NTFS


Windows NT 3.1 (the first version of NT despite the 3.1 designation) was released in August 1993 and introduced the New Technology File System (NTFS), which is unique to NT-based operating systems (including Windows 2000 and Windows XP) and is not supported by Windows 9x/Me. NTFS includes many advanced features not found in the FAT file systems.

NTFS is the native file system of Windows NT/2000/XP and Vista. Windows 2000 and later use an enhanced version of NTFS called NTFS 5 or NTFS 2000; Windows NT 4.0 must have Service Pack 4 or above installed to be capable of accessing an NTFS 5/NTFS 2000 disk. Although NT/2000/XP support FAT partitions (and Windows 2000/XP even support FAT32), NTFS provides many advantages over FAT, including long filenames, support for larger files and partitions, extended attributes, and increased security. NTFS, like all of Windows NT, was newly designed from the ground up. Backward-compatibility with previous Microsoft operating systems was not a concern because the developers were intent on creating an entirely new 32-bit platform. As a result, few operating systems other than Windows NT and Windows 2000/XP, which are based on Windows NT, can natively read NTFS partitions. More recently that has been changing; for example, Apple included the ability to read (but not write) NTFS volumes in Mac OS X 10.3 (Panther) and later versions. NTFS drivers have also become available for Linux, MS-DOS, and other OSs. Unfortunately, most of these solutions have had to be reverse engineered because Microsoft has kept the internal technical details of NTFS mostly private.

NTFS supports filenames of up to 255 characters, using spaces, multiple periods, and any other standard characters except the following: *?/\;<>. Since Windows NT 3.51, NTFS has also supported compression on a file-by-file (or folder-by-folder) basis through each file or folder's properties sheet. No third-party program, such as WinZip or PKZip, is needed to compress or decompress files stored on an NTFS drive. NTFS 5 also supports encryption on a file-by-file or folder-by-folder basis through the same properties sheet.

Tip

To access advanced file attributes under NTFS such as compression, encryption, and indexing, right-click the file or folder, select Properties, and click the Advanced button to bring up the Advanced properties dialog box.


NTFS supports larger volumes (up to 16TiB), larger files, and more files per volume than FAT. NTFS also uses smaller cluster sizes than even FAT32, resulting in more efficient use of a volume. For example, a 30GiB NTFS volume uses 4KiB clusters, whereas the same size volume formatted with FAT32 uses 16KiB clusters. Smaller clusters reduce wasted space on the volume. NTFS cluster sizes are shown in Table 10.37.

Table 10.37. NTFS Cluster Sizes

Volume Size          Sectors per Cluster    Cluster Size
16MiB–512MiB         1                      0.5KiB
>512MiB–1GiB         2                      1KiB
>1GiB–2GiB           4                      2KiB
>2GiB–2TiB [1]       8                      4KiB

MB = Megabyte = 1,000,000 bytes
GB = Gigabyte = 1,000MB = 1,000,000,000 bytes
TB = Terabyte = 1,000GB = 1,000,000,000,000 bytes
KiB = Kibibyte = 1,024 bytes
MiB = Mebibyte = 1,024KiB = 1,048,576 bytes
GiB = Gibibyte = 1,024MiB = 1,073,741,824 bytes
TiB = Tebibyte = 1,024GiB = 1,099,511,627,776 bytes


[1] Larger cluster sizes can be forced by altering the format parameters; however, file compression is disabled if clusters larger than 8 sectors (4KiB) are selected.

NTFS uses a special file structure called a master file table (MFT) and metadata files. The MFT is basically a relational database that consists of rows of file records and columns of file attributes. It contains at least one entry for every file on an NTFS volume. NTFS creates file and folder records for each file and folder created on an NTFS volume. These are stored in the MFT and consume 1KiB each. Each file record contains information about the position of the file record in the MFT, as well as file attributes and any other information about the file.

NTFS was designed to manage clusters using up to 64-bit numbers, which is an astronomical amount, but the current implementations use 32-bit numbers instead. Using 32-bit numbers allows for addressing up to 4,294,967,295 clusters, each of which is typically up to 4KiB.

NTFS reserves a total of 32 sectors for a 16-sector-long default volume boot sector and a backup boot sector. The default boot sector is located at the beginning (logical sector 0) of the volume, whereas the backup boot sector is written at the logical center of the volume (if it was formatted using NT 3.51 and earlier) or at the end of the volume (if it was formatted with NT 4.0 or later, including 2000 and XP).

An NTFS volume can therefore contain up to 34,359,738,392 total sectors (32 sectors reserved for the default and backup boot sectors, plus 4,294,967,295 clusters x 8 sectors), which is 17.59TB or 16.00TiB. The 32-bit sector numbering scheme used in the partition tables located in the MBR limits a single disk to no more than 4,294,967,295 (2^32 - 1) sectors, which is 2.2TB or 2TiB.

Windows 2000 and later versions (including XP Pro) can get around this on nonbootable drives by using a dynamic disk. Windows 2000 and XP Professional (but not XP Home) offer two types of storage: basic disks and dynamic disks. Basic disks use the same structures as before, with an MBR on the disk containing a partition table limited to four primary partitions per disk, or three primary partitions and one extended partition with unlimited logical drives. Primary partitions and logical drives on basic disks are known as basic volumes.

Dynamic disks were first introduced in Windows 2000 and provide the capability to create dynamic volumes that can be simple (using only one drive), spanned (using multiple drives), or striped (using multiple drives simultaneously for increased performance). Dynamic disks use a hidden database (contained in the last megabyte of the disk) to track information about dynamic volumes on the disk and about other dynamic disks in the computer. Because each dynamic disk in a computer stores a replica of the dynamic disk database, a corrupted database on one dynamic disk can be repaired using the database on another. By spanning or striping multiple drives using dynamic disk formats, you can exceed the 2TiB limit of a single MBR-based partition. Note, however, that dynamic disks and volumes are intended for use on servers and not standard desktop PCs. As such this book won't be going into much more detail on dynamic disks and volumes, and in general one should not create them on standard desktop or mobile systems.

Although the 32-bit sector numbering in the partition tables on MBR disks limits NTFS basic disks to 2TiB volumes, you can use dynamic volumes to create NTFS volumes larger than 2TiB by spanning or striping multiple basic disks to create a larger dynamic disk. Because the dynamic volumes are managed in the hidden database, they are not affected by the 2TiB limit imposed by the partition tables in the MBR. In essence, dynamic disks enable Windows 2000 and XP Pro to create NTFS volumes as large as 16TiB. The volume limits for NTFS are listed in Table 10.38.

Table 10.38. NTFS Volume Limits

Volume Limit         Clusters         Sectors per Cluster   Total Volume Sectors   Volume Size (Decimal)   Volume Size (Binary)
Minimum size         32,698           1                     32,730                 16.76MB                 15.98MiB
Basic disk max.      536,870,908      8                     4,294,967,295          2.2TB                   2TiB
Dynamic disk max.    4,294,967,295    8                     34,359,738,392         17.59TB                 16TiB



Some notable characteristics and features of NTFS include

  • Files are limited in size to 16TiB less 64KiB or by the size of the volume, whichever is lower. NTFS supports up to 4,294,967,295 (2^32 - 1) files on a volume.

  • NTFS is not normally used on removable media because NTFS does not flush data to the disk immediately. In addition, removing NTFS-formatted media without using the Safe Removal application can result in data loss. For removable media that can be ejected unexpectedly, you should use FAT12, FAT16, or FAT32 instead.

  • NTFS incorporates transaction logging and recovery techniques. In the event of a failure, upon reboot NTFS uses its log file and checkpoint information to restore the consistency of the file system.

  • NTFS dynamically remaps clusters found to contain bad sectors and then marks the defective cluster as bad so it will no longer be used.

  • NTFS has built-in security features. These enable you to set permissions on a file or folder.

  • NTFS has a built-in Encrypting File System (EFS). This performs dynamic encryption and decryption as you work with encrypted files or folders, while preventing others from doing so.

  • It enables the setting of disk quotas. You can track and control space usage for NTFS volumes among various users.

  • NTFS has built-in dynamic compression, which compresses and decompresses files as you use them.

NTFS Architecture: The MFT

Although NTFS partitions are very different from FAT partitions internally, they do comply with the extra-partitional disk structures described earlier in this chapter. NTFS partitions are listed in the master partition table of a disk drive's master boot record, just like FAT partitions, and they have a volume boot record as well, although it is formatted somewhat differently.

When a volume is formatted with NTFS, system files are created in the root folder of the NTFS volume. These system files can be stored at any physical location on the NTFS volume. This means that damage to any specific location on the disk will probably not render the entire partition inaccessible.

Typically, 12 NTFS system files (often referred to as metadata files) are created when you format an NTFS volume. Table 10.39 shows the names and descriptions for these files.

Table 10.39. NTFS System Files

Filename     Meaning                        Description
$mft         Master file table (MFT)        Contains a record for every file on the NTFS volume in its Data attribute
$mftmirr     Master file table2 (MFT2)      Mirror of the MFT used for recoverability purposes; contains the first four records in $mft or the first cluster of $mft, whichever is larger
$badclus     Bad cluster file               Contains all the bad clusters on the volume
$bitmap      Cluster allocation bitmap      Contains the bitmap for the entire volume, showing which clusters are used
$boot        Boot file                      Contains the volume's bootstrap if the volume is bootable
$attrdef     Attribute definitions table    Contains the definition of all system- and user-defined attributes on the volume
$logfile     Log file                       Logs file transactions; used for recoverability purposes
$quota       Quota table                    Table used to indicate disk quota usage for each user on a volume; used in NTFS 5
$upcase      Upcase table                   Table used for converting uppercase and lowercase characters to the matching uppercase Unicode characters
$volume      Volume                         Contains volume information, such as volume name and version
$extend      NTFS extension file            Stores optional extensions, such as quotas, object identifiers, and reparse point data
(no name)    Root filename index            The root folder (directory)


An NTFS partition is based on a structure called the master file table (MFT). The MFT concept expands on that of the FAT. Instead of using a table of cluster references, the MFT contains much more detailed information about the files and folders in the partition. In some cases, it even contains the files and folders themselves.

The first record in the MFT is called the descriptor, which contains information about the MFT itself. The volume boot record for an NTFS partition contains a reference that points to the location of this descriptor record. The second record in the MFT is a mirror copy of the descriptor, which provides fault tolerance, should the first copy be damaged.
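The following Python sketch is an added example, not code from the book. It reads the boot-sector fields that point at the MFT and derives the cluster size, the MFT byte offset, and the record size. The field offsets come from the publicly documented (reverse-engineered) NTFS boot-sector layout rather than from this page, and the sample sector, including its MFT cluster number, is constructed.

```python
import struct

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the NTFS boot-sector fields needed to locate the MFT."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes-per-sector value")
    if sectors_per_cluster not in (1, 2, 4, 8, 16, 32, 64, 128):
        raise ValueError("implausible sectors-per-cluster value")
    total_sectors, mft_lcn, mirror_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    (rec_code,) = struct.unpack_from("<b", sector, 0x40)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # Positive code: record size in clusters. Negative: 2**abs(code) bytes.
    record_size = rec_code * cluster_size if rec_code > 0 else 1 << -rec_code
    if record_size < 512:
        raise ValueError("implausible MFT record size")
    if mft_lcn >= total_sectors // sectors_per_cluster:
        raise ValueError("MFT cluster number lies outside the volume")
    return {
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_offset": mft_lcn * cluster_size,        # byte offset of $mft
        "mirror_offset": mirror_lcn * cluster_size,  # byte offset of $mftmirr
        "record_size": record_size,
        # Per footnote [1]: compression is disabled above 4KiB clusters.
        "compression_available": cluster_size <= 4096,
    }

def build_sample_boot_sector(sectors_per_cluster: int = 8,
                             mft_lcn: int = 786_432) -> bytes:
    """Constructed sector for a roughly 30GiB volume (all values are samples)."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                         # jump instruction
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, sectors_per_cluster)
    struct.pack_into("<QQQ", s, 0x28, 62_914_559, mft_lcn, 2)
    struct.pack_into("<b", s, 0x40, -10)             # 2**10 = 1KiB records
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    print(parse_ntfs_boot_sector(build_sample_boot_sector()))
```
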

The third record is the log file record. All NTFS transactions are logged to a file that can be used to restore data in the event of a disk problem. The bulk of the MFT consists of records for the files and folders stored on the partition. NTFS files take the form of objects that have both user- and system-defined attributes. Attributes on NTFS partitions are more comprehensive than the few simple flags used on FAT partitions. All the information on an NTFS file is stored as attributes of that file. In fact, even the file data itself is an attribute. Unlike FAT files, the attributes of NTFS files are part of the file itself; they are not listed separately in a folder entry. Folders exist as MFT records as well, but they consist mainly of indexes listing the files in the folder; they do not contain the size, date, time, and other information about the individual files.

Thus, an NTFS drive's MFT is much more than a cluster list, like a FAT; it is actually the primary data storage structure on the partition. If a file or folder is relatively small (less than approximately 1,500 bytes), the entire file or folder might even be stored in the MFT. For larger amounts of storage, the MFT record for a file or folder contains pointers to external clusters in the partition. These external clusters are called extents. All the records in the MFT, including the descriptors and the log file, are capable of using extents for storage of additional attributes. The attributes of a file that are part of the MFT record are called resident attributes, whereas those stored in extents are called nonresident attributes.
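The resident/nonresident distinction matters when examining a volume, because a small file's content can be read straight out of its MFT record. The Python sketch below is an added example, not code from the book: it walks the attributes of one file record, returns resident content directly, and decodes a nonresident attribute's run list into extents. The header offsets follow the publicly documented (reverse-engineered) NTFS layout rather than this page, the two sample records are constructed, and update-sequence fixups are left out.

```python
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def decode_runs(runlist: bytes) -> list:
    """Decode a run list into (start_cluster, cluster_count) extents."""
    runs, lcn, i = [], 0, 0
    while i < len(runlist) and runlist[i] != 0:      # a zero header byte ends the list
        len_sz, off_sz = runlist[i] & 0x0F, runlist[i] >> 4
        end = i + 1 + len_sz + off_sz
        if end > len(runlist):
            raise ValueError("truncated run list")
        count = int.from_bytes(runlist[i + 1:i + 1 + len_sz], "little")
        delta = int.from_bytes(runlist[i + 1 + len_sz:end], "little", signed=True)
        lcn += delta                                 # offsets are relative to the previous run
        runs.append((lcn if off_sz else None, count))  # None marks a sparse run
        i = end
    return runs

def walk_attributes(record: bytes) -> list:
    """Classify every attribute in one MFT file record as resident or nonresident."""
    if len(record) < 0x30 or record[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    first, _flags, used = struct.unpack_from("<HHI", record, 0x14)
    limit, pos, found = min(used, len(record)), first, []
    while pos + 8 <= limit:
        atype, alen = struct.unpack_from("<II", record, pos)
        if atype == 0xFFFFFFFF:                      # end-of-attributes marker
            break
        if alen < 0x18 or alen % 8 or pos + alen > limit:
            raise ValueError("bad attribute length")
        attr, name = record[pos:pos + alen], ATTR_NAMES.get(atype, hex(atype))
        if attr[8]:                                  # nonresident flag set
            if alen < 0x40:
                raise ValueError("nonresident header too short")
            (runs_off,) = struct.unpack_from("<H", attr, 0x20)
            (size,) = struct.unpack_from("<Q", attr, 0x30)
            found.append({"name": name, "resident": False, "size": size,
                          "extents": decode_runs(attr[runs_off:])})
        else:                                        # content is inside the record
            size, off = struct.unpack_from("<IH", attr, 0x10)
            if off + size > alen:
                raise ValueError("resident content runs past the attribute")
            found.append({"name": name, "resident": True, "size": size,
                          "content": attr[off:off + size]})
        pos += alen
    return found

def resident_attr(atype: int, content: bytes) -> bytes:
    length = (0x18 + len(content) + 7) & ~7
    head = struct.pack("<IIBBHHHIHH", atype, length, 0, 0, 0x18, 0, 0,
                       len(content), 0x18, 0)
    return (head + content).ljust(length, b"\0")

def nonresident_attr(atype: int, size: int, clusters: int, runlist: bytes) -> bytes:
    length = (0x40 + len(runlist) + 7) & ~7
    head = struct.pack("<IIBBHHHQQHHIQQQ", atype, length, 1, 0, 0x40, 0, 0,
                       0, clusters - 1, 0x40, 0, 0, clusters * 4096, size, size)
    return (head + runlist).ljust(length, b"\0")

def build_record(attrs: list) -> bytes:
    """Constructed 1KiB file record; update-sequence fixups are left out."""
    body = b"".join(attrs) + struct.pack("<II", 0xFFFFFFFF, 0)
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<HHI", rec, 0x14, 0x38, 0x01, 0x38 + len(body))
    rec[0x38:0x38 + len(body)] = body
    return bytes(rec)

# Constructed samples: a small file kept in the record, a larger one in two extents.
SMALL_FILE = build_record([resident_attr(0x80, b"hello, resident data")])
LARGE_FILE = build_record([nonresident_attr(
    0x80, 18000, 5, b"\x21\x02\x00\x10\x11\x03\xf0\x00")])
```

A record read from a real volume must have its update-sequence fixups applied before it is passed to `walk_attributes`.
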

NTFS 5 (NTFS 2000)

Along with Windows 2000 came a new variation of NTFS called NTFS 5 (also called NTFS 2000); NTFS 5 is also used by Windows XP. This update of the NT file system includes several new features that are exploited and even required by Windows 2000 and Windows XP. Because of this, when you install Windows 2000 or Windows XP, any existing NTFS volumes automatically are upgraded to NTFS 5 (there is no way to override this option). If you also run Windows NT versions earlier than Windows NT 4 Service Pack 4 (SP4), NT 4 is no longer capable of accessing the NTFS 5 volumes. If you want to run both NT 4 and Windows 2000 or Windows XP on the same system (as in a dual-boot configuration), you must upgrade NT 4 by installing Service Pack 4 or later. An updated NTFS.SYS driver in Service Pack 4 enables NT 4 to read from and write to NTFS 5 volumes.

New features of the NTFS 5 file system include

  • Disk quotas. System administrators can limit the amount of disk space users can consume on a per-volume basis. The three quota levels are Off, Tracking, and Enforced.

  • Encryption. NTFS 5 can automatically encrypt and decrypt files as they are read from and written to the disk (not available in Windows XP Home Edition).

  • Reparse points. Programs can trap open operations against objects in the file system and run their own code before returning file data. This can be used to extend file system features such as mount points, which you can use to redirect data read and written from a folder to another volume or physical disk.

  • Sparse files. This feature enables programs to create very large files as placeholders but to consume disk space by adding to the files only as necessary.

  • USN (Update Sequence Number) Journal. Provides a log of all changes made to files on the volume.

  • Mounted drives. You can attach volumes including drives and folders to an empty folder stored on an NTFS drive. For example, you can create a folder on one drive that allows you to access content stored on another drive.

Because these features, especially the USN Journal, are required for Windows 2000 to run, a Windows 2000/Server 2003 domain controller must use an NTFS 5 partition as the system volume.

NTFS Changes in Windows XP

The location of the MFT has changed in Windows XP versus Windows 2000 and Windows NT. In Windows 2000 and Windows NT, the MFT is typically located at the start of the disk space used by the NTFS file system. In Windows XP, the $logfile and $bitmap metadata files are located 3GB from the start of the disk space used by NTFS. As a result, system performance has been increased by 5%–8% in Windows XP over Windows 2000 or Windows NT.

Another improvement in Windows XP's implementation of NTFS is the amount of MFT information read into memory. During bootup, Windows XP reads only a few hundred kilobytes of MFT information if all drives are formatted with NTFS. However, if some or all of the drives are formatted with FAT32, many megabytes of information (the amount varies by the number of drives and the size of the drives) must be read during bootup. Thus, using NTFS utilizes system memory more efficiently.

NTFS Compatibility

Although NTFS partitions are not directly accessible by DOS and other operating systems, Windows NT/2000 is designed for network use, so other operating systems are expected to be capable of accessing NTFS files via the network. For this reason, NTFS continues to support the standard DOS file attributes and the 8.3 FAT naming convention.

One of the main reasons for using NTFS is the security it provides for files and folders. NTFS security attributes are called permissions and are designed to enable system administrators to control access to files and folders by granting specific rights to users and groups. This is a much more granular approach than the FAT file system attributes, which apply to all users.

However, you can still set the FAT-style attributes on NTFS files using the standard Windows NT/2000 file management tools, including Windows NT/2000 Explorer and even the command-prompt ATTRIB command. When you copy FAT files to an NTFS drive over the network, the FAT-style attributes remain in place until you explicitly remove them. This can be an important consideration because the FAT-style attributes take precedence over the NTFS permissions. A file on an NTFS drive that is flagged with the FAT read-only attribute, for example, can't be deleted by a Windows NT/2000 user, even if that user has NTFS permissions that grant her full access.

To enable DOS and 16-bit Windows systems to access files on NTFS partitions over a network, the file system maintains an 8.3 alias name for every file and folder on the partition. The algorithm for deriving the alias from the long filename is the same as that used by Windows 95's VFAT. Windows NT/2000 also provides its FAT partitions with the same type of long filename support used by VFAT, allocating additional folder entries to store the long filenames as necessary.

Creating NTFS Drives

NTFS is designed for use primarily on hard disk drives, and not removable storage. You can't create an NTFS floppy disk, although you can format some removable media (any that use an MBR and partitions), such as Iomega Zip and Jaz cartridges, to use NTFS. Three basic ways to create an NTFS disk partition are as follows:

  • Create a new NTFS volume out of unpartitioned disk space during the Windows NT/2000 installation process or after the installation with the Disk Administrator utility.

  • Format an existing partition to NTFS (destroying its data in the process), using the Windows NT Format dialog box (accessible from Windows NT Explorer or Disk Administrator) or the FORMAT command (with the /fs:ntfs switch) from the command prompt.

  • Convert an existing FAT partition to NTFS (preserving its data) during the Windows NT/2000 installation process or after the installation with the command-line CONVERT utility.

NTFS Tools

Because it uses a fundamentally different architecture, virtually none of the troubleshooting techniques outlined for FAT are applicable when dealing with NTFS partitions, nor can the disk utilities intended for use on FAT partitions address them. Windows NT has a rudimentary capability to check a disk for file system errors and bad sectors with its own version of CHKDSK, but apart from that, the operating system contains no other disk repair or defragmentation utilities. Windows 2000 and Windows XP include a command-line and GUI version of CHKDSK and also include a defragmenting tool that is run from the Windows Explorer GUI. Windows XP Professional also includes DiskProbe (DSKPROBE.exe), a direct disk sector editor, in its Windows Support Tools (the Windows 2000 Resource Kit also contains DiskProbe).

One difference between Windows 2000/XP's CHKDSK and Windows 9x/Me's SCANDISK is that CHKDSK cannot fix file system errors if it is run within the Windows GUI. If you run CHKDSK and select the Automatically Fix File System Errors option, you must schedule CHKDSK to run at the next system startup. You can run CHKDSK without this option to find file system problems; you can also run CHKDSK within the Windows GUI to look for and attempt to fix bad sectors.

Tip

You can use the FSUTIL command-line program in Windows XP and later to learn more about a particular drive's file system, including whether you need to run CHKDSK or a third-party disk repair tool. For example, to determine whether drive D: is dirty (has file system errors requiring repair), you would open a command prompt and enter this command:

 FSUTIL DIRTY QUERY D: 

For more examples of FSUTIL commands and syntax, enter FSUTIL with no options at a command prompt. Note that FSUTIL is not included with Windows 2000 or earlier versions.


The NTFS file system, however, does have its own automatic disk repair capabilities. In addition to Windows NT/2000/XP's fault-tolerance features, such as disk mirroring (maintaining the same data on two separate drives) and disk striping with parity (splitting data across several drives with parity information for data reconstruction), the OS has two features to help improve reliability:

  • Transaction management

  • Cluster remapping

NTFS can roll back any transaction (its term for a change to a file stored on an NTFS volume) if it isn't completed properly due to disk errors, running out of memory, or errors such as removing media or disconnecting a device before the transaction process is complete. Each transaction has five steps:

1. NTFS creates a log file of the metadata operations of the transaction (file updates, erasure, and so on) and caches the file in system memory.

2. NTFS stores the actual metadata operations in memory.

3. NTFS marks the transaction record in the log file as committed.

4. NTFS saves the log file to disk after the transaction is complete.

5. NTFS saves the actual metadata operations to disk after the transaction is complete.

This process is designed to prevent random data (lost clusters) on NTFS drives.

With cluster remapping, when Windows (NT/2000/XP) detects a bad sector on an NTFS partition, it automatically remaps the data in that cluster to another cluster. If the drive is part of a fault-tolerant drive array, any lost data is reconstructed from the duplicate data on the other drives.

Despite these features, however, there is still a real need for third-party disk repair and defragmentation utilities for Windows NT/2000/XP. These were scarce when Windows NT was first released, but third-party utilities that can repair and defragment NTFS drives are now widely available. One I recommend is Norton Utilities 2004 (also included in Norton SystemWorks 2005) by Symantec, which works with Windows 98, Windows Me, Windows 2000, and Windows XP. Earlier versions work with Windows NT 4.0 and Windows 95. If you are looking for even faster defragmentation, Golden Bow's (www.vopt.com) VoptXP (which also supports Windows 9x, Me, and 2000) is a longtime favorite because of its incredible speed and efficiency.




Upgrading and Repairing Microsoft Windows (2nd Edition)
ISBN: 0789736950
EAN: 2147483647
Year: 2005
Pages: 128
