MSDN Documentation

Master File Table (MFT)

The Master File Table (MFT) is the heart of an NTFS volume. It's a special file that contains records for every other file and directory on the volume. Each record in the MFT is typically 1 KB in size and describes a file or directory by storing its attributes.

• Attribute List: Describes the attributes of the file.
• File Name: The name of the file.
• Security Descriptor: Access control information.
• Data: The actual content of the file (if small enough to fit within the MFT record).

For larger files, the MFT record stores pointers to the file's data clusters on the disk.

File Attributes

NTFS uses a rich set of attributes to describe files and directories, providing flexibility beyond simple file storage.

• Standard Information: Timestamps (creation, modification, access), file attributes (read-only, hidden, system), and hard link count.
• Attribute List: Used when a file has too many attributes to fit in a single MFT record.
• File Name: Stores the name of the file, supporting long file names and multiple names (e.g., 8.3 aliases).
• Object ID: A unique identifier for the file, useful for distributed link tracking.
• Security Descriptor: Manages permissions and access control lists (ACLs).
• Volume Name: The name of the volume.
• Volume Information: Information about the volume.
• Data: The content of the file. Can be non-resident for larger files.
• Index Allocation: Used for directories to store index buffers.
• Bitmap: Tracks used and free clusters on the volume.
• Reparse Point: Used for features like symbolic links, junction points, and volume mount points.
• Extended Attributes: Allows for custom metadata.

Journaling

NTFS implements a log file ($LogFile) that records all metadata changes before they are written to the MFT or other files. This journaling mechanism ensures file system consistency and allows for quick recovery in case of system crashes or power failures.

When the system restarts, NTFS reads the log file to identify any operations that were interrupted and can either complete them or roll them back to restore the file system to a consistent state.

Security and Permissions

NTFS provides robust security features through Access Control Lists (ACLs). Each file and directory can have an ACL associated with it, specifying which users or groups have what level of access (e.g., read, write, execute, modify).

ACLs are stored in the Security Descriptor attribute of an MFT record. This granular control is fundamental to Windows security.

Hard Links and Symbolic Links

NTFS supports both hard links and symbolic links, offering powerful ways to manage file references:

• Hard Links: Multiple directory entries can point to the same MFT record. Deleting a hard link only removes one reference; the file data remains accessible as long as at least one link exists.
• Symbolic Links (Symlinks): These are special files that contain a path to another file or directory. They are more flexible than hard links and can point across different volumes or even to network locations.

Reparse Points are the NTFS mechanism used to implement these types of links.

Other Advanced Features

• File Compression: NTFS can compress files transparently to save disk space.
• Encryption File System (EFS): Allows files to be encrypted using public-key cryptography.
• Disk Quotas: Administrators can set storage limits for individual users.
• Sparse Files: Files that contain large blocks of zeros, which are not physically stored on disk, saving space.
• Alternate Data Streams (ADS): Allows files to have multiple data streams associated with them, beyond the main data stream. This can be used for metadata or by applications.