Difference between revisions of "Unit NTFSTypes"

Latest revision as of 05:39, 31 August 2021

Note: 42 bytes (Includes NTFS 3.0)
`MagicNumber:LongWord;`	Magic number 'FILE'
`UpdateSequenceOffset:Word;`	Offset to the Update Sequence Record
`UpdateSequenceLength:Word;`	Size in words of the Update Sequence Record
`LogFileSequenceNumber:Int64;`	LogFile Sequence Number (LSN)
`SequenceNumber:Word;`	Sequence number
`HardLinkCount:Word;`	Hard link count
`AttributeOffset:Word;`	Offset to the first Attribute
`RecordFlags:Word;`	Flags
`RecordSize:LongWord;`	Actual size of the FILE record
`RecordAllocated:LongWord;`	Allocated size of the FILE record
`BaseReference:Int64;`	File reference to the base FILE record
`NextAttributeId:Word;`	Next Attribute Id
`UpdateSequenceRecord`

NTFS31 file record

PNTFS31FileRecord = ^TNTFS31FileRecord;

TNTFS31FileRecord = packed record

Note: 48 bytes
`MagicNumber:LongWord;`	Magic number 'FILE'
`UpdateSequenceOffset:Word;`	Offset to the Update Sequence Record
`UpdateSequenceLength:Word;`	Size in words of the Update Sequence Record
`LogFileSequenceNumber:Int64;`	LogFile Sequence Number (LSN)
`SequenceNumber:Word;`	Sequence number
`HardLinkCount:Word;`	Hard link count
`AttributeOffset:Word;`	Offset to the first Attribute
`RecordFlags:Word;`	Flags
`RecordSize:LongWord;`	Actual size of the FILE record
`RecordAllocated:LongWord;`	Allocated size of the FILE record
`BaseReference:Int64;`	File reference to the base FILE record
`NextAttributeId:Word;`	Next Attribute Id
`RecordSegment:Word;`	Align to 4 byte boundary (Segment of this MFT Record)
`RecordNumber:LongWord;`	Number of this MFT Record
`UpdateSequenceRecord`

NTFS restart record

PNTFSRestartRecord = ^TNTFSRestartRecord;

TNTFSRestartRecord = packed record

Note: 30 bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32)
`MagicNumber:LongWord;`	Magic number 'RSTR'
`UpdateSequenceOffset:Word;`	Offset to the Update Sequence Record
`UpdateSequenceLength:Word;`	Size in words of the Update Sequence Record
`LastSequenceNumber:Int64;`	Last Log File Sequence Number (LSN) only used by Chkdsk when magic is CHKD otherwise 0
`SystemPageSize:LongWord;`	Must be >= 512 and a power of 2 (Normally 4096)
`LogPageSize:LongWord;`	Must be >= 512 and a power of 2 (Normally 4096 if the SystemPageSize is 4096 to 8192 otherwise SystemPageSize)
`RestartAreaOffset:Word;`	Absolute offset to the start of the restart area. Must be 8 byte aligned (After the Update Sequence Array)
`MinorVersion:Word;`
`MajorVersion:Word;`	NTFS1.2 is version ?.?/NTFS3.0 is version ?.?/NTFS3.1 is Version 1.1
`UpdateSequenceRecord`

NTFS restart area

PNTFSRestartArea = ^TNTFSRestartArea;

TNTFSRestartArea = packed record

Note: 48 Bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32)
`CurrentSequenceNumber:Int64;`	The Current (Last Written) Log File Sequence Number (LSN) on create this will be 0
`LogClientCount:Word;`	Must be 1
`FirstFreeClient:Word;`	The index of the first free log record (When clean normally 0 on Win2k or below and 0xFFFF on WinXP or above)
`FirstUsedClient:Word;`	The index of the first used log record (When clean normally 0xFFFF on Win2k or below and 0 on WinXP or above)
`Flags:Word;`	On Win2k or below always 0, on WinXP or above $0002 if clean
`SequenceNumberBits:LongWord;`	The number of bits to use for the sequence number (67 - the number of bits to store the logfile size in bytes
`RestartAreaLength:Word;`	Length of the restart area and log clients
`ClientArrayOffset:Word;`	Offset from the start of the restart area to the first log client
`FileSize:Int64;`	Usable byte size of the log file (rounded down to a multiple of LogPageSize, must be large enough to hold 2 restart records and 48 log records)
`LastSequenceDataLength:LongWord;`	Length of data of last LSN not including log record header (On create this will be 0)
`LogRecordHeaderLength:Word;`	Byte size of the log record header. Must be a multiple of 8.
`LogPageDataOffset:Word;`	Offset to the start of data in a log record. Must be a multiple of 8. (After the Update Sequence Array)
`LogFileOpenCount:LongWord;`	On create this will be a random value
`Reserved:LongWord;`	Alignment to 8 bytes

NTFS log client

PNTFSLogClient = ^TNTFSLogClient;

TNTFSLogClient = packed record

Note: 160 bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32)
`OldestSequenceNumber:Int64;`	Oldest LSN of this log client (On create this will be 0)
`CurrentSequenceNumber:Int64;`	Current LSN within the log client (On create this will be 0)
`PrevClient:Word;`	Offset of the previous log client or 0xFFFF if first (Always 0xFFFF)
`NextClient:Word;`	Offset of the next log client or 0xFFFF if last (Always 0xFFFF)
`SequenceNumber:Word;`	On Win2K or below 0 when dirty and 1 when clean, on WinXP or above always 0
`Reserved:array[0..5] of Byte;`	Reserved/Alignment
`ClientNameLength:LongWord;`	Client name length in bytes. Should always be 8
`ClientName:array[0..63] of WideChar;`	Should always be NTFS in unicode

NTFS log record

PNTFSLogRecord = ^TNTFSLogRecord;

TNTFSLogRecord = packed record

Note: ? Bytes
`MagicNumber:LongWord;`	Magic number 'RCRD'
`UpdateSequenceOffset:Word;`	Offset to the Update Sequence Record
`UpdateSequenceLength:Word;`	Size in words of the Update Sequence Record
`LastLSN:Int64;`	???????
`Flags:LongWord;`	???????
`PageCount:Word;`	???????
`PagePosition:Word;`	???????
`NextRecordOffset:Int64;`	???????
`LastEndLSN:Int64;`	???????
`UpdateSequenceRecord`

NTFS index record

PNTFSIndexRecord = ^TNTFSIndexRecord;

TNTFSIndexRecord = packed record

Note: 24 bytes
`MagicNumber:LongWord;`	Magic number 'INDX'
`UpdateSequenceOffset:Word;`	Offset to the Update Sequence Record
`UpdateSequenceLength:Word;`	Size in words of the Update Sequence Record
`LogFileSequenceNumber:Int64;`	LogFile sequence number
`RecordNumber:Int64;`	Number of this INDX record in the Index Allocation
`IndexHeader`
`UpdateSequenceRecord`
`IndexEntry(s)`

NTFS index header

PNTFSIndexHeader = ^TNTFSIndexHeader;

TNTFSIndexHeader = packed record

Note: 16 bytes
`EntryOffset:LongWord;`	Offset to first Index Entry
`IndexSize:LongWord;`	Total size of the Index Entries
`IndexAllocated:LongWord;`	Allocated size of the Index Entries
`IndexFlags:Word;`	Flags (See Consts)
`Reserved1:Word;`	Padding (Align to 8 bytes)

NTFS index entry

PNTFSIndexEntry = ^TNTFSIndexEntry;

TNTFSIndexEntry = packed record

Note: 16 bytes (Not including Key of SubNodeNumber)
`Reserved1:Int64;`	Padding (Align to 8 bytes)
`EntrySize:Word;`	Length of the index entry
`KeySize:Word;`	Length of the key entry
`EntryFlags:Word;`	Flags (See Consts)
`Reserved2:Word;`	Padding (Align to 8 bytes)
`Key:array[0..0] of Byte;`	Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location
`SubNodeNumber:Int64`	Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set)

NTFS data index entry

PNTFSDataIndexEntry = ^TNTFSDataIndexEntry;

TNTFSDataIndexEntry = packed record

Note: 16 bytes (Not including Key, Data or SubNodeNumber)
`DataOffset:Word;`	Offset to the data (Only valid when the last entry flag is not set)
`DataSize:Word;`	Size of the data (Only valid when the last entry flag is not set)
`Reserved1:LongWord;`	Padding (Align to 8 bytes)
`EntrySize:Word;`	Length of the index entry
`KeySize:Word;`	Length of the key entry
`EntryFlags:Word;`	Flags (See Consts)
`Reserved2:Word;`	Padding (Align to 8 bytes)
`Key:array[0..0] of Byte;`	Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location
`Data:array[0..0] of Byte`	Data (Only present when the last entry flag is not set)
`SubNodeNumber:Int64`	Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set) Note: Key data depends on what is indexed (See ObjId/Quota/Owner/SecurityId/SecurityHash/Reparse structures below)

NTFS attribute index entry

PNTFSAttributeIndexEntry = ^TNTFSAttributeIndexEntry;

TNTFSAttributeIndexEntry = packed record

Note: 16 bytes (Not including Key of SubNodeNumber)
`FileReference:Int64;`	File reference (Only valid when the last entry flag is not set)
`EntrySize:Word;`	Length of the index entry
`KeySize:Word;`	Length of the key entry
`EntryFlags:Word;`	Flags (See Consts)
`Reserved1:Word;`	Padding (Align to 8 bytes)
`Key:array[0..0] of Byte;`	Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location
`SubNodeNumber:Int64`	Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set) Note: Key data depends on what is indexed but for an $I30 index it will be a FileName Attribute

NTFS attribute header

PNTFSAttributeHeader = ^TNTFSAttributeHeader;

TNTFSAttributeHeader = packed record

Note: 16 bytes
`AttributeType:LongWord;`	Attribute Type (e.g. 0x80, 0xA0)
`AttributeSize:LongWord;`	Length of the Attribute (including header)
`NonResident:Byte;`	Non-resident flag
`AttributeNameLength:Byte;`	Name length
`AttributeNameOffset:Word;`	Offset to the Name
`AttributeFlags:Word;`	Flags
`AttributeId:Word;`	Attribute Id

NTFS resident attribute header

PNTFSResidentAttributeHeader = ^TNTFSResidentAttributeHeader;

TNTFSResidentAttributeHeader = packed record

Note: 24 bytes
`AttributeType:LongWord;`	Attribute Type (e.g. 0x80, 0xA0)
`AttributeSize:LongWord;`	Length of the Attribute (including header)
`NonResident:Byte;`	Non-resident flag (Always 0)
`AttributeNameLength:Byte;`	Name length
`AttributeNameOffset:Word;`	Offset to the Name
`AttributeFlags:Word;`	Flags
`AttributeId:Word;`	Attribute Id
`DataSize:LongWord;`	Length of the Attribute Data
`DataOffset:Word;`	Offset to the Attribute Data
`Indexed:Byte;`	Indexed flag
`Reserved1:Byte;`	Padding
`AttributeName:array[0..0] of WideChar;`	Unicode Attribute Name (if NameLength > 0)
`Data:array[0..0] of Byte`	Attribute Data

NTFS non resident attribute header

PNTFSNonResidentAttributeHeader = ^TNTFSNonResidentAttributeHeader;

TNTFSNonResidentAttributeHeader = packed record

Note: 64 bytes
`AttributeType:LongWord;`	Attribute Type (e.g. 0x80, 0xA0)
`AttributeSize:LongWord;`	Length of the Attribute (including header)
`NonResident:Byte;`	Non-resident flag (Always 1)
`AttributeNameLength:Byte;`	Name length
`AttributeNameOffset:Word;`	Offset to the Name
`AttributeFlags:Word;`	Flags
`AttributeId:Word;`	Attribute Id
`StartVCN:Int64;`	Starting VCN
`LastVCN:Int64;`	Last VCN
`RunOffset:Word;`	Offset to the Data Run
`CompressionUnit:Word;`	Compression Unit Size
`Reserved1:LongWord;`	Padding
`StreamAllocated:Int64;`	Allocated size of the attribute
`StreamSize:Int64;`	Real size of the attribute
`InitializedSize:Int64;`	Initialized data size of the stream (Portion which has been Written)
`AttributeName:array[0..0] of WideChar;`	Unicode Attribute Name (if NameLength > 0)
`Run:array[0..0] of Byte`	Attribute Data Runs

NTFS compressed attribute header

PNTFSCompressedAttributeHeader = ^TNTFSCompressedAttributeHeader;

TNTFSCompressedAttributeHeader = packed record

Note: 64 bytes
`AttributeType:LongWord;`	Attribute Type (e.g. 0x80, 0xA0)
`AttributeSize:LongWord;`	Length of the Attribute (including header)
`NonResident:Byte;`	Non-resident flag (Always 1)
`AttributeNameLength:Byte;`	Name length
`AttributeNameOffset:Word;`	Offset to the Name
`AttributeFlags:Word;`	Flags
`AttributeId:Word;`	Attribute Id
`StartVCN:Int64;`	Starting VCN
`LastVCN:Int64;`	Last VCN
`RunOffset:Word;`	Offset to the Data Run
`CompressionUnit:Word;`	Compression Unit Size
`Reserved1:LongWord;`	Padding
`StreamAllocated:Int64;`	Allocated size of the attribute
`StreamSize:Int64;`	Real size of the attribute
`InitializedSize:Int64;`	Initialized data size of the stream (Portion which has been Written)
`StreamUsed:Int64;`	The actual Allocated size of the attribute (Only present when compressed and only in the first instance)
`AttributeName:array[0..0] of WideChar;`	Unicode Attribute Name (if NameLength > 0)
`Run:array[0..0] of Byte`	Attribute Data Runs

NTFS12 standard information

PNTFS12StandardInformation = ^TNTFS12StandardInformation;

TNTFS12StandardInformation = packed record

Note: 48 bytes (0x10)
Standard Attribute Header
`CreateTime:TFileTime;`	File Creation
`WriteTime:TFileTime;`	File Altered
`ChangeTime:TFileTime;`	MFT Changed
`AccessTime:TFileTime;`	File Read
`Attributes:LongWord;`	DOS File Permissions
`MaxVersions:LongWord;`	Maximum Number of Versions
`VersionNo:LongWord;`	Version Number
`ClassId:LongWord;`	Class Id

NTFS30 standard information

PNTFS30StandardInformation = ^TNTFS30StandardInformation;

TNTFS30StandardInformation = packed record

Note: 72 bytes (0x10) Includes NTFS 3.1
Standard Attribute Header
`CreateTime:TFileTime;`	File Creation
`WriteTime:TFileTime;`	File Altered
`ChangeTime:TFileTime;`	MFT Changed
`AccessTime:TFileTime;`	File Read
`Attributes:LongWord;`	DOS File Permissions
`MaxVersions:LongWord;`	Maximum Number of Versions
`VersionNo:LongWord;`	Version Number
`ClassId:LongWord;`	Class Id
`OwnerId:LongWord;`	Owner Id
`SecurityId:LongWord;`	Security Id
`QuotaCharge:Int64;`	Quota Charged
`UpdateSequenceNumber:Int64;`	Update Sequence Number

NTFS attribute list

PNTFSAttributeList = ^TNTFSAttributeList;

TNTFSAttributeList = packed record

Note: 0 bytes (0x20)
Standard Attribute Header
`Item:array[0..0] of Byte;`	Attribute List Items

NTFS file name

PNTFSFileName = ^TNTFSFileName;

TNTFSFileName = packed record

Note: 66 bytes (0x30)
Standard Attribute Header
`ParentReference:Int64;`	File reference to the parent directory.
`CreateTime:TFileTime;`	C Time - File Creation Note: These fields are only updated when the filename is changed. See Standard Information instead.
`WriteTime:TFileTime;`	A Time - File Altered Note: These fields are only updated when the filename is changed. See Standard Information instead.
`ChangeTime:TFileTime;`	M Time - MFT Changed Note: These fields are only updated when the filename is changed. See Standard Information instead.
`AccessTime:TFileTime;`	R Time - File Read
`FileAllocated:Int64;`	Allocated size of the file
`FileSize:Int64;`	Real size of the file
`FileFlags:LongWord;`	Flags, e.g. Directory, Compressed, Hidden
`ReparseTag:LongWord;`	Used by EAs and Reparse
`FileNameLength:Byte;`	Filename length in characters
`NameSpace:Byte;`	Filename namespace
`FileName:array[0..0] of WideChar;`	File name in Unicode (not null terminated) Note: NameLength but no NameOffset so Name

NTFS object ID

PNTFSObjectId = ^TNTFSObjectId;

TNTFSObjectId = packed record

Note: 64 bytes (0x40)
Standard Attribute Header
`ObjectId:TGUID;`	GUID Object Id Unique Id assigned to file
`BirthVolumeId:TGUID;`	GUID Birth Volume Id Volume where file was created
`BirthObjectId:TGUID;`	GUID Birth Object Id Original Object Id of file
`DomainId:TGUID;`	GUID Domain Id Domain in which object was created

NTFS volume version

PNTFSVolumeVersion = ^TNTFSVolumeVersion;

TNTFSVolumeVersion = packed record

Note: 0 bytes (0x40)
Standard Attribute Header
`Data:array[0..0] of Byte;`	Unknown data (Structure to be determined)

NTFS security descriptor

PNTFSSecurityDescriptor = ^TNTFSSecurityDescriptor;

TNTFSSecurityDescriptor = packed record

Note: 0 bytes (0x50)
Standard Attribute Header
`Security:array[0..0] of Byte;`	Security Descriptor

NTFS volume name

PNTFSVolumeName = ^TNTFSVolumeName;

TNTFSVolumeName = packed record

Note: 0 bytes (0x60)
Standard Attribute Header
`VolumeName:array[0..0] of WideChar;`	Unicode name Note: The DataOffset and DataSize in the ?

NTFS volume information

PNTFSVolumeInformation = ^TNTFSVolumeInformation;

TNTFSVolumeInformation = packed record

Note: 16 bytes (0x70)
Standard Attribute Header
`Reserved1:Int64;`	Always zero ?
`MajorVersion:Byte;`	Major version number
`MinorVersion:Byte;`	Minor version number
`VolumeFlags:Word;`	Flags
`Reserved2:LongWord;`	Always zero ? (Padding only, not part of data)

NTFS data

PNTFSData = ^TNTFSData;

TNTFSData = packed record

Note: 0 bytes (0x80)
Standard Attribute Header
`Data:array[0..0] of Byte;`	Any data Note: The DataOffset and DataSize in the header give the pointer to the Data

NTFS index root

PNTFSIndexRoot = ^TNTFSIndexRoot;

TNTFSIndexRoot = packed record

Note: 16 bytes (0x90)
Standard Attribute Header
`IndexType:LongWord;`	Attribute Type
`CollateRule:LongWord;`	Collation Rule
`IndexRecordSize:LongWord;`	Size of Index Allocation Entry (bytes)
`IndexCounterOffset:LongWord;`	Index Record Number increment
`IndexHeader`
`IndexEntry(s)`

NTFS index allocation

PNTFSIndexAllocation = ^TNTFSIndexAllocation;

TNTFSIndexAllocation = packed record

Note: 0 bytes (0xA0)
Standard Attribute Header
`Run:array[0..0] of Byte;`	Data run Note: The RunOffset and AttributeSize in the header give the pointer to the Run

NTFS bitmap

PNTFSBitmap = ^TNTFSBitmap;

TNTFSBitmap = packed record

Note: 0 bytes (0xB0)
Standard Attribute Header
`Bitmap:array[0..0] of Int64;`	Bit field Note: The DataOffset and DataSize in the header give the pointer to the Bitmap (Bit ordering works as an array of bytes)

NTFS reparse point

PNTFSReparsePoint = ^TNTFSReparsePoint;

TNTFSReparsePoint = packed record

Note: 8 bytes (0xC0)
Standard Attribute Header
`ReparseTag:LongWord;`	Reparse Type (and Flags)
`ReparseSize:Word;`	Reparse Data Length
`Reserved1:Word;`	Padding (align to 8 bytes)
`ReparseData:array[0..0] of Byte;`	Reparse Data

NTFS reparse point Microsoft

PNTFSReparsePointMicrosoft = ^TNTFSReparsePointMicrosoft;

TNTFSReparsePointMicrosoft = TNTFSReparsePoint;

Note: 8 bytes (0xC0)

NTFS reparse point other

PNTFSReparsePointOther = ^TNTFSReparsePointOther;

TNTFSReparsePointOther = packed record

Note: 24 bytes (0xC0)
Standard Attribute Header
`ReparseTag:LongWord;`	Reparse Type (and Flags)
`ReparseSize:Word;`	Reparse Data Length
`Reserved1:Word;`	Padding (align to 8 bytes)
`ReparseGUID:TGUID;`	Reparse GUID
`ReparseData:array[0..0] of Byte;`	Reparse Data

NTFS symbolic link

PNTFSSymbolicLink = ^TNTFSSymbolicLink;

TNTFSSymbolicLink = packed record

Note: 0 bytes (0xC0)
Standard Attribute Header
`Data:array[0..0] of Byte;`	Unknown data (Structure to be determined)

NTFS extended attribute information

PNTFSExtendedAttrInformation = ^TNTFSExtendedAttrInformation;

TNTFSExtendedAttrInformation = packed record

Note: 8 bytes (0xD0)
Standard Attribute Header
`PackedSize:Word;`	Size of the packed Extended Attributes
`FlagCount:Word;`	Number of Extended Attributes which have NEED_EA flag
`UnpackedSize:LongWord;`	Size of the unpacked Extended Attributes

NTFS extended attribute

PNTFSExtendedAttr = ^TNTFSExtendedAttr;

TNTFSExtendedAttr = packed record

Note: 0 bytes (0xE0)
Standard Attribute Header
`Extended:array[0..0] of Byte;`	Extended Attributes

NTFS property set

PNTFSPropertySet = ^TNTFSPropertySet;

TNTFSPropertySet = packed record

Note: 0 bytes (0xF0)
Standard Attribute Header
`Data:array[0..0] of Byte;`	Unknown data (Structure to be determined)

NTFS logged utility stream

PNTFSLoggedUtilityStream = ^TNTFSLoggedUtilityStream;

TNTFSLoggedUtilityStream = packed record

Note: 0 bytes (0x100)
Standard Attribute Header
`Data:array[0..0] of Byte;`	Any data Note: The DataOffset and DataSize in the header give the pointer to the Data

NTFS unknown

PNTFSUnknown = ^TNTFSUnknown;

TNTFSUnknown = packed record

Note: 0 bytes (0x100)
Standard Attribute Header
`Data:array[0..0] of Byte;`	Any data Note: The DataOffset and DataSize in the header give the pointer to the Data

NTFS end

PNTFSEnd = ^TNTFSEnd;

TNTFSEnd = packed record

Note: 0 bytes (0xFFFFFFFF)
Standard Attribute Header

NTFS run data

PNTFSRunData = ^TNTFSRunData;

TNTFSRunData = packed record

Note: 0 bytes
`Run:array[0..0] of Byte;`	Data Run Note: The RunOffset and AttributeSize in the header give the pointer to the Run

NTFS item data

PNTFSItemData = ^TNTFSItemData;

TNTFSItemData = packed record

Note: 26 bytes (Data of attribute $ATTRIBUTE_LIST)
`AttributeType:LongWord;`	Type
`ItemSize:Word;`	Record length
`AttributeNameLength:Byte;`	Name length
`AttributeNameOffset:Byte;`	Offset to Name
`StartVCN:Int64;`	Starting VCN
`FileReference:Int64;`	File Reference of the attribute
`AttributeId:Word;`	Attribute Id
`AttributeName:array[0..0] of WideChar;`	Name in Unicode (if NameLength > 0)

NTFS object Id data

PNTFSObjIdData = ^TNTFSObjIdData;

TNTFSObjIdData = packed record

Note: 56 bytes (Data of index $O in file $ObjId) Key is ObjectId
`FileReference:Int64;`	MFT Reference
`BirthVolumeId:TGUID;`	GUID Birth Volume Id (This is the ObjectId from the file $Volume)
`BirthObjectId:TGUID;`	GUID Birth Object Id
`DomainId:TGUID;`	GUID Domain Id

NTFS quota data

PNTFSQuotaData = ^TNTFSQuotaData;

TNTFSQuotaData = packed record

Note: 48 bytes Not including SID (Data of index $Q in file $Quota) Key is OwnerId
`Version:LongWord;`	Version (0x02)
`Flags:LongWord;`	Flags
`BytesUsed:Int64;`	Bytes Used
`ChangeTime:TFileTime;`	Change Time
`WarningLimit:Int64;`	Warning Limit
`HardLimit:Int64;`	Hard Limit
`ExceedTime:TFileTime;`	Exceeded Time
`SID:array[0..0] of Byte;`	SID
`Padding:array[0..0] of Byte`	Padding (align to 8 bytes) Handled by Calculation of Index Entry Size

NTFS owner data

PNTFSOwnerData = ^TNTFSOwnerData;

TNTFSOwnerData = packed record

Note: 4 bytes (Data of index $O in file $Quota) Key is SID
`OwnerId:LongWord;`	Owner Id
`Padding:array[0..0] of Byte`	Padding (align to 8 bytes) Handled by Calculation of Index Entry Size

NTFS up case data

PNTFSUpCaseData = ^TNTFSUpCaseData;

TNTFSUpCaseData = packed record

Note: 131072 bytes (Data of file $UpCase)
`Data:array[0..65535] of Word;`	Conversion data

NTFS attribute definition data

PNTFSAttrDefData = ^TNTFSAttrDefData;

TNTFSAttrDefData = packed record

Note: 160 bytes (Data of file $AttrDef)
`AttributeName:array[0..63] of WideChar;`	Label in Unicode
`AttributeType:LongWord;`	Type
`DisplayRule:LongWord;`	Display rule
`CollateRule:LongWord;`	Collation rule
`AttrDefFlags:LongWord;`	Flags (See Consts)
`MinimumSize:Int64;`	Minimum size
`MaximumSize:Int64;`	Maximum size

NTFS reparse data

PNTFSReparseData = ^TNTFSReparseData;

TNTFSReparseData = packed record

Note: 0 bytes Not including Data (Data of attribute $REPARSE_POINT)
`Data:array[0..0] of Byte;`	Any data

NTFS reparse symbolic link data

PNTFSReparseSymLinkData = ^TNTFSReparseSymLinkData;

TNTFSReparseSymLinkData = packed record

Note: 12 bytes Not including Names (Data of attribute $REPARSE_POINT)
`SubstituteNameOffset:Word;`	Substitute Name Offset
`SubstituteNameLength:Word;`	Substitute Name Length (Length is in bytes not characters)
`PrintNameOffset:Word;`	Print Name Offset
`PrintNameLength:Word;`	Print Name Length (Length is in bytes not characters)
`Reserved1:LongWord;`	Always Zero
`PrintName:array[0..0] of Byte`	Path Buffer (Not Null terminated)
`SubstituteName:array[0..0] of Byte`	Path Buffer (Not Null terminated)

NTFS reparse mount point data

PNTFSReparseMountPointData = ^TNTFSReparseMountPointData;

TNTFSReparseMountPointData = packed record

Note: 12 bytes (Minimum 8 bytes plus 2 unicode nulls) Not including Names (Data of attribute $REPARSE_POINT)
`SubstituteNameOffset:Word;`	Substitute Name Offset (Offset includes the null terminator)
`SubstituteNameLength:Word;`	Substitute Name Length (Length is in bytes not characters and does not include the null terminator)
`PrintNameOffset:Word;`	Print Name Offset (Offset includes the null terminator)
`PrintNameLength:Word;`	Print Name Length (Length is in bytes not characters and does not include the null terminator)
`SubstituteName:array[0..0] of Byte`	Path Buffer (Null terminated)
`PrintName:array[0..0] of Byte`	Path Buffer (Null terminated)

NTFS extended data

PNTFSExtendedData = ^TNTFSExtendedData;

TNTFSExtendedData = packed record

Note: 8 bytes Not including Name (Data of attribute $EA)
`ExtendedOffset:LongWord;`	Offset to next Extended Attribute (Offset to next EA is the size of this EA)
`ExtendedFlags:Byte;`	Flags
`ExtendedNameLength:Byte;`	Name Length (N)
`ExtendedDataSize:Word;`	Value Length (V)
`ExtendedName:array[0..0] of Char;`	Name Note: No offset so always in the same location
`ExtendedData:array[0..0] of Byte`	Value

NTFS security data

PNTFSSecurityData = ^TNTFSSecurityData;

TNTFSSecurityData = packed record

Note: 20 bytes Minimum (Data of attribute $SECURITY_DESCRIPTOR and stream $SDS in file $Secure)
`Revision:Byte;`	Revision
`Reserved1:Byte;`	Padding
`Control:Word;`	Control Flags
`OwnerOffset:LongWord;`	Offset to Owner SID
`GroupOffset:LongWord;`	Offset to Group SID
`SaclOffset:LongWord;`	Offset to SACL
`DaclOffset:LongWord;`	Offset to DACL

NTFS SID identifier authority data

PNTFSSidIdentifierAuthorityData = ^TNTFSSidIdentifierAuthorityData;

TNTFSSidIdentifierAuthorityData = packed record

Note: 6 Bytes
`Value:array[0..5] of Byte;`

NTFS SID data

PNTFSSidData = ^TNTFSSidData;

TNTFSSidData = packed record

Note: 8 Bytes Minimum (Not including SubAuthority)
`Revision:Byte;`
`SubAuthorityCount:Byte;`
`IdentifierAuthority:array[0..5] of Byte;`
`SubAuthority:array[0..0] of LongWord;`	Not included in size

NTFS acl data

PNTFSAclData = ^TNTFSAclData;

TNTFSAclData = packed record

Note: 8 Bytes
`AclRevision:Byte;`
`Reserved1:Byte;`	Must be Zero
`AclSize:Word;`
`AceCount:Word;`
`Reserved2:Word;`	Must be Zero

NTFS ace header data

PNTFSAceHeaderData = ^TNTFSAceHeaderData;

TNTFSAceHeaderData = packed record

Note: 4 Bytes
`AceType:Byte;`
`AceFlags:Byte;`
`AceSize:Word;`

NTFS ace data

PNTFSAceData = ^TNTFSAceData;

TNTFSAceData = packed record

Note: 8 Bytes Minimum (Not including Sid)
`Header:TNTFSAceHeaderData;`
`Mask:LongWord;`
`Sid:array[0..0] of Byte;`	Not included in size

NTFS object ace data

PNTFSObjectAceData = ^TNTFSObjectAceData;

TNTFSObjectAceData = packed record

Note: 44 Bytes Minimum (Not including Sid)
`Header:TNTFSAceHeaderData;`
`Mask:LongWord;`
`Flags:LongWord;`
`ObjectType:TGUID;`
`InheritedObjectType:TGUID;`
`Sid:array[0..0] of Byte;`	Not included in size

NTFS security item data

PNTFSSecurityItemData = ^TNTFSSecurityItemData;

TNTFSSecurityItemData = packed record

Note: 40 Bytes Minimum Including Security (Data of stream $SDS in file $Secure)
`SecurityHash:LongWord;`	Hash of Security Descriptor
`SecurityId:LongWord;`	Security Id
`SecurityOffset:Int64;`	Offset of this entry in $SDS
`SecuritySize:LongWord;`	Size of this entry in $SDS
`Security:TNTFSSecurityData;`	Self-relative Security Descriptor
`Padding:array[0..0] of Byte`	Padding (align to 16 bytes) Handled by Calculation of Stream Size

NTFS security Id data

PNTFSSecurityIdData = ^TNTFSSecurityIdData;

TNTFSSecurityIdData = packed record

Note: 20 Bytes (Data of index $SII in file $Secure) (Key is SecurityId)
`SecurityHash:LongWord;`	Hash of Security Descriptor
`SecurityId:LongWord;`	Security Id
`SecurityOffset:Int64;`	Offset of this entry in $SDS
`SecuritySize:LongWord;`	Size of this entry in $SDS

NTFS security hash data

PNTFSSecurityHashData = ^TNTFSSecurityHashData;

TNTFSSecurityHashData = packed record

Note: 20 Bytes (Data of index $SDH in file $Secure)
`SecurityHash:LongWord;`	Hash of Security Descriptor
`SecurityId:LongWord;`	Security Id
`SecurityOffset:Int64;`	Offset of this entry in $SDS
`SecuritySize:LongWord;`	Size of this entry in $SDS
`Padding:LongWord;`	Padding (align to 8 bytes) Always 4 bytes and always appears to be the Unicode string "II"

NTFS object Id key data

PNTFSObjIdKeyData = ^TNTFSObjIdKeyData;

TNTFSObjIdKeyData = packed record

Note: 16 Bytes (Key of index $O in file $ObjId)
`ObjectId:TGUID;`	GUID Object Id
`Data:array[0..0] of Byte`	Data (see above)

NTFS quota key data

PNTFSQuotaKeyData = ^TNTFSQuotaKeyData;

TNTFSQuotaKeyData = packed record

Note: 4 Bytes (Key of index $Q in file $Quota)
`OwnerId:LongWord;`	Owner Id
`Data:array[0..0] of Byte`	Data (see above)
`Padding:array[0..0] of Byte`	Padding (align to 8 bytes) Handled by Calculation of Index Entry Size

NTFS owner key data

PNTFSOwnerKeyData = ^TNTFSOwnerKeyData;

TNTFSOwnerKeyData = packed record

Note: 0 Bytes Not including SID (Key of index $O in file $Quota)
`SID:array[0..0] of Byte;`	SID
`Data:array[0..0] of Byte`	Data (see above)
`Padding:array[0..0] of Byte`	Padding (align to 8 bytes) Handled by Calculation of Index Entry Size

NTFS security Id key data

PNTFSSecurityIdKeyData = ^TNTFSSecurityIdKeyData;

TNTFSSecurityIdKeyData = packed record

Note: 4 Bytes (Key of index $SII in file $Secure)
`SecurityId:LongWord;`	Security Id
`Data:array[0..0] of Byte`	Data (see above)

NTFS security hash key data

PNTFSSecurityHashKeyData = ^TNTFSSecurityHashKeyData;

TNTFSSecurityHashKeyData = packed record

Note: 8 Bytes (Key of index $SDH in file $Secure)
`SecurityHash:LongWord;`	Hash of Security Descriptor
`SecurityId:LongWord;`	Security Id
`Data:array[0..0] of Byte`	Data (see above)
`Padding:array[0..0] of Byte`	Padding (align to 8 bytes) Handled by Calculation of Index Entry Size

NTFS reparse key data

PNTFSReparseKeyData = ^TNTFSReparseKeyData;

TNTFSReparseKeyData = packed record

Note: 12 Bytes (Key of index $R in file $Reparse) This index contains no data
`ReparseTag:LongWord;`	Reparse Tag (and Flags)
`FileReference:Int64;`	MFT Reference of Reparse Point
`Padding:LongWord;`	Padding (align to 8 bytes) Handled by Calculation of Index Entry Size

NTFS run offset

PNTFSRunOffset = ^TNTFSRunOffset;

TNTFSRunOffset = packed record

Note: 8 Bytes
`case Integer of`
`1:(Offset1:ShortInt);`
`2:(Offset2:SmallInt);`
`4:(Offset4:LongInt);`
`8:(Offset8:Int64);`

NTFS run length

PNTFSRunLength = ^TNTFSRunLength;

TNTFSRunLength = packed record

Note: 8 Bytes
`case Integer of`
`1:(Length1:Byte);`
`2:(Length2:Word);`
`4:(Length4:LongWord);`
`8:(Length8:Int64);`

Public variables

None defined

Function declarations

None defined

Return to Unit Reference

Note: 2 bytes
`UpdateSequenceNumber:Word;`	Update Sequence Number
`UpdateSequenceArray:array[0..0] of Word;`	Update Sequence Array
`Padding`	Padding (align to 8 bytes)

Difference between revisions of "Unit NTFSTypes"

Latest revision as of 05:39, 31 August 2021

Contents

Description

Constants

Type definitions

Public variables

Function declarations

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools

@@ Line 5: / Line 5: @@
 ----
-''To be documented''
+'''Ultibo NTFS Types unit'''
 === Constants ===
 ----
-''To be documented''
+''None defined''
 === Type definitions ===
 ----
-''To be documented''
+'''NTFS specific types'''
+{| class="wikitable" style="font-size: 14px; text-align: left; width: 100%; height: 50px;"
+|-
+| <code>TNTFSType = (ntNONE,ntNTFS12,ntNTFS30,ntNTFS31);</code>
+| style="width: 40%;"|
+|-
+|}
+'''NTFS record number'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSRecordNumber = ^TNTFSRecordNumber;</code>
+<code>TNTFSRecordNumber = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 48 bits (Read/Write as Word,LongWord)
+|-
+| <code>RecordSegment:Word;</code>
+| style="width: 50%;"|&nbsp;
+|-
+| <code>RecordNumber:LongWord;</code>
+| &nbsp;
+|-
+|}
+</div></div>
+'''NTFS file reference'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSFileReference = ^TNTFSFileReference;</code>
+<code>TNTFSFileReference = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 64 bits (Read/Write as Int64) Note endian ordering
+|-
+| <code>RecordNumber:LongWord;</code>
+| style="width: 50%;"|&nbsp;
+|-
+| <code>RecordSegment:Word;</code>
+| &nbsp;
+|-
+| <code>SequenceNumber:Word;</code>
+| &nbsp;
+|-
+|}
+</div></div>
+'''NTFS sub node record'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSubNodeRecord = ^TNTFSSubNodeRecord;</code>
+<code>TNTFSSubNodeRecord = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 bytes
+|-
+| <code>SubNodeNumber:Int64;</code>
+| style="width: 50%;"|&nbsp;
+|-
+|}
+</div></div>
+'''NTFS update sequence record'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSUpdateSequenceRecord = ^TNTFSUpdateSequenceRecord;</code>
+<code>TNTFSUpdateSequenceRecord = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 2 bytes
+|-
+| <code>UpdateSequenceNumber:Word;</code>
+| Update Sequence Number
+|-
+| <code>UpdateSequenceArray:array[0..0] of Word;</code>
+| Update Sequence Array
+|-
+| <code>Padding</code>
+| Padding (align to 8 bytes)
+|-
+|}
+</div></div>
+'''NTFS12 file record'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFS12FileRecord = ^TNTFS12FileRecord;</code>
+<code>TNTFS12FileRecord = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 42 bytes (Includes NTFS 3.0)
+|-
+| <code>MagicNumber:LongWord;</code>
+| Magic number 'FILE'
+|-
+| <code>UpdateSequenceOffset:Word;</code>
+| Offset to the Update Sequence Record
+|-
+| <code>UpdateSequenceLength:Word;</code>
+| Size in words of the Update Sequence Record
+|-
+| <code>LogFileSequenceNumber:Int64;</code>
+| LogFile Sequence Number (LSN)
+|-
+| <code>SequenceNumber:Word;</code>
+| Sequence number
+|-
+| <code>HardLinkCount:Word;</code>
+| Hard link count
+|-
+| <code>AttributeOffset:Word;</code>
+| Offset to the first Attribute
+|-
+| <code>RecordFlags:Word;</code>
+| Flags
+|-
+| <code>RecordSize:LongWord;</code>
+| Actual size of the FILE record
+|-
+| <code>RecordAllocated:LongWord;</code>
+| Allocated size of the FILE record
+|-
+| <code>BaseReference:Int64;</code>
+| File reference to the base FILE record
+|-
+| <code>NextAttributeId:Word;</code>
+| Next Attribute Id
+|-
+| <code>UpdateSequenceRecord</code>
+| &nbsp;
+|-
+|}
+</div></div>
+'''NTFS31 file record'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFS31FileRecord = ^TNTFS31FileRecord;</code>
+<code>TNTFS31FileRecord = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 48 bytes
+|-
+| <code>MagicNumber:LongWord;</code>
+| Magic number 'FILE'
+|-
+| <code>UpdateSequenceOffset:Word;</code>
+| Offset to the Update Sequence Record
+|-
+| <code>UpdateSequenceLength:Word;</code>
+| Size in words of the Update Sequence Record
+|-
+| <code>LogFileSequenceNumber:Int64;</code>
+| LogFile Sequence Number (LSN)
+|-
+| <code>SequenceNumber:Word;</code>
+| Sequence number
+|-
+| <code>HardLinkCount:Word;</code>
+| Hard link count
+|-
+| <code>AttributeOffset:Word;</code>
+| Offset to the first Attribute
+|-
+| <code>RecordFlags:Word;</code>
+| Flags
+|-
+| <code>RecordSize:LongWord;</code>
+| Actual size of the FILE record
+|-
+| <code>RecordAllocated:LongWord;</code>
+| Allocated size of the FILE record
+|-
+| <code>BaseReference:Int64;</code>
+| File reference to the base FILE record
+|-
+| <code>NextAttributeId:Word;</code>
+| Next Attribute Id
+|-
+| <code>RecordSegment:Word;</code>
+| Align to 4 byte boundary (Segment of this MFT Record)
+|-
+| <code>RecordNumber:LongWord;</code>
+| Number of this MFT Record
+|-
+| <code>UpdateSequenceRecord</code>
+| &nbsp;
+|-
+|}
+</div></div>
+'''NTFS restart record'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSRestartRecord = ^TNTFSRestartRecord;</code>
+<code>TNTFSRestartRecord = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 30 bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32)
+|-
+| <code>MagicNumber:LongWord;</code>
+| Magic number 'RSTR'
+|-
+| <code>UpdateSequenceOffset:Word;</code>
+| Offset to the Update Sequence Record
+|-
+| <code>UpdateSequenceLength:Word;</code>
+| Size in words of the Update Sequence Record
+|-
+| <code>LastSequenceNumber:Int64;</code>
+| Last Log File Sequence Number (LSN) only used by Chkdsk when magic is CHKD otherwise 0
+|-
+| <code>SystemPageSize:LongWord;</code>
+| Must be >= 512 and a power of 2 (Normally 4096)
+|-
+| <code>LogPageSize:LongWord;</code>
+| Must be >= 512 and a power of 2 (Normally 4096 if the SystemPageSize is 4096 to 8192 otherwise SystemPageSize)
+|-
+| <code>RestartAreaOffset:Word;</code>
+| Absolute offset to the start of the restart area. Must be 8 byte aligned (After the Update Sequence Array)
+|-
+| <code>MinorVersion:Word;</code>
+| &nbsp;
+|-
+| <code>MajorVersion:Word;</code>
+| NTFS1.2 is version ?.?/NTFS3.0 is version ?.?/NTFS3.1 is Version 1.1
+|-
+| <code>UpdateSequenceRecord</code>
+| &nbsp;
+|-
+|}
+</div></div>
+'''NTFS restart area'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSRestartArea = ^TNTFSRestartArea;</code>
+<code>TNTFSRestartArea = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 48 Bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32)
+|-
+| <code>CurrentSequenceNumber:Int64;</code>
+| The Current (Last Written) Log File Sequence Number (LSN) on create this will be 0
+|-
+| <code>LogClientCount:Word;</code>
+| Must be 1
+|-
+| <code>FirstFreeClient:Word;</code>
+| The index of the first free log record (When clean normally 0 on Win2k or below and 0xFFFF on WinXP or above)
+|-
+| <code>FirstUsedClient:Word;</code>
+| The index of the first used log record (When clean normally 0xFFFF on Win2k or below and 0 on WinXP or above)
+|-
+| <code>Flags:Word;</code>
+| On Win2k or below always 0, on WinXP or above $0002 if clean
+|-
+| <code>SequenceNumberBits:LongWord;</code>
+| The number of bits to use for the sequence number (67 - the number of bits to store the logfile size in bytes
+|-
+| <code>RestartAreaLength:Word;</code>
+| Length of the restart area and log clients
+|-
+| <code>ClientArrayOffset:Word;</code>
+| Offset from the start of the restart area to the first log client
+|-
+| <code>FileSize:Int64;</code>
+| Usable byte size of the log file (rounded down to a multiple of LogPageSize, must be large enough to hold 2 restart records and 48 log records)
+|-
+| <code>LastSequenceDataLength:LongWord;</code>
+| Length of data of last LSN not including log record header (On create this will be 0)
+|-
+| <code>LogRecordHeaderLength:Word;</code>
+| Byte size of the log record header. Must be a multiple of 8.
+|-
+| <code>LogPageDataOffset:Word;</code>
+| Offset to the start of data in a log record. Must be a multiple of 8. (After the Update Sequence Array)
+|-
+| <code>LogFileOpenCount:LongWord;</code>
+| On create this will be a random value
+|-
+| <code>Reserved:LongWord;</code>
+| Alignment to 8 bytes
+|-
+|}
+</div></div>
+'''NTFS log client'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSLogClient = ^TNTFSLogClient;</code>
+<code>TNTFSLogClient = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 160 bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32)
+|-
+| <code>OldestSequenceNumber:Int64;</code>
+| Oldest LSN of this log client (On create this will be 0)
+|-
+| <code>CurrentSequenceNumber:Int64;</code>
+| Current LSN within the log client (On create this will be 0)
+|-
+| <code>PrevClient:Word;</code>
+| Offset of the previous log client or 0xFFFF if first (Always 0xFFFF)
+|-
+| <code>NextClient:Word;</code>
+| Offset of the next log client or 0xFFFF if last (Always 0xFFFF)
+|-
+| <code>SequenceNumber:Word;</code>
+| On Win2K or below 0 when dirty and 1 when clean, on WinXP or above always 0
+|-
+| <code>Reserved:array[0..5] of Byte;</code>
+| Reserved/Alignment
+|-
+| <code>ClientNameLength:LongWord;</code>
+| Client name length in bytes. Should always be 8
+|-
+| <code>ClientName:array[0..63] of WideChar;</code>
+| Should always be NTFS in unicode
+|-
+|}
+</div></div>
+'''NTFS log record'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSLogRecord = ^TNTFSLogRecord;</code>
+<code>TNTFSLogRecord = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: ? Bytes
+|-
+| <code>MagicNumber:LongWord;</code>
+| Magic number 'RCRD'
+|-
+| <code>UpdateSequenceOffset:Word;</code>
+| Offset to the Update Sequence Record
+|-
+| <code>UpdateSequenceLength:Word;</code>
+| Size in words of the Update Sequence Record
+|-
+| <code>LastLSN:Int64;</code>
+| ???????
+|-
+| <code>Flags:LongWord;</code>
+| ???????
+|-
+| <code>PageCount:Word;</code>
+| ???????
+|-
+| <code>PagePosition:Word;</code>
+| ???????
+|-
+| <code>NextRecordOffset:Int64;</code>
+| ???????
+|-
+| <code>LastEndLSN:Int64;</code>
+| ???????
+|-
+| <code>UpdateSequenceRecord</code>
+| &nbsp;
+|-
+|}
+</div></div>
+'''NTFS index record'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSIndexRecord = ^TNTFSIndexRecord;</code>
+<code>TNTFSIndexRecord = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 24 bytes
+|-
+| <code>MagicNumber:LongWord;</code>
+| Magic number 'INDX'
+|-
+| <code>UpdateSequenceOffset:Word;</code>
+| Offset to the Update Sequence Record
+|-
+| <code>UpdateSequenceLength:Word;</code>
+| Size in words of the Update Sequence Record
+|-
+| <code>LogFileSequenceNumber:Int64;</code>
+| LogFile sequence number
+|-
+| <code>RecordNumber:Int64;</code>
+| Number of this INDX record in the Index Allocation
+|-
+| <code>IndexHeader</code>
+| &nbsp;
+|-
+| <code>UpdateSequenceRecord</code>
+| &nbsp;
+|-
+| <code>IndexEntry(s)</code>
+| &nbsp;
+|-
+|}
+</div></div>
+'''NTFS index header'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSIndexHeader = ^TNTFSIndexHeader;</code>
+<code>TNTFSIndexHeader = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 16 bytes
+|-
+| <code>EntryOffset:LongWord;</code>
+| Offset to first Index Entry
+|-
+| <code>IndexSize:LongWord;</code>
+| Total size of the Index Entries
+|-
+| <code>IndexAllocated:LongWord;</code>
+| Allocated size of the Index Entries
+|-
+| <code>IndexFlags:Word;</code>
+| Flags (See Consts)
+|-
+| <code>Reserved1:Word;</code>
+| Padding (Align to 8 bytes)
+|-
+|}
+</div></div>
+'''NTFS index entry'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSIndexEntry = ^TNTFSIndexEntry;</code>
+<code>TNTFSIndexEntry = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 16 bytes (Not including Key of SubNodeNumber)
+|-
+| <code>Reserved1:Int64;</code>
+| Padding (Align to 8 bytes)
+|-
+| <code>EntrySize:Word;</code>
+| Length of the index entry
+|-
+| <code>KeySize:Word;</code>
+| Length of the key entry
+|-
+| <code>EntryFlags:Word;</code>
+| Flags (See Consts)
+|-
+| <code>Reserved2:Word;</code>
+| Padding (Align to 8 bytes)
+|-
+| <code>Key:array[0..0] of Byte;</code>
+| Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location
+|-
+| <code>SubNodeNumber:Int64</code>
+| Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set)
+|-
+|}
+</div></div>
+'''NTFS data index entry'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSDataIndexEntry = ^TNTFSDataIndexEntry;</code>
+<code>TNTFSDataIndexEntry = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 16 bytes (Not including Key, Data or SubNodeNumber)
+|-
+| <code>DataOffset:Word;</code>
+| Offset to the data (Only valid when the last entry flag is not set)
+|-
+| <code>DataSize:Word;</code>
+| Size of the data (Only valid when the last entry flag is not set)
+|-
+| <code>Reserved1:LongWord;</code>
+| Padding (Align to 8 bytes)
+|-
+| <code>EntrySize:Word;</code>
+| Length of the index entry
+|-
+| <code>KeySize:Word;</code>
+| Length of the key entry
+|-
+| <code>EntryFlags:Word;</code>
+| Flags (See Consts)
+|-
+| <code>Reserved2:Word;</code>
+| Padding (Align to 8 bytes)
+|-
+| <code>Key:array[0..0] of Byte;</code>
+| Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location
+|-
+| <code>Data:array[0..0] of Byte</code>
+| Data (Only present when the last entry flag is not set)
+|-
+| <code>SubNodeNumber:Int64</code>
+| Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set)
+Note: Key data depends on what is indexed (See ObjId/Quota/Owner/SecurityId/SecurityHash/Reparse structures below)
+|-
+|}
+</div></div>
+'''NTFS attribute index entry'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSAttributeIndexEntry = ^TNTFSAttributeIndexEntry;</code>
+<code>TNTFSAttributeIndexEntry = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 16 bytes (Not including Key of SubNodeNumber)
+|-
+| <code>FileReference:Int64;</code>
+| File reference (Only valid when the last entry flag is not set)
+|-
+| <code>EntrySize:Word;</code>
+| Length of the index entry
+|-
+| <code>KeySize:Word;</code>
+| Length of the key entry
+|-
+| <code>EntryFlags:Word;</code>
+| Flags (See Consts)
+|-
+| <code>Reserved1:Word;</code>
+| Padding (Align to 8 bytes)
+|-
+| <code>Key:array[0..0] of Byte;</code>
+| Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location
+|-
+| <code>SubNodeNumber:Int64</code>
+| Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set)
+Note: Key data depends on what is indexed but for an $I30 index it will be a FileName Attribute
+|-
+|}
+</div></div>
+'''NTFS attribute header'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSAttributeHeader = ^TNTFSAttributeHeader;</code>
+<code>TNTFSAttributeHeader = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 16 bytes
+|-
+| <code>AttributeType:LongWord;</code>
+| Attribute Type (e.g. 0x80, 0xA0)
+|-
+| <code>AttributeSize:LongWord;</code>
+| Length of the Attribute (including header)
+|-
+| <code>NonResident:Byte;</code>
+| Non-resident flag
+|-
+| <code>AttributeNameLength:Byte;</code>
+| Name length
+|-
+| <code>AttributeNameOffset:Word;</code>
+| Offset to the Name
+|-
+| <code>AttributeFlags:Word;</code>
+| Flags
+|-
+| <code>AttributeId:Word;</code>
+| Attribute Id
+|-
+|}
+</div></div>
+'''NTFS resident attribute header'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSResidentAttributeHeader = ^TNTFSResidentAttributeHeader;</code>
+<code>TNTFSResidentAttributeHeader = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 24 bytes
+|-
+| <code>AttributeType:LongWord;</code>
+| Attribute Type (e.g. 0x80, 0xA0)
+|-
+| <code>AttributeSize:LongWord;</code>
+| Length of the Attribute (including header)
+|-
+| <code>NonResident:Byte;</code>
+| Non-resident flag (Always 0)
+|-
+| <code>AttributeNameLength:Byte;</code>
+| Name length
+|-
+| <code>AttributeNameOffset:Word;</code>
+| Offset to the Name
+|-
+| <code>AttributeFlags:Word;</code>
+| Flags
+|-
+| <code>AttributeId:Word;</code>
+| Attribute Id
+|-
+| <code>DataSize:LongWord;</code>
+| Length of the Attribute Data
+|-
+| <code>DataOffset:Word;</code>
+| Offset to the Attribute Data
+|-
+| <code>Indexed:Byte;</code>
+| Indexed flag
+|-
+| <code>Reserved1:Byte;</code>
+| Padding
+|-
+| <code>AttributeName:array[0..0] of WideChar;</code>
+| Unicode Attribute Name (if NameLength > 0)
+|-
+| <code>Data:array[0..0] of Byte</code>
+| Attribute Data
+|-
+|}
+</div></div>
+'''NTFS non resident attribute header'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSNonResidentAttributeHeader = ^TNTFSNonResidentAttributeHeader;</code>
+<code>TNTFSNonResidentAttributeHeader = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 64 bytes
+|-
+| <code>AttributeType:LongWord;</code>
+| Attribute Type (e.g. 0x80, 0xA0)
+|-
+| <code>AttributeSize:LongWord;</code>
+| Length of the Attribute (including header)
+|-
+| <code>NonResident:Byte;</code>
+| Non-resident flag (Always 1)
+|-
+| <code>AttributeNameLength:Byte;</code>
+| Name length
+|-
+| <code>AttributeNameOffset:Word;</code>
+| Offset to the Name
+|-
+| <code>AttributeFlags:Word;</code>
+| Flags
+|-
+| <code>AttributeId:Word;</code>
+| Attribute Id
+|-
+| <code>StartVCN:Int64;</code>
+| Starting VCN
+|-
+| <code>LastVCN:Int64;</code>
+| Last VCN
+|-
+| <code>RunOffset:Word;</code>
+| Offset to the Data Run
+|-
+| <code>CompressionUnit:Word;</code>
+| Compression Unit Size
+|-
+| <code>Reserved1:LongWord;</code>
+| Padding
+|-
+| <code>StreamAllocated:Int64;</code>
+| Allocated size of the attribute
+|-
+| <code>StreamSize:Int64;</code>
+| Real size of the attribute
+|-
+| <code>InitializedSize:Int64;</code>
+| Initialized data size of the stream (Portion which has been Written)
+|-
+| <code>AttributeName:array[0..0] of WideChar;</code>
+| Unicode Attribute Name (if NameLength > 0)
+|-
+| <code>Run:array[0..0] of Byte</code>
+| Attribute Data Runs
+|-
+|}
+</div></div>
+'''NTFS compressed attribute header'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSCompressedAttributeHeader = ^TNTFSCompressedAttributeHeader;</code>
+<code>TNTFSCompressedAttributeHeader = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 64 bytes
+|-
+| <code>AttributeType:LongWord;</code>
+| Attribute Type (e.g. 0x80, 0xA0)
+|-
+| <code>AttributeSize:LongWord;</code>
+| Length of the Attribute (including header)
+|-
+| <code>NonResident:Byte;</code>
+| Non-resident flag (Always 1)
+|-
+| <code>AttributeNameLength:Byte;</code>
+| Name length
+|-
+| <code>AttributeNameOffset:Word;</code>
+| Offset to the Name
+|-
+| <code>AttributeFlags:Word;</code>
+| Flags
+|-
+| <code>AttributeId:Word;</code>
+| Attribute Id
+|-
+| <code>StartVCN:Int64;</code>
+| Starting VCN
+|-
+| <code>LastVCN:Int64;</code>
+| Last VCN
+|-
+| <code>RunOffset:Word;</code>
+| Offset to the Data Run
+|-
+| <code>CompressionUnit:Word;</code>
+| Compression Unit Size
+|-
+| <code>Reserved1:LongWord;</code>
+| Padding
+|-
+| <code>StreamAllocated:Int64;</code>
+| Allocated size of the attribute
+|-
+| <code>StreamSize:Int64;</code>
+| Real size of the attribute
+|-
+| <code>InitializedSize:Int64;</code>
+| Initialized data size of the stream (Portion which has been Written)
+|-
+| <code>StreamUsed:Int64;</code>
+| The actual Allocated size of the attribute (Only present when compressed and only in the first instance)
+|-
+| <code>AttributeName:array[0..0] of WideChar;</code>
+| Unicode Attribute Name (if NameLength > 0)
+|-
+| <code>Run:array[0..0] of Byte</code>
+| Attribute Data Runs
+|-
+|}
+</div></div>
+'''NTFS12 standard information'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFS12StandardInformation = ^TNTFS12StandardInformation;</code>
+<code>TNTFS12StandardInformation = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 48 bytes (0x10)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>CreateTime:TFileTime;</code>
+| File Creation
+|-
+| <code>WriteTime:TFileTime;</code>
+| File Altered
+|-
+| <code>ChangeTime:TFileTime;</code>
+| MFT Changed
+|-
+| <code>AccessTime:TFileTime;</code>
+| File Read
+|-
+| <code>Attributes:LongWord;</code>
+| DOS File Permissions
+|-
+| <code>MaxVersions:LongWord;</code>
+| Maximum Number of Versions
+|-
+| <code>VersionNo:LongWord;</code>
+| Version Number
+|-
+| <code>ClassId:LongWord;</code>
+| Class Id
+|-
+|}
+</div></div>
+'''NTFS30 standard information'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFS30StandardInformation = ^TNTFS30StandardInformation;</code>
+<code>TNTFS30StandardInformation = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 72 bytes (0x10) Includes NTFS 3.1
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>CreateTime:TFileTime;</code>
+| File Creation
+|-
+| <code>WriteTime:TFileTime;</code>
+| File Altered
+|-
+| <code>ChangeTime:TFileTime;</code>
+| MFT Changed
+|-
+| <code>AccessTime:TFileTime;</code>
+| File Read
+|-
+| <code>Attributes:LongWord;</code>
+| DOS File Permissions
+|-
+| <code>MaxVersions:LongWord;</code>
+| Maximum Number of Versions
+|-
+| <code>VersionNo:LongWord;</code>
+| Version Number
+|-
+| <code>ClassId:LongWord;</code>
+| Class Id
+|-
+| <code>OwnerId:LongWord;</code>
+| Owner Id
+|-
+| <code>SecurityId:LongWord;</code>
+| Security Id
+|-
+| <code>QuotaCharge:Int64;</code>
+| Quota Charged
+|-
+| <code>UpdateSequenceNumber:Int64;</code>
+| Update Sequence Number
+|-
+|}
+</div></div>
+'''NTFS attribute list'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSAttributeList = ^TNTFSAttributeList;</code>
+<code>TNTFSAttributeList = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0x20)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Item:array[0..0] of Byte;</code>
+| Attribute List Items
+|-
+|}
+</div></div>
+'''NTFS file name'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSFileName = ^TNTFSFileName;</code>
+<code>TNTFSFileName = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 66 bytes (0x30)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>ParentReference:Int64;</code>
+| File reference to the parent directory.
+|-
+| <code>CreateTime:TFileTime;</code>
+| C Time - File Creation Note: These fields are only updated when the filename is changed. See Standard Information instead.
+|-
+| <code>WriteTime:TFileTime;</code>
+| A Time - File Altered Note: These fields are only updated when the filename is changed. See Standard Information instead.
+|-
+| <code>ChangeTime:TFileTime;</code>
+| M Time - MFT Changed Note: These fields are only updated when the filename is changed. See Standard Information instead.
+|-
+| <code>AccessTime:TFileTime;</code>
+| R Time - File Read
+|-
+| <code>FileAllocated:Int64;</code>
+| Allocated size of the file
+|-
+| <code>FileSize:Int64;</code>
+| Real size of the file
+|-
+| <code>FileFlags:LongWord;</code>
+| Flags, e.g. Directory, Compressed, Hidden
+|-
+| <code>ReparseTag:LongWord;</code>
+| Used by EAs and Reparse
+|-
+| <code>FileNameLength:Byte;</code>
+| Filename length in characters
+|-
+| <code>NameSpace:Byte;</code>
+| Filename namespace
+|-
+| <code>FileName:array[0..0] of WideChar;</code>
+| File name in Unicode (not null terminated) Note: NameLength but no NameOffset so Name
+|-
+|}
+</div></div>
+'''NTFS object ID'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSObjectId = ^TNTFSObjectId;</code>
+<code>TNTFSObjectId = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 64 bytes (0x40)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>ObjectId:TGUID;</code>
+| GUID Object Id Unique Id assigned to file
+|-
+| <code>BirthVolumeId:TGUID;</code>
+| GUID Birth Volume Id Volume where file was created
+|-
+| <code>BirthObjectId:TGUID;</code>
+| GUID Birth Object Id Original Object Id of file
+|-
+| <code>DomainId:TGUID;</code>
+| GUID Domain Id Domain in which object was created
+|-
+|}
+</div></div>
+'''NTFS volume version'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSVolumeVersion = ^TNTFSVolumeVersion;</code>
+<code>TNTFSVolumeVersion = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0x40)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Data:array[0..0] of Byte;</code>
+| Unknown data (Structure to be determined)
+|-
+|}
+</div></div>
+'''NTFS security descriptor'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSecurityDescriptor = ^TNTFSSecurityDescriptor;</code>
+<code>TNTFSSecurityDescriptor = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0x50)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Security:array[0..0] of Byte;</code>
+| Security Descriptor
+|-
+|}
+</div></div>
+'''NTFS volume name'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSVolumeName = ^TNTFSVolumeName;</code>
+<code>TNTFSVolumeName = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0x60)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>VolumeName:array[0..0] of WideChar;</code>
+| Unicode name Note: The DataOffset and DataSize in the ?
+|-
+|}
+</div></div>
+'''NTFS volume information'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSVolumeInformation = ^TNTFSVolumeInformation;</code>
+<code>TNTFSVolumeInformation = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 16 bytes (0x70)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Reserved1:Int64;</code>
+| Always zero ?
+|-
+| <code>MajorVersion:Byte;</code>
+| Major version number
+|-
+| <code>MinorVersion:Byte;</code>
+| Minor version number
+|-
+| <code>VolumeFlags:Word;</code>
+| Flags
+|-
+| <code>Reserved2:LongWord;</code>
+| Always zero ? (Padding only, not part of data)
+|-
+|}
+</div></div>
+'''NTFS data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSData = ^TNTFSData;</code>
+<code>TNTFSData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0x80)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Data:array[0..0] of Byte;</code>
+| Any data Note: The DataOffset and DataSize in the header give the pointer to the Data
+|-
+|}
+</div></div>
+'''NTFS index root'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSIndexRoot = ^TNTFSIndexRoot;</code>
+<code>TNTFSIndexRoot = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 16 bytes (0x90)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>IndexType:LongWord;</code>
+| Attribute Type
+|-
+| <code>CollateRule:LongWord;</code>
+| Collation Rule
+|-
+| <code>IndexRecordSize:LongWord;</code>
+| Size of Index Allocation Entry (bytes)
+|-
+| <code>IndexCounterOffset:LongWord;</code>
+| Index Record Number increment
+|-
+| <code>IndexHeader</code>
+| &nbsp;
+|-
+| <code>IndexEntry(s)</code>
+| &nbsp;
+|-
+|}
+</div></div>
+'''NTFS index allocation'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSIndexAllocation = ^TNTFSIndexAllocation;</code>
+<code>TNTFSIndexAllocation = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0xA0)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Run:array[0..0] of Byte;</code>
+| Data run Note: The RunOffset and AttributeSize in the header give the pointer to the Run
+|-
+|}
+</div></div>
+'''NTFS bitmap'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSBitmap = ^TNTFSBitmap;</code>
+<code>TNTFSBitmap = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0xB0)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Bitmap:array[0..0] of Int64;</code>
+| Bit field Note: The DataOffset and DataSize in the header give the pointer to the Bitmap (Bit ordering works as an array of bytes)
+|-
+|}
+</div></div>
+'''NTFS reparse point'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSReparsePoint = ^TNTFSReparsePoint;</code>
+<code>TNTFSReparsePoint = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 bytes (0xC0)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>ReparseTag:LongWord;</code>
+| Reparse Type (and Flags)
+|-
+| <code>ReparseSize:Word;</code>
+| Reparse Data Length
+|-
+| <code>Reserved1:Word;</code>
+| Padding (align to 8 bytes)
+|-
+| <code>ReparseData:array[0..0] of Byte;</code>
+| Reparse Data
+|-
+|}
+</div></div>
+'''NTFS reparse point Microsoft'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSReparsePointMicrosoft = ^TNTFSReparsePointMicrosoft;</code>
+<code>TNTFSReparsePointMicrosoft = TNTFSReparsePoint;</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 bytes (0xC0)
+|-
+| &nbsp;
+| style="width: 50%;"|&nbsp;
+|-
+|}
+</div></div>
+'''NTFS reparse point other'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSReparsePointOther = ^TNTFSReparsePointOther;</code>
+<code>TNTFSReparsePointOther = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 24 bytes (0xC0)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>ReparseTag:LongWord;</code>
+| Reparse Type (and Flags)
+|-
+| <code>ReparseSize:Word;</code>
+| Reparse Data Length
+|-
+| <code>Reserved1:Word;</code>
+| Padding (align to 8 bytes)
+|-
+| <code>ReparseGUID:TGUID;</code>
+| Reparse GUID
+|-
+| <code>ReparseData:array[0..0] of Byte;</code>
+| Reparse Data
+|-
+|}
+</div></div>
+'''NTFS symbolic link'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSymbolicLink = ^TNTFSSymbolicLink;</code>
+<code>TNTFSSymbolicLink = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0xC0)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Data:array[0..0] of Byte;</code>
+| Unknown data (Structure to be determined)
+|-
+|}
+</div></div>
+'''NTFS extended attribute information'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSExtendedAttrInformation = ^TNTFSExtendedAttrInformation;</code>
+<code>TNTFSExtendedAttrInformation = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 bytes (0xD0)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>PackedSize:Word;</code>
+| Size of the packed Extended Attributes
+|-
+| <code>FlagCount:Word;</code>
+| Number of Extended Attributes which have NEED_EA flag
+|-
+| <code>UnpackedSize:LongWord;</code>
+| Size of the unpacked Extended Attributes
+|-
+|}
+</div></div>
+'''NTFS extended attribute'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSExtendedAttr = ^TNTFSExtendedAttr;</code>
+<code>TNTFSExtendedAttr = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0xE0)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Extended:array[0..0] of Byte;</code>
+| Extended Attributes
+|-
+|}
+</div></div>
+'''NTFS property set'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSPropertySet = ^TNTFSPropertySet;</code>
+<code>TNTFSPropertySet = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0xF0)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Data:array[0..0] of Byte;</code>
+| Unknown data (Structure to be determined)
+|-
+|}
+</div></div>
+'''NTFS logged utility stream'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSLoggedUtilityStream = ^TNTFSLoggedUtilityStream;</code>
+<code>TNTFSLoggedUtilityStream = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0x100)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Data:array[0..0] of Byte;</code>
+| Any data Note: The DataOffset and DataSize in the header give the pointer to the Data
+|-
+|}
+</div></div>
+'''NTFS unknown'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSUnknown = ^TNTFSUnknown;</code>
+<code>TNTFSUnknown = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0x100)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| <code>Data:array[0..0] of Byte;</code>
+| Any data Note: The DataOffset and DataSize in the header give the pointer to the Data
+|-
+|}
+</div></div>
+'''NTFS end'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSEnd = ^TNTFSEnd;</code>
+<code>TNTFSEnd = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes (0xFFFFFFFF)
+|-
+|colspan="2"|''Standard Attribute Header''
+|-
+| &nbsp;
+| style="width: 50%;"|&nbsp;
+|-
+|}
+</div></div>
+'''NTFS run data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSRunData = ^TNTFSRunData;</code>
+<code>TNTFSRunData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes
+|-
+| <code>Run:array[0..0] of Byte;</code>
+| Data Run Note: The RunOffset and AttributeSize in the header give the pointer to the Run
+|-
+|}
+</div></div>
+'''NTFS item data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSItemData = ^TNTFSItemData;</code>
+<code>TNTFSItemData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 26 bytes (Data of attribute $ATTRIBUTE_LIST)
+|-
+| <code>AttributeType:LongWord;</code>
+| Type
+|-
+| <code>ItemSize:Word;</code>
+| Record length
+|-
+| <code>AttributeNameLength:Byte;</code>
+| Name length
+|-
+| <code>AttributeNameOffset:Byte;</code>
+| Offset to Name
+|-
+| <code>StartVCN:Int64;</code>
+| Starting VCN
+|-
+| <code>FileReference:Int64;</code>
+| File Reference of the attribute
+|-
+| <code>AttributeId:Word;</code>
+| Attribute Id
+|-
+| <code>AttributeName:array[0..0] of WideChar;</code>
+| Name in Unicode (if NameLength > 0)
+|-
+|}
+</div></div>
+'''NTFS object Id data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSObjIdData = ^TNTFSObjIdData;</code>
+<code>TNTFSObjIdData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 56 bytes (Data of index $O in file $ObjId) Key is ObjectId
+|-
+| <code>FileReference:Int64;</code>
+| MFT Reference
+|-
+| <code>BirthVolumeId:TGUID;</code>
+| GUID Birth Volume Id (This is the ObjectId from the file $Volume)
+|-
+| <code>BirthObjectId:TGUID;</code>
+| GUID Birth Object Id
+|-
+| <code>DomainId:TGUID;</code>
+| GUID Domain Id
+|-
+|}
+</div></div>
+'''NTFS quota data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSQuotaData = ^TNTFSQuotaData;</code>
+<code>TNTFSQuotaData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 48 bytes Not including SID (Data of index $Q in file $Quota) Key is OwnerId
+|-
+| <code>Version:LongWord;</code>
+| Version (0x02)
+|-
+| <code>Flags:LongWord;</code>
+| Flags
+|-
+| <code>BytesUsed:Int64;</code>
+| Bytes Used
+|-
+| <code>ChangeTime:TFileTime;</code>
+| Change Time
+|-
+| <code>WarningLimit:Int64;</code>
+| Warning Limit
+|-
+| <code>HardLimit:Int64;</code>
+| Hard Limit
+|-
+| <code>ExceedTime:TFileTime;</code>
+| Exceeded Time
+|-
+| <code>SID:array[0..0] of Byte;</code>
+| SID
+|-
+| <code>Padding:array[0..0] of Byte</code>
+| Padding (align to 8 bytes) Handled by Calculation of Index Entry Size
+|-
+|}
+</div></div>
+'''NTFS owner data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSOwnerData = ^TNTFSOwnerData;</code>
+<code>TNTFSOwnerData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 4 bytes (Data of index $O in file $Quota) Key is SID
+|-
+| <code>OwnerId:LongWord;</code>
+| Owner Id
+|-
+| <code>Padding:array[0..0] of Byte</code>
+| Padding (align to 8 bytes) Handled by Calculation of Index Entry Size
+|-
+|}
+</div></div>
+'''NTFS up case data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSUpCaseData = ^TNTFSUpCaseData;</code>
+<code>TNTFSUpCaseData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 131072 bytes (Data of file $UpCase)
+|-
+| <code>Data:array[0..65535] of Word;</code>
+| Conversion data
+|-
+|}
+</div></div>
+'''NTFS attribute definition data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSAttrDefData = ^TNTFSAttrDefData;</code>
+<code>TNTFSAttrDefData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 160 bytes (Data of file $AttrDef)
+|-
+| <code>AttributeName:array[0..63] of WideChar;</code>
+| Label in Unicode
+|-
+| <code>AttributeType:LongWord;</code>
+| Type
+|-
+| <code>DisplayRule:LongWord;</code>
+| Display rule
+|-
+| <code>CollateRule:LongWord;</code>
+| Collation rule
+|-
+| <code>AttrDefFlags:LongWord;</code>
+| Flags (See Consts)
+|-
+| <code>MinimumSize:Int64;</code>
+| Minimum size
+|-
+| <code>MaximumSize:Int64;</code>
+| Maximum size
+|-
+|}
+</div></div>
+'''NTFS reparse data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSReparseData = ^TNTFSReparseData;</code>
+<code>TNTFSReparseData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 bytes Not including Data (Data of attribute $REPARSE_POINT)
+|-
+| <code>Data:array[0..0] of Byte;</code>
+| Any data
+|-
+|}
+</div></div>
+'''NTFS reparse symbolic link data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSReparseSymLinkData = ^TNTFSReparseSymLinkData;</code>
+<code>TNTFSReparseSymLinkData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 12 bytes Not including Names (Data of attribute $REPARSE_POINT)
+|-
+| <code>SubstituteNameOffset:Word;</code>
+| Substitute Name Offset
+|-
+| <code>SubstituteNameLength:Word;</code>
+| Substitute Name Length (Length is in bytes not characters)
+|-
+| <code>PrintNameOffset:Word;</code>
+| Print Name Offset
+|-
+| <code>PrintNameLength:Word;</code>
+| Print Name Length (Length is in bytes not characters)
+|-
+| <code>Reserved1:LongWord;</code>
+| Always Zero
+|-
+| <code>PrintName:array[0..0] of Byte</code>
+| Path Buffer (Not Null terminated)
+|-
+| <code>SubstituteName:array[0..0] of Byte</code>
+| Path Buffer (Not Null terminated)
+|-
+|}
+</div></div>
+'''NTFS reparse mount point data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSReparseMountPointData = ^TNTFSReparseMountPointData;</code>
+<code>TNTFSReparseMountPointData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 12 bytes (Minimum 8 bytes plus 2 unicode nulls) Not including Names (Data of attribute $REPARSE_POINT)
+|-
+| <code>SubstituteNameOffset:Word;</code>
+| Substitute Name Offset (Offset includes the null terminator)
+|-
+| <code>SubstituteNameLength:Word;</code>
+| Substitute Name Length (Length is in bytes not characters and does not include the null terminator)
+|-
+| <code>PrintNameOffset:Word;</code>
+| Print Name Offset (Offset includes the null terminator)
+|-
+| <code>PrintNameLength:Word;</code>
+| Print Name Length (Length is in bytes not characters and does not include the null terminator)
+|-
+| <code>SubstituteName:array[0..0] of Byte</code>
+| Path Buffer (Null terminated)
+|-
+| <code>PrintName:array[0..0] of Byte</code>
+| Path Buffer (Null terminated)
+|-
+|}
+</div></div>
+'''NTFS extended data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSExtendedData = ^TNTFSExtendedData;</code>
+<code>TNTFSExtendedData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 bytes Not including Name (Data of attribute $EA)
+|-
+| <code>ExtendedOffset:LongWord;</code>
+| Offset to next Extended Attribute (Offset to next EA is the size of this EA)
+|-
+| <code>ExtendedFlags:Byte;</code>
+| Flags
+|-
+| <code>ExtendedNameLength:Byte;</code>
+| Name Length (N)
+|-
+| <code>ExtendedDataSize:Word;</code>
+| Value Length (V)
+|-
+| <code>ExtendedName:array[0..0] of Char;</code>
+| Name Note: No offset so always in the same location
+|-
+| <code>ExtendedData:array[0..0] of Byte</code>
+| Value
+|-
+|}
+</div></div>
+'''NTFS security data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSecurityData = ^TNTFSSecurityData;</code>
+<code>TNTFSSecurityData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 20 bytes Minimum (Data of attribute $SECURITY_DESCRIPTOR and stream $SDS in file $Secure)
+|-
+| <code>Revision:Byte;</code>
+| Revision
+|-
+| <code>Reserved1:Byte;</code>
+| Padding
+|-
+| <code>Control:Word;</code>
+| Control Flags
+|-
+| <code>OwnerOffset:LongWord;</code>
+| Offset to Owner SID
+|-
+| <code>GroupOffset:LongWord;</code>
+| Offset to Group SID
+|-
+| <code>SaclOffset:LongWord;</code>
+| Offset to SACL
+|-
+| <code>DaclOffset:LongWord;</code>
+| Offset to DACL
+|-
+|}
+</div></div>
+'''NTFS SID identifier authority data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSidIdentifierAuthorityData = ^TNTFSSidIdentifierAuthorityData;</code>
+<code>TNTFSSidIdentifierAuthorityData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 6 Bytes
+|-
+| <code>Value:array[0..5] of Byte;</code>
+| style="width: 50%;"|&nbsp;
+|-
+|}
+</div></div>
+'''NTFS SID data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSidData = ^TNTFSSidData;</code>
+<code>TNTFSSidData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 Bytes Minimum (Not including SubAuthority)
+|-
+| <code>Revision:Byte;</code>
+| &nbsp;
+|-
+| <code>SubAuthorityCount:Byte;</code>
+| &nbsp;
+|-
+| <code>IdentifierAuthority:array[0..5] of Byte;</code>
+| &nbsp;
+|-
+| <code>SubAuthority:array[0..0] of LongWord;</code>
+| Not included in size
+|-
+|}
+</div></div>
+'''NTFS acl data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSAclData = ^TNTFSAclData;</code>
+<code>TNTFSAclData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 Bytes
+|-
+| <code>AclRevision:Byte;</code>
+| &nbsp;
+|-
+| <code>Reserved1:Byte;</code>
+| Must be Zero
+|-
+| <code>AclSize:Word;</code>
+| &nbsp;
+|-
+| <code>AceCount:Word;</code>
+| &nbsp;
+|-
+| <code>Reserved2:Word;</code>
+| Must be Zero
+|-
+|}
+</div></div>
+'''NTFS ace header data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSAceHeaderData = ^TNTFSAceHeaderData;</code>
+<code>TNTFSAceHeaderData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 4 Bytes
+|-
+| <code>AceType:Byte;</code>
+| style="width: 50%;"|&nbsp;
+|-
+| <code> AceFlags:Byte;</code>
+| &nbsp;
+|-
+| <code>AceSize:Word;</code>
+| &nbsp;
+|-
+|}
+</div></div>
+'''NTFS ace data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSAceData = ^TNTFSAceData;</code>
+<code>TNTFSAceData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 Bytes Minimum (Not including Sid)
+|-
+| <code>Header:TNTFSAceHeaderData;</code>
+| &nbsp;
+|-
+| <code>Mask:LongWord;</code>
+| &nbsp;
+|-
+| <code>Sid:array[0..0] of Byte;</code>
+| Not included in size
+|-
+|}
+</div></div>
+'''NTFS object ace data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSObjectAceData = ^TNTFSObjectAceData;</code>
+<code>TNTFSObjectAceData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 44 Bytes Minimum (Not including Sid)
+|-
+| <code>Header:TNTFSAceHeaderData;</code>
+| &nbsp;
+|-
+| <code>Mask:LongWord;</code>
+| &nbsp;
+|-
+| <code>Flags:LongWord;</code>
+| &nbsp;
+|-
+| <code>ObjectType:TGUID;</code>
+| &nbsp;
+|-
+| <code>InheritedObjectType:TGUID;</code>
+| &nbsp;
+|-
+| <code>Sid:array[0..0] of Byte;</code>
+| Not included in size
+|-
+|}
+</div></div>
+'''NTFS security item data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSecurityItemData = ^TNTFSSecurityItemData;</code>
+<code>TNTFSSecurityItemData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 40 Bytes Minimum Including Security (Data of stream $SDS in file $Secure)
+|-
+| <code>SecurityHash:LongWord;</code>
+| Hash of Security Descriptor
+|-
+| <code>SecurityId:LongWord;</code>
+| Security Id
+|-
+| <code>SecurityOffset:Int64;</code>
+| Offset of this entry in $SDS
+|-
+| <code>SecuritySize:LongWord;</code>
+| Size of this entry in $SDS
+|-
+| <code>Security:TNTFSSecurityData;</code>
+| Self-relative Security Descriptor
+|-
+| <code>Padding:array[0..0] of Byte</code>
+| Padding (align to 16 bytes) Handled by Calculation of Stream Size
+|-
+|}
+</div></div>
+'''NTFS security Id data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSecurityIdData = ^TNTFSSecurityIdData;</code>
+<code>TNTFSSecurityIdData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 20 Bytes (Data of index $SII in file $Secure) (Key is SecurityId)
+|-
+| <code>SecurityHash:LongWord;</code>
+| Hash of Security Descriptor
+|-
+| <code>SecurityId:LongWord;</code>
+| Security Id
+|-
+| <code>SecurityOffset:Int64;</code>
+| Offset of this entry in $SDS
+|-
+| <code>SecuritySize:LongWord;</code>
+| Size of this entry in $SDS
+|-
+|}
+</div></div>
+'''NTFS security hash data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSecurityHashData = ^TNTFSSecurityHashData;</code>
+<code>TNTFSSecurityHashData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 20 Bytes (Data of index $SDH in file $Secure)
+|-
+| <code>SecurityHash:LongWord;</code>
+| Hash of Security Descriptor
+|-
+| <code>SecurityId:LongWord;</code>
+| Security Id
+|-
+| <code>SecurityOffset:Int64;</code>
+| Offset of this entry in $SDS
+|-
+| <code>SecuritySize:LongWord;</code>
+| Size of this entry in $SDS
+|-
+| <code>Padding:LongWord;</code>
+| Padding (align to 8 bytes) Always 4 bytes and always appears to be the Unicode string "II"
+|-
+|}
+</div></div>
+'''NTFS object Id key data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSObjIdKeyData = ^TNTFSObjIdKeyData;</code>
+<code>TNTFSObjIdKeyData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 16 Bytes (Key of index $O in file $ObjId)
+|-
+| <code>ObjectId:TGUID;</code>
+| GUID Object Id
+|-
+| <code>Data:array[0..0] of Byte</code>
+| Data (see above)
+|-
+|}
+</div></div>
+'''NTFS quota key data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSQuotaKeyData = ^TNTFSQuotaKeyData;</code>
+<code>TNTFSQuotaKeyData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 4 Bytes (Key of index $Q in file $Quota)
+|-
+| <code>OwnerId:LongWord;</code>
+| Owner Id
+|-
+| <code>Data:array[0..0] of Byte</code>
+| Data (see above)
+|-
+| <code>Padding:array[0..0] of Byte</code>
+| Padding (align to 8 bytes) Handled by Calculation of Index Entry Size
+|-
+|}
+</div></div>
+'''NTFS owner key data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSOwnerKeyData = ^TNTFSOwnerKeyData;</code>
+<code>TNTFSOwnerKeyData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 0 Bytes Not including SID (Key of index $O in file $Quota)
+|-
+| <code>SID:array[0..0] of Byte;</code>
+| SID
+|-
+| <code>Data:array[0..0] of Byte</code>
+| Data (see above)
+|-
+| <code>Padding:array[0..0] of Byte</code>
+| Padding (align to 8 bytes) Handled by Calculation of Index Entry Size
+|-
+|}
+</div></div>
+'''NTFS security Id key data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSecurityIdKeyData = ^TNTFSSecurityIdKeyData;</code>
+<code>TNTFSSecurityIdKeyData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 4 Bytes (Key of index $SII in file $Secure)
+|-
+| <code>SecurityId:LongWord;</code>
+| Security Id
+|-
+| <code>Data:array[0..0] of Byte</code>
+| Data (see above)
+|-
+|}
+</div></div>
+'''NTFS security hash key data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSSecurityHashKeyData = ^TNTFSSecurityHashKeyData;</code>
+<code>TNTFSSecurityHashKeyData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 Bytes (Key of index $SDH in file $Secure)
+|-
+| <code>SecurityHash:LongWord;</code>
+| Hash of Security Descriptor
+|-
+| <code>SecurityId:LongWord;</code>
+| Security Id
+|-
+| <code>Data:array[0..0] of Byte</code>
+| Data (see above)
+|-
+| <code>Padding:array[0..0] of Byte</code>
+| Padding (align to 8 bytes) Handled by Calculation of Index Entry Size
+|-
+|}
+</div></div>
+'''NTFS reparse key data'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSReparseKeyData = ^TNTFSReparseKeyData;</code>
+<code>TNTFSReparseKeyData = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 12 Bytes (Key of index $R in file $Reparse) This index contains no data
+|-
+| <code>ReparseTag:LongWord;</code>
+| Reparse Tag (and Flags)
+|-
+| <code>FileReference:Int64;</code>
+| MFT Reference of Reparse Point
+|-
+| <code>Padding:LongWord;</code>
+| Padding (align to 8 bytes) Handled by Calculation of Index Entry Size
+|-
+|}
+</div></div>
+'''NTFS run offset'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSRunOffset = ^TNTFSRunOffset;</code>
+<code>TNTFSRunOffset = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 Bytes
+|-
+| <code>case Integer of</code>
+| style="width: 50%;"|&nbsp;
+|-
+| <code>1:(Offset1:ShortInt);</code>
+| &nbsp;
+|-
+| <code>2:(Offset2:SmallInt);</code>
+| &nbsp;
+|-
+| <code>4:(Offset4:LongInt);</code>
+| &nbsp;
+|-
+| <code>8:(Offset8:Int64);</code>
+| &nbsp;
+|-
+|}
+</div></div>
+'''NTFS run length'''
+<div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;">
+<code>PNTFSRunLength = ^TNTFSRunLength;</code>
+<code>TNTFSRunLength = packed record</code>
+<div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;">
+{| class="wikitable" style="font-size: 14px; background: white;"
+|-
+|colspan="2"|Note: 8 Bytes
+|-
+| <code>case Integer of</code>
+| style="width: 50%;"|&nbsp;
+|-
+| <code>1:(Length1:Byte);</code>
+| &nbsp;
+|-
+| <code>2:(Length2:Word);</code>
+| &nbsp;
+|-
+| <code>4:(Length4:LongWord);</code>
+| &nbsp;
+|-
+| <code>8:(Length8:Int64);</code>
+| &nbsp;
+|-
+|}
+</div></div>
+<br />
 === Public variables ===
 ----
-''To be documented''
+''None defined''
 === Function declarations ===
 ----
-''To be documented''
+''None defined''
 Return to [[Unit_Reference|Unit Reference]]

Note: 48 bits (Read/Write as Word,LongWord)
`RecordSegment:Word;`
`RecordNumber:LongWord;`

Note: 64 bits (Read/Write as Int64) Note endian ordering
`RecordNumber:LongWord;`
`RecordSegment:Word;`
`SequenceNumber:Word;`