File - $AttrDef (4)

Overview

This is a system file containing information about all the file attributes usable in a volume.

Attribute end marker 0xFFFFFFFF

Its layout is a sequence of records. Each record defines one file attribute, and its layout is:

Display Rule

At the moment this is always zero

Collation Rule

At the moment this is always zero, but the possible values are:

Flags

We've only witnessed three flags: 0x02, 0x40 and 0x80. It seems that 0x40 and 0x80 are never seen together. Therefore, the guess is that:

See the column IRN in the tables below.

Type	Name	Flags	IRN	Min Size	Max Size
0x10	$STANDARD_INFORMATION	0x40	R	0x30	0x30
0x20	$ATTRIBUTE_LIST	0x80	N	-	-
0x30	$FILE_NAME	0x42	IR	0x44	0x242
0x40	$VOLUME_VERSION	0x40	R	0x8	0x8
0x50	$SECURITY_DESCRIPTOR	0x80	N	-	-
0x60	$VOLUME_NAME	0x40	R	0x2	0x100
0x70	$VOLUME_INFORMATION	0x40	R	0xC	0xC
0x80	$DATA	0x00		-	-
0x90	$INDEX_ROOT	0x40	R	-	-
0xA0	$INDEX_ALLOCATION	0x80	N	-	-
0xB0	$BITMAP	0x80	N	-	-
0xC0	$SYMBOLIC_LINK	0x80	N	-	-
0xD0	$EA_INFORMATION	0x40	R	0x8	0x8
0xE0	$EA	0x00		-	0x10000

$VOLUME_VERSION and $SYMBOLIC_LINK appeared in WinNT but weren't used. They don't appear in either Win2K or WinXP.

Type	Name	Flags	IRN	Min Size	Max Size
0x10	$STANDARD_INFORMATION	0x40	R	0x30	0x48
0x20	$ATTRIBUTE_LIST	0x80	N	-	-
0x30	$FILE_NAME	0x42	IR	0x44	0x242
0x40	$OBJECT_ID	0x40	R	-	0x100
0x50	$SECURITY_DESCRIPTOR	0x80	N	-	-
0x60	$VOLUME_NAME	0x40	R	0x2	0x100
0x70	$VOLUME_INFORMATION	0x40	R	0xC	0xC
0x80	$DATA	0x00		-	-
0x90	$INDEX_ROOT	0x40	R	-	-
0xA0	$INDEX_ALLOCATION	0x80	N	-	-
0xB0	$BITMAP	0x80	N	-	-
0xC0	$REPARSE_POINT	0x80	N	-	0x4000
0xD0	$EA_INFORMATION	0x40	R	0x8	0x8
0xE0	$EA	0x00		-	0x10000
0xF0	$PROPERTY_SET	?	?	?	?
0x100	$LOGGED_UTILITY_STREAM	0x80	N	-	0x10000

$PROPERTY_SET existed, briefly, in NTFS v3.0. It was intended to support Native Structure Storage (NSS).

It should be possible to add user-defined attributes to this file.

    $AttrDef has big WAS it? 36K?
    yep in nt4 = 36K mostly blank
    now 2560 = 15attrs + 1 blank (2.5K)