NTFS Partition Boot Sector

The following table describes the boot sector of a volume formatted with NTFS. When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code.

Byte Offset  Field Length  Field Name
0x00         3 bytes       Jump Instruction
0x03         LONGLONG      OEM ID
0x0B         25 bytes      BPB
0x24         48 bytes      Extended BPB
0x54         426 bytes     Bootstrap Code
0x01FE       WORD          End of Sector Marker

On NTFS volumes, the data fields that follow the BPB form an extended BPB. The data in these fields enables Ntldr (NT loader program) to find the master file table (MFT) during startup. On NTFS volumes, the MFT is not located in a predefined sector, as on FAT16 and FAT32 volumes. For this reason, the MFT can be moved if there is a bad sector in its normal location. However, if the data is corrupted, the MFT cannot be located, and Windows NT/2000 assumes that the volume has not been formatted.

The following example illustrates the boot sector of an NTFS volume formatted while running Windows 2000. The printout is formatted in three sections:

Bytes 0x00–0x0A are the jump instruction and the OEM ID (shown in bold print).
Bytes 0x0B–0x53 are the BPB and the extended BPB.
The remaining code is the bootstrap code and the end of sector marker (shown in bold print).

Physical Sector: Cyl 0, Side 1, Sector 1
00000000: EB 52 90 4E 54 46 53 20 - 20 20 20 00 02 08 00 00 .R.NTFS ........
00000010: 00 00 00 00 00 F8 00 00 - 3F 00 FF 00 3F 00 00 00 ........?...?...
00000020: 00 00 00 00 80 00 80 00 - 4A F5 7F 00 00 00 00 00 ........J.......
00000030: 04 00 00 00 00 00 00 00 - 54 FF 07 00 00 00 00 00 ........T.......
00000040: F6 00 00 00 01 00 00 00 - 14 A5 1B 74 C9 1B 74 1C ...........t..t.
00000050: 00 00 00 00 FA 33 C0 8E - D0 BC 00 7C FB B8 C0 07 .....3.....|....
00000060: 8E D8 E8 16 00 B8 00 0D - 8E C0 33 DB C6 06 0E 00 ..........3.....
00000070: 10 E8 53 00 68 00 0D 68 - 6A 02 CB 8A 16 24 00 B4 ..S.h..hj....$..
00000080: 08 CD 13 73 05 B9 FF FF - 8A F1 66 0F B6 C6 40 66 ...s......f...@f
00000090: 0F B6 D1 80 E2 3F F7 E2 - 86 CD C0 ED 06 41 66 0F .....?.......Af.
000000A0: B7 C9 66 F7 E1 66 A3 20 - 00 C3 B4 41 BB AA 55 8A ..f..f. ...A..U.
000000B0: 16 24 00 CD 13 72 0F 81 - FB 55 AA 75 09 F6 C1 01 .$...r...U.u....
000000C0: 74 04 FE 06 14 00 C3 66 - 60 1E 06 66 A1 10 00 66 t......f`..f...f
000000D0: 03 06 1C 00 66 3B 06 20 - 00 0F 82 3A 00 1E 66 6A ....f;. ...:..fj
000000E0: 00 66 50 06 53 66 68 10 - 00 01 00 80 3E 14 00 00 .fP.Sfh.....>...
000000F0: 0F 85 0C 00 E8 B3 FF 80 - 3E 14 00 00 0F 84 61 00 ........>.....a.
00000100: B4 42 8A 16 24 00 16 1F - 8B F4 CD 13 66 58 5B 07 .B..$......fX[..
00000110: 66 58 66 58 1F EB 2D 66 - 33 D2 66 0F B7 0E 18 00 fXfX.-f3.f......
00000120: 66 F7 F1 FE C2 8A CA 66 - 8B D0 66 C1 EA 10 F7 36 f......f..f....6
00000130: 1A 00 86 D6 8A 16 24 00 - 8A E8 C0 E4 06 0A CC B8 ......$.........
00000140: 01 02 CD 13 0F 82 19 00 - 8C C0 05 20 00 8E C0 66 ........... ...f
00000150: FF 06 10 00 FF 0E 0E 00 - 0F 85 6F FF 07 1F 66 61 ..........o...fa
00000160: C3 A0 F8 01 E8 09 00 A0 - FB 01 E8 03 00 FB EB FE ................
00000170: B4 01 8B F0 AC 3C 00 74 - 09 B4 0E BB 07 00 CD 10 .....<.t........
00000180: EB F2 C3 0D 0A 41 20 64 - 69 73 6B 20 72 65 61 64 .....A disk read
00000190: 20 65 72 72 6F 72 20 6F - 63 63 75 72 72 65 64 00 error occurred.
000001A0: 0D 0A 4E 54 4C 44 52 20 - 69 73 20 6D 69 73 73 69 ..NTLDR is missi
000001B0: 6E 67 00 0D 0A 4E 54 4C - 44 52 20 69 73 20 63 6F ng...NTLDR is co
000001C0: 6D 70 72 65 73 73 65 64 - 00 0D 0A 50 72 65 73 73 mpressed...Press
000001D0: 20 43 74 72 6C 2B 41 6C - 74 2B 44 65 6C 20 74 6F Ctrl+Alt+Del to
000001E0: 20 72 65 73 74 61 72 74 - 0D 0A 00 00 00 00 00 00 restart........
000001F0: 00 00 00 00 00 00 00 00 - 83 A0 B3 C9 00 00 55 AA ..............U.

The following table describes the fields in the BPB and the extended BPB on NTFS volumes. The fields starting at 0x0B, 0x0D, 0x15, 0x18, 0x1A, and 0x1C match those on FAT16 and FAT32 volumes. The sample values correspond to the data in this example. Multi-byte sample values are shown in on-disk (little-endian) byte order, so the Bytes Per Sector entry 0x0002 is the bytes 00 02, which decode to 0x0200 (512).

Byte Offset  Field Length  Sample Value        Field Name
0x0B         WORD          0x0002              Bytes Per Sector
0x0D         BYTE          0x08                Sectors Per Cluster
0x0E         WORD          0x0000              Reserved Sectors
0x10         3 BYTES       0x000000            always 0
0x13         WORD          0x0000              not used by NTFS
0x15         BYTE          0xF8                Media Descriptor
0x16         WORD          0x0000              always 0
0x18         WORD          0x3F00              Sectors Per Track
0x1A         WORD          0xFF00              Number Of Heads
0x1C         DWORD         0x3F000000          Hidden Sectors
0x20         DWORD         0x00000000          not used by NTFS
0x24         DWORD         0x80008000          not used by NTFS
0x28         LONGLONG      0x4AF57F0000000000  Total Sectors
0x30         LONGLONG      0x0400000000000000  Logical Cluster Number for the file $MFT
0x38         LONGLONG      0x54FF070000000000  Logical Cluster Number for the file $MFTMirr
0x40         DWORD         0xF6000000          Clusters Per File Record Segment
0x44         DWORD         0x01000000          Clusters Per Index Block
0x48         LONGLONG      0x14A51B74C91B741C  Volume Serial Number
0x50         DWORD         0x00000000          Checksum

Protecting the Boot Sector

Because a normally functioning system relies on the boot sector to access a volume, it is highly recommended that you run disk scanning tools such as Chkdsk regularly, and that you back up all of your data files to protect against data loss if you lose access to a volume. For more detailed information, see the resource kits on Microsoft's web site http://www.microsoft.com/windows/reskits/webresources/default.asp or the Microsoft Developers Network (MSDN) http://msdn.microsoft.com
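#pragma pack(push, 1) // on-disk layout: fields are not naturally aligned (WORD at 0x0B)
typedef struct _NTFS_BOOT_SECTOR
{
    BYTE Jumpto[3];        // jump instruction
    BYTE OemID[8];         // OEM ID
    WORD SecInByte;        // bytes per sector
    BYTE SecPerClr;        // sectors per cluster
    WORD ResSct;           // reserved sectors
    BYTE NtRevers0[5];     // not used by NTFS
    BYTE FormatID;         // media descriptor
    WORD SecPerFat;        // sectors per FAT
    WORD SecPerTrk;        // sectors per track
    WORD Sides;            // number of heads
    DWORD Hsector;         // hidden sectors
    DWORD BigTotalSec;     // NT UNUSED
    DWORD BigSecPerFat;    // NT UNUSED
    DWORD TotalSecLow;     // total sectors in the partition (low DWORD)
    DWORD TotalSecHigh;    // total sectors in the partition (high DWORD)
    DWORD MftBeginClustL;  // logical cluster number of the file $MFT (low DWORD)
    DWORD MftBeginClustH;
    DWORD MirBeginClustL;  // logical cluster number of the file $MFTMirr (low DWORD)
    DWORD MirBeginClustH;
    DWORD ClustPerRec;     // clusters per file record segment
    DWORD ClustPerIndex;   // clusters per index block
    DWORD NtSerialNoL;     // volume serial number (low DWORD)
    DWORD NtSerialNoH;
    DWORD NtCheckSum;      // checksum (a DWORD at 0x50 in the table above)
}NTFS_BOOT_SECTOR;
#pragma pack(pop)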
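BYTE buf[512]; // one 512-byte sector, reused for both reads (no heap buffer to leak on early return)
DWORD dwRead = 0;
// Read the boot sector and require a full sector before trusting any field.
if (!ReadFile(m_hPhysicalHD, buf, sizeof(buf), &dwRead, NULL) || dwRead != sizeof(buf))
    return FALSE;

NTFS_BOOT_SECTOR *pNtBS = (NTFS_BOOT_SECTOR*)buf;
m_dwSectorsPerCluster = pNtBS->SecPerClr;
m_dwReserved = pNtBS->ResSct;
m_dwSectorsPerFAT = pNtBS->SecPerFat;
m_dwMFTBeginClust = pNtBS->MftBeginClustL; // low DWORD only; MftBeginClustH is ignored

// +12 sectors is MFT record 6 ($Bitmap) when file records are 1024 bytes and sectors are 512 bytes.
DWORD dwBmpInfoBegin = m_dwStarting + m_dwMFTBeginClust*m_dwSectorsPerCluster + 12;
if (!JumpTo(m_hPhysicalHD, dwBmpInfoBegin))
    return FALSE;

dwRead = 0;
ZeroMemory(buf, sizeof(buf));
if (!ReadFile(m_hPhysicalHD, buf, sizeof(buf), &dwRead, NULL) || dwRead != sizeof(buf))
    return FALSE;

DWORD dwBmpSize;     // num of clusters of bitmap
DWORD dwBmpStarting; // starting cluster of bitmap
// Byte 312 is treated as a data-run header: its low nibble is the size in bytes
// of the run-length field. The starting cluster is always read as 4 bytes,
// whatever offset size the high nibble gives.
BYTE byTag = buf[312];
if ((byTag & 0x0f) == 1)
{
    dwBmpSize = (DWORD)buf[313];
    dwBmpStarting = *((DWORD*)(buf+314));
}
else
{
    dwBmpSize = (DWORD)*((WORD*)(buf+313));
    dwBmpStarting = *((DWORD*)(buf+315));
}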
...........
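The field table and sample dump above can be decoded and sanity-checked before any offset is trusted, as in the following added example (not code from the original page or from Microsoft). The names ntfs_geom, ntfs_parse_boot, ntfs_record_sector and sample_sector are hypothetical, the range checks are choices made for this example, and the signed reading of the byte at 0x40 (a negative value n means a file record of 2^|n| bytes) is standard NTFS behaviour that the page does not state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed: bytes 0x00-0x53 of the sample dump; bootstrap left zero, 55 AA marker added. */
static const uint8_t SAMPLE_BPB[0x54] = {
  0xEB,0x52,0x90,0x4E,0x54,0x46,0x53,0x20, 0x20,0x20,0x20,0x00,0x02,0x08,0x00,0x00,
  0x00,0x00,0x00,0x00,0x00,0xF8,0x00,0x00, 0x3F,0x00,0xFF,0x00,0x3F,0x00,0x00,0x00,
  0x00,0x00,0x00,0x00,0x80,0x00,0x80,0x00, 0x4A,0xF5,0x7F,0x00,0x00,0x00,0x00,0x00,
  0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x54,0xFF,0x07,0x00,0x00,0x00,0x00,0x00,
  0xF6,0x00,0x00,0x00,0x01,0x00,0x00,0x00, 0x14,0xA5,0x1B,0x74,0xC9,0x1B,0x74,0x1C, 0,0,0,0 };
typedef struct { uint32_t bps, spc, record_bytes; uint64_t total_sectors, mft_lcn, mirr_lcn; } ntfs_geom;
void sample_sector(uint8_t s[512]) {
    memset(s, 0, 512);
    memcpy(s, SAMPLE_BPB, sizeof SAMPLE_BPB);
    s[0x1FE] = 0x55; s[0x1FF] = 0xAA;
}
/* Little-endian read of n <= 8 bytes, independent of host byte order and alignment. */
static uint64_t le(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}
/* Returns 0, or a negative code naming the first check that failed. */
int ntfs_parse_boot(const uint8_t s[512], ntfs_geom *g) {
    if (memcmp(s + 3, "NTFS    ", 8) != 0) return -1;          /* OEM ID */
    if (s[0x1FE] != 0x55 || s[0x1FF] != 0xAA) return -2;      /* end of sector marker */
    g->bps = (uint32_t)le(s + 0x0B, 2); g->spc = s[0x0D];
    g->total_sectors = le(s + 0x28, 8);
    g->mft_lcn = le(s + 0x30, 8); g->mirr_lcn = le(s + 0x38, 8);
    if (g->bps < 256 || g->bps > 4096 || (g->bps & (g->bps - 1))) return -3;
    if (g->spc == 0 || (g->spc & (g->spc - 1))) return -4;    /* power of two, 1..128 */
    uint64_t clusters = g->total_sectors / g->spc;
    if (g->mft_lcn >= clusters || g->mirr_lcn >= clusters) return -5; /* outside the volume */
    int c = (int8_t)s[0x40];     /* signed: negative means 2^(-c) bytes, not clusters */
    if (c == 0 || c < -31) return -6;
    g->record_bytes = c < 0 ? 1u << -c : (uint32_t)c * g->spc * g->bps;
    return 0;
}
uint64_t ntfs_record_sector(const ntfs_geom *g, uint64_t n) { /* counted from volume start */
    return g->mft_lcn * g->spc + n * g->record_bytes / g->bps;
}
int main(void) {
    uint8_t s[512]; ntfs_geom g;
    sample_sector(s);
    if (ntfs_parse_boot(s, &g)) return 1;
    printf("record size %u bytes, record 6 ($Bitmap) at volume sector %llu\n",
           g.record_bytes, (unsigned long long)ntfs_record_sector(&g, 6));
    return 0;
}
```

On the sample volume the record size decodes to 1024 bytes, so MFT record 6 ($Bitmap) sits 12 sectors into the MFT, which is the constant hard-coded in the fragment above.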
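Inode  Filename  OS  Description
0      $MFT          Master File Table - an index of every file
1      $MFTMirr      Copy of the first four records of the MFT
2      $LogFile      Transactional logging file
3      $Volume       Serial number, creation time, dirty flag
4      $AttrDef      Attribute definitions
5      . (dot)       Root directory of the disk
6      $Bitmap       Contains the map of the volume's clusters (in use or free)
7      $Boot         Boot record of the volume
8      $BadClus      Lists the bad clusters on the volume
9      $Quota    NT  Quota information
9      $Secure   2K  Security descriptors used by the volume
10     $UpCase       Table of uppercase characters used for comparison
11     $Extend   2K  A directory: $ObjId, $Quota, $Reparse, $UsnJrnl
12-15  <Unused>      Marked as in use but empty
16-23  <Unused>      Marked as unused
Any    $ObjId    2K  Unique ID for each file
Any    $Quota    2K  Quota information
Any    $Reparse  2K  Reparse point information
Any    $UsnJrnl  2K  Security log
> 24   A_File        An ordinary file
> 24   A_Dir         An ordinary directory
...    ...           ...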
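File - $MFT (0)

Overview
In NTFS, everything on the disk is a file. Even the metadata is stored as a set of files. The Master File Table (MFT) is an index of every file on the volume. For each file, the MFT keeps a set of records called attributes, and each attribute stores a different type of information.

Attributes
Type  Description            Name
0x10  $STANDARD_INFORMATION
0x30  $FILE_NAME             $MFT
0x80  $DATA                  [Unnamed]
0xB0  $BITMAP                [Unnamed]

File layout
Unnamed data stream
The description of each file is split into file records. If one record is not large enough, an $ATTRIBUTE_LIST attribute is needed.

The first 24 files are reserved for system files. See the Files page for the complete list.

Inode  Filename  Description
0      $MFT      Master File Table - an index of every file
1      $MFTMirr  Copy of the first four records of the MFT
2      $LogFile  Transactional logging file
3      $Volume   Serial number, creation time, dirty flag
...    ...       ...

Notes
MFT Zone
To keep the MFT from becoming fragmented, Windows reserves a buffer zone for this file. New files are created in this zone only once the rest of the space has been used up. The size of the zone is configurable and is normally 12.5%, 25%, 37.5% or 50% of the volume. When the whole volume has been used up, the zone can be halved to make room for file data.

Other information
The MFT is self-referencing. The MFT reserves some space for future expansion. MFT records 12-15 are marked as in use but are empty. MFT records 16-23 are marked as unused, but are never used. Under Windows, the MFT cannot shrink while the system is running.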
NTFS - Attributes

Overview
Each MFT file record is made up of attributes. The list of possible attributes is defined in $AttrDef.

Type   OS  Name
0x10       $STANDARD_INFORMATION
0x20       $ATTRIBUTE_LIST
0x30       $FILE_NAME
0x40   NT  $VOLUME_VERSION
0x40   2K  $OBJECT_ID
0x50       $SECURITY_DESCRIPTOR
0x60       $VOLUME_NAME
0x70       $VOLUME_INFORMATION
0x80       $DATA
0x90       $INDEX_ROOT
0xA0       $INDEX_ALLOCATION
0xB0       $BITMAP
0xC0   NT  $SYMBOLIC_LINK
0xC0   2K  $REPARSE_POINT
0xD0       $EA_INFORMATION
0xE0       $EA
0xF0   NT  $PROPERTY_SET
0x100  2K  $LOGGED_UTILITY_STREAM

Attribute - $STANDARD_INFORMATION (0x10)
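Overview
In older versions of NTFS, this attribute held only the DOS file permissions and the file times. Windows 2000 introduced four new fields, which refer to quota, security, file size and logging information. As defined in $AttrDef, this attribute has a minimum size of 48 bytes and a maximum size of 72 bytes.

Attribute layout (resident)
Offset  Size  OS  Description
~       ~         Standard attribute header
0x00    8         File creation time
0x08    8         File modification time
0x10    8         MFT change time
0x18    8         File read time
0x20    4         DOS file permissions
0x24    4         Maximum number of versions
0x28    4         Version number
0x2C    4         Class Id
0x30    4     2K  Owner Id
0x34    4     2K  Security Id
0x38    8     2K  Quota charged
0x40    8     2K  Update Sequence Number (USN)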