Difference between revisions of "Unit NTFSTypes"
Line 17: | Line 17: | ||
---- | ---- | ||
− | '' | + | |
+ | '''NTFS specific types''' | ||
+ | |||
+ | {| class="wikitable" style="font-size: 14px; text-align: left; width: 100%; height: 50px;" | ||
+ | |- | ||
+ | | <code>TNTFSType = (ntNONE,ntNTFS12,ntNTFS30,ntNTFS31);</code> | ||
+ | | style="width: 40%;"| | ||
+ | |- | ||
+ | |} | ||
+ | |||
+ | '''NTFS record number''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSRecordNumber = ^TNTFSRecordNumber;</code> | ||
+ | |||
+ | <code>TNTFSRecordNumber = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 48 bits (Read/Write as Word,LongWord) | ||
+ | |- | ||
+ | | <code>RecordSegment:Word;</code> | ||
+ | | style="width: 50%;"| | ||
+ | |- | ||
+ | | <code>RecordNumber:LongWord;</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS file reference''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSFileReference = ^TNTFSFileReference;</code> | ||
+ | |||
+ | <code>TNTFSFileReference = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 64 bits (Read/Write as Int64) Note endian ordering | ||
+ | |- | ||
+ | | <code>RecordNumber:LongWord;</code> | ||
+ | | style="width: 50%;"| | ||
+ | |- | ||
+ | | <code>RecordSegment:Word;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>SequenceNumber:Word;</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS sub node record''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSubNodeRecord = ^TNTFSSubNodeRecord;</code> | ||
+ | |||
+ | <code>TNTFSSubNodeRecord = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 bytes | ||
+ | |- | ||
+ | | <code>SubNodeNumber:Int64;</code> | ||
+ | | style="width: 50%;"| | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS update sequence record''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSUpdateSequenceRecord = ^TNTFSUpdateSequenceRecord;</code> | ||
+ | |||
+ | <code>TNTFSUpdateSequenceRecord = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 2 bytes | ||
+ | |- | ||
+ | | <code>UpdateSequenceNumber:Word;</code> | ||
+ | | Update Sequence Number | ||
+ | |- | ||
+ | | <code>UpdateSequenceArray:array[0..0] of Word;</code> | ||
+ | | Update Sequence Array | ||
+ | |- | ||
+ | | <code>Padding</code> | ||
+ | | Padding (align to 8 bytes) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS12 file record''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFS12FileRecord = ^TNTFS12FileRecord;</code> | ||
+ | |||
+ | <code>TNTFS12FileRecord = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 42 bytes (Includes NTFS 3.0) | ||
+ | |- | ||
+ | | <code>MagicNumber:LongWord;</code> | ||
+ | | Magic number 'FILE' | ||
+ | |- | ||
+ | | <code>UpdateSequenceOffset:Word;</code> | ||
+ | | Offset to the Update Sequence Record | ||
+ | |- | ||
+ | | <code>UpdateSequenceLength:Word;</code> | ||
+ | | Size in words of the Update Sequence Record | ||
+ | |- | ||
+ | | <code>LogFileSequenceNumber:Int64;</code> | ||
+ | | LogFile Sequence Number (LSN) | ||
+ | |- | ||
+ | | <code>SequenceNumber:Word;</code> | ||
+ | | Sequence number | ||
+ | |- | ||
+ | | <code>HardLinkCount:Word;</code> | ||
+ | | Hard link count | ||
+ | |- | ||
+ | | <code>AttributeOffset:Word;</code> | ||
+ | | Offset to the first Attribute | ||
+ | |- | ||
+ | | <code>RecordFlags:Word;</code> | ||
+ | | Flags | ||
+ | |- | ||
+ | | <code>RecordSize:LongWord;</code> | ||
+ | | Actual size of the FILE record | ||
+ | |- | ||
+ | | <code>RecordAllocated:LongWord;</code> | ||
+ | | Allocated size of the FILE record | ||
+ | |- | ||
+ | | <code>BaseReference:Int64;</code> | ||
+ | | File reference to the base FILE record | ||
+ | |- | ||
+ | | <code>NextAttributeId:Word;</code> | ||
+ | | Next Attribute Id | ||
+ | |- | ||
+ | | <code>UpdateSequenceRecord</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS31 file record''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFS31FileRecord = ^TNTFS31FileRecord;</code> | ||
+ | |||
+ | <code>TNTFS31FileRecord = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 48 bytes | ||
+ | |- | ||
+ | | <code>MagicNumber:LongWord;</code> | ||
+ | | Magic number 'FILE' | ||
+ | |- | ||
+ | | <code>UpdateSequenceOffset:Word;</code> | ||
+ | | Offset to the Update Sequence Record | ||
+ | |- | ||
+ | | <code>UpdateSequenceLength:Word;</code> | ||
+ | | Size in words of the Update Sequence Record | ||
+ | |- | ||
+ | | <code>LogFileSequenceNumber:Int64;</code> | ||
+ | | LogFile Sequence Number (LSN) | ||
+ | |- | ||
+ | | <code>SequenceNumber:Word;</code> | ||
+ | | Sequence number | ||
+ | |- | ||
+ | | <code>HardLinkCount:Word;</code> | ||
+ | | Hard link count | ||
+ | |- | ||
+ | | <code>AttributeOffset:Word;</code> | ||
+ | | Offset to the first Attribute | ||
+ | |- | ||
+ | | <code>RecordFlags:Word;</code> | ||
+ | | Flags | ||
+ | |- | ||
+ | | <code>RecordSize:LongWord;</code> | ||
+ | | Actual size of the FILE record | ||
+ | |- | ||
+ | | <code>RecordAllocated:LongWord;</code> | ||
+ | | Allocated size of the FILE record | ||
+ | |- | ||
+ | | <code>BaseReference:Int64;</code> | ||
+ | | File reference to the base FILE record | ||
+ | |- | ||
+ | | <code>NextAttributeId:Word;</code> | ||
+ | | Next Attribute Id | ||
+ | |- | ||
+ | | <code>RecordSegment:Word;</code> | ||
+ | | Align to 4 byte boundary (Segment of this MFT Record) | ||
+ | |- | ||
+ | | <code>RecordNumber:LongWord;</code> | ||
+ | | Number of this MFT Record | ||
+ | |- | ||
+ | | <code>UpdateSequenceRecord</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS restart record''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSRestartRecord = ^TNTFSRestartRecord;</code> | ||
+ | |||
+ | <code>TNTFSRestartRecord = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 30 bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32) | ||
+ | |- | ||
+ | | <code>MagicNumber:LongWord;</code> | ||
+ | | Magic number 'RSTR' | ||
+ | |- | ||
+ | | <code>UpdateSequenceOffset:Word;</code> | ||
+ | | Offset to the Update Sequence Record | ||
+ | |- | ||
+ | | <code>UpdateSequenceLength:Word;</code> | ||
+ | | Size in words of the Update Sequence Record | ||
+ | |- | ||
+ | | <code>LastSequenceNumber:Int64;</code> | ||
+ | | Last Log File Sequence Number (LSN) only used by Chkdsk when magic is CHKD otherwise 0 | ||
+ | |- | ||
+ | | <code>SystemPageSize:LongWord;</code> | ||
+ | | Must be >= 512 and a power of 2 (Normally 4096) | ||
+ | |- | ||
+ | | <code>LogPageSize:LongWord;</code> | ||
+ | | Must be >= 512 and a power of 2 (Normally 4096 if the SystemPageSize is 4096 to 8192 otherwise SystemPageSize) | ||
+ | |- | ||
+ | | <code>RestartAreaOffset:Word;</code> | ||
+ | | Absolute offset to the start of the restart area. Must be 8 byte aligned (After the Update Sequence Array) | ||
+ | |- | ||
+ | | <code>MinorVersion:Word;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>MajorVersion:Word;</code> | ||
+ | | NTFS1.2 is version ?.? / NTFS3.0 is version ?.? / NTFS3.1 is Version 1.1 | ||
+ | |- | ||
+ | | <code>UpdateSequenceRecord</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS restart area''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSRestartArea = ^TNTFSRestartArea;</code> | ||
+ | |||
+ | <code>TNTFSRestartArea = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 48 Bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32) | ||
+ | |- | ||
+ | | <code>CurrentSequenceNumber:Int64;</code> | ||
+ | | The Current (Last Written) Log File Sequence Number (LSN) on create this will be 0 | ||
+ | |- | ||
+ | | <code>LogClientCount:Word;</code> | ||
+ | | Must be 1 | ||
+ | |- | ||
+ | | <code>FirstFreeClient:Word;</code> | ||
+ | | The index of the first free log record (When clean normally 0 on Win2k or below and 0xFFFF on WinXP or above) | ||
+ | |- | ||
+ | | <code>FirstUsedClient:Word;</code> | ||
+ | | The index of the first used log record (When clean normally 0xFFFF on Win2k or below and 0 on WinXP or above) | ||
+ | |- | ||
+ | | <code>Flags:Word;</code> | ||
+ | | On Win2k or below always 0, on WinXP or above $0002 if clean | ||
+ | |- | ||
+ | | <code>SequenceNumberBits:LongWord;</code> | ||
+ | | The number of bits to use for the sequence number (67 - the number of bits to store the logfile size in bytes | ||
+ | |- | ||
+ | | <code>RestartAreaLength:Word;</code> | ||
+ | | Length of the restart area and log clients | ||
+ | |- | ||
+ | | <code>ClientArrayOffset:Word;</code> | ||
+ | | Offset from the start of the restart area to the first log client | ||
+ | |- | ||
+ | | <code>FileSize:Int64;</code> | ||
+ | | Usable byte size of the log file (rounded down to a multiple of LogPageSize, must be large enough to hold 2 restart records and 48 log records) | ||
+ | |- | ||
+ | | <code>LastSequenceDataLength:LongWord;</code> | ||
+ | | Length of data of last LSN not including log record header (On create this will be 0) | ||
+ | |- | ||
+ | | <code>LogRecordHeaderLength:Word;</code> | ||
+ | | Byte size of the log record header. Must be a multiple of 8. | ||
+ | |- | ||
+ | | <code>LogPageDataOffset:Word;</code> | ||
+ | | Offset to the start of data in a log record. Must be a multiple of 8. (After the Update Sequence Array) | ||
+ | |- | ||
+ | | <code>LogFileOpenCount:LongWord;</code> | ||
+ | | On create this will be a random value | ||
+ | |- | ||
+ | | <code>Reserved:LongWord;</code> | ||
+ | | Alignment to 8 bytes | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS log client''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSLogClient = ^TNTFSLogClient;</code> | ||
+ | |||
+ | <code>TNTFSLogClient = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 160 bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32) | ||
+ | |- | ||
+ | | <code>OldestSequenceNumber:Int64;</code> | ||
+ | | Oldest LSN of this log client (On create this will be 0) | ||
+ | |- | ||
+ | | <code>CurrentSequenceNumber:Int64;</code> | ||
+ | | Current LSN within the log client (On create this will be 0) | ||
+ | |- | ||
+ | | <code>PrevClient:Word;</code> | ||
+ | | Offset of the previous log client or 0xFFFF if first (Always 0xFFFF) | ||
+ | |- | ||
+ | | <code>NextClient:Word;</code> | ||
+ | | Offset of the next log client or 0xFFFF if last (Always 0xFFFF) | ||
+ | |- | ||
+ | | <code>SequenceNumber:Word;</code> | ||
+ | | On Win2K or below 0 when dirty and 1 when clean, on WinXP or above always 0 | ||
+ | |- | ||
+ | | <code>Reserved:array[0..5] of Byte;</code> | ||
+ | | Reserved/Alignment | ||
+ | |- | ||
+ | | <code>ClientNameLength:LongWord;</code> | ||
+ | | Client name length in bytes. Should always be 8 | ||
+ | |- | ||
+ | | <code>ClientName:array[0..63] of WideChar;</code> | ||
+ | | Should always be NTFS in unicode | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS log record''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSLogRecord = ^TNTFSLogRecord;</code> | ||
+ | |||
+ | <code>TNTFSLogRecord = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: ? Bytes | ||
+ | |- | ||
+ | | <code>MagicNumber:LongWord;</code> | ||
+ | | Magic number 'RCRD' | ||
+ | |- | ||
+ | | <code>UpdateSequenceOffset:Word;</code> | ||
+ | | Offset to the Update Sequence Record | ||
+ | |- | ||
+ | | <code>UpdateSequenceLength:Word;</code> | ||
+ | | Size in words of the Update Sequence Record | ||
+ | |- | ||
+ | | <code>LastLSN:Int64;</code> | ||
+ | | ??????? | ||
+ | |- | ||
+ | | <code>Flags:LongWord;</code> | ||
+ | | ??????? | ||
+ | |- | ||
+ | | <code>PageCount:Word;</code> | ||
+ | | ??????? | ||
+ | |- | ||
+ | | <code>PagePosition:Word;</code> | ||
+ | | ??????? | ||
+ | |- | ||
+ | | <code>NextRecordOffset:Int64;</code> | ||
+ | | ??????? | ||
+ | |- | ||
+ | | <code>LastEndLSN:Int64;</code> | ||
+ | | ??????? | ||
+ | |- | ||
+ | | <code>UpdateSequenceRecord</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS index record''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSIndexRecord = ^TNTFSIndexRecord;</code> | ||
+ | |||
+ | <code>TNTFSIndexRecord = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 24 bytes | ||
+ | |- | ||
+ | | <code>MagicNumber:LongWord;</code> | ||
+ | | Magic number 'INDX' | ||
+ | |- | ||
+ | | <code>UpdateSequenceOffset:Word;</code> | ||
+ | | Offset to the Update Sequence Record | ||
+ | |- | ||
+ | | <code>UpdateSequenceLength:Word;</code> | ||
+ | | Size in words of the Update Sequence Record | ||
+ | |- | ||
+ | | <code>LogFileSequenceNumber:Int64;</code> | ||
+ | | LogFile sequence number | ||
+ | |- | ||
+ | | <code>RecordNumber:Int64;</code> | ||
+ | | Number of this INDX record in the Index Allocation | ||
+ | |- | ||
+ | | <code>IndexHeader</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>UpdateSequenceRecord</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>IndexEntry(s)</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS index header''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSIndexHeader = ^TNTFSIndexHeader;</code> | ||
+ | |||
+ | <code>TNTFSIndexHeader = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 16 bytes | ||
+ | |- | ||
+ | | <code>EntryOffset:LongWord;</code> | ||
+ | | Offset to first Index Entry | ||
+ | |- | ||
+ | | <code>IndexSize:LongWord;</code> | ||
+ | | Total size of the Index Entries | ||
+ | |- | ||
+ | | <code>IndexAllocated:LongWord;</code> | ||
+ | | Allocated size of the Index Entries | ||
+ | |- | ||
+ | | <code>IndexFlags:Word;</code> | ||
+ | | Flags (See Consts) | ||
+ | |- | ||
+ | | <code>Reserved1:Word;</code> | ||
+ | | Padding (Align to 8 bytes) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS index entry''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSIndexEntry = ^TNTFSIndexEntry;</code> | ||
+ | |||
+ | <code>TNTFSIndexEntry = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 16 bytes (Not including Key of SubNodeNumber) | ||
+ | |- | ||
+ | | <code>Reserved1:Int64;</code> | ||
+ | | Padding (Align to 8 bytes) | ||
+ | |- | ||
+ | | <code>EntrySize:Word;</code> | ||
+ | | Length of the index entry | ||
+ | |- | ||
+ | | <code>KeySize:Word;</code> | ||
+ | | Length of the key entry | ||
+ | |- | ||
+ | | <code>EntryFlags:Word;</code> | ||
+ | | Flags (See Consts) | ||
+ | |- | ||
+ | | <code>Reserved2:Word;</code> | ||
+ | | Padding (Align to 8 bytes) | ||
+ | |- | ||
+ | | <code>Key:array[0..0] of Byte;</code> | ||
+ | | Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location | ||
+ | |- | ||
+ | | <code>SubNodeNumber:Int64</code> | ||
+ | | Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS data index entry''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSDataIndexEntry = ^TNTFSDataIndexEntry;</code> | ||
+ | |||
+ | <code>TNTFSDataIndexEntry = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 16 bytes (Not including Key, Data or SubNodeNumber) | ||
+ | |- | ||
+ | | <code>DataOffset:Word;</code> | ||
+ | | Offset to the data (Only valid when the last entry flag is not set) | ||
+ | |- | ||
+ | | <code>DataSize:Word;</code> | ||
+ | | Size of the data (Only valid when the last entry flag is not set) | ||
+ | |- | ||
+ | | <code>Reserved1:LongWord;</code> | ||
+ | | Padding (Align to 8 bytes) | ||
+ | |- | ||
+ | | <code>EntrySize:Word;</code> | ||
+ | | Length of the index entry | ||
+ | |- | ||
+ | | <code>KeySize:Word;</code> | ||
+ | | Length of the key entry | ||
+ | |- | ||
+ | | <code>EntryFlags:Word;</code> | ||
+ | | Flags (See Consts) | ||
+ | |- | ||
+ | | <code>Reserved2:Word;</code> | ||
+ | | Padding (Align to 8 bytes) | ||
+ | |- | ||
+ | | <code>Key:array[0..0] of Byte;</code> | ||
+ | | Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte</code> | ||
+ | | Data (Only present when the last entry flag is not set) | ||
+ | |- | ||
+ | | <code>SubNodeNumber:Int64</code> | ||
+ | | Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set) | ||
+ | Note: Key data depends on what is indexed (See ObjId/Quota/Owner/SecurityId/SecurityHash/Reparse structures below) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS attribute index entry''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSAttributeIndexEntry = ^TNTFSAttributeIndexEntry;</code> | ||
+ | |||
+ | <code>TNTFSAttributeIndexEntry = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 16 bytes (Not including Key of SubNodeNumber) | ||
+ | |- | ||
+ | | <code>FileReference:Int64;</code> | ||
+ | | File reference (Only valid when the last entry flag is not set) | ||
+ | |- | ||
+ | | <code>EntrySize:Word;</code> | ||
+ | | Length of the index entry | ||
+ | |- | ||
+ | | <code>KeySize:Word;</code> | ||
+ | | Length of the key entry | ||
+ | |- | ||
+ | | <code>EntryFlags:Word;</code> | ||
+ | | Flags (See Consts) | ||
+ | |- | ||
+ | | <code>Reserved1:Word;</code> | ||
+ | | Padding (Align to 8 bytes) | ||
+ | |- | ||
+ | | <code>Key:array[0..0] of Byte;</code> | ||
+ | | Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location | ||
+ | |- | ||
+ | | <code>SubNodeNumber:Int64</code> | ||
+ | | Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set) | ||
+ | Note: Key data depends on what is indexed but for an $I30 index it will be a FileName Attribute | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS attribute header''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSAttributeHeader = ^TNTFSAttributeHeader;</code> | ||
+ | |||
+ | <code>TNTFSAttributeHeader = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 16 bytes | ||
+ | |- | ||
+ | | <code>AttributeType:LongWord;</code> | ||
+ | | Attribute Type (e.g. 0x80, 0xA0) | ||
+ | |- | ||
+ | | <code>AttributeSize:LongWord;</code> | ||
+ | | Length of the Attribute (including header) | ||
+ | |- | ||
+ | | <code>NonResident:Byte;</code> | ||
+ | | Non-resident flag | ||
+ | |- | ||
+ | | <code>AttributeNameLength:Byte;</code> | ||
+ | | Name length | ||
+ | |- | ||
+ | | <code>AttributeNameOffset:Word;</code> | ||
+ | | Offset to the Name | ||
+ | |- | ||
+ | | <code>AttributeFlags:Word;</code> | ||
+ | | Flags | ||
+ | |- | ||
+ | | <code>AttributeId:Word;</code> | ||
+ | | Attribute Id | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS resident attribute header''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSResidentAttributeHeader = ^TNTFSResidentAttributeHeader;</code> | ||
+ | |||
+ | <code>TNTFSResidentAttributeHeader = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 24 bytes | ||
+ | |- | ||
+ | | <code>AttributeType:LongWord;</code> | ||
+ | | Attribute Type (e.g. 0x80, 0xA0) | ||
+ | |- | ||
+ | | <code>AttributeSize:LongWord;</code> | ||
+ | | Length of the Attribute (including header) | ||
+ | |- | ||
+ | | <code>NonResident:Byte;</code> | ||
+ | | Non-resident flag (Always 0) | ||
+ | |- | ||
+ | | <code>AttributeNameLength:Byte;</code> | ||
+ | | Name length | ||
+ | |- | ||
+ | | <code>AttributeNameOffset:Word;</code> | ||
+ | | Offset to the Name | ||
+ | |- | ||
+ | | <code>AttributeFlags:Word;</code> | ||
+ | | Flags | ||
+ | |- | ||
+ | | <code>AttributeId:Word;</code> | ||
+ | | Attribute Id | ||
+ | |- | ||
+ | | <code>DataSize:LongWord;</code> | ||
+ | | Length of the Attribute Data | ||
+ | |- | ||
+ | | <code>DataOffset:Word;</code> | ||
+ | | Offset to the Attribute Data | ||
+ | |- | ||
+ | | <code>Indexed:Byte;</code> | ||
+ | | Indexed flag | ||
+ | |- | ||
+ | | <code>Reserved1:Byte;</code> | ||
+ | | Padding | ||
+ | |- | ||
+ | | <code>AttributeName:array[0..0] of WideChar;</code> | ||
+ | | Unicode Attribute Name (if NameLength > 0) | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte</code> | ||
+ | | Attribute Data | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS non resident attribute header''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSNonResidentAttributeHeader = ^TNTFSNonResidentAttributeHeader;</code> | ||
+ | |||
+ | <code>TNTFSNonResidentAttributeHeader = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 64 bytes | ||
+ | |- | ||
+ | | <code>AttributeType:LongWord;</code> | ||
+ | | Attribute Type (e.g. 0x80, 0xA0) | ||
+ | |- | ||
+ | | <code>AttributeSize:LongWord;</code> | ||
+ | | Length of the Attribute (including header) | ||
+ | |- | ||
+ | | <code>NonResident:Byte;</code> | ||
+ | | Non-resident flag (Always 1) | ||
+ | |- | ||
+ | | <code>AttributeNameLength:Byte;</code> | ||
+ | | Name length | ||
+ | |- | ||
+ | | <code>AttributeNameOffset:Word;</code> | ||
+ | | Offset to the Name | ||
+ | |- | ||
+ | | <code>AttributeFlags:Word;</code> | ||
+ | | Flags | ||
+ | |- | ||
+ | | <code>AttributeId:Word;</code> | ||
+ | | Attribute Id | ||
+ | |- | ||
+ | | <code>StartVCN:Int64;</code> | ||
+ | | Starting VCN | ||
+ | |- | ||
+ | | <code>LastVCN:Int64;</code> | ||
+ | | Last VCN | ||
+ | |- | ||
+ | | <code>RunOffset:Word;</code> | ||
+ | | Offset to the Data Run | ||
+ | |- | ||
+ | | <code>CompressionUnit:Word;</code> | ||
+ | | Compression Unit Size | ||
+ | |- | ||
+ | | <code>Reserved1:LongWord;</code> | ||
+ | | Padding | ||
+ | |- | ||
+ | | <code>StreamAllocated:Int64;</code> | ||
+ | | Allocated size of the attribute | ||
+ | |- | ||
+ | | <code>StreamSize:Int64;</code> | ||
+ | | Real size of the attribute | ||
+ | |- | ||
+ | | <code>InitializedSize:Int64;</code> | ||
+ | | Initialized data size of the stream (Portion which has been Written) | ||
+ | |- | ||
+ | | <code>AttributeName:array[0..0] of WideChar;</code> | ||
+ | | Unicode Attribute Name (if NameLength > 0) | ||
+ | |- | ||
+ | | <code>Run:array[0..0] of Byte</code> | ||
+ | | Attribute Data Runs | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS compressed attribute header''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSCompressedAttributeHeader = ^TNTFSCompressedAttributeHeader;</code> | ||
+ | |||
+ | <code>TNTFSCompressedAttributeHeader = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 64 bytes | ||
+ | |- | ||
+ | | <code>AttributeType:LongWord;</code> | ||
+ | | Attribute Type (e.g. 0x80, 0xA0) | ||
+ | |- | ||
+ | | <code>AttributeSize:LongWord;</code> | ||
+ | | Length of the Attribute (including header) | ||
+ | |- | ||
+ | | <code>NonResident:Byte;</code> | ||
+ | | Non-resident flag (Always 1) | ||
+ | |- | ||
+ | | <code>AttributeNameLength:Byte;</code> | ||
+ | | Name length | ||
+ | |- | ||
+ | | <code>AttributeNameOffset:Word;</code> | ||
+ | | Offset to the Name | ||
+ | |- | ||
+ | | <code>AttributeFlags:Word;</code> | ||
+ | | Flags | ||
+ | |- | ||
+ | | <code>AttributeId:Word;</code> | ||
+ | | Attribute Id | ||
+ | |- | ||
+ | | <code>StartVCN:Int64;</code> | ||
+ | | Starting VCN | ||
+ | |- | ||
+ | | <code>LastVCN:Int64;</code> | ||
+ | | Last VCN | ||
+ | |- | ||
+ | | <code>RunOffset:Word;</code> | ||
+ | | Offset to the Data Run | ||
+ | |- | ||
+ | | <code>CompressionUnit:Word;</code> | ||
+ | | Compression Unit Size | ||
+ | |- | ||
+ | | <code>Reserved1:LongWord;</code> | ||
+ | | Padding | ||
+ | |- | ||
+ | | <code>StreamAllocated:Int64;</code> | ||
+ | | Allocated size of the attribute | ||
+ | |- | ||
+ | | <code>StreamSize:Int64;</code> | ||
+ | | Real size of the attribute | ||
+ | |- | ||
+ | | <code>InitializedSize:Int64;</code> | ||
+ | | Initialized data size of the stream (Portion which has been Written) | ||
+ | |- | ||
+ | | <code>StreamUsed:Int64;</code> | ||
+ | | The actual Allocated size of the attribute (Only present when compressed and only in the first instance) | ||
+ | |- | ||
+ | | <code>AttributeName:array[0..0] of WideChar;</code> | ||
+ | | Unicode Attribute Name (if NameLength > 0) | ||
+ | |- | ||
+ | | <code>Run:array[0..0] of Byte</code> | ||
+ | | Attribute Data Runs | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS12 standard information''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFS12StandardInformation = ^TNTFS12StandardInformation;</code> | ||
+ | |||
+ | <code>TNTFS12StandardInformation = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 48 bytes (0x10) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>CreateTime:TFileTime;</code> | ||
+ | | File Creation | ||
+ | |- | ||
+ | | <code>WriteTime:TFileTime;</code> | ||
+ | | File Altered | ||
+ | |- | ||
+ | | <code>ChangeTime:TFileTime;</code> | ||
+ | | MFT Changed | ||
+ | |- | ||
+ | | <code>AccessTime:TFileTime;</code> | ||
+ | | File Read | ||
+ | |- | ||
+ | | <code>Attributes:LongWord;</code> | ||
+ | | DOS File Permissions | ||
+ | |- | ||
+ | | <code>MaxVersions:LongWord;</code> | ||
+ | | Maximum Number of Versions | ||
+ | |- | ||
+ | | <code>VersionNo:LongWord;</code> | ||
+ | | Version Number | ||
+ | |- | ||
+ | | <code>ClassId:LongWord;</code> | ||
+ | | Class Id | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS30 standard information''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFS30StandardInformation = ^TNTFS30StandardInformation;</code> | ||
+ | |||
+ | <code>TNTFS30StandardInformation = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 72 bytes (0x10) Includes NTFS 3.1 | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>CreateTime:TFileTime;</code> | ||
+ | | File Creation | ||
+ | |- | ||
+ | | <code>WriteTime:TFileTime;</code> | ||
+ | | File Altered | ||
+ | |- | ||
+ | | <code>ChangeTime:TFileTime;</code> | ||
+ | | MFT Changed | ||
+ | |- | ||
+ | | <code>AccessTime:TFileTime;</code> | ||
+ | | File Read | ||
+ | |- | ||
+ | | <code>Attributes:LongWord;</code> | ||
+ | | DOS File Permissions | ||
+ | |- | ||
+ | | <code>MaxVersions:LongWord;</code> | ||
+ | | Maximum Number of Versions | ||
+ | |- | ||
+ | | <code>VersionNo:LongWord;</code> | ||
+ | | Version Number | ||
+ | |- | ||
+ | | <code>ClassId:LongWord;</code> | ||
+ | | Class Id | ||
+ | |- | ||
+ | | <code>OwnerId:LongWord;</code> | ||
+ | | Owner Id | ||
+ | |- | ||
+ | | <code>SecurityId:LongWord;</code> | ||
+ | | Security Id | ||
+ | |- | ||
+ | | <code>QuotaCharge:Int64;</code> | ||
+ | | Quota Charged | ||
+ | |- | ||
+ | | <code>UpdateSequenceNumber:Int64;</code> | ||
+ | | Update Sequence Number | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS attribute list''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSAttributeList = ^TNTFSAttributeList;</code> | ||
+ | |||
+ | <code>TNTFSAttributeList = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0x20) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Item:array[0..0] of Byte;</code> | ||
+ | | Attribute List Items | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS file name''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSFileName = ^TNTFSFileName;</code> | ||
+ | |||
+ | <code>TNTFSFileName = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 66 bytes (0x30) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>ParentReference:Int64;</code> | ||
+ | | File reference to the parent directory. | ||
+ | |- | ||
+ | | <code>CreateTime:TFileTime;</code> | ||
+ | | C Time - File Creation Note: These fields are only updated when the filename is changed. See Standard Information instead. | ||
+ | |- | ||
+ | | <code>WriteTime:TFileTime;</code> | ||
+ | | A Time - File Altered Note: These fields are only updated when the filename is changed. See Standard Information instead. | ||
+ | |- | ||
+ | | <code>ChangeTime:TFileTime;</code> | ||
+ | | M Time - MFT Changed Note: These fields are only updated when the filename is changed. See Standard Information instead. | ||
+ | |- | ||
+ | | <code>AccessTime:TFileTime;</code> | ||
+ | | R Time - File Read | ||
+ | |- | ||
+ | | <code>FileAllocated:Int64;</code> | ||
+ | | Allocated size of the file | ||
+ | |- | ||
+ | | <code>FileSize:Int64;</code> | ||
+ | | Real size of the file | ||
+ | |- | ||
+ | | <code>FileFlags:LongWord;</code> | ||
+ | | Flags, e.g. Directory, Compressed, Hidden | ||
+ | |- | ||
+ | | <code>ReparseTag:LongWord;</code> | ||
+ | | Used by EAs and Reparse | ||
+ | |- | ||
+ | | <code>FileNameLength:Byte;</code> | ||
+ | | Filename length in characters | ||
+ | |- | ||
+ | | <code>NameSpace:Byte;</code> | ||
+ | | Filename namespace | ||
+ | |- | ||
+ | | <code>FileName:array[0..0] of WideChar;</code> | ||
+ | | File name in Unicode (not null terminated) Note: NameLength but no NameOffset so Name | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS object ID''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSObjectId = ^TNTFSObjectId;</code> | ||
+ | |||
+ | <code>TNTFSObjectId = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 64 bytes (0x40) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>ObjectId:TGUID;</code> | ||
+ | | GUID Object Id Unique Id assigned to file | ||
+ | |- | ||
+ | | <code>BirthVolumeId:TGUID;</code> | ||
+ | | GUID Birth Volume Id Volume where file was created | ||
+ | |- | ||
+ | | <code>BirthObjectId:TGUID;</code> | ||
+ | | GUID Birth Object Id Original Object Id of file | ||
+ | |- | ||
+ | | <code>DomainId:TGUID;</code> | ||
+ | | GUID Domain Id Domain in which object was created | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS volume version''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSVolumeVersion = ^TNTFSVolumeVersion;</code> | ||
+ | |||
+ | <code>TNTFSVolumeVersion = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0x40) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte;</code> | ||
+ | | Unknown data (Structure to be determined) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS security descriptor''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSecurityDescriptor = ^TNTFSSecurityDescriptor;</code> | ||
+ | |||
+ | <code>TNTFSSecurityDescriptor = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0x50) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Security:array[0..0] of Byte;</code> | ||
+ | | Security Descriptor | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS volume name''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSVolumeName = ^TNTFSVolumeName;</code> | ||
+ | |||
+ | <code>TNTFSVolumeName = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0x60) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>VolumeName:array[0..0] of WideChar;</code> | ||
+ | | Unicode name Note: The DataOffset and DataSize in the ? | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS volume information''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSVolumeInformation = ^TNTFSVolumeInformation;</code> | ||
+ | |||
+ | <code>TNTFSVolumeInformation = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 16 bytes (0x70) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Reserved1:Int64;</code> | ||
+ | | Always zero ? | ||
+ | |- | ||
+ | | <code>MajorVersion:Byte;</code> | ||
+ | | Major version number | ||
+ | |- | ||
+ | | <code>MinorVersion:Byte;</code> | ||
+ | | Minor version number | ||
+ | |- | ||
+ | | <code>VolumeFlags:Word;</code> | ||
+ | | Flags | ||
+ | |- | ||
+ | | <code>Reserved2:LongWord;</code> | ||
+ | | Always zero ? (Padding only, not part of data) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSData = ^TNTFSData;</code> | ||
+ | |||
+ | <code>TNTFSData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0x80) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte;</code> | ||
+ | | Any data Note: The DataOffset and DataSize in the header give the pointer to the Data | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS index root''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSIndexRoot = ^TNTFSIndexRoot;</code> | ||
+ | |||
+ | <code>TNTFSIndexRoot = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 16 bytes (0x90) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>IndexType:LongWord;</code> | ||
+ | | Attribute Type | ||
+ | |- | ||
+ | | <code>CollateRule:LongWord;</code> | ||
+ | | Collation Rule | ||
+ | |- | ||
+ | | <code>IndexRecordSize:LongWord;</code> | ||
+ | | Size of Index Allocation Entry (bytes) | ||
+ | |- | ||
+ | | <code>IndexCounterOffset:LongWord;</code> | ||
+ | | Index Record Number increment | ||
+ | |- | ||
+ | | <code>IndexHeader</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>IndexEntry(s)</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS index allocation''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSIndexAllocation = ^TNTFSIndexAllocation;</code> | ||
+ | |||
+ | <code>TNTFSIndexAllocation = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0xA0) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Run:array[0..0] of Byte;</code> | ||
+ | | Data run Note: The RunOffset and AttributeSize in the header give the pointer to the Run | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS bitmap''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSBitmap = ^TNTFSBitmap;</code> | ||
+ | |||
+ | <code>TNTFSBitmap = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0xB0) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Bitmap:array[0..0] of Int64;</code> | ||
+ | | Bit field Note: The DataOffset and DataSize in the header give the pointer to the Bitmap (Bit ordering works as an array of bytes) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS reparse point''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSReparsePoint = ^TNTFSReparsePoint;</code> | ||
+ | |||
+ | <code>TNTFSReparsePoint = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 bytes (0xC0) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>ReparseTag:LongWord;</code> | ||
+ | | Reparse Type (and Flags) | ||
+ | |- | ||
+ | | <code>ReparseSize:Word;</code> | ||
+ | | Reparse Data Length | ||
+ | |- | ||
+ | | <code>Reserved1:Word;</code> | ||
+ | | Padding (align to 8 bytes) | ||
+ | |- | ||
+ | | <code>ReparseData:array[0..0] of Byte;</code> | ||
+ | | Reparse Data | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS reparse point Microsoft''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSReparsePointMicrosoft = ^TNTFSReparsePointMicrosoft;</code> | ||
+ | |||
+ | <code>TNTFSReparsePointMicrosoft = TNTFSReparsePoint;</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 bytes (0xC0) | ||
+ | |- | ||
+ | | | ||
+ | | style="width: 50%;"| | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS reparse point other''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSReparsePointOther = ^TNTFSReparsePointOther;</code> | ||
+ | |||
+ | <code>TNTFSReparsePointOther = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 24 bytes (0xC0) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>ReparseTag:LongWord;</code> | ||
+ | | Reparse Type (and Flags) | ||
+ | |- | ||
+ | | <code>ReparseSize:Word;</code> | ||
+ | | Reparse Data Length | ||
+ | |- | ||
+ | | <code>Reserved1:Word;</code> | ||
+ | | Padding (align to 8 bytes) | ||
+ | |- | ||
+ | | <code>ReparseGUID:TGUID;</code> | ||
+ | | Reparse GUID | ||
+ | |- | ||
+ | | <code>ReparseData:array[0..0] of Byte;</code> | ||
+ | | Reparse Data | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS symbolic link''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSymbolicLink = ^TNTFSSymbolicLink;</code> | ||
+ | |||
+ | <code>TNTFSSymbolicLink = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0xC0) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte;</code> | ||
+ | | Unknown data (Structure to be determined) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS extended attribute information''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSExtendedAttrInformation = ^TNTFSExtendedAttrInformation;</code> | ||
+ | |||
+ | <code>TNTFSExtendedAttrInformation = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 bytes (0xD0) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>PackedSize:Word;</code> | ||
+ | | Size of the packed Extended Attributes | ||
+ | |- | ||
+ | | <code>FlagCount:Word;</code> | ||
+ | | Number of Extended Attributes which have NEED_EA flag | ||
+ | |- | ||
+ | | <code>UnpackedSize:LongWord;</code> | ||
+ | | Size of the unpacked Extended Attributes | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS extended attribute''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSExtendedAttr = ^TNTFSExtendedAttr;</code> | ||
+ | |||
+ | <code>TNTFSExtendedAttr = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0xE0) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Extended:array[0..0] of Byte;</code> | ||
+ | | Extended Attributes | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS property set''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSPropertySet = ^TNTFSPropertySet;</code> | ||
+ | |||
+ | <code>TNTFSPropertySet = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0xF0) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte;</code> | ||
+ | | Unknown data (Structure to be determined) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS logged utility stream''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSLoggedUtilityStream = ^TNTFSLoggedUtilityStream;</code> | ||
+ | |||
+ | <code>TNTFSLoggedUtilityStream = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0x100) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte;</code> | ||
+ | | Any data Note: The DataOffset and DataSize in the header give the pointer to the Data | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS unknown''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSUnknown = ^TNTFSUnknown;</code> | ||
+ | |||
+ | <code>TNTFSUnknown = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0x100) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte;</code> | ||
+ | | Any data Note: The DataOffset and DataSize in the header give the pointer to the Data | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS end''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSEnd = ^TNTFSEnd;</code> | ||
+ | |||
+ | <code>TNTFSEnd = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes (0xFFFFFFFF) | ||
+ | |- | ||
+ | |colspan="2"|''Standard Attribute Header'' | ||
+ | |- | ||
+ | | | ||
+ | | style="width: 50%;"| | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS run data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSRunData = ^TNTFSRunData;</code> | ||
+ | |||
+ | <code>TNTFSRunData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes | ||
+ | |- | ||
+ | | <code>Run:array[0..0] of Byte;</code> | ||
+ | | Data Run Note: The RunOffset and AttributeSize in the header give the pointer to the Run | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS item data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSItemData = ^TNTFSItemData;</code> | ||
+ | |||
+ | <code>TNTFSItemData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 26 bytes (Data of attribute $ATTRIBUTE_LIST) | ||
+ | |- | ||
+ | | <code>AttributeType:LongWord;</code> | ||
+ | | Type | ||
+ | |- | ||
+ | | <code>ItemSize:Word;</code> | ||
+ | | Record length | ||
+ | |- | ||
+ | | <code>AttributeNameLength:Byte;</code> | ||
+ | | Name length | ||
+ | |- | ||
+ | | <code>AttributeNameOffset:Byte;</code> | ||
+ | | Offset to Name | ||
+ | |- | ||
+ | | <code>StartVCN:Int64;</code> | ||
+ | | Starting VCN | ||
+ | |- | ||
+ | | <code>FileReference:Int64;</code> | ||
+ | | File Reference of the attribute | ||
+ | |- | ||
+ | | <code>AttributeId:Word;</code> | ||
+ | | Attribute Id | ||
+ | |- | ||
+ | | <code>AttributeName:array[0..0] of WideChar;</code> | ||
+ | | Name in Unicode (if NameLength > 0) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS object Id data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSObjIdData = ^TNTFSObjIdData;</code> | ||
+ | |||
+ | <code>TNTFSObjIdData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 56 bytes (Data of index $O in file $ObjId) Key is ObjectId | ||
+ | |- | ||
+ | | <code>FileReference:Int64;</code> | ||
+ | | MFT Reference | ||
+ | |- | ||
+ | | <code>BirthVolumeId:TGUID;</code> | ||
+ | | GUID Birth Volume Id (This is the ObjectId from the file $Volume) | ||
+ | |- | ||
+ | | <code>BirthObjectId:TGUID;</code> | ||
+ | | GUID Birth Object Id | ||
+ | |- | ||
+ | | <code>DomainId:TGUID;</code> | ||
+ | | GUID Domain Id | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS quota data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSQuotaData = ^TNTFSQuotaData;</code> | ||
+ | |||
+ | <code>TNTFSQuotaData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 48 bytes Not including SID (Data of index $Q in file $Quota) Key is OwnerId | ||
+ | |- | ||
+ | | <code>Version:LongWord;</code> | ||
+ | | Version (0x02) | ||
+ | |- | ||
+ | | <code>Flags:LongWord;</code> | ||
+ | | Flags | ||
+ | |- | ||
+ | | <code>BytesUsed:Int64;</code> | ||
+ | | Bytes Used | ||
+ | |- | ||
+ | | <code>ChangeTime:TFileTime;</code> | ||
+ | | Change Time | ||
+ | |- | ||
+ | | <code>WarningLimit:Int64;</code> | ||
+ | | Warning Limit | ||
+ | |- | ||
+ | | <code>HardLimit:Int64;</code> | ||
+ | | Hard Limit | ||
+ | |- | ||
+ | | <code>ExceedTime:TFileTime;</code> | ||
+ | | Exceeded Time | ||
+ | |- | ||
+ | | <code>SID:array[0..0] of Byte;</code> | ||
+ | | SID | ||
+ | |- | ||
+ | | <code>Padding:array[0..0] of Byte</code> | ||
+ | | Padding (align to 8 bytes) Handled by Calculation of Index Entry Size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS owner data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSOwnerData = ^TNTFSOwnerData;</code> | ||
+ | |||
+ | <code>TNTFSOwnerData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 4 bytes (Data of index $O in file $Quota) Key is SID | ||
+ | |- | ||
+ | | <code>OwnerId:LongWord;</code> | ||
+ | | Owner Id | ||
+ | |- | ||
+ | | <code>Padding:array[0..0] of Byte</code> | ||
+ | | Padding (align to 8 bytes) Handled by Calculation of Index Entry Size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS up case data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSUpCaseData = ^TNTFSUpCaseData;</code> | ||
+ | |||
+ | <code>TNTFSUpCaseData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 131072 bytes (Data of file $UpCase) | ||
+ | |- | ||
+ | | <code>Data:array[0..65535] of Word;</code> | ||
+ | | Conversion data | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS attribute definition data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSAttrDefData = ^TNTFSAttrDefData;</code> | ||
+ | |||
+ | <code>TNTFSAttrDefData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 160 bytes (Data of file $AttrDef) | ||
+ | |- | ||
+ | | <code>AttributeName:array[0..63] of WideChar;</code> | ||
+ | | Label in Unicode | ||
+ | |- | ||
+ | | <code>AttributeType:LongWord;</code> | ||
+ | | Type | ||
+ | |- | ||
+ | | <code>DisplayRule:LongWord;</code> | ||
+ | | Display rule | ||
+ | |- | ||
+ | | <code>CollateRule:LongWord;</code> | ||
+ | | Collation rule | ||
+ | |- | ||
+ | | <code>AttrDefFlags:LongWord;</code> | ||
+ | | Flags (See Consts) | ||
+ | |- | ||
+ | | <code>MinimumSize:Int64;</code> | ||
+ | | Minimum size | ||
+ | |- | ||
+ | | <code>MaximumSize:Int64;</code> | ||
+ | | Maximum size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS reparse data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSReparseData = ^TNTFSReparseData;</code> | ||
+ | |||
+ | <code>TNTFSReparseData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 bytes Not including Data (Data of attribute $REPARSE_POINT) | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte;</code> | ||
+ | | Any data | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS reparse symbolic link data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSReparseSymLinkData = ^TNTFSReparseSymLinkData;</code> | ||
+ | |||
+ | <code>TNTFSReparseSymLinkData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 12 bytes Not including Names (Data of attribute $REPARSE_POINT) | ||
+ | |- | ||
+ | | <code>SubstituteNameOffset:Word;</code> | ||
+ | | Substitute Name Offset | ||
+ | |- | ||
+ | | <code>SubstituteNameLength:Word;</code> | ||
+ | | Substitute Name Length (Length is in bytes not characters) | ||
+ | |- | ||
+ | | <code>PrintNameOffset:Word;</code> | ||
+ | | Print Name Offset | ||
+ | |- | ||
+ | | <code>PrintNameLength:Word;</code> | ||
+ | | Print Name Length (Length is in bytes not characters) | ||
+ | |- | ||
+ | | <code>Reserved1:LongWord;</code> | ||
+ | | Always Zero | ||
+ | |- | ||
+ | | <code>PrintName:array[0..0] of Byte</code> | ||
+ | | Path Buffer (Not Null terminated) | ||
+ | |- | ||
+ | | <code>SubstituteName:array[0..0] of Byte</code> | ||
+ | | Path Buffer (Not Null terminated) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS reparse mount point data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSReparseMountPointData = ^TNTFSReparseMountPointData;</code> | ||
+ | |||
+ | <code>TNTFSReparseMountPointData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 12 bytes (Minimum 8 bytes plus 2 unicode nulls) Not including Names (Data of attribute $REPARSE_POINT) | ||
+ | |- | ||
+ | | <code>SubstituteNameOffset:Word;</code> | ||
+ | | Substitute Name Offset (Offset includes the null terminator) | ||
+ | |- | ||
+ | | <code>SubstituteNameLength:Word;</code> | ||
+ | | Substitute Name Length (Length is in bytes not characters and does not include the null terminator) | ||
+ | |- | ||
+ | | <code>PrintNameOffset:Word;</code> | ||
+ | | Print Name Offset (Offset includes the null terminator) | ||
+ | |- | ||
+ | | <code>PrintNameLength:Word;</code> | ||
+ | | Print Name Length (Length is in bytes not characters and does not include the null terminator) | ||
+ | |- | ||
+ | | <code>SubstituteName:array[0..0] of Byte</code> | ||
+ | | Path Buffer (Null terminated) | ||
+ | |- | ||
+ | | <code>PrintName:array[0..0] of Byte</code> | ||
+ | | Path Buffer (Null terminated) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS extended data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSExtendedData = ^TNTFSExtendedData;</code> | ||
+ | |||
+ | <code>TNTFSExtendedData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 bytes Not including Name (Data of attribute $EA) | ||
+ | |- | ||
+ | | <code>ExtendedOffset:LongWord;</code> | ||
+ | | Offset to next Extended Attribute (Offset to next EA is the size of this EA) | ||
+ | |- | ||
+ | | <code>ExtendedFlags:Byte;</code> | ||
+ | | Flags | ||
+ | |- | ||
+ | | <code>ExtendedNameLength:Byte;</code> | ||
+ | | Name Length (N) | ||
+ | |- | ||
+ | | <code>ExtendedDataSize:Word;</code> | ||
+ | | Value Length (V) | ||
+ | |- | ||
+ | | <code>ExtendedName:array[0..0] of Char;</code> | ||
+ | | Name Note: No offset so always in the same location | ||
+ | |- | ||
+ | | <code>ExtendedData:array[0..0] of Byte</code> | ||
+ | | Value | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS security data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSecurityData = ^TNTFSSecurityData;</code> | ||
+ | |||
+ | <code>TNTFSSecurityData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 20 bytes Minimum (Data of attribute $SECURITY_DESCRIPTOR and stream $SDS in file $Secure) | ||
+ | |- | ||
+ | | <code>Revision:Byte;</code> | ||
+ | | Revision | ||
+ | |- | ||
+ | | <code>Reserved1:Byte;</code> | ||
+ | | Padding | ||
+ | |- | ||
+ | | <code>Control:Word;</code> | ||
+ | | Control Flags | ||
+ | |- | ||
+ | | <code>OwnerOffset:LongWord;</code> | ||
+ | | Offset to Owner SID | ||
+ | |- | ||
+ | | <code>GroupOffset:LongWord;</code> | ||
+ | | Offset to Group SID | ||
+ | |- | ||
+ | | <code>SaclOffset:LongWord;</code> | ||
+ | | Offset to SACL | ||
+ | |- | ||
+ | | <code>DaclOffset:LongWord;</code> | ||
+ | | Offset to DACL | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS SID identifier authority data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSidIdentifierAuthorityData = ^TNTFSSidIdentifierAuthorityData;</code> | ||
+ | |||
+ | <code>TNTFSSidIdentifierAuthorityData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 6 Bytes | ||
+ | |- | ||
+ | | <code>Value:array[0..5] of Byte;</code> | ||
+ | | style="width: 50%;"| | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS SID data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSidData = ^TNTFSSidData;</code> | ||
+ | |||
+ | <code>TNTFSSidData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 Bytes Minimum (Not including SubAuthority) | ||
+ | |- | ||
+ | | <code>Revision:Byte;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>SubAuthorityCount:Byte;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>IdentifierAuthority:array[0..5] of Byte;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>SubAuthority:array[0..0] of LongWord;</code> | ||
+ | | Not included in size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS acl data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSAclData = ^TNTFSAclData;</code> | ||
+ | |||
+ | <code>TNTFSAclData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 Bytes | ||
+ | |- | ||
+ | | <code>AclRevision:Byte;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>Reserved1:Byte;</code> | ||
+ | | Must be Zero | ||
+ | |- | ||
+ | | <code>AclSize:Word;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>AceCount:Word;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>Reserved2:Word;</code> | ||
+ | | Must be Zero | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS ace header data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSAceHeaderData = ^TNTFSAceHeaderData;</code> | ||
+ | |||
+ | <code>TNTFSAceHeaderData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 4 Bytes | ||
+ | |- | ||
+ | | <code>AceType:Byte;</code> | ||
+ | | style="width: 50%;"| | ||
+ | |- | ||
+ | | <code> AceFlags:Byte;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>AceSize:Word;</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS ace data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSAceData = ^TNTFSAceData;</code> | ||
+ | |||
+ | <code>TNTFSAceData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 Bytes Minimum (Not including Sid) | ||
+ | |- | ||
+ | | <code>Header:TNTFSAceHeaderData;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>Mask:LongWord;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>Sid:array[0..0] of Byte;</code> | ||
+ | | Not included in size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS object ace data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSObjectAceData = ^TNTFSObjectAceData;</code> | ||
+ | |||
+ | <code>TNTFSObjectAceData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 44 Bytes Minimum (Not including Sid) | ||
+ | |- | ||
+ | | <code>Header:TNTFSAceHeaderData;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>Mask:LongWord;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>Flags:LongWord;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>ObjectType:TGUID;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>InheritedObjectType:TGUID;</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>Sid:array[0..0] of Byte;</code> | ||
+ | | Not included in size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS security item data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSecurityItemData = ^TNTFSSecurityItemData;</code> | ||
+ | |||
+ | <code>TNTFSSecurityItemData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 40 Bytes Minimum Including Security (Data of stream $SDS in file $Secure) | ||
+ | |- | ||
+ | | <code>SecurityHash:LongWord;</code> | ||
+ | | Hash of Security Descriptor | ||
+ | |- | ||
+ | | <code>SecurityId:LongWord;</code> | ||
+ | | Security Id | ||
+ | |- | ||
+ | | <code>SecurityOffset:Int64;</code> | ||
+ | | Offset of this entry in $SDS | ||
+ | |- | ||
+ | | <code>SecuritySize:LongWord;</code> | ||
+ | | Size of this entry in $SDS | ||
+ | |- | ||
+ | | <code>Security:TNTFSSecurityData;</code> | ||
+ | | Self-relative Security Descriptor | ||
+ | |- | ||
+ | | <code>Padding:array[0..0] of Byte</code> | ||
+ | | Padding (align to 16 bytes) Handled by Calculation of Stream Size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS security Id data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSecurityIdData = ^TNTFSSecurityIdData;</code> | ||
+ | |||
+ | <code>TNTFSSecurityIdData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 20 Bytes (Data of index $SII in file $Secure) (Key is SecurityId) | ||
+ | |- | ||
+ | | <code>SecurityHash:LongWord;</code> | ||
+ | | Hash of Security Descriptor | ||
+ | |- | ||
+ | | <code>SecurityId:LongWord;</code> | ||
+ | | Security Id | ||
+ | |- | ||
+ | | <code>SecurityOffset:Int64;</code> | ||
+ | | Offset of this entry in $SDS | ||
+ | |- | ||
+ | | <code>SecuritySize:LongWord;</code> | ||
+ | | Size of this entry in $SDS | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS security hash data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSecurityHashData = ^TNTFSSecurityHashData;</code> | ||
+ | |||
+ | <code>TNTFSSecurityHashData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 20 Bytes (Data of index $SDH in file $Secure) | ||
+ | |- | ||
+ | | <code>SecurityHash:LongWord;</code> | ||
+ | | Hash of Security Descriptor | ||
+ | |- | ||
+ | | <code>SecurityId:LongWord;</code> | ||
+ | | Security Id | ||
+ | |- | ||
+ | | <code>SecurityOffset:Int64;</code> | ||
+ | | Offset of this entry in $SDS | ||
+ | |- | ||
+ | | <code>SecuritySize:LongWord;</code> | ||
+ | | Size of this entry in $SDS | ||
+ | |- | ||
+ | | <code>Padding:LongWord;</code> | ||
+ | | Padding (align to 8 bytes) Always 4 bytes and always appears to be the Unicode string "II" | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS object Id key data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSObjIdKeyData = ^TNTFSObjIdKeyData;</code> | ||
+ | |||
+ | <code>TNTFSObjIdKeyData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 16 Bytes (Key of index $O in file $ObjId) | ||
+ | |- | ||
+ | | <code>ObjectId:TGUID;</code> | ||
+ | | GUID Object Id | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte</code> | ||
+ | | Data (see above) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS quota key data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSQuotaKeyData = ^TNTFSQuotaKeyData;</code> | ||
+ | |||
+ | <code>TNTFSQuotaKeyData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 4 Bytes (Key of index $Q in file $Quota) | ||
+ | |- | ||
+ | | <code>OwnerId:LongWord;</code> | ||
+ | | Owner Id | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte</code> | ||
+ | | Data (see above) | ||
+ | |- | ||
+ | | <code>Padding:array[0..0] of Byte</code> | ||
+ | | Padding (align to 8 bytes) Handled by Calculation of Index Entry Size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS owner key data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSOwnerKeyData = ^TNTFSOwnerKeyData;</code> | ||
+ | |||
+ | <code>TNTFSOwnerKeyData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 0 Bytes Not including SID (Key of index $O in file $Quota) | ||
+ | |- | ||
+ | | <code>SID:array[0..0] of Byte;</code> | ||
+ | | SID | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte</code> | ||
+ | | Data (see above) | ||
+ | |- | ||
+ | | <code>Padding:array[0..0] of Byte</code> | ||
+ | | Padding (align to 8 bytes) Handled by Calculation of Index Entry Size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS security Id key data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSecurityIdKeyData = ^TNTFSSecurityIdKeyData;</code> | ||
+ | |||
+ | <code>TNTFSSecurityIdKeyData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 4 Bytes (Key of index $SII in file $Secure) | ||
+ | |- | ||
+ | | <code>SecurityId:LongWord;</code> | ||
+ | | Security Id | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte</code> | ||
+ | | Data (see above) | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS security hash key data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSSecurityHashKeyData = ^TNTFSSecurityHashKeyData;</code> | ||
+ | |||
+ | <code>TNTFSSecurityHashKeyData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 Bytes (Key of index $SDH in file $Secure) | ||
+ | |- | ||
+ | | <code>SecurityHash:LongWord;</code> | ||
+ | | Hash of Security Descriptor | ||
+ | |- | ||
+ | | <code>SecurityId:LongWord;</code> | ||
+ | | Security Id | ||
+ | |- | ||
+ | | <code>Data:array[0..0] of Byte</code> | ||
+ | | Data (see above) | ||
+ | |- | ||
+ | | <code>Padding:array[0..0] of Byte</code> | ||
+ | | Padding (align to 8 bytes) Handled by Calculation of Index Entry Size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS reparse key data''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSReparseKeyData = ^TNTFSReparseKeyData;</code> | ||
+ | |||
+ | <code>TNTFSReparseKeyData = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 12 Bytes (Key of index $R in file $Reparse) This index contains no data | ||
+ | |- | ||
+ | | <code>ReparseTag:LongWord;</code> | ||
+ | | Reparse Tag (and Flags) | ||
+ | |- | ||
+ | | <code>FileReference:Int64;</code> | ||
+ | | MFT Reference of Reparse Point | ||
+ | |- | ||
+ | | <code>Padding:LongWord;</code> | ||
+ | | Padding (align to 8 bytes) Handled by Calculation of Index Entry Size | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS run offset''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSRunOffset = ^TNTFSRunOffset;</code> | ||
+ | |||
+ | <code>TNTFSRunOffset = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 Bytes | ||
+ | |- | ||
+ | | <code>case Integer of</code> | ||
+ | | style="width: 50%;"| | ||
+ | |- | ||
+ | | <code>1:(Offset1:ShortInt);</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>2:(Offset2:SmallInt);</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>4:(Offset4:LongInt);</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>8:(Offset8:Int64);</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | |||
+ | '''NTFS run length''' | ||
+ | |||
+ | <div class="toccolours mw-collapsible mw-collapsed" style="border: 1; font-family: arial;"> | ||
+ | <code>PNTFSRunLength = ^TNTFSRunLength;</code> | ||
+ | |||
+ | <code>TNTFSRunLength = packed record</code> | ||
+ | <div class="mw-collapsible-content" style="text-align: left; padding-left: 5px;"> | ||
+ | {| class="wikitable" style="font-size: 14px; background: white;" | ||
+ | |- | ||
+ | |colspan="2"|Note: 8 Bytes | ||
+ | |- | ||
+ | | <code>case Integer of</code> | ||
+ | | style="width: 50%;"| | ||
+ | |- | ||
+ | | <code>1:(Length1:Byte);</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>2:(Length2:Word);</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>4:(Length4:LongWord);</code> | ||
+ | | | ||
+ | |- | ||
+ | | <code>8:(Length8:Int64);</code> | ||
+ | | | ||
+ | |- | ||
+ | |} | ||
+ | </div></div> | ||
+ | <br /> | ||
=== Public variables === | === Public variables === |
Revision as of 05:24, 23 January 2017
Description
Ultibo NTFS types unit
To be documented
Constants
None defined
Type definitions
NTFS specific types
TNTFSType = (ntNONE,ntNTFS12,ntNTFS30,ntNTFS31);
|
NTFS record number
PNTFSRecordNumber = ^TNTFSRecordNumber;
TNTFSRecordNumber = packed record
Note: 48 bits (Read/Write as Word,LongWord) | |
RecordSegment:Word;
|
|
RecordNumber:LongWord;
|
NTFS file reference
PNTFSFileReference = ^TNTFSFileReference;
TNTFSFileReference = packed record
Note: 64 bits (Read/Write as Int64) Note endian ordering | |
RecordNumber:LongWord;
|
|
RecordSegment:Word;
|
|
SequenceNumber:Word;
|
NTFS sub node record
PNTFSSubNodeRecord = ^TNTFSSubNodeRecord;
TNTFSSubNodeRecord = packed record
Note: 8 bytes | |
SubNodeNumber:Int64;
|
NTFS update sequence record
PNTFSUpdateSequenceRecord = ^TNTFSUpdateSequenceRecord;
TNTFSUpdateSequenceRecord = packed record
Note: 2 bytes | |
UpdateSequenceNumber:Word;
|
Update Sequence Number |
UpdateSequenceArray:array[0..0] of Word;
|
Update Sequence Array |
Padding
|
Padding (align to 8 bytes) |
NTFS12 file record
PNTFS12FileRecord = ^TNTFS12FileRecord;
TNTFS12FileRecord = packed record
Note: 42 bytes (Includes NTFS 3.0) | |
MagicNumber:LongWord;
|
Magic number 'FILE' |
UpdateSequenceOffset:Word;
|
Offset to the Update Sequence Record |
UpdateSequenceLength:Word;
|
Size in words of the Update Sequence Record |
LogFileSequenceNumber:Int64;
|
LogFile Sequence Number (LSN) |
SequenceNumber:Word;
|
Sequence number |
HardLinkCount:Word;
|
Hard link count |
AttributeOffset:Word;
|
Offset to the first Attribute |
RecordFlags:Word;
|
Flags |
RecordSize:LongWord;
|
Actual size of the FILE record |
RecordAllocated:LongWord;
|
Allocated size of the FILE record |
BaseReference:Int64;
|
File reference to the base FILE record |
NextAttributeId:Word;
|
Next Attribute Id |
UpdateSequenceRecord
|
NTFS31 file record
PNTFS31FileRecord = ^TNTFS31FileRecord;
TNTFS31FileRecord = packed record
Note: 48 bytes | |
MagicNumber:LongWord;
|
Magic number 'FILE' |
UpdateSequenceOffset:Word;
|
Offset to the Update Sequence Record |
UpdateSequenceLength:Word;
|
Size in words of the Update Sequence Record |
LogFileSequenceNumber:Int64;
|
LogFile Sequence Number (LSN) |
SequenceNumber:Word;
|
Sequence number |
HardLinkCount:Word;
|
Hard link count |
AttributeOffset:Word;
|
Offset to the first Attribute |
RecordFlags:Word;
|
Flags |
RecordSize:LongWord;
|
Actual size of the FILE record |
RecordAllocated:LongWord;
|
Allocated size of the FILE record |
BaseReference:Int64;
|
File reference to the base FILE record |
NextAttributeId:Word;
|
Next Attribute Id |
RecordSegment:Word;
|
Align to 4 byte boundary (Segment of this MFT Record) |
RecordNumber:LongWord;
|
Number of this MFT Record |
UpdateSequenceRecord
|
NTFS restart record
PNTFSRestartRecord = ^TNTFSRestartRecord;
TNTFSRestartRecord = packed record
Note: 30 bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32) | |
MagicNumber:LongWord;
|
Magic number 'RSTR' |
UpdateSequenceOffset:Word;
|
Offset to the Update Sequence Record |
UpdateSequenceLength:Word;
|
Size in words of the Update Sequence Record |
LastSequenceNumber:Int64;
|
Last Log File Sequence Number (LSN); only used by Chkdsk when magic is CHKD, otherwise 0 |
SystemPageSize:LongWord;
|
Must be >= 512 and a power of 2 (Normally 4096) |
LogPageSize:LongWord;
|
Must be >= 512 and a power of 2 (Normally 4096 if the SystemPageSize is 4096 to 8192 otherwise SystemPageSize) |
RestartAreaOffset:Word;
|
Absolute offset to the start of the restart area. Must be 8 byte aligned (After the Update Sequence Array) |
MinorVersion:Word;
|
|
MajorVersion:Word;
|
NTFS1.2 is version ?.? / NTFS3.0 is version ?.? / NTFS3.1 is Version 1.1 |
UpdateSequenceRecord
|
NTFS restart area
PNTFSRestartArea = ^TNTFSRestartArea;
TNTFSRestartArea = packed record
Note: 48 Bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32) | |
CurrentSequenceNumber:Int64;
|
The Current (Last Written) Log File Sequence Number (LSN) on create this will be 0 |
LogClientCount:Word;
|
Must be 1 |
FirstFreeClient:Word;
|
The index of the first free log record (When clean normally 0 on Win2k or below and 0xFFFF on WinXP or above) |
FirstUsedClient:Word;
|
The index of the first used log record (When clean normally 0xFFFF on Win2k or below and 0 on WinXP or above) |
Flags:Word;
|
On Win2k or below always 0, on WinXP or above $0002 if clean |
SequenceNumberBits:LongWord;
|
The number of bits to use for the sequence number (67 - the number of bits to store the logfile size in bytes) |
RestartAreaLength:Word;
|
Length of the restart area and log clients |
ClientArrayOffset:Word;
|
Offset from the start of the restart area to the first log client |
FileSize:Int64;
|
Usable byte size of the log file (rounded down to a multiple of LogPageSize, must be large enough to hold 2 restart records and 48 log records) |
LastSequenceDataLength:LongWord;
|
Length of data of last LSN not including log record header (On create this will be 0) |
LogRecordHeaderLength:Word;
|
Byte size of the log record header. Must be a multiple of 8. |
LogPageDataOffset:Word;
|
Offset to the start of data in a log record. Must be a multiple of 8. (After the Update Sequence Array) |
LogFileOpenCount:LongWord;
|
On create this will be a random value |
Reserved:LongWord;
|
Alignment to 8 bytes |
NTFS log client
PNTFSLogClient = ^TNTFSLogClient;
TNTFSLogClient = packed record
Note: 160 bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32) | |
OldestSequenceNumber:Int64;
|
Oldest LSN of this log client (On create this will be 0) |
CurrentSequenceNumber:Int64;
|
Current LSN within the log client (On create this will be 0) |
PrevClient:Word;
|
Offset of the previous log client or 0xFFFF if first (Always 0xFFFF) |
NextClient:Word;
|
Offset of the next log client or 0xFFFF if last (Always 0xFFFF) |
SequenceNumber:Word;
|
On Win2K or below 0 when dirty and 1 when clean, on WinXP or above always 0 |
Reserved:array[0..5] of Byte;
|
Reserved/Alignment |
ClientNameLength:LongWord;
|
Client name length in bytes. Should always be 8 |
ClientName:array[0..63] of WideChar;
|
Should always be NTFS in Unicode |
NTFS log record
PNTFSLogRecord = ^TNTFSLogRecord;
TNTFSLogRecord = packed record
Note: ? Bytes | |
MagicNumber:LongWord;
|
Magic number 'RCRD' |
UpdateSequenceOffset:Word;
|
Offset to the Update Sequence Record |
UpdateSequenceLength:Word;
|
Size in words of the Update Sequence Record |
LastLSN:Int64;
|
??????? |
Flags:LongWord;
|
??????? |
PageCount:Word;
|
??????? |
PagePosition:Word;
|
??????? |
NextRecordOffset:Int64;
|
??????? |
LastEndLSN:Int64;
|
??????? |
UpdateSequenceRecord
|
NTFS index record
PNTFSIndexRecord = ^TNTFSIndexRecord;
TNTFSIndexRecord = packed record
Note: 24 bytes | |
MagicNumber:LongWord;
|
Magic number 'INDX' |
UpdateSequenceOffset:Word;
|
Offset to the Update Sequence Record |
UpdateSequenceLength:Word;
|
Size in words of the Update Sequence Record |
LogFileSequenceNumber:Int64;
|
LogFile sequence number |
RecordNumber:Int64;
|
Number of this INDX record in the Index Allocation |
IndexHeader
|
|
UpdateSequenceRecord
|
|
IndexEntry(s)
|
NTFS index header
PNTFSIndexHeader = ^TNTFSIndexHeader;
TNTFSIndexHeader = packed record
Note: 16 bytes | |
EntryOffset:LongWord;
|
Offset to first Index Entry |
IndexSize:LongWord;
|
Total size of the Index Entries |
IndexAllocated:LongWord;
|
Allocated size of the Index Entries |
IndexFlags:Word;
|
Flags (See Consts) |
Reserved1:Word;
|
Padding (Align to 8 bytes) |
NTFS index entry
PNTFSIndexEntry = ^TNTFSIndexEntry;
TNTFSIndexEntry = packed record
Note: 16 bytes (Not including Key or SubNodeNumber) | |
Reserved1:Int64;
|
Padding (Align to 8 bytes) |
EntrySize:Word;
|
Length of the index entry |
KeySize:Word;
|
Length of the key entry |
EntryFlags:Word;
|
Flags (See Consts) |
Reserved2:Word;
|
Padding (Align to 8 bytes) |
Key:array[0..0] of Byte;
|
Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location |
SubNodeNumber:Int64
|
Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set) |
NTFS data index entry
PNTFSDataIndexEntry = ^TNTFSDataIndexEntry;
TNTFSDataIndexEntry = packed record
Note: 16 bytes (Not including Key, Data or SubNodeNumber) | |
DataOffset:Word;
|
Offset to the data (Only valid when the last entry flag is not set) |
DataSize:Word;
|
Size of the data (Only valid when the last entry flag is not set) |
Reserved1:LongWord;
|
Padding (Align to 8 bytes) |
EntrySize:Word;
|
Length of the index entry |
KeySize:Word;
|
Length of the key entry |
EntryFlags:Word;
|
Flags (See Consts) |
Reserved2:Word;
|
Padding (Align to 8 bytes) |
Key:array[0..0] of Byte;
|
Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location |
Data:array[0..0] of Byte
|
Data (Only present when the last entry flag is not set) |
SubNodeNumber:Int64
|
Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set)
Note: Key data depends on what is indexed (See ObjId/Quota/Owner/SecurityId/SecurityHash/Reparse structures below) |
NTFS attribute index entry
PNTFSAttributeIndexEntry = ^TNTFSAttributeIndexEntry;
TNTFSAttributeIndexEntry = packed record
Note: 16 bytes (Not including Key or SubNodeNumber) | |
FileReference:Int64;
|
File reference (Only valid when the last entry flag is not set) |
EntrySize:Word;
|
Length of the index entry |
KeySize:Word;
|
Length of the key entry |
EntryFlags:Word;
|
Flags (See Consts) |
Reserved1:Word;
|
Padding (Align to 8 bytes) |
Key:array[0..0] of Byte;
|
Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location |
SubNodeNumber:Int64
|
Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set)
Note: Key data depends on what is indexed but for an $I30 index it will be a FileName Attribute |
NTFS attribute header
PNTFSAttributeHeader = ^TNTFSAttributeHeader;
TNTFSAttributeHeader = packed record
Note: 16 bytes | |
AttributeType:LongWord;
|
Attribute Type (e.g. 0x80, 0xA0) |
AttributeSize:LongWord;
|
Length of the Attribute (including header) |
NonResident:Byte;
|
Non-resident flag |
AttributeNameLength:Byte;
|
Name length |
AttributeNameOffset:Word;
|
Offset to the Name |
AttributeFlags:Word;
|
Flags |
AttributeId:Word;
|
Attribute Id |
NTFS resident attribute header
PNTFSResidentAttributeHeader = ^TNTFSResidentAttributeHeader;
TNTFSResidentAttributeHeader = packed record
Note: 24 bytes | |
AttributeType:LongWord;
|
Attribute Type (e.g. 0x80, 0xA0) |
AttributeSize:LongWord;
|
Length of the Attribute (including header) |
NonResident:Byte;
|
Non-resident flag (Always 0) |
AttributeNameLength:Byte;
|
Name length |
AttributeNameOffset:Word;
|
Offset to the Name |
AttributeFlags:Word;
|
Flags |
AttributeId:Word;
|
Attribute Id |
DataSize:LongWord;
|
Length of the Attribute Data |
DataOffset:Word;
|
Offset to the Attribute Data |
Indexed:Byte;
|
Indexed flag |
Reserved1:Byte;
|
Padding |
AttributeName:array[0..0] of WideChar;
|
Unicode Attribute Name (if NameLength > 0) |
Data:array[0..0] of Byte
|
Attribute Data |
NTFS non resident attribute header
PNTFSNonResidentAttributeHeader = ^TNTFSNonResidentAttributeHeader;
TNTFSNonResidentAttributeHeader = packed record
Note: 64 bytes | |
AttributeType:LongWord;
|
Attribute Type (e.g. 0x80, 0xA0) |
AttributeSize:LongWord;
|
Length of the Attribute (including header) |
NonResident:Byte;
|
Non-resident flag (Always 1) |
AttributeNameLength:Byte;
|
Name length |
AttributeNameOffset:Word;
|
Offset to the Name |
AttributeFlags:Word;
|
Flags |
AttributeId:Word;
|
Attribute Id |
StartVCN:Int64;
|
Starting VCN |
LastVCN:Int64;
|
Last VCN |
RunOffset:Word;
|
Offset to the Data Run |
CompressionUnit:Word;
|
Compression Unit Size |
Reserved1:LongWord;
|
Padding |
StreamAllocated:Int64;
|
Allocated size of the attribute |
StreamSize:Int64;
|
Real size of the attribute |
InitializedSize:Int64;
|
Initialized data size of the stream (Portion which has been Written) |
AttributeName:array[0..0] of WideChar;
|
Unicode Attribute Name (if NameLength > 0) |
Run:array[0..0] of Byte
|
Attribute Data Runs |
NTFS compressed attribute header
PNTFSCompressedAttributeHeader = ^TNTFSCompressedAttributeHeader;
TNTFSCompressedAttributeHeader = packed record
Note: 64 bytes | |
AttributeType:LongWord;
|
Attribute Type (e.g. 0x80, 0xA0) |
AttributeSize:LongWord;
|
Length of the Attribute (including header) |
NonResident:Byte;
|
Non-resident flag (Always 1) |
AttributeNameLength:Byte;
|
Name length |
AttributeNameOffset:Word;
|
Offset to the Name |
AttributeFlags:Word;
|
Flags |
AttributeId:Word;
|
Attribute Id |
StartVCN:Int64;
|
Starting VCN |
LastVCN:Int64;
|
Last VCN |
RunOffset:Word;
|
Offset to the Data Run |
CompressionUnit:Word;
|
Compression Unit Size |
Reserved1:LongWord;
|
Padding |
StreamAllocated:Int64;
|
Allocated size of the attribute |
StreamSize:Int64;
|
Real size of the attribute |
InitializedSize:Int64;
|
Initialized data size of the stream (Portion which has been Written) |
StreamUsed:Int64;
|
The actual Allocated size of the attribute (Only present when compressed and only in the first instance) |
AttributeName:array[0..0] of WideChar;
|
Unicode Attribute Name (if NameLength > 0) |
Run:array[0..0] of Byte
|
Attribute Data Runs |
NTFS12 standard information
PNTFS12StandardInformation = ^TNTFS12StandardInformation;
TNTFS12StandardInformation = packed record
Note: 48 bytes (0x10) | |
Standard Attribute Header | |
CreateTime:TFileTime;
|
File Creation |
WriteTime:TFileTime;
|
File Altered |
ChangeTime:TFileTime;
|
MFT Changed |
AccessTime:TFileTime;
|
File Read |
Attributes:LongWord;
|
DOS File Permissions |
MaxVersions:LongWord;
|
Maximum Number of Versions |
VersionNo:LongWord;
|
Version Number |
ClassId:LongWord;
|
Class Id |
NTFS30 standard information
PNTFS30StandardInformation = ^TNTFS30StandardInformation;
TNTFS30StandardInformation = packed record
Note: 72 bytes (0x10) Includes NTFS 3.1 | |
Standard Attribute Header | |
CreateTime:TFileTime;
|
File Creation |
WriteTime:TFileTime;
|
File Altered |
ChangeTime:TFileTime;
|
MFT Changed |
AccessTime:TFileTime;
|
File Read |
Attributes:LongWord;
|
DOS File Permissions |
MaxVersions:LongWord;
|
Maximum Number of Versions |
VersionNo:LongWord;
|
Version Number |
ClassId:LongWord;
|
Class Id |
OwnerId:LongWord;
|
Owner Id |
SecurityId:LongWord;
|
Security Id |
QuotaCharge:Int64;
|
Quota Charged |
UpdateSequenceNumber:Int64;
|
Update Sequence Number |
NTFS attribute list
PNTFSAttributeList = ^TNTFSAttributeList;
TNTFSAttributeList = packed record
Note: 0 bytes (0x20) | |
Standard Attribute Header | |
Item:array[0..0] of Byte;
|
Attribute List Items |
NTFS file name
PNTFSFileName = ^TNTFSFileName;
TNTFSFileName = packed record
Note: 66 bytes (0x30) | |
Standard Attribute Header | |
ParentReference:Int64;
|
File reference to the parent directory. |
CreateTime:TFileTime;
|
C Time - File Creation. Note: These fields are only updated when the filename is changed; see Standard Information instead. |
WriteTime:TFileTime;
|
A Time - File Altered. Note: These fields are only updated when the filename is changed; see Standard Information instead. |
ChangeTime:TFileTime;
|
M Time - MFT Changed. Note: These fields are only updated when the filename is changed; see Standard Information instead. |
AccessTime:TFileTime;
|
R Time - File Read |
FileAllocated:Int64;
|
Allocated size of the file |
FileSize:Int64;
|
Real size of the file |
FileFlags:LongWord;
|
Flags, e.g. Directory, Compressed, Hidden |
ReparseTag:LongWord;
|
Used by EAs and Reparse |
FileNameLength:Byte;
|
Filename length in characters |
NameSpace:Byte;
|
Filename namespace |
FileName:array[0..0] of WideChar;
|
File name in Unicode (not null terminated) Note: NameLength but no NameOffset so Name |
NTFS object ID
PNTFSObjectId = ^TNTFSObjectId;
TNTFSObjectId = packed record
Note: 64 bytes (0x40) | |
Standard Attribute Header | |
ObjectId:TGUID;
|
GUID Object Id Unique Id assigned to file |
BirthVolumeId:TGUID;
|
GUID Birth Volume Id Volume where file was created |
BirthObjectId:TGUID;
|
GUID Birth Object Id Original Object Id of file |
DomainId:TGUID;
|
GUID Domain Id Domain in which object was created |
NTFS volume version
PNTFSVolumeVersion = ^TNTFSVolumeVersion;
TNTFSVolumeVersion = packed record
Note: 0 bytes (0x40) | |
Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Unknown data (Structure to be determined) |
NTFS security descriptor
PNTFSSecurityDescriptor = ^TNTFSSecurityDescriptor;
TNTFSSecurityDescriptor = packed record
Note: 0 bytes (0x50) | |
Standard Attribute Header | |
Security:array[0..0] of Byte;
|
Security Descriptor |
NTFS volume name
PNTFSVolumeName = ^TNTFSVolumeName;
TNTFSVolumeName = packed record
Note: 0 bytes (0x60) | |
Standard Attribute Header | |
VolumeName:array[0..0] of WideChar;
|
Unicode name Note: The DataOffset and DataSize in the ? |
NTFS volume information
PNTFSVolumeInformation = ^TNTFSVolumeInformation;
TNTFSVolumeInformation = packed record
Note: 16 bytes (0x70) | |
Standard Attribute Header | |
Reserved1:Int64;
|
Always zero ? |
MajorVersion:Byte;
|
Major version number |
MinorVersion:Byte;
|
Minor version number |
VolumeFlags:Word;
|
Flags |
Reserved2:LongWord;
|
Always zero ? (Padding only, not part of data) |
NTFS data
PNTFSData = ^TNTFSData;
TNTFSData = packed record
Note: 0 bytes (0x80) | |
Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Any data Note: The DataOffset and DataSize in the header give the pointer to the Data |
NTFS index root
PNTFSIndexRoot = ^TNTFSIndexRoot;
TNTFSIndexRoot = packed record
Note: 16 bytes (0x90) | |
Standard Attribute Header | |
IndexType:LongWord;
|
Attribute Type |
CollateRule:LongWord;
|
Collation Rule |
IndexRecordSize:LongWord;
|
Size of Index Allocation Entry (bytes) |
IndexCounterOffset:LongWord;
|
Index Record Number increment |
IndexHeader
|
|
IndexEntry(s)
|
NTFS index allocation
PNTFSIndexAllocation = ^TNTFSIndexAllocation;
TNTFSIndexAllocation = packed record
Note: 0 bytes (0xA0) | |
Standard Attribute Header | |
Run:array[0..0] of Byte;
|
Data run Note: The RunOffset and AttributeSize in the header give the pointer to the Run |
NTFS bitmap
PNTFSBitmap = ^TNTFSBitmap;
TNTFSBitmap = packed record
Note: 0 bytes (0xB0) | |
Standard Attribute Header | |
Bitmap:array[0..0] of Int64;
|
Bit field Note: The DataOffset and DataSize in the header give the pointer to the Bitmap (Bit ordering works as an array of bytes) |
NTFS reparse point
PNTFSReparsePoint = ^TNTFSReparsePoint;
TNTFSReparsePoint = packed record
Note: 8 bytes (0xC0) | |
Standard Attribute Header | |
ReparseTag:LongWord;
|
Reparse Type (and Flags) |
ReparseSize:Word;
|
Reparse Data Length |
Reserved1:Word;
|
Padding (align to 8 bytes) |
ReparseData:array[0..0] of Byte;
|
Reparse Data |
NTFS reparse point Microsoft
PNTFSReparsePointMicrosoft = ^TNTFSReparsePointMicrosoft;
TNTFSReparsePointMicrosoft = TNTFSReparsePoint;
Note: 8 bytes (0xC0) | |
NTFS reparse point other
PNTFSReparsePointOther = ^TNTFSReparsePointOther;
TNTFSReparsePointOther = packed record
Note: 24 bytes (0xC0) | |
Standard Attribute Header | |
ReparseTag:LongWord;
|
Reparse Type (and Flags) |
ReparseSize:Word;
|
Reparse Data Length |
Reserved1:Word;
|
Padding (align to 8 bytes) |
ReparseGUID:TGUID;
|
Reparse GUID |
ReparseData:array[0..0] of Byte;
|
Reparse Data |
NTFS symbolic link
PNTFSSymbolicLink = ^TNTFSSymbolicLink;
TNTFSSymbolicLink = packed record
Note: 0 bytes (0xC0) | |
Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Unknown data (Structure to be determined) |
NTFS extended attribute information
PNTFSExtendedAttrInformation = ^TNTFSExtendedAttrInformation;
TNTFSExtendedAttrInformation = packed record
Note: 8 bytes (0xD0) | |
Standard Attribute Header | |
PackedSize:Word;
|
Size of the packed Extended Attributes |
FlagCount:Word;
|
Number of Extended Attributes which have NEED_EA flag |
UnpackedSize:LongWord;
|
Size of the unpacked Extended Attributes |
NTFS extended attribute
PNTFSExtendedAttr = ^TNTFSExtendedAttr;
TNTFSExtendedAttr = packed record
Note: 0 bytes (0xE0) | |
Standard Attribute Header | |
Extended:array[0..0] of Byte;
|
Extended Attributes |
NTFS property set
PNTFSPropertySet = ^TNTFSPropertySet;
TNTFSPropertySet = packed record
Note: 0 bytes (0xF0) | |
Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Unknown data (Structure to be determined) |
NTFS logged utility stream
PNTFSLoggedUtilityStream = ^TNTFSLoggedUtilityStream;
TNTFSLoggedUtilityStream = packed record
Note: 0 bytes (0x100) | |
Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Any data Note: The DataOffset and DataSize in the header give the pointer to the Data |
NTFS unknown
PNTFSUnknown = ^TNTFSUnknown;
TNTFSUnknown = packed record
Note: 0 bytes (0x100) | |
Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Any data Note: The DataOffset and DataSize in the header give the pointer to the Data |
NTFS end
PNTFSEnd = ^TNTFSEnd;
TNTFSEnd = packed record
Note: 0 bytes (0xFFFFFFFF) | |
Standard Attribute Header | |
NTFS run data
PNTFSRunData = ^TNTFSRunData;
TNTFSRunData = packed record
Note: 0 bytes | |
Run:array[0..0] of Byte;
|
Data Run Note: The RunOffset and AttributeSize in the header give the pointer to the Run |
NTFS item data
PNTFSItemData = ^TNTFSItemData;
TNTFSItemData = packed record
Note: 26 bytes (Data of attribute $ATTRIBUTE_LIST) | |
AttributeType:LongWord;
|
Type |
ItemSize:Word;
|
Record length |
AttributeNameLength:Byte;
|
Name length |
AttributeNameOffset:Byte;
|
Offset to Name |
StartVCN:Int64;
|
Starting VCN |
FileReference:Int64;
|
File Reference of the attribute |
AttributeId:Word;
|
Attribute Id |
AttributeName:array[0..0] of WideChar;
|
Name in Unicode (if NameLength > 0) |
NTFS object Id data
PNTFSObjIdData = ^TNTFSObjIdData;
TNTFSObjIdData = packed record
Note: 56 bytes (Data of index $O in file $ObjId) Key is ObjectId | |
FileReference:Int64;
|
MFT Reference |
BirthVolumeId:TGUID;
|
GUID Birth Volume Id (This is the ObjectId from the file $Volume) |
BirthObjectId:TGUID;
|
GUID Birth Object Id |
DomainId:TGUID;
|
GUID Domain Id |
NTFS quota data
PNTFSQuotaData = ^TNTFSQuotaData;
TNTFSQuotaData = packed record
Note: 48 bytes Not including SID (Data of index $Q in file $Quota) Key is OwnerId | |
Version:LongWord;
|
Version (0x02) |
Flags:LongWord;
|
Flags |
BytesUsed:Int64;
|
Bytes Used |
ChangeTime:TFileTime;
|
Change Time |
WarningLimit:Int64;
|
Warning Limit |
HardLimit:Int64;
|
Hard Limit |
ExceedTime:TFileTime;
|
Exceeded Time |
SID:array[0..0] of Byte;
|
SID |
Padding:array[0..0] of Byte
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS owner data
PNTFSOwnerData = ^TNTFSOwnerData;
TNTFSOwnerData = packed record
Note: 4 bytes (Data of index $O in file $Quota) Key is SID | |
OwnerId:LongWord;
|
Owner Id |
Padding:array[0..0] of Byte
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS up case data
PNTFSUpCaseData = ^TNTFSUpCaseData;
TNTFSUpCaseData = packed record
Note: 131072 bytes (Data of file $UpCase) | |
Data:array[0..65535] of Word;
|
Conversion data |
NTFS attribute definition data
PNTFSAttrDefData = ^TNTFSAttrDefData;
TNTFSAttrDefData = packed record
Note: 160 bytes (Data of file $AttrDef) | |
AttributeName:array[0..63] of WideChar;
|
Label in Unicode |
AttributeType:LongWord;
|
Type |
DisplayRule:LongWord;
|
Display rule |
CollateRule:LongWord;
|
Collation rule |
AttrDefFlags:LongWord;
|
Flags (See Consts) |
MinimumSize:Int64;
|
Minimum size |
MaximumSize:Int64;
|
Maximum size |
NTFS reparse data
PNTFSReparseData = ^TNTFSReparseData;
TNTFSReparseData = packed record
Note: 0 bytes Not including Data (Data of attribute $REPARSE_POINT) | |
Data:array[0..0] of Byte;
|
Any data |
NTFS reparse symbolic link data
PNTFSReparseSymLinkData = ^TNTFSReparseSymLinkData;
TNTFSReparseSymLinkData = packed record
Note: 12 bytes Not including Names (Data of attribute $REPARSE_POINT) | |
SubstituteNameOffset:Word;
|
Substitute Name Offset |
SubstituteNameLength:Word;
|
Substitute Name Length (Length is in bytes not characters) |
PrintNameOffset:Word;
|
Print Name Offset |
PrintNameLength:Word;
|
Print Name Length (Length is in bytes not characters) |
Reserved1:LongWord;
|
Always Zero |
PrintName:array[0..0] of Byte
|
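Path Buffer (Not Null terminated; locate each name with its offset and length fields, and check that both stay within the reparse data before reading) |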
SubstituteName:array[0..0] of Byte
|
Path Buffer (Not Null terminated) |
NTFS reparse mount point data
PNTFSReparseMountPointData = ^TNTFSReparseMountPointData;
TNTFSReparseMountPointData = packed record
Note: 12 bytes (Minimum 8 bytes plus 2 unicode nulls) Not including Names (Data of attribute $REPARSE_POINT) | |
SubstituteNameOffset:Word;
|
Substitute Name Offset (Offset includes the null terminator) |
SubstituteNameLength:Word;
|
Substitute Name Length (Length is in bytes not characters and does not include the null terminator) |
PrintNameOffset:Word;
|
Print Name Offset (Offset includes the null terminator) |
PrintNameLength:Word;
|
Print Name Length (Length is in bytes not characters and does not include the null terminator) |
SubstituteName:array[0..0] of Byte
|
Path Buffer (Null terminated) |
PrintName:array[0..0] of Byte
|
Path Buffer (Null terminated) |
NTFS extended data
PNTFSExtendedData = ^TNTFSExtendedData;
TNTFSExtendedData = packed record
Note: 8 bytes Not including Name (Data of attribute $EA) | |
ExtendedOffset:LongWord;
|
Offset to next Extended Attribute (Offset to next EA is the size of this EA; a reader should stop on a zero or out-of-range value rather than keep walking) |
ExtendedFlags:Byte;
|
Flags |
ExtendedNameLength:Byte;
|
Name Length (N) |
ExtendedDataSize:Word;
|
Value Length (V) |
ExtendedName:array[0..0] of Char;
|
Name Note: No offset so always in the same location |
ExtendedData:array[0..0] of Byte
|
Value |
NTFS security data
PNTFSSecurityData = ^TNTFSSecurityData;
TNTFSSecurityData = packed record
Note: 20 bytes Minimum (Data of attribute $SECURITY_DESCRIPTOR and stream $SDS in file $Secure) | |
Revision:Byte;
|
Revision |
Reserved1:Byte;
|
Padding |
Control:Word;
|
Control Flags |
OwnerOffset:LongWord;
|
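Offset to Owner SID (as the descriptor is self-relative, this and the three offsets below are measured from the start of this structure; check each against the descriptor size before following it) |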
GroupOffset:LongWord;
|
Offset to Group SID |
SaclOffset:LongWord;
|
Offset to SACL |
DaclOffset:LongWord;
|
Offset to DACL |
NTFS SID identifier authority data
PNTFSSidIdentifierAuthorityData = ^TNTFSSidIdentifierAuthorityData;
TNTFSSidIdentifierAuthorityData = packed record
Note: 6 Bytes | |
Value:array[0..5] of Byte;
|
NTFS SID data
PNTFSSidData = ^TNTFSSidData;
TNTFSSidData = packed record
Note: 8 Bytes Minimum (Not including SubAuthority) | |
Revision:Byte;
|
|
SubAuthorityCount:Byte;
|
|
IdentifierAuthority:array[0..5] of Byte;
|
|
SubAuthority:array[0..0] of LongWord;
|
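Not included in size (the number of entries is given by SubAuthorityCount; check it against the remaining buffer before reading) |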
NTFS acl data
PNTFSAclData = ^TNTFSAclData;
TNTFSAclData = packed record
Note: 8 Bytes | |
AclRevision:Byte;
|
|
Reserved1:Byte;
|
Must be Zero |
AclSize:Word;
|
|
AceCount:Word;
|
|
Reserved2:Word;
|
Must be Zero |
NTFS ace header data
PNTFSAceHeaderData = ^TNTFSAceHeaderData;
TNTFSAceHeaderData = packed record
Note: 4 Bytes | |
AceType:Byte;
|
|
AceFlags:Byte;
|
|
AceSize:Word;
|
NTFS ace data
PNTFSAceData = ^TNTFSAceData;
TNTFSAceData = packed record
Note: 8 Bytes Minimum (Not including Sid) | |
Header:TNTFSAceHeaderData;
|
|
Mask:LongWord;
|
|
Sid:array[0..0] of Byte;
|
Not included in size |
NTFS object ace data
PNTFSObjectAceData = ^TNTFSObjectAceData;
TNTFSObjectAceData = packed record
Note: 44 Bytes Minimum (Not including Sid) | |
Header:TNTFSAceHeaderData;
|
|
Mask:LongWord;
|
|
Flags:LongWord;
|
|
ObjectType:TGUID;
|
|
InheritedObjectType:TGUID;
|
|
Sid:array[0..0] of Byte;
|
Not included in size |
NTFS security item data
PNTFSSecurityItemData = ^TNTFSSecurityItemData;
TNTFSSecurityItemData = packed record
Note: 40 Bytes Minimum Including Security (Data of stream $SDS in file $Secure) | |
SecurityHash:LongWord;
|
Hash of Security Descriptor |
SecurityId:LongWord;
|
Security Id |
SecurityOffset:Int64;
|
Offset of this entry in $SDS |
SecuritySize:LongWord;
|
Size of this entry in $SDS |
Security:TNTFSSecurityData;
|
Self-relative Security Descriptor |
Padding:array[0..0] of Byte
|
Padding (align to 16 bytes) Handled by Calculation of Stream Size |
NTFS security Id data
PNTFSSecurityIdData = ^TNTFSSecurityIdData;
TNTFSSecurityIdData = packed record
Note: 20 Bytes (Data of index $SII in file $Secure) (Key is SecurityId) | |
SecurityHash:LongWord;
|
Hash of Security Descriptor |
SecurityId:LongWord;
|
Security Id |
SecurityOffset:Int64;
|
Offset of this entry in $SDS |
SecuritySize:LongWord;
|
Size of this entry in $SDS |
NTFS security hash data
PNTFSSecurityHashData = ^TNTFSSecurityHashData;
TNTFSSecurityHashData = packed record
Note: 20 Bytes (Data of index $SDH in file $Secure) | |
SecurityHash:LongWord;
|
Hash of Security Descriptor |
SecurityId:LongWord;
|
Security Id |
SecurityOffset:Int64;
|
Offset of this entry in $SDS |
SecuritySize:LongWord;
|
Size of this entry in $SDS |
Padding:LongWord;
|
Padding (align to 8 bytes) Always 4 bytes and always appears to be the Unicode string "II" |
NTFS object Id key data
PNTFSObjIdKeyData = ^TNTFSObjIdKeyData;
TNTFSObjIdKeyData = packed record
Note: 16 Bytes (Key of index $O in file $ObjId) | |
ObjectId:TGUID;
|
GUID Object Id |
Data:array[0..0] of Byte
|
Data (see above) |
NTFS quota key data
PNTFSQuotaKeyData = ^TNTFSQuotaKeyData;
TNTFSQuotaKeyData = packed record
Note: 4 Bytes (Key of index $Q in file $Quota) | |
OwnerId:LongWord;
|
Owner Id |
Data:array[0..0] of Byte
|
Data (see above) |
Padding:array[0..0] of Byte
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS owner key data
PNTFSOwnerKeyData = ^TNTFSOwnerKeyData;
TNTFSOwnerKeyData = packed record
Note: 0 Bytes Not including SID (Key of index $O in file $Quota) | |
SID:array[0..0] of Byte;
|
SID |
Data:array[0..0] of Byte
|
Data (see above) |
Padding:array[0..0] of Byte
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS security Id key data
PNTFSSecurityIdKeyData = ^TNTFSSecurityIdKeyData;
TNTFSSecurityIdKeyData = packed record
Note: 4 Bytes (Key of index $SII in file $Secure) | |
SecurityId:LongWord;
|
Security Id |
Data:array[0..0] of Byte
|
Data (see above) |
NTFS security hash key data
PNTFSSecurityHashKeyData = ^TNTFSSecurityHashKeyData;
TNTFSSecurityHashKeyData = packed record
Note: 8 Bytes (Key of index $SDH in file $Secure) | |
SecurityHash:LongWord;
|
Hash of Security Descriptor |
SecurityId:LongWord;
|
Security Id |
Data:array[0..0] of Byte
|
Data (see above) |
Padding:array[0..0] of Byte
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS reparse key data
PNTFSReparseKeyData = ^TNTFSReparseKeyData;
TNTFSReparseKeyData = packed record
Note: 12 Bytes (Key of index $R in file $Reparse) This index contains no data | |
ReparseTag:LongWord;
|
Reparse Tag (and Flags) |
FileReference:Int64;
|
MFT Reference of Reparse Point |
Padding:LongWord;
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS run offset
PNTFSRunOffset = ^TNTFSRunOffset;
TNTFSRunOffset = packed record
Note: 8 Bytes | |
case Integer of
|
|
1:(Offset1:ShortInt);
|
|
2:(Offset2:SmallInt);
|
|
4:(Offset4:LongInt);
|
|
8:(Offset8:Int64);
|
NTFS run length
PNTFSRunLength = ^TNTFSRunLength;
TNTFSRunLength = packed record
Note: 8 Bytes | |
case Integer of
|
|
1:(Length1:Byte);
|
|
2:(Length2:Word);
|
|
4:(Length4:LongWord);
|
|
8:(Length8:Int64);
|
Public variables
None defined
Function declarations
None defined
Return to Unit Reference