
File - $Secure (9)


Overview

In NTFS v1.2, every file had a $SECURITY_DESCRIPTOR Attribute. It was inefficient to read and check these for every file access and most of them were the same. NTFS v3.0 introduced a new Metadata File $Secure.

A new field in $STANDARD_INFORMATION, the Security Id, is an index into $Secure. $Secure has a Data Stream, $SDS, and two indexes, $SII and $SDH. The Data Stream has a copy of every $SECURITY_DESCRIPTOR Attribute on the volume, and the indexes cross-reference everything.

Attributes

Type  Description            Name
0x10  $STANDARD_INFORMATION
0x30  $FILE_NAME             $Secure
0x80  $DATA                  $SDS
0x90  $INDEX_ROOT            $SDH
0x90  $INDEX_ROOT            $SII
0xA0  $INDEX_ALLOCATION      $SDH
0xA0  $INDEX_ALLOCATION      $SII
0xB0  $BITMAP                $SDH
0xB0  $BITMAP                $SII

Layout of the File

$SDS Data Stream

The Security Descriptor Stream ($SDS) contains a list of all the Security Descriptors on the volume. Each entry is padded to a 16 byte boundary and has a hash for indexing purposes.

Offset  Size  Description
0x00    4     Hash of Security Descriptor
0x04    4     Security Id
0x08    8     Offset of this entry in this file
0x10    4     Size of this entry
0x04    V     Self-relative Security Descriptor
V+0x04  P16   Padding
    sorted by security id
    Self-relative? == has 2 * SID
    generally a large file, not all used
    there may be missing entries -- test
    large block of ids at start, then junk, then another block at 256KB
    

$SDH Index

The Security Descriptor Hash ($SDH) Index

Offset  Size  Value  Description
~       ~     ~      Index Entry
0x00    2     0x18   Offset to data
0x02    2     0x14   Size of data
0x04    4     0x00   Padding
0x08    2     0x30   Size of Index Entry
0x0A    2     0x08   Size of Index Key
0x0C    2            Flags
0x0E    2     0x00   Padding
0x10    4            Key Hash of Security Descriptor
0x14    4            Key Security Id
0x18    4            Data Hash of Security Descriptor
0x1C    4            Data Security Id
0x20    8            Data Offset to Security Descriptor (in $SDS)
0x28    4            Data Size of Security Descriptor (in $SDS)
0x2C    P8           Data Padding
    Last padding is always 4 bytes and always appears
    to be the Unicode string "II".
    

$SII Index

The Security Id Index ($SII)

Offset  Size  Value  Description
~       ~     ~      Standard Index Header
0x00    2     0x14   Offset to data
0x02    2     0x14   Size of data
0x04    4     0x00   Padding
0x08    2     0x28   Size of Index Entry
0x0A    2     0x04   Size of Index Key
0x0C    2            Flags
0x0E    2     0x00   Padding
0x10    4            Key Security Id
0x14    4            Data Hash of Security Descriptor
0x18    4            Data Security Id
0x1C    8            Data Offset to Security Descriptor (in $SDS)
0x24    4            Data Size of Security Descriptor (in $SDS)
    This file is sorted by the hash.
    The security descriptors are stored in the $SDS data stream.
    surprisingly the offset (64 bit) isn't 8 byte aligned
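
Added example (not from the original page): a parser that walks a $SDS stream using the entry layout above, skips junk regions by checking each entry's own-offset field, and cross-checks one $SII index entry against what it found. It assumes the descriptor starts directly after the four header fields (0x14 bytes) and that "Size of this entry" counts header plus descriptor without padding. The function names, sample bytes, hashes and descriptor contents are constructed for illustration.

```python
import struct

SDS_HEADER = struct.Struct("<IIQI")          # hash, security id, own offset, entry size
SII_ENTRY = struct.Struct("<HHIHHHHIIIQI")   # 0x28-byte $SII index entry, fields as tabulated
# Assumption: descriptor follows the 0x14-byte header; size = header + descriptor, unpadded.

def parse_sds(stream):
    """Map Security Id -> (hash, offset, size, descriptor bytes) for each valid $SDS entry."""
    entries, pos = {}, 0
    while pos + SDS_HEADER.size <= len(stream):
        sd_hash, sec_id, offset, size = SDS_HEADER.unpack_from(stream, pos)
        # A real entry records its own position; anything else is treated as junk
        # and skipped one 16-byte slot at a time.
        if offset != pos or size < SDS_HEADER.size or pos + size > len(stream):
            pos += 16
            continue
        entries[sec_id] = (sd_hash, offset, size, stream[pos + SDS_HEADER.size:pos + size])
        pos += (size + 15) & ~15             # entries are padded to a 16-byte boundary
    return entries

def check_sii(entry, sds_entries):
    """Return a list of mismatches between one $SII index entry and the $SDS stream."""
    f = SII_ENTRY.unpack(entry)
    key_id, d_hash, d_id, d_off, d_size = f[7], f[8], f[9], f[10], f[11]
    problems = []
    if key_id != d_id:
        problems.append("key/data Security Id differ")
    target = sds_entries.get(key_id)
    if target is None:
        problems.append("Security Id not present in $SDS")
    elif (d_hash, d_off, d_size) != target[:3]:
        problems.append("hash/offset/size disagree with $SDS")
    return problems

def _sds_entry(sd_hash, sec_id, offset, descriptor):
    size = SDS_HEADER.size + len(descriptor)
    raw = SDS_HEADER.pack(sd_hash, sec_id, offset, size) + descriptor
    return raw + b"\x00" * (-len(raw) % 16)

# Constructed sample: two entries with made-up hashes and placeholder descriptor bytes.
E1 = _sds_entry(0x11111111, 0x100, 0x00, b"\x01" * 30)   # 50 bytes, padded to 64
E2 = _sds_entry(0x22222222, 0x101, 0x50, b"\x02" * 20)   # placed after 16 bytes of junk
SAMPLE_SDS = E1 + b"\xff" * 16 + E2
GOOD_SII = SII_ENTRY.pack(0x14, 0x14, 0, 0x28, 4, 0, 0, 0x101, 0x22222222, 0x101, 0x50, 40)
BAD_SII = SII_ENTRY.pack(0x14, 0x14, 0, 0x28, 4, 0, 0, 0x101, 0x22222222, 0x101, 0x40, 40)
```

An index entry that points at an offset or hash the stream does not contain, as BAD_SII does, is the kind of inconsistency worth flagging when examining a volume's security descriptors.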
    

Notes

Questions

