NTFS

NTFS

Developer	Microsoft
Full name	New Technology File System[1]
Introduced	July 1993 (Windows NT 3.1)
Partition identifier	0x07 (MBR) EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (GPT)
Structures
Directory contents	B+ tree[2]
File allocation	Bitmap
Bad blocks	$badclus (MFT Record)
Limits
Max. file size	16 EiB – 1 KiB (format); 16 TiB – 64 KiB (Windows 7, Windows Server 2008 R2 or earlier implementation)[3] 256 TiB – 64 KiB (Windows 8, Windows Server 2012 implementation)[4]
Max. number of files	4,294,967,295 (232-1)[3]
Max. filename length	255 UTF-16 code units[5]
Max. volume size	264 clusters − 1 cluster (format); 256 TiB − 64 KiB (implementation)[3]
Allowed characters in filenames	In Posix namespace, any UTF-16 code unit (case sensitive) except U+0000 (NUL) and / (slash). In Win32 namespace, any UTF-16 code unit (case insensitive) except U+0000 (NUL) / (slash) \ (backslash) : (colon) * (asterisk) ? (Question mark) " (quote) < (less than) > (greater than) and | (pipe) [5]
Features
Dates recorded	Creation, modification, POSIX change, access
Date range	1 January 1601 – 28 May 60056 (File times are 64-bit numbers counting 100-nanosecond intervals (ten million per second) since 1601, which is 58,000+ years)
Date resolution	100 ns
Forks	Yes (see Alternate data streams below)
Attributes	Read-only, hidden, system, archive, not content indexed, off-line, temporary, compressed
File system permissions	ACLs
Transparent compression	Per-file, LZ77 (Windows NT 3.51 onward)
Transparent encryption	Per-file, DESX (Windows 2000 onward), Triple DES (Windows XP onward), AES (Windows XP Service Pack 1, Windows Server 2003 onward)
Data deduplication	Yes (Windows Server 2012)[6]
Supported operating systems	Windows NT 3.1 and later OS X 10.3 and later

NTFS (New Technology File System) is a proprietary file system developed by Microsoft.^[1] Starting with Windows NT 3.1, it is the default file system of Windows NT family.^[7]

NTFS supersedes FAT file system. NTFS has several technical improvements over FAT and HPFS (High Performance File System), such as improved support for metadata, and the use of advanced data structures to improve performance, reliability, and disk space utilization, plus additional extensions, such as security access control lists (ACL) and file system journaling.

History

In the mid-1980s, Microsoft and IBM formed a joint project to create the next generation of graphical operating system. The result of the project was OS/2, but Microsoft and IBM disagreed on many important issues and eventually separated: OS/2 remained an IBM project and Microsoft worked on Windows NT. The OS/2 file system HPFS contained several important new features. When Microsoft created their new operating system, they borrowed many of these concepts for NTFS.^[8] Probably as a result of this common ancestry, HPFS and NTFS share the same disk partition identification type code (07). Sharing an ID is unusual, since there were dozens of available codes, and other major file systems have their own code. FAT has more than nine (one each for FAT12, FAT16, FAT32, etc.). Algorithms identifying the file system in a partition type 07 must perform additional checks. It is also clear that NTFS owes some of its architectural design to Files-11 used by VMS. Dave Cutler was the main lead for both VMS and Windows NT.

Versions

Microsoft has released five versions of NTFS:

• v1.0: Released with Windows NT 3.1 in 1993.^[7] v1.0 is incompatible with v1.1 and newer: Volumes written by Windows NT 3.5x cannot be read by Windows NT 3.1 until an update (available on the NT 3.5x installation media) is installed.^[9]
• v1.1: Released with Windows NT 3.5, in fall 1994^{[citation needed]}
• v1.2: Released with Windows NT 3.51 in 1995. Supports compressed files, named streams and access control lists^[2]
• v3.0: Released with Windows 2000.^[10] Supports disk quotas, Encrypting File System, sparse files, reparse points, update sequence number (USN) journaling, the $Extend folder and its files. Reorganized security descriptors so that multiple files using the same security setting can share the same descriptor.^[2]
• v3.1: Released with Windows XP in autumn 2001. Expanded the Master File Table (MFT) entries with redundant MFT record number (useful for recovering damaged MFT files).

The NTFS.sys version number (e.g. v5.0 in Windows 2000) should not be confused with the NTFS format version number (v3.1 since Windows XP).^[11]

Windows Vista implemented Transactional NTFS, NTFS symbolic links, partition shrinking and self-healing.^[12] All except NTFS symbolic links are operating system's features. Windows Vista also introduced persistent shadow copies for use with System Restore and Previous Versions features. Persistent shadow copies, however, are deleted when the older operating system mounts that NTFS volume. This happens because the older operating system does not understand the newer format of persistent shadow copies.^[13]

Features

NTFS v3.0 includes several new features over its predecessors: sparse file support, disk usage quotas, reparse points, distributed link tracking, and file-level encryption, also known as the Encrypting File System (EFS).

NTFS Log

NTFS is a journaling file system and uses the NTFS Log ($LogFile) to record metadata changes to the volume.

It is a critical functionality of NTFS (a feature that FAT/FAT32 does not provide) for ensuring that its internal complex data structures (notably the volume allocation bitmap), or data moves performed by the defragmentation API, the modifications to MFT records (such as moves of some variable-length attributes stored in MFT records and attribute lists), and indices (for directories and security descriptors) will remain consistent in case of system crashes, and allow easy rollback of uncommitted changes to these critical data structures when the volume is remounted.

USN Journal

The USN Journal (Update Sequence Number Journal) is a system management feature that records changes to files, streams and directories on the volume, as well as their various attributes and security settings. The journal is made available for applications to track changes to the volume.^[14] This journal can be enabled or disabled on non-system volumes^[15] and is not enabled by default for a newly added drive.^{[citation needed]}

Hard links and short filename support

Hard links allows different file names to refer to the same file contents.

Hard links are similar to directory junctions, but refer to files instead. Hard links may link to files in the same volume only because each volume has its own MFT. Hard links have their own file metadata, so a change in file size or attributes under one hard link may not update the others until they are opened.^[16]

Hard links were originally included to support the POSIX subsystem in Windows NT.^[17]

Short (8.3) filenames was a limitation of the original FAT file system. Operating system support is needed because there are legacy applications that can work only with 8.3 filenames. Windows uses hard links to support short (8.3) filenames in NTFS. In this case, an additional filename record and directory entry is added, but both 8.3 and long file name are linked and updated together, unlike a regular hard link.

Alternate data streams (ADS)

Alternate data streams allow more than one data stream to be associated with a filename, using the format "filename:streamname" (e.g., "text.txt:extrastream").

NTFS Streams were introduced in Windows NT 3.1, to enable Services for Macintosh (SFM) to store resource forks. Although current versions of Windows Server no longer include SFM, third-party Apple Filing Protocol (AFP) products (such as GroupLogic's ExtremeZ-IP) still use this feature of the file system. Very small ADS (called Zone.Identifier) are added by Internet Explorer and recently by other browsers to mark files downloaded from external sites as possibly unsafe to run; the local shell would then require user confirmation before opening them.^[18] When the user indicates that they no longer want this confirmation dialog, this ADS is deleted.

Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. Only the first stream is preserved when a file is copied to a FAT-formatted USB drive, is attached to an e-mail, or is uploaded to a website, so using alternate streams for critical data may cause problems. Microsoft provides a tool called Streams^[19] to view streams on a selected volume. Starting with Windows PowerShell 3.0, it is possible to manage ADS natively with seven cmdlets: Add-Content, Clear-Content, Get-Content, Get-Item, Out-String, Remove-Item, Set-Content.^{[citation needed]}

Malware has used alternate data streams to hide code.^[20] As a result, malware scanners and other special tools now check for alternate data streams.

File compression

NTFS can compress files using LZNT1 algorithm (a variant of the LZ77^[21]). Files are compressed in 16-cluster chunks. With 4 kB clusters, files are compressed in 64 kB chunks. If the compression reduces 64 kB of data to 60 kB or less, NTFS treats the unneeded 4 kB pages like empty sparse file clusters—they are not written. This allows for reasonable random-access times - the OS just has to follow the chain of fragments. However, large compressible files become highly fragmented since every chunk < 64KB becomes a fragment.^[22][23] Single-user systems with limited hard disk space can benefit from NTFS compression for small files, from 4 kB to 64 kB or more, depending on compressibility. Files less than 900 bytes or so are stored within the directory entry at the MFT.^[24]

Flash memory, such as SSD drives do not have the head movement delays of hard disk drives, so fragmentation has only small effects. Users of fast multi-core processors will find improvements in application speed by compressing their applications and data as well as a reduction in space used.^[25] Note that SSDs with Sandforce controllers already compress data. However, since less data is transferred, there is a reduction in I/Os.

The best use of compression is for files that are repetitive, seldom written, usually accessed sequentially, and not themselves compressed. Log files are an ideal example.

Compressing system files needed at boot time, like drivers, NTLDR, winload.exe, or BOOTMGR may prevent the system from booting correctly, as compression filters are not available then.^[26] However, in later editions of Windows, compression of important system files is disallowed.

Files may be compressed or decompressed individually (via changing the advanced attributes) for a drive, directory, or directory tree, becoming a default for the files inside.

Although read–write access to compressed files is mostly^[27] transparent, Microsoft recommends avoiding compression on server systems and/or network shares holding roaming profiles because it puts a considerable load on the processor.^[28] Compression is not recommended by Microsoft for files exceeding 30 MB because of the performance hit.^{[citation needed]} Since many fragments are created for compressible files, defragmentation may take longer.

Sparse files

Sparse files are files interspersed with empty segments for which no actual storage space is used. To the applications, the file looks like an ordinary file with empty regions seen as regions filled with zeros.^[29]

Database applications, for instance, may use sparse files.^[30] As with compressed files, the actual sizes of sparse files are not taken into account when determining quota limits.^[31]

Volume Shadow Copy

The Volume Shadow Copy Service (VSS) keeps historical versions of files and folders on NTFS volumes by copying old, newly overwritten data to shadow copy (copy-on-write). The old file data is overlaid on the new when the user requests a revert to an earlier version. This also allows data backup programs to archive files currently in use by the file system. On heavily loaded systems, Microsoft recommends setting up a shadow copy volume on a separate disk.^[32]

Transactional NTFS

As of Windows Vista, applications can use Transactional NTFS to group changes to files together into a transaction. The transaction will guarantee that all changes happen, or none of them do, and it will guarantee that applications outside the transaction will not see the changes until they are committed.^[33]

It uses similar techniques as those used for Volume Shadow Copies (i.e. copy-on-write) to ensure that overwritten data can be safely rolled back, and a CLFS log to mark the transactions that have still not been committed, or those that have been committed but still not fully applied (in case of system crash during a commit by one of the participants).

Transactional NTFS does not restrict transactions to just the local NTFS volume, but also includes other transactional data or operations in other locations such as data stored in separate volumes, the local registry, or SQL databases, or the current states of system services or remote services. These transactions are coordinated network-wide with all participants using a specific service, the DTC, to ensure that all participants will receive same commit state, and to transport the changes that have been validated by any participant (so that the others can invalidate their local caches for old data or rollback their ongoing uncommitted changes). Transactional NTFS allows, for example, the creation of network-wide consistent distributed filesystems, including with their local live or offline caches.

Encrypting File System (EFS)

EFS provides strong^[34] and user-transparent encryption of any file or folder on an NTFS volume. EFS works in conjunction with the EFS service, Microsoft's CryptoAPI and the EFS File System Run-Time Library (FSRTL). EFS works by encrypting a file with a bulk symmetric key (also known as the File Encryption Key, or FEK), which is used because it takes a relatively small amount of time to encrypt and decrypt large amounts of data than if an asymmetric key cipher is used. The symmetric key that is used to encrypt the file is then encrypted with a public key that is associated with the user who encrypted the file, and this encrypted data is stored in an alternate data stream of the encrypted file. To decrypt the file, the file system uses the private key of the user to decrypt the symmetric key that is stored in the file header. It then uses the symmetric key to decrypt the file. Because this is done at the file system level, it is transparent to the user.^[35] Also, in case of a user losing access to their key, support for additional decryption keys has been built into the EFS system, so that a recovery agent can still access the files if needed. NTFS-provided encryption and NTFS-provided compression are mutually exclusive; however, NTFS can be used for one and a third-party tool for the other.

The support of EFS is not available in Basic, Home and MediaCenter versions of Windows, and must be activated after installation of Professional, Ultimate and Server versions of Windows or by using enterprise deployment tools within Windows domains.

Quotas

Disk quotas were introduced in NTFS v3. They allow the administrator of a computer that runs a version of Windows that supports NTFS to set a threshold of disk space that users may use. It also allows administrators to keep track of how much disk space each user is using. An administrator may specify a certain level of disk space that a user may use before they receive a warning, and then deny access to the user once they hit their upper limit of space. Disk quotas do not take into account NTFS's transparent file-compression, should this be enabled. Applications that query the amount of free space will also see the amount of free space left to the user who has a quota applied to them.

Reparse points

This feature was introduced in NTFS v3. Reparse points are used by associating a reparse tag in the user space attribute of a file or directory. When the object manager (see Windows NT line executive) parses a file system name lookup and encounters a reparse attribute, it will reparse the name lookup, passing the user controlled reparse data to every file system filter driver that is loaded into Windows. Each filter driver examines the reparse data to see whether it is associated with that reparse point, and if that filter driver determines a match, then it intercepts the file system call and executes its special functionality. Reparse points are used to implement Volume Mount Points, Directory Junctions, Hierarchical Storage Management, Native Structured Storage, Single Instance Storage, and Symbolic Links.^{[citation needed]}

Volume mount points

Volume mount points are similar to Unix mount points, where the root of another file system is attached to a directory. In NTFS, this allows additional file systems to be mounted without requiring a separate drive letter (such as C: or D:) for each.

Once a volume has been mounted on top of an existing directory of another volume, the contents previously listed in that directory become invisible and are replaced by the content of the root directory of the mounted volume. The mounted volume could still have its own drive letter assigned separately. The file system does not allow volumes to be mutually mounted on each other. Volume mount points can be made to be either persistent (remounted automatically after system reboot) or not persistent (must be manually remounted after reboot).^{[citation needed]}

Mounted volumes may use other file systems than just NTFS; notably they may be remote shared directories, possibly with their own security settings and remapping of access rights according to the remote file system policy.^{[citation needed]}

Directory junctions

Directory junctions are similar to volume mount points, but reference other directories in the file system instead of other volumes. For instance, the directory C:\exampledir with a directory junction attribute that contains a link to D:\linkeddir will automatically refer to the directory D:\linkeddir when it is accessed by a user-mode application.^[2] This function is conceptually similar to symbolic links to directories in Unix, except that the target in NTFS must always be another directory (typical Unix file systems allow the target of a symbolic link to be any type of file).

Directory joins (which can be created with the command MKLINK /J junctionName targetDirectory and removed with RMDIR junctionName from a console prompt) are persistent, and resolved on the server side as they share the same security realm of the local system or domain on which the parent volume is mounted and the same security settings for its contents as the content of the target directory; however the junction itself may have distinct security settings. Unlinking a directory junction join does not delete files in the target directory.^{[citation needed]}

Note that some directory junctions are installed by default on Windows Vista, for compatibility with previous versions of Windows, such as Documents and Settings in the root directory of the system drive, which links to the Users physical directory in the root directory of the same volume. However they are hidden by default, and their security settings are set up so that the Windows Explorer will refuse to open them from within the Shell or in most applications, except for the local built-in SYSTEM user or the local Administrators group (both user accounts are used by system software installers). This additional security restriction has probably been made to avoid users of finding apparent duplicate files in the joined directories and deleting them by error, because the semantics of directory junctions is not the same as hardlinks; the reference counting is not used on the target contents and not even on the referenced container itself.^{[citation needed]}

Directory junctions are soft links (they will persist even if the target directory is removed), working as a limited form of symbolic links (with an additional restriction on the location of the target), but it is an optimized version allowing faster processing of the reparse point with which they are implemented, with less overhead than the newer NTFS symbolic links, and can be resolved on the server side (when they are found in remote shared directories).^{[citation needed]}

Symbolic links

Symbolic links (or soft links) were introduced in Windows Vista.^[36] Symbolic links are resolved on the client side. So when a symbolic link is shared, the target is subject to the access restrictions on the client, and not the server.^{[citation needed]}

Symbolic links can be created either to files (created with MKLINK symLink targetFilename) or to directories (created with MKLINK /D symLinkD targetDirectory), but (unlike Unix symbolic links) the semantic of the link must be provided with the created link. The target however need not exist or be available when the symbolic link is created: when the symbolic link will be accessed and the target will be checked for availability, NTFS will also check if it has the correct type (file or directory); it will return a not-found error if the existing target has the wrong type.^{[citation needed]}

They can also reference shared directories on remote hosts or files and subdirectories within shared directories: their target is not mounted immediately at boot, but only temporarily on demand while opening them with the OpenFile() or CreateFile() API. Their definition is persistent on the NTFS volume where they are created (all types of symbolic links can be removed as if they were files, using DEL symLink from a command line prompt or batch).^{[citation needed]}

Distributed Link Tracking (DLT)

Distributed link tracking allows applications to track files, shell shortcuts or OLE links even if they were renamed or moved to another volume within the same machine, domain or workgroup.^[37] Tracking is implemented as a system service, which uses the object identifier (OID) index stored in a metafile.^[38] When the application requests a track to a file or directory, the tracking service creates the OID entry, which points to the file, and file rename, copy or move operation to a NTFS v3 volume also copies the object ID. This allows the tracking service to eventually find the target file.

Single Instance Storage (SIS)

When there are several directories that have different but similar files, some of these files may have identical content. Single instance storage allows identical files to be merged to one file and create references to that merged file. SIS consists of a file system filter that manages copies, modification and merges to files; and a user space service (or groveler) that searches for files that are identical and need merging. SIS was mainly designed for remote installation servers as these may have multiple installation images that contain many identical files; SIS allows these to be consolidated but, unlike for example hard links, each file remains distinct; changes to one copy of a file will leave others unaltered. This is similar to copy-on-write, which is a technique by which memory copying is not really done until one copy is modified.^[39]

Hierarchical Storage Management (HSM)

Hierarchical Storage Management is a means of transferring files that are not used for some period of time to less expensive storage media. When the file is next accessed, the reparse point on that file determines that it is needed and retrieves it from storage.^{[citation needed]}

Native Structured Storage (NSS)

NSS was an ActiveX document storage technology that has since been discontinued by Microsoft.^{[citation needed]} It allowed ActiveX Documents to be stored in the same multi-stream format that ActiveX uses internally. An NSS file system filter was loaded and used to process the multiple streams transparently to the application, and when the file was transferred to a non-NTFS formatted disk volume it would also transfer the multiple streams into a single stream.^[40]

Interoperability

Details on the implementation's internals are not released, which makes it difficult for third-party vendors to provide tools to handle NTFS.

Microsoft Windows

While the different NTFS versions are for the most part fully forward- and backward-compatible, there are technical considerations for mounting newer NTFS volumes in older versions of Microsoft Windows. This affects dual-booting, and external portable hard drives.

For example, attempting to use an NTFS partition with "Previous Versions" (a.k.a. Volume Shadow Copy) on an operating system that does not support it will result in the contents of those previous versions being lost.^[41]

Mac OS X

Mac OS X 10.3 and later include read-only support for NTFS-formatted partitions. The GPL-licensed NTFS-3G also works on Mac OS X through FUSE and allows reading and writing to NTFS partitions. A performance enhanced commercial version, called Tuxera NTFS for Mac,^[42] is also available from the NTFS-3G developers. Paragon Software Group sells a read-write driver named NTFS for Mac OS X,^[43] which is also included on some models of Seagate hard drives.^[44] Native NTFS write support has been discovered in Mac OS X 10.6 and later, but is not activated by default, although workarounds do exist to enable the functionality. However, user reports indicate the functionality is unstable and tends to cause kernel panics, probably the reason why write support has not been enabled or advertised.^[45]

Linux

The ability to read and write to NTFS is provided by the NTFS-3G driver. It is included in most Linux distributions. Other solutions exist as well:

• Linux kernel 2.2: Kernel versions 2.2.0 and later include the ability to read NTFS partitions
• Linux kernel 2.6: Kernel versions 2.6.0 and later contain a driver written by Anton Altaparmakov (University of Cambridge) and Richard Russon. It supports file read, overwrite and resize.
• NTFSMount: A read/write userspace NTFS driver. It provides read-write access to NTFS, excluding writing compressed and encrypted files, changing file ownership, and access rights.^[46]
• Tuxera NTFS: High-performance read/write commercial kernel driver, mainly targeted for embedded devices from Tuxera, which also develops the open source NTFS-3G driver.
• NTFS for Linux: A commercial driver with full read/write support is available as free and non-free download(s) for Desktop and Embedded Linux systems from Paragon Software Group.
• Captive NTFS (discontinued):^[47] A 'wrapping' driver that uses Windows' own driver, ntfs.sys.

Note that all three userspace drivers, namely NTFSMount, NTFS-3G and Captive NTFS, are built on the Filesystem in Userspace (FUSE), a Linux kernel module tasked with bridging userspace and kernel code to save and retrieve data. All drivers listed above (except Tuxera NTFS and Paragon NTFS for Linux) are open source (GPL). Due to the complexity of internal NTFS structures, both the built-in 2.6.14 kernel driver and the FUSE drivers disallow changes to the volume that are considered unsafe, to avoid corruption.

Others

eComStation, and FreeBSD offer read-only NTFS support (there is a beta NTFS driver that allows write/delete for eComStation, but is generally considered unsafe). A free third-party tool for BeOS, which was based on NTFS-3G, allows full NTFS read and write. NTFS-3G also works on Mac OS X, FreeBSD, NetBSD, Solaris, QNX and Haiku, in addition to Linux, through FUSE.^[48] A free for personal use read/write driver for MS-DOS called "NTFS4DOS" also exists.^[49][50] Ahead Software developed a "NTFSREAD" driver (version 1.200) for DR-DOS 7.0x between 2002 and 2004. It was part of their Nero Burning ROM software. OpenBSD offer native read-only NTFS support by default on i386 and amd64 platforms as of version 4.9 released 1. May 2011.^[51] Read/write support through NTFS-3G are possible in OpenBSD -current as of 1. November 2013 (which will become 5.5 release) as OpenBSD now has its own FUSE implementation ^[52] and NTFS-3G are available from ports.^[53]

Conversion from other file systems

Microsoft provides a tool (convert.exe) to convert to NTFS from other file systems. Supported systems include HPFS (only on Windows NT 3), FAT16 and, on Windows 2000 and later, FAT32.^[54][55]

Resizing

Various third-party tools are capable of resizing NTFS partitions. Starting with Windows Vista Microsoft added the built-in ability to shrink or expand a partition, but this capability is limited because it will not relocate page file fragments or files that have been marked as unmovable. So shrinking will often require relocating or disabling any page file, the index of Windows Search, and any Shadow Copy used by System Restore.

Universal time

For historical reasons, the versions of Windows that do not support NTFS all keep time internally as local zone time, and therefore so do all file systems other than NTFS that are supported by current versions of Windows. However, Windows NT and its descendants keep internal timestamps as UTC and make the appropriate conversions for display purposes. Therefore, NTFS timestamps are in UTC. This means that when files are copied or moved between NTFS and non-NTFS partitions, the OS needs to convert timestamps on the fly. But if some files are moved when daylight saving time (DST) is in effect, and other files are moved when standard time is in effect, there can be some ambiguities in the conversions. As a result, especially shortly after one of the days on which local zone time changes, users may observe that some files have timestamps that are incorrect by one hour. Due to the differences in implementation of DST in different jurisdictions, this can result in a potential timestamp error of up to 4 hours in any given 12 months.^[56]

Internals

Internally, NTFS uses B+ trees to index file system data. Although complex to implement, this allows faster file look up times in most cases. A file system journal is used to guarantee the integrity of the file system metadata but not individual files' content. Systems using NTFS are known to have improved reliability compared to FAT file systems.^[57]

Subject to the restrictions below, NTFS allows any sequence of 16-bit values for name encoding (file names, stream names, index names, etc.) except 0x0000. This means UTF-16 codepoints are supported, but the file system does not check whether a sequence is valid UTF-16 (it allows any sequence of short values, not restricted to those in the Unicode standard).

Master File Table

In NTFS, all file, directory and metafile data —file name, creation date, access permissions (by the use of access control lists), and size— are stored as metadata in the Master File Table. This abstract approach allowed easy addition of file system features during Windows NT's development—an interesting example is the addition of fields for indexing used by the Active Directory software. This also enables software like Everything or Ultrasearch^[58] to perform instantaneous real-time searches for file and folder names, without relying on an indexing service.

The MFT structure supports algorithms which minimize disk fragmentation.^[59] A directory entry consists of a filename and a "file ID", which is the record number representing the file in the Master File Table. The file ID also contains a reuse count to detect stale references. While this strongly resembles the W_FID of Files-11, other NTFS structures radically differ.

Metafiles

NTFS contains several files that define and organize the file system. In all respects, most of these files are structured like any other user file ($Volume being the most peculiar), but are not of direct interest to file system clients. These metafiles define files, back up critical file system data, buffer file system changes, manage free space allocation, satisfy BIOS expectations, track bad allocation units, and store security and disk space usage information. All content is in an unnamed data stream, unless otherwise indicated.

Segment Number	File Name	Purpose
0	$MFT	Describes all files on the volume, including file names, timestamps, stream names, and lists of cluster numbers where data streams reside, indexes, security identifiers, and file attributes like "read only", "compressed", "encrypted", etc.
1	$MFTMirr	Duplicate of the first vital entries of $MFT, usually 4 entries (4 Kilobytes).
2	$LogFile	Contains transaction log of file system metadata changes.
3	$Volume	Contains information about the volume, namely the volume object identifier, volume label, file system version, and volume flags (mounted, chkdsk requested, requested $LogFile resize, mounted on NT 4, volume serial number updating, structure upgrade request). This data is not stored in a data stream, but in special MFT attributes: If present, a volume object ID is stored in an $OBJECT_ID record; the volume label is stored in a $VOLUME_NAME record, and the remaining volume data is in a $VOLUME_INFORMATION record. Note: volume serial number is stored in file $Boot (below).
4	$AttrDef	A table of MFT attributes that associates numeric identifiers with names.
5	.	Root directory. Directory data is stored in $INDEX_ROOT and $INDEX_ALLOCATION attributes both named $I30.
6	$Bitmap	An array of bit entries: each bit indicates whether its corresponding cluster is used (allocated) or free (available for allocation).
7	$Boot	Volume boot record. This file is always located at the first clusters on the volume. It contains bootstrap code (see NTLDR/BOOTMGR) and a BIOS parameter block including a volume serial number and cluster numbers of $MFT and $MFTMirr. $Boot is usually 8192 bytes long.[citation needed]
8	$BadClus	A file that contains all the clusters marked as having bad sectors. This file simplifies cluster management by the chkdsk utility, both as a place to put newly discovered bad sectors, and for identifying unreferenced clusters. This file contains two data streams, even on volumes with no bad sectors: an unnamed stream contains bad sectors—it is zero length for perfect volumes; the second stream is named $Bad and contains all clusters on the volume not in the first stream.[60]
9	$Secure	Access control list database that reduces overhead having many identical ACLs stored with each file, by uniquely storing these ACLs in this database only (contains two indices: $SII (Standard_Information ID) and $SDH (Security Descriptor Hash), which index the stream named $SDS containing actual ACL table).[2]
10	$UpCase	A table of unicode uppercase characters for ensuring case insensitivity in Win32 and DOS namespaces.
11	$Extend	A filesystem directory containing various optional extensions, such as $Quota, $ObjId, $Reparse or $UsnJrnl.
12 ... 23	Reserved for $MFT extension entries.[61]
usually 24	$Extend\$Quota	Holds disk quota information. Contains two index roots, named $O and $Q.
usually 25	$Extend\$ObjId	Holds link tracking information. Contains an index root and allocation named $O.
usually 26	$Extend\$Reparse	Holds reparse point data (such as symbolic links). Contains an index root and allocation named $R.
27 ...	file.ext	Beginning of regular file entries.

These metafiles are treated specially by Windows and are difficult to directly view: special purpose-built tools are needed.^[62] One such tool is the nfi.exe ("NTFS File Sector Information Utility") that is freely distributed as part of the Microsoft "OEM Support Tools".^[63]

From MFT records to attribute lists, attributes, and streams

For each file (or directory) described in the MFT record, there's a linear repository of stream descriptors (also named attributes), packed together in a variable-length record (also named an attributes list), with extra padding to fill the fixed 1 KB size of every MFT record, and that fully describes the effective streams associated with that file.

Each stream (or attribute) itself has a single type (internally just a fixed-size integer in the stored descriptor, but most often handled in applications using an equivalent symbolic name in the FileOpen() or FileCreate() API call), a single optional stream name (completely unrelated to the effective filenames), plus optional associated data for that stream. For NTFS, the standard data of files, or the index data for directories are handled the same way as other data for alternate data streams, or for standard attributes. They are just one of the attributes stored in one or several attribute lists.

• For each file described in the MFT record (or in the non-resident repository of stream descriptors, see below), the stream descriptors identified by their (stream type value, stream name) must be unique. Additionally, NTFS has some ordering constraints for these descriptors.
• There's a predefined null stream type, used to indicate the end of the list of stream descriptors in the streams repository for that file. It must be present as the last stream descriptor in each stream repository (all other storage space available after it will be ignored and just consists in padding bytes to match the record size in the MFT or a cluster size in a non-resident streams repository).
• Some stream types are required and must be present in each MFT record, except unused records that are just indicated by a stream with null stream type.
  • This is the case for the standard attributes that are stored as a fixed-size record and containing the timestamps and other basic single-bit attributes (compatible with those managed by FAT/FAT32 in DOS or Windows 95/98 applications).
• Some stream types cannot have a name and must remain anonymous.
  • This is the case for the standard attributes, or for the preferred NTFS "filename" stream type, or the "short filename" stream type, when it is also present (for compatibility with DOS-like applications, see below). It is also possible for a file to only contain a short filename, in which case it will be the preferred one, as listed in the Windows Explorer.
  • The filename streams stored in the streams repository do not make the file immediately accessible through the hierarchical filesystem. In fact, all the filenames must be indexed separately in at least one separate directory on the same volume, with its own MFT entry and its own security descriptors and attributes, that will reference the MFT entry number for that file. This allows the same file or directory to be "hardlinked" several times from several containers on the same volume, possibly with distinct filenames.
• The default data stream of a regular file is a stream of type $DATA but with an anonymous name, and the ADS's are similar but must be named.
• On the opposite, the default data stream of directories has a distinct type, but are not anonymous: they have a stream name ("$I30" in NTFS 3+) that reflects its indexing format.

All streams of a given file may be displayed by using the nfi.exe ("NTFS File Sector Information Utility") that is freely distributed as part of the Microsoft "OEM Support Tools".^[64]

Resident vs. non-resident data streams

To optimize the storage and reduce the I/O overhead for the very common case of streams with very small associated data, NTFS prefers to place this data within the stream descriptor (if the size of the stream descriptor does not then exceed the maximum size of the MFT record or the maximum size of a single entry within an non-resident stream repository, see below), instead of using the MFT entry space to list clusters containing the data; in that case, the stream descriptor will not store the data directly but will just store an allocation map pointing to the actual data stored elsewhere on the volume.^[65] When the stream data can be accessed directly from within the stream descriptor, it is called "resident data" by computer forensics workers. The amount of data that fits is highly dependent on the file's characteristics, but 700 to 800 bytes is common in single-stream files with non-lengthy filenames and no ACLs.

• Some stream descriptors (such as the preferred filename, the basic file attributes, or the main allocation map for each non-resident stream) cannot be made non-resident.
• Encrypted-by-NTFS, sparse data streams, or compressed data streams cannot be made resident.
• The format of the allocation map for non-resident streams depends on its capability of supporting sparse data storage. In the current implementation of NTFS, once a non-resident stream data has been marked and converted as sparse, it cannot be changed back to non-sparse data, so it cannot become resident again, unless this data is fully truncated, discarding the sparse allocation map completely.
• When a non-resident data stream is too much fragmented, so that its effective allocation map cannot fit entirely within the MFT record, the allocation map may be also stored as an non-resident stream, with just a small resident stream containing the indirect allocation map to the effective non-resident allocation map of the non-resident data stream.
• When there are too many streams for a file (including ADS's, extended attributes, or security descriptors), so that their descriptors cannot fit all within the MFT record, a non-resident stream may also be used to store an additional repository for the other stream descriptors (except those few small streams that cannot be non-resident), using the same format as the one used in the MFT record, but without the space constraints of the MFT record.

The NTFS filesystem driver will sometimes attempt to relocate the data of some of these non-resident streams into the streams repository, and will also attempt to relocate the stream descriptors stored in a non-resident repository back to the stream repository of the MFT record, based on priority and preferred ordering rules, and size constraints.

Since resident files do not directly occupy clusters ("allocation units"), it is possible for an NTFS volume to contain more files on a volume than there are clusters. For example, a 74.5 GB partition NTFS formats with 19,543,064 clusters of 4 KB. Subtracting system files (a 64 MB log file, a 2,442,888-byte Bitmap file, and about 25 clusters of fixed overhead) leaves 19,526,158 clusters free for files and indices. Since there are four MFT records per cluster, this volume theoretically could hold almost 4 × 19,526,158 = 78,104,632 resident files.

Opportunistic locks

Opportunistic locks (oplocks) allow clients to alter their buffering strategy for a given file or stream in order to increase performance and reduce network use.^[66] Oplocks apply to the given open stream of a file and do not affect oplocks on a different stream.

Oplocks can be used to transparently access files in the background. A network client may avoid writing information into a file on a remote server if no other process is accessing the data, or it may buffer read-ahead data if no other process is writing data.

Windows supports four different types of oplocks:

• Level 2 (or shared) oplock: multiple readers, no writers (i.e. read caching).
• Level 1 (or exclusive) oplock: exclusive access with arbitrary buffering (i.e. read and write caching).
• Batch oplock (also exclusive): a stream is opened on the server, but closed on the client machine (i.e. read, write and handle caching).
• Filter oplock (also exclusive): applications and file system filters can "back out" when others try to access the same stream (i.e. read and write caching) (since Windows 2000)

Opportunistic locks have been enhanced in Windows 7 and Windows Server 2008 R2 with per-client oplock keys.^[67]

Limitations

The following are a few limitations of NTFS:

Compression

The compression algorithms in NTFS are designed to support cluster sizes of up to 4 kB. When the cluster size is greater than 4 kB on an NTFS volume, NTFS compression is not available.^[68]

Maximum cluster size

The maximum cluster size is 64 kB.^[69]

File names

File names are limited to 255 UTF-16 code points. Certain names are reserved in the volume root directory and cannot be used for files. These are $MFT, $MFTMirr, $LogFile, $Volume, $AttrDef, . (dot), $Bitmap, $Boot, $BadClus, $Secure, $Upcase, and $Extend.^[3] (dot) and $Extend are both directories; the others are files. The NT kernel limits full paths to 32,767 UTF-16 code points.

Some other file-naming limitations and recommendations can be found on http://msdn.microsoft.com/en-us/library/aa365247%28VS.85%29.aspx#naming_conventions .

Maximum volume size

In theory, the maximum NTFS volume size is 2⁶⁴−1 clusters. However, the maximum NTFS volume size as implemented in Windows XP Professional is 2³²−1 clusters partly due to partition table limitations. For example, using 64 kB clusters, the maximum Windows XP NTFS volume size is 256 TBs minus 64 KBs. Using the default cluster size of 4 kB, the maximum NTFS volume size is 16 TB minus 4 kB. (Both of these are vastly higher than the 128 GB limit lifted in Windows XP SP1.) Because partition tables on master boot record (MBR) disks only support partition sizes up to 2 TB, dynamic or GPT volumes must be used to create NTFS volumes over 2 TB. Booting from a GPT volume to a Windows environment requires a system with UEFI and 64-bit support.^[70]

Maximum file size

As designed, the maximum NTFS file size is 16 EB (16 × 1024⁶ or 2⁶⁴ bytes) minus 1 kB or 18,446,744,073,709,550,592 bytes. As implemented, the maximum NTFS file size is 16 TB minus 64 kB or 17,592,185,978,880 bytes. With Windows 8 and Windows Server 2012, the maximum NTFS file size is 256 TB minus 64 KB or 281,474,976,645,120 bytes.^[4]

Alternate data streams

Windows system calls may handle alternate data streams.^[3] Depending on the operating system, utility and remote file system, a file transfer might silently strip data streams.^[3] A safe way of copying or moving files is to use the BackupRead and BackupWrite system calls, which allow programs to enumerate streams, to verify whether each stream should be written to the destination volume and to knowingly skip unwanted streams.^[3]

Developers

NTFS developers include:^[71]

• Tom Miller
• Gary Kimura
• Brian Andrew
• David Goebel

See also

• Comparison of file systems
• NTFSDOS
• ntfsresize

References

Further reading

External links

• Documentation:
  • Microsoft: NTFS Technical Reference
  • Microsoft: Fsutil file (documentation for line command useful for manipulating or creating files in an NTFS volume from Windows)
  • LSoft Technologies: NTFS.com (documentation and resources)
• Implementations and tools:
  • Tuxera (developer of implementations and tools for various platforms)
  • NTFS-3G Safe Read/Write NTFS Driver project (read/write NTFS driver for Linux, Mac OS X, OpenSolaris, FreeBSD, NetBSD, QNX, Windows and Haiku)
  • Linux-Faqs.com: NTFS FAQ (Frequently Asked Questions) (Archived version here)
  • Jan Kratochvil: Captive NTFS (a shim that used the Windows NTFS driver to access NTFS file systems under Linux)
  • TZWorks LLC: Windows Journal Parser (jp) (tool for parsing the Windows NTFS Change Log Journal on live systems)
  • Graphic Engine for NTFS Analysis (gena) (GUI to view NTFS internals/extract data on live systems).

v t e Microsoft Windows components Management tools Backup and Restore Center Command Prompt Control Panel Applets Device Manager Disk Cleanup Disk Defragmenter Driver Verifier Event Viewer IExpress Management Console Netsh Problem Reports and Solutions Recovery Console Resource Monitor ScanDisk Sysprep System Configuration System File Checker System Policy Editor System Restore Task Manager Windows Easy Transfer Windows Installer Windows PowerShell Windows Update WinPE WinRE WinSAT WMI Applications Calculator Character Map Contacts DVD Maker Family Safety Fax and Scan Internet Explorer Journal Magnifier Media Center Media Player Mobile Device Center Mobility Center Narrator Notepad Paint Private Character Editor Remote Assistance Snipping Tool Sound Recorder Speech Recognition Store Tablet PC Input Panel Windows Desktop Gadgets Windows Photo Viewer Windows To Go WordPad Shell Aero AutoPlay AutoRun ClearType Explorer Search IFilter Saved search Namespace Special folder Start menu Taskbar Services Service Control Manager BITS CLFS Multimedia Class Scheduler Shadow Copy Task Scheduler Error Reporting Wireless Zero Configuration File systems CDFS DFS exFAT IFS FAT FAT12 FAT16 FAT32 NTFS Hard link Junction point Mount Point Reparse point Symbolic link TxF EFS ReFS UDF WinFS Server Domains Active Directory DNS Group Policy Roaming user profiles Folder redirection Distributed Transaction Coordinator MSMQ Windows Media Services Rights Management Services IIS Remote Desktop Services WSUS Windows SharePoint Services Network Access Protection PWS DFS Replication Remote Differential Compression Print Services for UNIX Remote Installation Services Windows Deployment Services System Resource Manager Hyper-V Architecture Architecture of Windows NT Vista startup Vista I/O CSRSS Desktop Window Manager DLL Enhanced Write Filter EXE File Protection Graphics Device Interface hal.dll I/O request packet Imaging Format Kernel Transaction Manager Library files Logical Disk Manager LSASS MinWin NTLDR Ntoskrnl.exe Object Manager Open XML Paper Specification Registry Resource Protection Security Accounts Manager Server Message Block Shadow Copy SMSS Startup process System Idle Process USER Win32 console Winlogon Security Action Center BitLocker Data Execution Prevention Kernel Patch Protection Mandatory Integrity Control Protected Media Path User Account Control User Interface Privilege Isolation Windows Defender Windows Firewall Compatibility COMMAND.COM Windows Services for UNIX POSIX subsystem Interix Virtual DOS machine Windows on Windows WoW64 API Active Scripting WSH VBScript JScript COM ActiveX ActiveX Document COM Structured storage DCOM OLE OLE Automation Transaction Server DirectX .NET Framework Windows Runtime Discontinued Computer games 3D Pinball Chess Titans FreeCell Hearts Hover! InkBall Hold 'Em Mahjong Titans Microsoft Minesweeper Purble Place Reversi Solitaire Spider Solitaire Tinker Others ActiveMovie Cardfile DriveSpace File Manager HyperTerminal Internet Mail and News Media Control Interface Microsoft Calendar Microsoft Diagnostics Microsoft Fax Microsoft WinHelp NTBackup Outlook Express Program Manager Video for Windows Windows Address Book Windows Calendar Windows File Protection Windows Mail Windows Messaging Windows Messenger Windows Movie Maker Microsoft NetMeeting Windows Photo Gallery Microsoft Write

v t e File systems Disk Advanced Disc Filing System AdvFS Be File System (BFS) Btrfs Disc Filing System (DFS) Episode EFS exFAT ext ext2 ext3 ext3cow ext4 FAT FAT12 FAT16 FAT16B FAT32 Files-11 Hierarchical File System (HFS) HFS Plus High Performance File System (HPFS) IBM General Parallel File System JFS Macintosh File System MINIX NetWare File System NILFS Novell Storage Services NTFS QFS QNX4FS ReFS ReiserFS Reiser4 SpadFS UBIFS Unix File System Veritas File System (VxFS) VFAT Write Anywhere File Layout (WAFL) XFS Xsan ZFS more... Optical disc HSF ISO 9660 ISO 13490 UDF Flash memory / SSD FAT exFAT CHFS TFAT FFS2 F2FS HPFS JFFS JFFS2 JFS LogFS NVFS YAFFS UBIFS Distributed Coda CXFS GFS2 Google File System OCFS2 QFS Xsan more... NAS AFS OpenAFS AFP DFS GPFS Google File System Lustre NCP NFS POHMELFS Hadoop HAMMER SMB (CIFS) SSHFS more... Specialized cramfs FUSE SquashFS UMSDOS UnionFS more... Pseudo- and virtual configfs devfs procfs specfs sysfs tmpfs WinFS Encrypted EncFS EFS ZFS Types Clustered Journaling Log-structured Record-oriented Synthetic Versioning Topics Directory Extent File attribute Fork