| Glossary |
This Attribute stores the name of the file attribute anl is always resident.
As defined in $AttrDef, this attribute has a minimum size of 68 bytes and a maximum of 578 bytes. This equates to a maximum filename length of 255 Unicode characters.
| Offset | Size | Description |
|---|---|---|
| ~ | ~ | Standard Attribute Header |
| 0x00 | 8 | File reference to the parent directory. |
| 0x08 | 8 | C Time - File Creation |
| 0x10 | 8 | A Time - File Altered |
| 0x18 | 8 | M Time - MFT Changed |
| 0x20 | 8 | R Time - File Read |
| 0x28 | 8 | Allocated size of the file |
| 0x30 | 8 | Real size of the file |
| 0x38 | 4 | Flags, e.g. Directory, compressed, hidden |
| 0x3c | 4 | Used by EAs and Reparse |
| 0x40 | 1 | Filename length in characters (L) |
| 0x41 | 1 | Filename namespace |
| 0x42 | 2L | File name in Unicode (not null terminated) |
The allocated size of a file is the amount of disk space the file is taking up. It will be a multiple of the cluster size. The real size of the file is the size of the unnamed data attribute. This is the number that will appear in a directory listing.
N.B. The Real Size is only present if the Starting VCN is zero. See the Standard Attribute Header for more information.
| Flag | Description |
|---|---|
| 0x0001 | Read-Only |
| 0x0002 | Hidden |
| 0x0004 | System |
| 0x0020 | Archive |
| 0x0040 | Device |
| 0x0080 | Normal |
| 0x0100 | Temporary |
| 0x0200 | Sparse File |
| 0x0400 | Reparse Point |
| 0x0800 | Compressed |
| 0x1000 | Offline |
| 0x2000 | Not Content Indexed |
| 0x4000 | Encrypted |
| 0x10000000 | Directory (copy from corresponding bit in MFT record) |
| 0x20000000 | Index View (copy from corresponding bit in MFT record) |
NTFS implements POSIX-style Hard Links by creating a file with several Filename Attributes. Each Filename Attribute has its own details and parent. When a Hard Linked file is deleted, its filename is removed from the MFT Record. When the last link is removed, then the file is really deleted.
N.B. All fields, except the parent directory, are only updated when the filename is changed. Until then, they just become out of date. $STANDARD_INFORMATION Attribute, however, will always be kept up-to-date.
N.B. If the file has EAs (Extended Attributes), then the EA Field will contain the size of buffer needed.
N.B. If the file is a Reparse Point, then the Reparse Field will give its type.