifier
(a) it always points to where the name would be (0x1A)
0x04 record allocation (8 byte alignment)
(c) always seems to be zero, check
(c) no it's only shown the first time for a given attribute type
not sure about sorting by sequence number. VCN definitely
It can be either resident or non-resident. This attribute has a no minimum or maximum size.
The offset at 0x07 is just one byte long, unusual for an attribute.
If this attribute is non-resident, then the data runs must fit into one MFT record.
The $ATTRIBUTE_LIST may be needed if the file:
8 VCN lowest_vcn;
Lowest virtual cluster number of this portion of the attribute value. This is usually 0. It
is non-zero for the case where one attribute does not fit into one mft record and thus
several mft records are allocated to hold this attribute. In the latter case, each mft
record holds one extent of the attribute and there is one attribute list entry for each
extent. NOTE: This is DEFINITELY a signed value! The windows driver uses cmp, followed
by jg when comparing this, thus it treats it as signed.
24 __u16 instance;
If lowest_vcn = 0, the instance of the attribute being referenced; otherwise 0.
The attribute list is used in case where a file need extension FILE records in the
MFT to be fully described, in order to find any file attribute of this file.
This file attribute may be non-resident because its stream is likely to grow.
The extents of one non-resident attribute (if present) immediately follow
after the initial extent. They are ordered by lowest_vcn and have their instance set to zero.