Linked by Andrew Hudson on Mon 29th Nov 2010 21:50 UTC
Windows NTFS is the file system used by Windows. It is a powerful and complicated file system. There are few file systems that provide as many features and to fully cover them all would require a book. And in fact there is a book detailing NTFS, and it's already out of date. The purpose of this article is not to cover all of the features of NTFS, nor will it exhaustively cover NTFS features in detail. Instead we will cover its basic structure and then describe some of its more advanced features and provide use examples where possible. We will focus more on what it does, rather than how it does it. Trying to walk the line between informative and detailed is difficult and so this article contains a lot of references for people who hunger for more detail.
Permalink for comment 451592
To read all comments associated with this story, please click here.
malxau
Member since:
2005-12-04

I don't like the master file table, because it doesn't seem to be duplicated anywhere although it's possible to manually do that. The reason is that I've seen what happens when it gets corrupt, especially when the information about free and used space becomes inconsistent. This gives you the disappearing file effect, where by some of your files get accidentally replaced with newly created files because the mft had the wrong information. Usually this is fixable in the sense that you can stop the corruption and return the information to a consistent state, but no amount of fixing gets you those files back again. The mft should auto-duplicate every so often so that if the main one becomes inconsistent the fs can look to the backups and automatically bring it back into line. It's possible to manually do this, but it should be done constantly.


This post seems to be confusing a lot of different issues.

Firstly, the MFT doesn't track free space; the volume bitmap does. If you have two files that exist on a volume that both believe they own the same cluster, that's corruption in the volume bitmap, not the MFT.

Making a file disappear requires lot of changes. It needs to clear an MFT bitmap entry, the MFT record, the index entry/entries, etc. There is some level of redundancy here: if an MFT bitmap entry is marked as available, NTFS will try to allocate it, then realize the MFT record is still in use and will abort the transaction.

If I had to speculate, I'd say you're seeing the effects of NTFS selfhealing, which attempts to resolve on disk inconsistencies automatically. If it really annoys you, you might want to turn it off.

Oh, and NTFS does duplicate the first four MFT records. Originally (back in Gary's time) this spanned the whole MFT, but that didn't seem like a valuable way to spend space. Most notably, there's always the issue of knowing when information is wrong - having two copies is great, but you still need to know which copy (if any) to trust. Reading both would be very expensive, so this really needs a checksum, and you start getting into substantial changes after that.

- M

Reply Parent Score: 5