Home - Unknown

Overview

This, final, section of the documentation is the place for all the unanswered questions. Some relate to Windows' use of NTFS and some are very technical. Your help is needed to fill in the blanks. Thanks.

Unanswered Questions

Why do some Metadata files on NTFS 3.0+ still have Security Descriptors?

On NTFS 3.0+, $Volume, $AttrDef, dot and $Boot have Security Descriptors. Is this to save time at boot up? Perhaps to reduce the number of files it has to parse? Or is this the same as the previous question?

$STANDARD_INFORMATION: Max Versions, Version Number and Class Id?

Are any of the three fields used?

Is $UsnJrnl's $J Data Stream a fixed size?

Is it a fixed size? Does it wrap around like $LogFile?

What does $UsnJrnl's $Max Data Stream do?

There's a time stamp, two fields that might be flags and a field that might be a length.

$MountMgrDatabase

What is the format of this stream?

MFT (FILE) Records

Will we only see MFT Extension records with inodes < 23? Is the sequence number always equal to the inode number for the Metadata?

MFT Mirr

How large is this if the cluster size is greater than 4kB?

Collation

Is a collation type ULONGS equivalent to GUID?

Security Descriptors

How are ACEs inherited?

    copy questions to relevant pages and x-link