Glossary

NTFS - Attributes

Previous Next

Overview

Each MFT FILE Record is built up from Attributes. The list of possible Attributes is defined in $AttrDef.

Type OS Name
0x10   $STANDARD_INFORMATION
0x20   $ATTRIBUTE_LIST
0x30   $FILE_NAME
0x40 NT $VOLUME_VERSION
0x40 2K $OBJECT_ID
0x50   $SECURITY_DESCRIPTOR
0x60   $VOLUME_NAME
0x70   $VOLUME_INFORMATION
0x80   $DATA
0x90   $INDEX_ROOT
0xA0   $INDEX_ALLOCATION
0xB0   $BITMAP
0xC0 NT $SYMBOLIC_LINK
0xC0 2K $REPARSE_POINT
0xD0   $EA_INFORMATION
0xE0   $EA
0xF0 NT $PROPERTY_SET
0x100 2K $LOGGED_UTILITY_STREAM

Notes

Other Information

$PROPERTY_SET, $SYMBOLIC_LINK and $VOLUME_VERSION existed in NTFS v1.2, but weren't used. They no longer exist in NTFS v3.0 (that used by Win2K).

Each MFT record has a Standard Header, followed by a list of attributes (in order of ascending Attribute Id) and an end marker. The end marker is just four bytes: 0xFFFFFFFF.


Copyright ©