Determining $Mft fragmentation

Thread in section "WASM.WIN32", created by IceStudent, 15 Feb 2005.

Thread status:
Closed.
  1. IceStudent

    I just can't figure out the subject.

    How do I get access to the MFT? CreateFile("c:\$Mft",...) fails with error 5.

    Or are there alternative ways? Something like FSCTL_GET_RETRIEVAL_POINTERS with StartingVcn based on the MFT information from NTFS_VOLUME_DATA_BUFFER.

    Can anyone give me a hint?
     
  2. volodya

    The FSCTL_GET_NTFS_VOLUME_DATA control code retrieves information about the specified NTFS volume.

    To perform this operation, call the DeviceIoControl function with the following parameters.

    BOOL DeviceIoControl(
      (HANDLE) hDevice,              // handle to device
      FSCTL_GET_NTFS_VOLUME_DATA,    // dwIoControlCode
      (LPVOID) lpInBuffer,           // lpInBuffer
      (DWORD) nInBufferSize,         // size of input buffer
      (LPVOID) lpOutBuffer,          // output buffer
      (DWORD) nOutBufferSize,        // size of output buffer
      (LPDWORD) lpBytesReturned,     // number of bytes returned
      (LPOVERLAPPED) lpOverlapped    // OVERLAPPED structure
    );
     
  3. volodya

    Parsing File System Metadata

    We also wanted to take periodic snapshots of each local NTFS partition, so that for every file we would know its name, size, attributes, and its physical location on the disk. For this we found valuable NTFS driver documentation and source code at http://www.informatik.hu-berlin.de/~loewis/ntfs.

    We found that just about all the data we need is in a special file in each partition called the Master File Table (MFT). This file, named $MFT, contains fixed-length records describing the attributes of each file (and directory, since directories are basically just special files). However, we can't just dump this file, for at least three reasons. First, the file is sparse: many files' attributes don't use an entire record and many records are unused because they correspond to deleted files. Second, an attribute can be nonresident, meaning that it's somewhere else on disk and only a pointer to it is in the MFT record. Third, the contents of a file are considered an attribute of the file, so recording the MFT would record file contents and violate the confidentiality of our users' data.

    So, instead, we do a depth-first search of the directory structure of each NTFS partition and, for each file, find and record certain non-data attributes of that file. Finding the metadata for a file requires knowing its file number, which is the index of the MFT record containing that file's attributes. The partition root always has file number 5.

    We still haven't explained how you read directly from a disk, or how you find specific MFT records. To read a raw disk on Windows NT and Windows 2000, a user-mode program can open a file called \\.\X:, where X is the appropriate drive letter. The first file block contains useful information: the size of a block (the 2-byte value at offset 0xB), the number of blocks in a cluster (the 1-byte value at offset 0xD), the number of clusters in an MFT record (the 1-byte value at offset 0x40), and the cluster number of the first MFT record (the 8-byte value at offset 0x30). The first MFT record is useful to find, since it contains the file attributes for $MFT itself. By parsing its data attribute information you can locate any MFT record. Then, parsing a file's MFT record reveals the entire file's attributes. (This is easy if you read the NTFS documentation described earlier and judiciously inspect sections of the Linux NTFS driver code.) If the file is actually a directory, you can parse its index allocation attribute to find the file numbers of its contents.
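
The boot-sector offsets listed in the quoted text above can be read as follows. This is an added example, not code from the thread or from the quoted paper. The names `ntfs_geom`, `rd_le`, `parse_ntfs_boot` and `make_sample` are hypothetical, the sample sector is constructed, and two details come from the standard NTFS layout rather than from the quote: the "NTFS    " OEM ID at offset 3, and the byte at 0x40 being signed (a negative value n means a record of 2^(-n) bytes).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct {                   /* hypothetical name, not a Windows type */
    uint32_t bytes_per_sector;     /* 2-byte value at 0x0B */
    uint32_t sectors_per_cluster;  /* 1-byte value at 0x0D (plain count assumed) */
    uint64_t mft_start_cluster;    /* 8-byte value at 0x30 */
    uint32_t mft_record_size;      /* bytes, derived from the byte at 0x40 */
    uint64_t mft_byte_offset;      /* where MFT record 0 starts on the volume */
} ntfs_geom;

static uint64_t rd_le(const uint8_t *p, int n) {   /* little-endian read */
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Returns 0 on success, -1 if the sector is not a plausible NTFS boot sector. */
int parse_ntfs_boot(const uint8_t *bs, size_t len, ntfs_geom *g) {
    if (len < 512 || memcmp(bs + 3, "NTFS    ", 8) != 0) return -1;
    g->bytes_per_sector = (uint32_t)rd_le(bs + 0x0B, 2);
    g->sectors_per_cluster = bs[0x0D];
    g->mft_start_cluster = rd_le(bs + 0x30, 8);
    if (g->bytes_per_sector < 256 || g->bytes_per_sector > 4096 || g->sectors_per_cluster == 0 ||
        (g->bytes_per_sector & (g->bytes_per_sector - 1)) != 0) return -1;
    uint64_t cluster = (uint64_t)g->bytes_per_sector * g->sectors_per_cluster;
    int c = (int8_t)bs[0x40];      /* signed: > 0 clusters, < 0 means 2^(-c) bytes */
    if (c == 0 || c < -31) return -1;
    g->mft_record_size = c > 0 ? (uint32_t)((uint64_t)c * cluster) : 1u << -c;
    if (g->mft_start_cluster > UINT64_MAX / cluster) return -1;  /* overflow guard */
    g->mft_byte_offset = g->mft_start_cluster * cluster;
    return 0;
}

/* Constructed sample: 512-byte sectors, 8 per cluster, MFT at cluster 0x0C0000. */
void make_sample(uint8_t bs[512]) {
    memset(bs, 0, 512);
    memcpy(bs + 3, "NTFS    ", 8);
    bs[0x0C] = 0x02; bs[0x0D] = 8; /* 0x0200 = 512 bytes per sector, 8 sectors per cluster */
    bs[0x32] = 0x0C;               /* 0x0C0000 = 786432 */
    bs[0x40] = 0xF6;               /* -10 -> 2^10 = 1024-byte records */
}

int main(void) {
    uint8_t bs[512]; ntfs_geom g;
    make_sample(bs);
    if (parse_ntfs_boot(bs, sizeof bs, &g) != 0) return 1;
    printf("MFT @ %llu, record %u bytes\n", (unsigned long long)g.mft_byte_offset, g.mft_record_size);
    return 0;
}
```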
     
  4. volodya

  5. bogrus

  6. IceStudent

    volodya

    I have that: it was on http://linux-ntfs.sourceforge.net, and it was on SysInternals (and not only there) too :).

    I was thinking of standard methods, like FSCTL_GET_NTFS_VOLUME_DATA and FSCTL_GET_RETRIEVAL_POINTERS, but I haven't figured out yet why they don't work with $Mft.
     