
NTFS: a file system of integrity and complexity

NTFS is the file system used by the powerful, complicated Windows. Few file systems offer as many features, and to cover them all I would have to write a book. Indeed, there is even a book that deals with NTFS in detail, but it is already outdated. The idea of this article is not to cover all the features of NTFS, nor to present any of them in detail. Instead, we will cover its basic structure and outline some of the more advanced features, with examples of usage where possible. Let us focus on what NTFS does, not on how it does it. It is hard to stay in the middle ground between an informative article and a detailed one, so this article includes many references for those interested in more details.

Glossary of NTFS

  • Sector - the lowest-level unit of storage on a disk. It used to be 512 bytes, but is now moving to 4,096 bytes;

  • Cluster - the unit of disk space of a file system, made up of several sectors;

  • File System - a method for organizing and storing files and data;

  • Partition - a logical division of the data on a hard drive. It houses the formatted file system;

  • MBR - short for master boot record; it is both a sector and a partition, and stores information for booting the operating system;

  • Metadata - attributes that help describe data files, such as owner, size, creation date, file type, etc.;

  • MFT - short for master file table, which defines an NTFS partition or volume;

  • Basic disk - a basic disk or volume is a simple type of storage used by Windows;

  • Dynamic Disk - dynamic disks are a more advanced type of storage used by Windows. They are useful on computers with many disks. Dynamic disks provide features that basic disks do not offer, such as spanning, striping and RAID;

  • GUID partition table (GPT) - GPT is a new disk architecture that expands on the concept of the MBR, making very large file systems possible;

  • Slack - space wasted because of the file system's cluster size.

A file system of files

NTFS is a file system built out of files. The main one is the master file table, or MFT. The MFT is the main metadata file, and contains or points to all the other NTFS files. The list of files in the partition, the volume information, the cluster allocations: all are files. One exception is the master boot record, which is a system partition, not a file. It needs to be loaded by Windows for the file system to be booted.

Quotas

NTFS quotas are one way to ensure that certain users do not occupy the entire disk, and to monitor disk usage. Disk quotas are generally more useful on servers with multiple users, but a quota can also be used to display a warning before your disk is full, or to prevent your relatives from filling up the disk with their files.

Disk quotas can be created per user and per volume. You can configure a warning to be displayed when disk usage exceeds a preset limit. The warning can be issued to the user via email and to the administrator via a log entry. You can also set a hard quota, so that a user who exceeds the limit cannot save files until he deletes other files, another user takes over ownership of some of the files, or the administrator increases his quota. When quotas are set, a check of the available space will show values only for the user's quota.

To access the quotas on a PC, open Windows Explorer and right-click a disk volume, e.g., Local Disk (C:). Select Properties, Quota, Show Quota Settings.

To access the quotas on a server, open gpedit.msc (the Group Policy Editor). Navigate to Computer Configuration, Administrative Templates, System, Disk Quotas. On the right side, double-click the Default Quota Limit and Warning Level properties.

It is best practice to notify users before applying quotas, and to give them some kind of backup or archiving strategy. Some users take the imposition of quotas personally. Using quotas slightly increases processing overhead, so use them wisely.

Administrators can monitor quota-related events in the event logs. To do this, select Control Panel, System and Security, Administrative Tools, View Event Logs.

Better Backups with the shadow copy

Launched along with Windows Server 2003 and improved in Windows Server 2008, Shadow Copy enables better backups. When Microsoft launched Vista and Windows Server 2008, it replaced the venerable NTBackup utility with WBAdmin, or the Backup and Restore Center in Windows. Other names are Complete PC Backup or Windows Server Backup. The new backup system uses the volume snapshot service, which in turn depends on the shadow copy features of NTFS.

Shadow copies allow you to create a snapshot of the file system without having to deal with the problem of file contents changing during the backup. Shadow copies also get around the problem of files being locked during the backup. Administrators no longer need to take the server offline to release the file system locks held by users. Downtime affects productivity, and under ideal conditions, productivity is synonymous with money.

Shadow copies usually need no maintenance, but you can use vssadmin to create, delete, and list shadow copies. Click the Start button (bottom left), type CMD in the Search programs and files box; in the Programs section, right-click cmd.exe and choose Run as administrator. At the command line, type:

 vssadmin list providers

If you are using Windows Server, you can create a new volume shadow copy by typing (replace vol with the id of the volume):

 vssadmin create shadow /for=vol

If you are using Windows Server 2008 or later, use the DiskShadow command-line utility for scripting VSS operations.

Easy file compression

Remember how popular Stacker was a few decades ago? No? Stacker was a third-party add-on that made it possible to double the effective disk space for text and office files. It was easy to install, its use was transparent, and the whole thing was so cool that Microsoft took from the guys in that business to include file compression in Windows. And it got hit with a hell of a lawsuit because of this, let us say in passing.

On NTFS you can set compression for a specific file, for a specific folder, or for a folder and its subfolders.

To access compression: in Explorer, right-click a folder or file, select Properties, General tab, and click the Advanced button. Under Compress or Encrypt attributes, select Compress contents to save disk space. After you choose a folder, Windows will ask whether compression should be applied only to that folder or also to its subfolders and files. After a file or folder is compressed, the item is displayed in a different color (the default is blue).

NTFS compression uses the LZ77 method. There are many compression methods that offer higher compression, but LZ77 offers a good compromise between speed and compression. With non-binary files, compression usually reduces the size by 2x. You can compress MP3 files, JPEG images and video files, but LZ77 will not offer any better compression, because these files are already compressed.

When an uncompressed file is copied to a compressed folder, the file remains uncompressed. When a compressed file is copied to an uncompressed folder, the file is decompressed. The compressed files are decompressed transparently to the user or application that opens the file.

Alternate Data Streams

Alternate data streams must be the most underused feature of NTFS. A data stream is the set of data retrieved when an application opens a file. If an image editor opens a JPEG image, for example, it obtains a data stream with header information followed by the compressed JPEG image data. That is one data stream. Alternate data streams give a file the ability to have multiple streams. The Macintosh popularized this feature with its resource forks, which were used to store an application's icon and information about the layout and positioning of menus.

On NTFS, each stream has its own opportunistic locks, file locks, cluster size, file size and membership application. But every stream shares the file's permissions and file name. Windows uses alternate data streams to store file attributes. Right-click a file, click Properties and select the Details tab. You can add text fields such as title, keywords, revision number, etc. This information goes into an alternate data stream called SummaryInformation.

Here are some examples you can try on your PC (input in bold, output not in bold):

 C:\Users\Andrew> echo This goes to stream 1 > test.txt:Stream1
 C:\Users\Andrew> echo This goes to stream 2 > test.txt:Stream2
 C:\Users\Andrew> more < test.txt:Stream1
 This goes to stream 1
 C:\Users\Andrew> more < test.txt:Stream2
 This goes to stream 2

To view the streams of a file, use dir /R:

 C:\Users\Andrew> dir /R

 06/22/2010  11:01 AM                18 test.txt
                                     19 test.txt:Stream1:$DATA
                                     17 test.txt:Stream2:$DATA
                1 File(s)             18 bytes

Data streams can be used to combine data and executables. For example, you can create a single file that looks like a data file but can also run:

 C:\Users\Andrew> echo These data go here > data.txt
 C:\Users\Andrew> type test.exe > data.txt:data.exe
 C:\Users\Andrew> type data.txt
 These data go here
 C:\Users\Andrew> start .\data.txt:data.exe
 data.exe runs ...

There was a time when malware writers used streams to hide their nefarious designs. Soon the antivirus crowd caught on and added stream detection to their products. For an application to use an alternate stream, it must be written to do so. That is not the case for most applications, so alternate data streams are hardly used in Windows. Sysinternals has a good utility for this NTFS feature, streams.
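As an added example (not part of the original article), the script below parses `dir /R` output and triages every named stream it finds, which is the kind of check the stream detection mentioned above performs. The sample listing is constructed, and the extension list and the set of expected stream names are assumptions to tune for your environment.

```python
import re

# Constructed sample of `dir /R` output (not captured from a real system).
SAMPLE_DIR_R = r"""
 Directory of C:\Users\Andrew

06/22/2010  11:01 AM                18 test.txt
                                    19 test.txt:Stream1:$DATA
                                    17 test.txt:Stream2:$DATA
06/22/2010  11:05 AM                20 data.txt
                                 73216 data.txt:data.exe:$DATA
06/22/2010  11:07 AM              1024 setup.zip
                                    26 setup.zip:Zone.Identifier:$DATA
06/22/2010  11:09 AM                 5 plain.txt
               4 File(s)          1067 bytes
"""

# Stream lines have no date column: "<size> <file>:<stream>:$DATA".
STREAM_LINE = re.compile(r"^\s+([\d.,]+)\s+(.+):([^:\\]+):\$DATA\s*$")
# Assumed triage lists; adjust both for your environment.
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")
EXPECTED_STREAMS = {"zone.identifier"}  # attached by Windows to downloaded files


def parse_streams(dir_output):
    """Return (file, stream, size) for every named stream in `dir /R` output."""
    found = []
    for line in dir_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(re.sub(r"[.,]", "", m.group(1)))  # drop thousands separators
            found.append((m.group(2), m.group(3), size))
    return found


def triage(streams):
    """Label each stream 'expected', 'executable-name' or 'review'."""
    report = []
    for name, stream, size in streams:
        if stream.lower() in EXPECTED_STREAMS:
            label = "expected"
        elif stream.lower().endswith(EXECUTABLE_EXTS):
            label = "executable-name"
        else:
            label = "review"
        report.append((label, f"{name}:{stream}", size))
    return report


if __name__ == "__main__":
    for label, path, size in triage(parse_streams(SAMPLE_DIR_R)):
        print(f"{label:16} {size:>8}  {path}")
```

A stream name proves nothing about its content, so treat the labels as a starting point for review rather than a verdict.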

File Screen

Strictly speaking, file screening is not a feature of the file system but of the file server. Because it is a nice feature, it is covered here. Screening makes it possible to create a file policy on the server, enabling the blocking of specified file types. Don't want anyone downloading MP3 or video files to your computer? Lock 'em out! Here's how.

Open and expand the File Server Resource Manager, double-click File Screening Management, select the File Screens node, click Actions, then click Create File Screen. In the file screen path box, select the folder where the screening will be applied (e.g., C:\Documents and Settings). Choose whether to copy the properties from a template or to define them yourself to set your screening parameters. Click Create to create the new file screen.

You can create several reports on file screening activity using the File Server Resource Manager.

Volume mount points

Volume mount points are more useful in server environments, but they are worth knowing about because they work on PCs too. A volume is a partition with a single name. The most popular volume, obviously, is the C: drive. A home PC may have only one volume, but a server environment can have dozens of them. What happens if you have partitions assigned from A: to Z: and still have to mount more volumes? That's where mount points come in. Mount points allow you to mount and manage many volumes without using the C:-style naming convention.

Mount points let you link multiple volumes seamlessly. They work like this: click the Start button in the lower left corner, go to Control Panel, System and Security, Administrative Tools, Create and format hard disk partitions. The Disk Management utility will open. Choose an empty partition or create one. After you select the size, a dialog box will appear. Select Mount in the following empty NTFS folder and select the empty folder in which you want to mount the volume. The new volume can be formatted, and you can give it a name. That's it: the new volume is mounted in the empty folder. The mount point is labeled with the Mounted Volume property and designated by an icon.

Mounting a volume is a great way to get around the problem of a full C: partition, and also to expand the file system on demand. The mountvol utility offers a way to create, delete and list volume mount points from the command line and for use in scripts.

Hard links, symbolic links and junction points

Vista brought link features that have been available for some time in the UNIX/Linux communities. A hard link looks (and acts) like the file or folder it points to. If you change an attribute on the link, it changes on the underlying file or folder. If you delete a hard link, you delete the underlying file or folder.

To create a hard link, open the command line and type:

 mklink /h new_link link_target

With the arrival of Vista, symbolic links replaced junction points. A symlink is a file that points to the underlying file or folder. It may have access permissions different from those of the target, and it can link across different disk volumes. The symbolic link can be deleted without affecting the target item. It can also point to network shares, something a junction cannot do (a junction can only point to directories; symbolic links can point to files).

And why use a symbolic link? Suppose you have deep file paths, and are tired of typing long paths or clicking through folders in Explorer. Create a link to the item in question, and presto, there's your shortcut. More importantly, you can manage application versions or create a folder hierarchy completely separate from the pre-existing one. This is useful for those who write code for two different platforms (like Mac, for example).

To create a symbolic link, open the command line and type:

 mklink new_link target

A symbolic link is shown in Explorer with a white-arrow icon. Right-click the symbolic link, choose Properties and the Shortcut tab. The tab will list the symbolic link and the path to the target.

Be careful when deleting links: use rmdir. Do not use Explorer to delete a link, and do not use del /s. Why? Because both will recursively delete the target item and everything under it. Also be careful not to create a namespace cycle with links. That essentially creates a circular folder path, and it can trip up your antivirus and your system utilities.

And the logs?

NTFS uses journaling to recover from errors more efficiently. When a file is written to disk, several things need to happen. First, disk space must be allocated; then the data is written to disk as clusters of sectors; then the metadata is updated to reflect the location on disk, creation date, file size, owner, permissions, etc. If the power goes out, or if the system crashes before the process is complete, several bad things can happen. The space can be allocated and written, but the metadata not updated. The result: orphaned clusters. If the file existed and was being updated, it can be truncated while the metadata is not updated. In that case, the file would be smaller than the size listed. In the FAT days, these errors were corrected with chkdsk. All the time.

Journaling avoids these problems by keeping the file system in a "presentable" state. To do that, updates to the file system are logged in $LogFile before being written to the file system. The first step is to set the volume's dirty bit. Every operation that modifies a file on an NTFS volume is processed as a transaction, stored in $LogFile and separated by checkpoints. Each transaction is independent of the others, and is processed by the log file service. This service creates Undo and Redo entries in $LogFile. Redo allows a transaction to be rolled forward, that is, completed. Undo allows the transaction to be reversed without damaging the file system.

If the system crashes during a write operation, Windows detects the dirty bit on reboot, starts the log file service and makes three passes over $LogFile. The first is an analysis pass to determine whether any cluster needs to be corrected, the second performs redos, and the third performs undos on transactions that could not be completed.
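The three passes can be followed on a small model. This is an added example, not code from the original article, and it is a simplified simulation rather than the real $LogFile record format: the log entries, the metadata keys and the function names are all constructed for the illustration.

```python
# Constructed log, written before the metadata itself is touched. Each update
# carries both values: (kind, transaction, key, undo_value, redo_value).
LOG = [
    ("update", 1, "mft[42].size", 0, 4096),
    ("update", 1, "bitmap[900]", "free", "used"),
    ("commit", 1),
    ("update", 2, "bitmap[901]", "free", "used"),
    ("update", 2, "mft[43].name", None, "report.doc"),
    # power lost here: transaction 2 has no commit record
]


def recover(volume, log):
    """Run the analysis, redo and undo passes; return the incomplete transactions."""
    if not volume["dirty"]:
        return set()                      # clean shutdown, nothing to replay
    meta = volume["metadata"]

    # Pass 1, analysis: which transactions reached their commit record?
    committed = {rec[1] for rec in log if rec[0] == "commit"}
    incomplete = {rec[1] for rec in log if rec[0] == "update"} - committed

    # Pass 2, redo: roll every logged update forward, in log order.
    for rec in log:
        if rec[0] == "update":
            meta[rec[2]] = rec[4]

    # Pass 3, undo: reverse incomplete transactions, newest record first.
    for rec in reversed(log):
        if rec[0] == "update" and rec[1] in incomplete:
            if rec[3] is None:
                meta.pop(rec[2], None)    # the key did not exist before
            else:
                meta[rec[2]] = rec[3]

    volume["dirty"] = False
    return incomplete


def crashed_volume():
    """State at power loss: txn 1 half flushed, txn 2 left a cluster allocated."""
    return {"dirty": True,
            "metadata": {"mft[42].size": 0, "bitmap[900]": "used",
                         "bitmap[901]": "used"}}


if __name__ == "__main__":
    vol = crashed_volume()
    print("rolled back:", recover(vol, LOG))
    print(vol["metadata"])
```

After recovery the committed size change is in place and cluster 901, which was allocated without a file record, is free again instead of orphaned.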

The following operations modify an NTFS volume and create transactions in the log: create, delete, truncate, set file information, rename and change security.

Journaling prevents inconsistencies in the NTFS metadata, but it does not prevent data loss. If your PC shuts off in the middle of a long write operation, it is likely that you will lose data. At least you can avoid a lengthy chkdsk check on startup and the possibility of a corrupted file system.

There is not much concrete you can do with $LogFile, except score points when chatting with other sysadmins. But it is worth highlighting a good utility for examining the file system, fsutil. It is a Swiss army knife that deals with the change journal, volume management, quotas, hard links, file system information and a wide variety of file system parameters.

Click the Start button (bottom left), type CMD in the Search programs and files box; in the Programs section, right-click cmd.exe and choose Run as administrator. At the command line, type:

fsutil fsinfo drives

- lists all drives

fsutil dirty query C:

- checks whether the dirty bit is set on C:

fsutil fsinfo statistics C:

- lists the statistics for C:

fsutil behavior set disablelastaccess 1

- a mischievous hack that disables updating of the last access date and improves file system performance. It can affect backup programs.
