Unit NTFSTypes
Return to Unit Reference
Description
Ultibo NTFS types unit
To be documented
Constants
None defined
Type definitions
NTFS specific types
TNTFSType = (ntNONE,ntNTFS12,ntNTFS30,ntNTFS31);
|
NTFS record number
PNTFSRecordNumber = ^TNTFSRecordNumber;
TNTFSRecordNumber = packed record
| Note: 48 bits (Read/Write as Word,LongWord) | |
RecordSegment:Word;
|
|
RecordNumber:LongWord;
|
|
NTFS file reference
PNTFSFileReference = ^TNTFSFileReference;
TNTFSFileReference = packed record
| Note: 64 bits (Read/Write as Int64) Note endian ordering | |
RecordNumber:LongWord;
|
|
RecordSegment:Word;
|
|
SequenceNumber:Word;
|
|
NTFS sub node record
PNTFSSubNodeRecord = ^TNTFSSubNodeRecord;
TNTFSSubNodeRecord = packed record
| Note: 8 bytes | |
SubNodeNumber:Int64;
|
|
NTFS update sequence record
PNTFSUpdateSequenceRecord = ^TNTFSUpdateSequenceRecord;
TNTFSUpdateSequenceRecord = packed record
| Note: 2 bytes | |
UpdateSequenceNumber:Word;
|
Update Sequence Number |
UpdateSequenceArray:array[0..0] of Word;
|
Update Sequence Array |
Padding
|
Padding (align to 8 bytes) |
NTFS12 file record
PNTFS12FileRecord = ^TNTFS12FileRecord;
TNTFS12FileRecord = packed record
| Note: 42 bytes (Includes NTFS 3.0) | |
MagicNumber:LongWord;
|
Magic number 'FILE' |
UpdateSequenceOffset:Word;
|
Offset to the Update Sequence Record |
UpdateSequenceLength:Word;
|
Size in words of the Update Sequence Record |
LogFileSequenceNumber:Int64;
|
LogFile Sequence Number (LSN) |
SequenceNumber:Word;
|
Sequence number |
HardLinkCount:Word;
|
Hard link count |
AttributeOffset:Word;
|
Offset to the first Attribute |
RecordFlags:Word;
|
Flags |
RecordSize:LongWord;
|
Actual size of the FILE record |
RecordAllocated:LongWord;
|
Allocated size of the FILE record |
BaseReference:Int64;
|
File reference to the base FILE record |
NextAttributeId:Word;
|
Next Attribute Id |
UpdateSequenceRecord
|
|
NTFS31 file record
PNTFS31FileRecord = ^TNTFS31FileRecord;
TNTFS31FileRecord = packed record
| Note: 48 bytes | |
MagicNumber:LongWord;
|
Magic number 'FILE' |
UpdateSequenceOffset:Word;
|
Offset to the Update Sequence Record |
UpdateSequenceLength:Word;
|
Size in words of the Update Sequence Record |
LogFileSequenceNumber:Int64;
|
LogFile Sequence Number (LSN) |
SequenceNumber:Word;
|
Sequence number |
HardLinkCount:Word;
|
Hard link count |
AttributeOffset:Word;
|
Offset to the first Attribute |
RecordFlags:Word;
|
Flags |
RecordSize:LongWord;
|
Actual size of the FILE record |
RecordAllocated:LongWord;
|
Allocated size of the FILE record |
BaseReference:Int64;
|
File reference to the base FILE record |
NextAttributeId:Word;
|
Next Attribute Id |
RecordSegment:Word;
|
Align to 4 byte boundary (Segment of this MFT Record) |
RecordNumber:LongWord;
|
Number of this MFT Record |
UpdateSequenceRecord
|
|
NTFS restart record
PNTFSRestartRecord = ^TNTFSRestartRecord;
TNTFSRestartRecord = packed record
| Note: 30 bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32) | |
MagicNumber:LongWord;
|
Magic number 'RSTR' |
UpdateSequenceOffset:Word;
|
Offset to the Update Sequence Record |
UpdateSequenceLength:Word;
|
Size in words of the Update Sequence Record |
LastSequenceNumber:Int64;
|
Last Log File Sequence Number (LSN) only used by Chkdsk when magic is CHKD otherwise 0 |
SystemPageSize:LongWord;
|
Must be >= 512 and a power of 2 (Normally 4096) |
LogPageSize:LongWord;
|
Must be >= 512 and a power of 2 (Normally 4096 if the SystemPageSize is 4096 to 8192 otherwise SystemPageSize) |
RestartAreaOffset:Word;
|
Absolute offset to the start of the restart area. Must be 8 byte aligned (After the Update Sequence Array) |
MinorVersion:Word;
|
|
MajorVersion:Word;
|
NTFS1.2 is version ?.? / NTFS3.0 is version ?.? / NTFS3.1 is Version 1.1 |
UpdateSequenceRecord
|
|
NTFS restart area
PNTFSRestartArea = ^TNTFSRestartArea;
TNTFSRestartArea = packed record
| Note: 48 Bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32) | |
CurrentSequenceNumber:Int64;
|
The Current (Last Written) Log File Sequence Number (LSN) on create this will be 0 |
LogClientCount:Word;
|
Must be 1 |
FirstFreeClient:Word;
|
The index of the first free log record (When clean normally 0 on Win2k or below and 0xFFFF on WinXP or above) |
FirstUsedClient:Word;
|
The index of the first used log record (When clean normally 0xFFFF on Win2k or below and 0 on WinXP or above) |
Flags:Word;
|
On Win2k or below always 0, on WinXP or above $0002 if clean |
SequenceNumberBits:LongWord;
|
The number of bits to use for the sequence number (67 - the number of bits to store the logfile size in bytes |
RestartAreaLength:Word;
|
Length of the restart area and log clients |
ClientArrayOffset:Word;
|
Offset from the start of the restart area to the first log client |
FileSize:Int64;
|
Usable byte size of the log file (rounded down to a multiple of LogPageSize, must be large enough to hold 2 restart records and 48 log records) |
LastSequenceDataLength:LongWord;
|
Length of data of last LSN not including log record header (On create this will be 0) |
LogRecordHeaderLength:Word;
|
Byte size of the log record header. Must be a multiple of 8. |
LogPageDataOffset:Word;
|
Offset to the start of data in a log record. Must be a multiple of 8. (After the Update Sequence Array) |
LogFileOpenCount:LongWord;
|
On create this will be a random value |
Reserved:LongWord;
|
Alignment to 8 bytes |
NTFS log client
PNTFSLogClient = ^TNTFSLogClient;
TNTFSLogClient = packed record
| Note: 160 bytes (http://www.disy.cse.unsw.edu.au/lxr/source/fs/ntfs/logfile.h?v=linux-2.6.32) | |
OldestSequenceNumber:Int64;
|
Oldest LSN of this log client (On create this will be 0) |
CurrentSequenceNumber:Int64;
|
Current LSN within the log client (On create this will be 0) |
PrevClient:Word;
|
Offset of the previous log client or 0xFFFF if first (Always 0xFFFF) |
NextClient:Word;
|
Offset of the next log client or 0xFFFF if last (Always 0xFFFF) |
SequenceNumber:Word;
|
On Win2K or below 0 when dirty and 1 when clean, on WinXP or above always 0 |
Reserved:array[0..5] of Byte;
|
Reserved/Alignment |
ClientNameLength:LongWord;
|
Client name length in bytes. Should always be 8 |
ClientName:array[0..63] of WideChar;
|
Should always be NTFS in unicode |
NTFS log record
PNTFSLogRecord = ^TNTFSLogRecord;
TNTFSLogRecord = packed record
| Note: ? Bytes | |
MagicNumber:LongWord;
|
Magic number 'RCRD' |
UpdateSequenceOffset:Word;
|
Offset to the Update Sequence Record |
UpdateSequenceLength:Word;
|
Size in words of the Update Sequence Record |
LastLSN:Int64;
|
??????? |
Flags:LongWord;
|
??????? |
PageCount:Word;
|
??????? |
PagePosition:Word;
|
??????? |
NextRecordOffset:Int64;
|
??????? |
LastEndLSN:Int64;
|
??????? |
UpdateSequenceRecord
|
|
NTFS index record
PNTFSIndexRecord = ^TNTFSIndexRecord;
TNTFSIndexRecord = packed record
| Note: 24 bytes | |
MagicNumber:LongWord;
|
Magic number 'INDX' |
UpdateSequenceOffset:Word;
|
Offset to the Update Sequence Record |
UpdateSequenceLength:Word;
|
Size in words of the Update Sequence Record |
LogFileSequenceNumber:Int64;
|
LogFile sequence number |
RecordNumber:Int64;
|
Number of this INDX record in the Index Allocation |
IndexHeader
|
|
UpdateSequenceRecord
|
|
IndexEntry(s)
|
|
NTFS index header
PNTFSIndexHeader = ^TNTFSIndexHeader;
TNTFSIndexHeader = packed record
| Note: 16 bytes | |
EntryOffset:LongWord;
|
Offset to first Index Entry |
IndexSize:LongWord;
|
Total size of the Index Entries |
IndexAllocated:LongWord;
|
Allocated size of the Index Entries |
IndexFlags:Word;
|
Flags (See Consts) |
Reserved1:Word;
|
Padding (Align to 8 bytes) |
NTFS index entry
PNTFSIndexEntry = ^TNTFSIndexEntry;
TNTFSIndexEntry = packed record
| Note: 16 bytes (Not including Key of SubNodeNumber) | |
Reserved1:Int64;
|
Padding (Align to 8 bytes) |
EntrySize:Word;
|
Length of the index entry |
KeySize:Word;
|
Length of the key entry |
EntryFlags:Word;
|
Flags (See Consts) |
Reserved2:Word;
|
Padding (Align to 8 bytes) |
Key:array[0..0] of Byte;
|
Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location |
SubNodeNumber:Int64
|
Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set) |
NTFS data index entry
PNTFSDataIndexEntry = ^TNTFSDataIndexEntry;
TNTFSDataIndexEntry = packed record
| Note: 16 bytes (Not including Key, Data or SubNodeNumber) | |
DataOffset:Word;
|
Offset to the data (Only valid when the last entry flag is not set) |
DataSize:Word;
|
Size of the data (Only valid when the last entry flag is not set) |
Reserved1:LongWord;
|
Padding (Align to 8 bytes) |
EntrySize:Word;
|
Length of the index entry |
KeySize:Word;
|
Length of the key entry |
EntryFlags:Word;
|
Flags (See Consts) |
Reserved2:Word;
|
Padding (Align to 8 bytes) |
Key:array[0..0] of Byte;
|
Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location |
Data:array[0..0] of Byte
|
Data (Only present when the last entry flag is not set) |
SubNodeNumber:Int64
|
Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set)
Note: Key data depends on what is indexed (See ObjId/Quota/Owner/SecurityId/SecurityHash/Reparse structures below) |
NTFS attribute index entry
PNTFSAttributeIndexEntry = ^TNTFSAttributeIndexEntry;
TNTFSAttributeIndexEntry = packed record
| Note: 16 bytes (Not including Key of SubNodeNumber) | |
FileReference:Int64;
|
File reference (Only valid when the last entry flag is not set) |
EntrySize:Word;
|
Length of the index entry |
KeySize:Word;
|
Length of the key entry |
EntryFlags:Word;
|
Flags (See Consts) |
Reserved1:Word;
|
Padding (Align to 8 bytes) |
Key:array[0..0] of Byte;
|
Key (Only present when the last entry flag is not set) Note: No Offset so always in the same location |
SubNodeNumber:Int64
|
Number of the sub-node in the index allocation attribute (Only present when the sub-node flag is set)
Note: Key data depends on what is indexed but for an $I30 index it will be a FileName Attribute |
NTFS attribute header
PNTFSAttributeHeader = ^TNTFSAttributeHeader;
TNTFSAttributeHeader = packed record
| Note: 16 bytes | |
AttributeType:LongWord;
|
Attribute Type (e.g. 0x80, 0xA0) |
AttributeSize:LongWord;
|
Length of the Attribute (including header) |
NonResident:Byte;
|
Non-resident flag |
AttributeNameLength:Byte;
|
Name length |
AttributeNameOffset:Word;
|
Offset to the Name |
AttributeFlags:Word;
|
Flags |
AttributeId:Word;
|
Attribute Id |
NTFS resident attribute header
PNTFSResidentAttributeHeader = ^TNTFSResidentAttributeHeader;
TNTFSResidentAttributeHeader = packed record
| Note: 24 bytes | |
AttributeType:LongWord;
|
Attribute Type (e.g. 0x80, 0xA0) |
AttributeSize:LongWord;
|
Length of the Attribute (including header) |
NonResident:Byte;
|
Non-resident flag (Always 0) |
AttributeNameLength:Byte;
|
Name length |
AttributeNameOffset:Word;
|
Offset to the Name |
AttributeFlags:Word;
|
Flags |
AttributeId:Word;
|
Attribute Id |
DataSize:LongWord;
|
Length of the Attribute Data |
DataOffset:Word;
|
Offset to the Attribute Data |
Indexed:Byte;
|
Indexed flag |
Reserved1:Byte;
|
Padding |
AttributeName:array[0..0] of WideChar;
|
Unicode Attribute Name (if NameLength > 0) |
Data:array[0..0] of Byte
|
Attribute Data |
NTFS non resident attribute header
PNTFSNonResidentAttributeHeader = ^TNTFSNonResidentAttributeHeader;
TNTFSNonResidentAttributeHeader = packed record
| Note: 64 bytes | |
AttributeType:LongWord;
|
Attribute Type (e.g. 0x80, 0xA0) |
AttributeSize:LongWord;
|
Length of the Attribute (including header) |
NonResident:Byte;
|
Non-resident flag (Always 1) |
AttributeNameLength:Byte;
|
Name length |
AttributeNameOffset:Word;
|
Offset to the Name |
AttributeFlags:Word;
|
Flags |
AttributeId:Word;
|
Attribute Id |
StartVCN:Int64;
|
Starting VCN |
LastVCN:Int64;
|
Last VCN |
RunOffset:Word;
|
Offset to the Data Run |
CompressionUnit:Word;
|
Compression Unit Size |
Reserved1:LongWord;
|
Padding |
StreamAllocated:Int64;
|
Allocated size of the attribute |
StreamSize:Int64;
|
Real size of the attribute |
InitializedSize:Int64;
|
Initialized data size of the stream (Portion which has been Written) |
AttributeName:array[0..0] of WideChar;
|
Unicode Attribute Name (if NameLength > 0) |
Run:array[0..0] of Byte
|
Attribute Data Runs |
NTFS compressed attribute header
PNTFSCompressedAttributeHeader = ^TNTFSCompressedAttributeHeader;
TNTFSCompressedAttributeHeader = packed record
| Note: 64 bytes | |
AttributeType:LongWord;
|
Attribute Type (e.g. 0x80, 0xA0) |
AttributeSize:LongWord;
|
Length of the Attribute (including header) |
NonResident:Byte;
|
Non-resident flag (Always 1) |
AttributeNameLength:Byte;
|
Name length |
AttributeNameOffset:Word;
|
Offset to the Name |
AttributeFlags:Word;
|
Flags |
AttributeId:Word;
|
Attribute Id |
StartVCN:Int64;
|
Starting VCN |
LastVCN:Int64;
|
Last VCN |
RunOffset:Word;
|
Offset to the Data Run |
CompressionUnit:Word;
|
Compression Unit Size |
Reserved1:LongWord;
|
Padding |
StreamAllocated:Int64;
|
Allocated size of the attribute |
StreamSize:Int64;
|
Real size of the attribute |
InitializedSize:Int64;
|
Initialized data size of the stream (Portion which has been Written) |
StreamUsed:Int64;
|
The actual Allocated size of the attribute (Only present when compressed and only in the first instance) |
AttributeName:array[0..0] of WideChar;
|
Unicode Attribute Name (if NameLength > 0) |
Run:array[0..0] of Byte
|
Attribute Data Runs |
NTFS12 standard information
PNTFS12StandardInformation = ^TNTFS12StandardInformation;
TNTFS12StandardInformation = packed record
| Note: 48 bytes (0x10) | |
| Standard Attribute Header | |
CreateTime:TFileTime;
|
File Creation |
WriteTime:TFileTime;
|
File Altered |
ChangeTime:TFileTime;
|
MFT Changed |
AccessTime:TFileTime;
|
File Read |
Attributes:LongWord;
|
DOS File Permissions |
MaxVersions:LongWord;
|
Maximum Number of Versions |
VersionNo:LongWord;
|
Version Number |
ClassId:LongWord;
|
Class Id |
NTFS30 standard information
PNTFS30StandardInformation = ^TNTFS30StandardInformation;
TNTFS30StandardInformation = packed record
| Note: 72 bytes (0x10) Includes NTFS 3.1 | |
| Standard Attribute Header | |
CreateTime:TFileTime;
|
File Creation |
WriteTime:TFileTime;
|
File Altered |
ChangeTime:TFileTime;
|
MFT Changed |
AccessTime:TFileTime;
|
File Read |
Attributes:LongWord;
|
DOS File Permissions |
MaxVersions:LongWord;
|
Maximum Number of Versions |
VersionNo:LongWord;
|
Version Number |
ClassId:LongWord;
|
Class Id |
OwnerId:LongWord;
|
Owner Id |
SecurityId:LongWord;
|
Security Id |
QuotaCharge:Int64;
|
Quota Charged |
UpdateSequenceNumber:Int64;
|
Update Sequence Number |
NTFS attribute list
PNTFSAttributeList = ^TNTFSAttributeList;
TNTFSAttributeList = packed record
| Note: 0 bytes (0x20) | |
| Standard Attribute Header | |
Item:array[0..0] of Byte;
|
Attribute List Items |
NTFS file name
PNTFSFileName = ^TNTFSFileName;
TNTFSFileName = packed record
| Note: 66 bytes (0x30) | |
| Standard Attribute Header | |
ParentReference:Int64;
|
File reference to the parent directory. |
CreateTime:TFileTime;
|
C Time - File Creation Note: These fields are only updated when the filename is changed. See Standard Information instead. |
WriteTime:TFileTime;
|
A Time - File Altered Note: These fields are only updated when the filename is changed. See Standard Information instead. |
ChangeTime:TFileTime;
|
M Time - MFT Changed Note: These fields are only updated when the filename is changed. See Standard Information instead. |
AccessTime:TFileTime;
|
R Time - File Read |
FileAllocated:Int64;
|
Allocated size of the file |
FileSize:Int64;
|
Real size of the file |
FileFlags:LongWord;
|
Flags, e.g. Directory, Compressed, Hidden |
ReparseTag:LongWord;
|
Used by EAs and Reparse |
FileNameLength:Byte;
|
Filename length in characters |
NameSpace:Byte;
|
Filename namespace |
FileName:array[0..0] of WideChar;
|
File name in Unicode (not null terminated) Note: NameLength but no NameOffset so Name |
NTFS object ID
PNTFSObjectId = ^TNTFSObjectId;
TNTFSObjectId = packed record
| Note: 64 bytes (0x40) | |
| Standard Attribute Header | |
ObjectId:TGUID;
|
GUID Object Id Unique Id assigned to file |
BirthVolumeId:TGUID;
|
GUID Birth Volume Id Volume where file was created |
BirthObjectId:TGUID;
|
GUID Birth Object Id Original Object Id of file |
DomainId:TGUID;
|
GUID Domain Id Domain in which object was created |
NTFS volume version
PNTFSVolumeVersion = ^TNTFSVolumeVersion;
TNTFSVolumeVersion = packed record
| Note: 0 bytes (0x40) | |
| Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Unknown data (Structure to be determined) |
NTFS security descriptor
PNTFSSecurityDescriptor = ^TNTFSSecurityDescriptor;
TNTFSSecurityDescriptor = packed record
| Note: 0 bytes (0x50) | |
| Standard Attribute Header | |
Security:array[0..0] of Byte;
|
Security Descriptor |
NTFS volume name
PNTFSVolumeName = ^TNTFSVolumeName;
TNTFSVolumeName = packed record
| Note: 0 bytes (0x60) | |
| Standard Attribute Header | |
VolumeName:array[0..0] of WideChar;
|
Unicode name Note: The DataOffset and DataSize in the ? |
NTFS volume information
PNTFSVolumeInformation = ^TNTFSVolumeInformation;
TNTFSVolumeInformation = packed record
| Note: 16 bytes (0x70) | |
| Standard Attribute Header | |
Reserved1:Int64;
|
Always zero ? |
MajorVersion:Byte;
|
Major version number |
MinorVersion:Byte;
|
Minor version number |
VolumeFlags:Word;
|
Flags |
Reserved2:LongWord;
|
Always zero ? (Padding only, not part of data) |
NTFS data
PNTFSData = ^TNTFSData;
TNTFSData = packed record
| Note: 0 bytes (0x80) | |
| Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Any data Note: The DataOffset and DataSize in the header give the pointer to the Data |
NTFS index root
PNTFSIndexRoot = ^TNTFSIndexRoot;
TNTFSIndexRoot = packed record
| Note: 16 bytes (0x90) | |
| Standard Attribute Header | |
IndexType:LongWord;
|
Attribute Type |
CollateRule:LongWord;
|
Collation Rule |
IndexRecordSize:LongWord;
|
Size of Index Allocation Entry (bytes) |
IndexCounterOffset:LongWord;
|
Index Record Number increment |
IndexHeader
|
|
IndexEntry(s)
|
|
NTFS index allocation
PNTFSIndexAllocation = ^TNTFSIndexAllocation;
TNTFSIndexAllocation = packed record
| Note: 0 bytes (0xA0) | |
| Standard Attribute Header | |
Run:array[0..0] of Byte;
|
Data run Note: The RunOffset and AttributeSize in the header give the pointer to the Run |
NTFS bitmap
PNTFSBitmap = ^TNTFSBitmap;
TNTFSBitmap = packed record
| Note: 0 bytes (0xB0) | |
| Standard Attribute Header | |
Bitmap:array[0..0] of Int64;
|
Bit field Note: The DataOffset and DataSize in the header give the pointer to the Bitmap (Bit ordering works as an array of bytes) |
NTFS reparse point
PNTFSReparsePoint = ^TNTFSReparsePoint;
TNTFSReparsePoint = packed record
| Note: 8 bytes (0xC0) | |
| Standard Attribute Header | |
ReparseTag:LongWord;
|
Reparse Type (and Flags) |
ReparseSize:Word;
|
Reparse Data Length |
Reserved1:Word;
|
Padding (align to 8 bytes) |
ReparseData:array[0..0] of Byte;
|
Reparse Data |
NTFS reparse point Microsoft
PNTFSReparsePointMicrosoft = ^TNTFSReparsePointMicrosoft;
TNTFSReparsePointMicrosoft = TNTFSReparsePoint;
| Note: 8 bytes (0xC0) | |
NTFS reparse point other
PNTFSReparsePointOther = ^TNTFSReparsePointOther;
TNTFSReparsePointOther = packed record
| Note: 24 bytes (0xC0) | |
| Standard Attribute Header | |
ReparseTag:LongWord;
|
Reparse Type (and Flags) |
ReparseSize:Word;
|
Reparse Data Length |
Reserved1:Word;
|
Padding (align to 8 bytes) |
ReparseGUID:TGUID;
|
Reparse GUID |
ReparseData:array[0..0] of Byte;
|
Reparse Data |
NTFS symbolic link
PNTFSSymbolicLink = ^TNTFSSymbolicLink;
TNTFSSymbolicLink = packed record
| Note: 0 bytes (0xC0) | |
| Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Unknown data (Structure to be determined) |
NTFS extended attribute information
PNTFSExtendedAttrInformation = ^TNTFSExtendedAttrInformation;
TNTFSExtendedAttrInformation = packed record
| Note: 8 bytes (0xD0) | |
| Standard Attribute Header | |
PackedSize:Word;
|
Size of the packed Extended Attributes |
FlagCount:Word;
|
Number of Extended Attributes which have NEED_EA flag |
UnpackedSize:LongWord;
|
Size of the unpacked Extended Attributes |
NTFS extended attribute
PNTFSExtendedAttr = ^TNTFSExtendedAttr;
TNTFSExtendedAttr = packed record
| Note: 0 bytes (0xE0) | |
| Standard Attribute Header | |
Extended:array[0..0] of Byte;
|
Extended Attributes |
NTFS property set
PNTFSPropertySet = ^TNTFSPropertySet;
TNTFSPropertySet = packed record
| Note: 0 bytes (0xF0) | |
| Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Unknown data (Structure to be determined) |
NTFS logged utility stream
PNTFSLoggedUtilityStream = ^TNTFSLoggedUtilityStream;
TNTFSLoggedUtilityStream = packed record
| Note: 0 bytes (0x100) | |
| Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Any data Note: The DataOffset and DataSize in the header give the pointer to the Data |
NTFS unknown
PNTFSUnknown = ^TNTFSUnknown;
TNTFSUnknown = packed record
| Note: 0 bytes (0x100) | |
| Standard Attribute Header | |
Data:array[0..0] of Byte;
|
Any data Note: The DataOffset and DataSize in the header give the pointer to the Data |
NTFS end
PNTFSEnd = ^TNTFSEnd;
TNTFSEnd = packed record
| Note: 0 bytes (0xFFFFFFFF) | |
| Standard Attribute Header | |
NTFS run data
PNTFSRunData = ^TNTFSRunData;
TNTFSRunData = packed record
| Note: 0 bytes | |
Run:array[0..0] of Byte;
|
Data Run Note: The RunOffset and AttributeSize in the header give the pointer to the Run |
NTFS item data
PNTFSItemData = ^TNTFSItemData;
TNTFSItemData = packed record
| Note: 26 bytes (Data of attribute $ATTRIBUTE_LIST) | |
AttributeType:LongWord;
|
Type |
ItemSize:Word;
|
Record length |
AttributeNameLength:Byte;
|
Name length |
AttributeNameOffset:Byte;
|
Offset to Name |
StartVCN:Int64;
|
Starting VCN |
FileReference:Int64;
|
File Reference of the attribute |
AttributeId:Word;
|
Attribute Id |
AttributeName:array[0..0] of WideChar;
|
Name in Unicode (if NameLength > 0) |
NTFS object Id data
PNTFSObjIdData = ^TNTFSObjIdData;
TNTFSObjIdData = packed record
| Note: 56 bytes (Data of index $O in file $ObjId) Key is ObjectId | |
FileReference:Int64;
|
MFT Reference |
BirthVolumeId:TGUID;
|
GUID Birth Volume Id (This is the ObjectId from the file $Volume) |
BirthObjectId:TGUID;
|
GUID Birth Object Id |
DomainId:TGUID;
|
GUID Domain Id |
NTFS quota data
PNTFSQuotaData = ^TNTFSQuotaData;
TNTFSQuotaData = packed record
| Note: 48 bytes Not including SID (Data of index $Q in file $Quota) Key is OwnerId | |
Version:LongWord;
|
Version (0x02) |
Flags:LongWord;
|
Flags |
BytesUsed:Int64;
|
Bytes Used |
ChangeTime:TFileTime;
|
Change Time |
WarningLimit:Int64;
|
Warning Limit |
HardLimit:Int64;
|
Hard Limit |
ExceedTime:TFileTime;
|
Exceeded Time |
SID:array[0..0] of Byte;
|
SID |
Padding:array[0..0] of Byte
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS owner data
PNTFSOwnerData = ^TNTFSOwnerData;
TNTFSOwnerData = packed record
| Note: 4 bytes (Data of index $O in file $Quota) Key is SID | |
OwnerId:LongWord;
|
Owner Id |
Padding:array[0..0] of Byte
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS up case data
PNTFSUpCaseData = ^TNTFSUpCaseData;
TNTFSUpCaseData = packed record
| Note: 131072 bytes (Data of file $UpCase) | |
Data:array[0..65535] of Word;
|
Conversion data |
NTFS attribute definition data
PNTFSAttrDefData = ^TNTFSAttrDefData;
TNTFSAttrDefData = packed record
| Note: 160 bytes (Data of file $AttrDef) | |
AttributeName:array[0..63] of WideChar;
|
Label in Unicode |
AttributeType:LongWord;
|
Type |
DisplayRule:LongWord;
|
Display rule |
CollateRule:LongWord;
|
Collation rule |
AttrDefFlags:LongWord;
|
Flags (See Consts) |
MinimumSize:Int64;
|
Minimum size |
MaximumSize:Int64;
|
Maximum size |
NTFS reparse data
PNTFSReparseData = ^TNTFSReparseData;
TNTFSReparseData = packed record
| Note: 0 bytes Not including Data (Data of attribute $REPARSE_POINT) | |
Data:array[0..0] of Byte;
|
Any data |
NTFS reparse symbolic link data
PNTFSReparseSymLinkData = ^TNTFSReparseSymLinkData;
TNTFSReparseSymLinkData = packed record
| Note: 12 bytes Not including Names (Data of attribute $REPARSE_POINT) | |
SubstituteNameOffset:Word;
|
Substitute Name Offset |
SubstituteNameLength:Word;
|
Substitute Name Length (Length is in bytes not characters) |
PrintNameOffset:Word;
|
Print Name Offset |
PrintNameLength:Word;
|
Print Name Length (Length is in bytes not characters) |
Reserved1:LongWord;
|
Always Zero |
PrintName:array[0..0] of Byte
|
Path Buffer (Not Null terminated) |
SubstituteName:array[0..0] of Byte
|
Path Buffer (Not Null terminated) |
NTFS reparse mount point data
PNTFSReparseMountPointData = ^TNTFSReparseMountPointData;
TNTFSReparseMountPointData = packed record
| Note: 12 bytes (Minimum 8 bytes plus 2 unicode nulls) Not including Names (Data of attribute $REPARSE_POINT) | |
SubstituteNameOffset:Word;
|
Substitute Name Offset (Offset includes the null terminator) |
SubstituteNameLength:Word;
|
Substitute Name Length (Length is in bytes not characters and does not include the null terminator) |
PrintNameOffset:Word;
|
Print Name Offset (Offset includes the null terminator) |
PrintNameLength:Word;
|
Print Name Length (Length is in bytes not characters and does not include the null terminator) |
SubstituteName:array[0..0] of Byte
|
Path Buffer (Null terminated) |
PrintName:array[0..0] of Byte
|
Path Buffer (Null terminated) |
NTFS extended data
PNTFSExtendedData = ^TNTFSExtendedData;
TNTFSExtendedData = packed record
| Note: 8 bytes Not including Name (Data of attribute $EA) | |
ExtendedOffset:LongWord;
|
Offset to next Extended Attribute (Offset to next EA is the size of this EA) |
ExtendedFlags:Byte;
|
Flags |
ExtendedNameLength:Byte;
|
Name Length (N) |
ExtendedDataSize:Word;
|
Value Length (V) |
ExtendedName:array[0..0] of Char;
|
Name Note: No offset so always in the same location |
ExtendedData:array[0..0] of Byte
|
Value |
NTFS security data
PNTFSSecurityData = ^TNTFSSecurityData;
TNTFSSecurityData = packed record
| Note: 20 bytes Minimum (Data of attribute $SECURITY_DESCRIPTOR and stream $SDS in file $Secure) | |
Revision:Byte;
|
Revision |
Reserved1:Byte;
|
Padding |
Control:Word;
|
Control Flags |
OwnerOffset:LongWord;
|
Offset to Owner SID |
GroupOffset:LongWord;
|
Offset to Group SID |
SaclOffset:LongWord;
|
Offset to SACL |
DaclOffset:LongWord;
|
Offset to DACL |
NTFS SID identifier authority data
PNTFSSidIdentifierAuthorityData = ^TNTFSSidIdentifierAuthorityData;
TNTFSSidIdentifierAuthorityData = packed record
| Note: 6 Bytes | |
Value:array[0..5] of Byte;
|
|
NTFS SID data
PNTFSSidData = ^TNTFSSidData;
TNTFSSidData = packed record
| Note: 8 Bytes Minimum (Not including SubAuthority) | |
Revision:Byte;
|
|
SubAuthorityCount:Byte;
|
|
IdentifierAuthority:array[0..5] of Byte;
|
|
SubAuthority:array[0..0] of LongWord;
|
Not included in size |
NTFS acl data
PNTFSAclData = ^TNTFSAclData;
TNTFSAclData = packed record
| Note: 8 Bytes | |
AclRevision:Byte;
|
|
Reserved1:Byte;
|
Must be Zero |
AclSize:Word;
|
|
AceCount:Word;
|
|
Reserved2:Word;
|
Must be Zero |
NTFS ace header data
PNTFSAceHeaderData = ^TNTFSAceHeaderData;
TNTFSAceHeaderData = packed record
| Note: 4 Bytes | |
AceType:Byte;
|
|
AceFlags:Byte;
|
|
AceSize:Word;
|
|
NTFS ace data
PNTFSAceData = ^TNTFSAceData;
TNTFSAceData = packed record
| Note: 8 Bytes Minimum (Not including Sid) | |
Header:TNTFSAceHeaderData;
|
|
Mask:LongWord;
|
|
Sid:array[0..0] of Byte;
|
Not included in size |
NTFS object ace data
PNTFSObjectAceData = ^TNTFSObjectAceData;
TNTFSObjectAceData = packed record
| Note: 44 Bytes Minimum (Not including Sid) | |
Header:TNTFSAceHeaderData;
|
|
Mask:LongWord;
|
|
Flags:LongWord;
|
|
ObjectType:TGUID;
|
|
InheritedObjectType:TGUID;
|
|
Sid:array[0..0] of Byte;
|
Not included in size |
NTFS security item data
PNTFSSecurityItemData = ^TNTFSSecurityItemData;
TNTFSSecurityItemData = packed record
| Note: 40 Bytes Minimum Including Security (Data of stream $SDS in file $Secure) | |
SecurityHash:LongWord;
|
Hash of Security Descriptor |
SecurityId:LongWord;
|
Security Id |
SecurityOffset:Int64;
|
Offset of this entry in $SDS |
SecuritySize:LongWord;
|
Size of this entry in $SDS |
Security:TNTFSSecurityData;
|
Self-relative Security Descriptor |
Padding:array[0..0] of Byte
|
Padding (align to 16 bytes) Handled by Calculation of Stream Size |
NTFS security Id data
PNTFSSecurityIdData = ^TNTFSSecurityIdData;
TNTFSSecurityIdData = packed record
| Note: 20 Bytes (Data of index $SII in file $Secure) (Key is SecurityId) | |
SecurityHash:LongWord;
|
Hash of Security Descriptor |
SecurityId:LongWord;
|
Security Id |
SecurityOffset:Int64;
|
Offset of this entry in $SDS |
SecuritySize:LongWord;
|
Size of this entry in $SDS |
NTFS security hash data
PNTFSSecurityHashData = ^TNTFSSecurityHashData;
TNTFSSecurityHashData = packed record
| Note: 20 Bytes (Data of index $SDH in file $Secure) | |
SecurityHash:LongWord;
|
Hash of Security Descriptor |
SecurityId:LongWord;
|
Security Id |
SecurityOffset:Int64;
|
Offset of this entry in $SDS |
SecuritySize:LongWord;
|
Size of this entry in $SDS |
Padding:LongWord;
|
Padding (align to 8 bytes) Always 4 bytes and always appears to be the Unicode string "II" |
NTFS object Id key data
PNTFSObjIdKeyData = ^TNTFSObjIdKeyData;
TNTFSObjIdKeyData = packed record
| Note: 16 Bytes (Key of index $O in file $ObjId) | |
ObjectId:TGUID;
|
GUID Object Id |
Data:array[0..0] of Byte
|
Data (see above) |
NTFS quota key data
PNTFSQuotaKeyData = ^TNTFSQuotaKeyData;
TNTFSQuotaKeyData = packed record
| Note: 4 Bytes (Key of index $Q in file $Quota) | |
OwnerId:LongWord;
|
Owner Id |
Data:array[0..0] of Byte
|
Data (see above) |
Padding:array[0..0] of Byte
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS owner key data
PNTFSOwnerKeyData = ^TNTFSOwnerKeyData;
TNTFSOwnerKeyData = packed record
| Note: 0 Bytes Not including SID (Key of index $O in file $Quota) | |
SID:array[0..0] of Byte;
|
SID |
Data:array[0..0] of Byte
|
Data (see above) |
Padding:array[0..0] of Byte
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS security Id key data
PNTFSSecurityIdKeyData = ^TNTFSSecurityIdKeyData;
TNTFSSecurityIdKeyData = packed record
| Note: 4 Bytes (Key of index $SII in file $Secure) | |
SecurityId:LongWord;
|
Security Id |
Data:array[0..0] of Byte
|
Data (see above) |
NTFS security hash key data
PNTFSSecurityHashKeyData = ^TNTFSSecurityHashKeyData;
TNTFSSecurityHashKeyData = packed record
| Note: 8 Bytes (Key of index $SDH in file $Secure) | |
SecurityHash:LongWord;
|
Hash of Security Descriptor |
SecurityId:LongWord;
|
Security Id |
Data:array[0..0] of Byte
|
Data (see above) |
Padding:array[0..0] of Byte
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS reparse key data
PNTFSReparseKeyData = ^TNTFSReparseKeyData;
TNTFSReparseKeyData = packed record
| Note: 12 Bytes (Key of index $R in file $Reparse) This index contains no data | |
ReparseTag:LongWord;
|
Reparse Tag (and Flags) |
FileReference:Int64;
|
MFT Reference of Reparse Point |
Padding:LongWord;
|
Padding (align to 8 bytes) Handled by Calculation of Index Entry Size |
NTFS run offset
PNTFSRunOffset = ^TNTFSRunOffset;
TNTFSRunOffset = packed record
| Note: 8 Bytes | |
case Integer of
|
|
1:(Offset1:ShortInt);
|
|
2:(Offset2:SmallInt);
|
|
4:(Offset4:LongInt);
|
|
8:(Offset8:Int64);
|
|
NTFS run length
PNTFSRunLength = ^TNTFSRunLength;
TNTFSRunLength = packed record
| Note: 8 Bytes | |
case Integer of
|
|
1:(Length1:Byte);
|
|
2:(Length2:Word);
|
|
4:(Length4:LongWord);
|
|
8:(Length8:Int64);
|
|
Public variables
None defined
Function declarations
None defined
Return to Unit Reference
