NTFS: Difference between revisions

NT File System^[1]
Developer(s)	Microsoft
Full name	NT File System
Introduced	July 27, 1993; 31 years ago with Windows NT 3.1
Partition IDs	0x07 (MBR); EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (GPT)
Structures
Directory contents	B-tree variant
File allocation	Bitmap
Bad blocks	$BadClus (MFT Record)
Limits
Max volume size	264 clusters − 1 cluster (format);; 256 TB − 64 KB (Windows 10 version 1703, Windows Server 2016 or earlier implementation); 8 PB − 2 MB (Windows 10 version 1709, Windows Server 2019 or later implementation)
Max file size	16 EB − 1 KB (format);; 16 TB − 64 KB (Windows 7, Windows Server 2008 R2 or earlier implementation); 256 TB − 64 KB (Windows 8, Windows Server 2012 or later implementation); 8 PB − 2 MB (Windows 10 version 1709, Windows Server 2019 or later implementation)
Max no. of files	4,294,967,295 (232−1)
Max filename length	255 UTF-16 code units
Allowed filename; characters	In Win32 namespace: any UTF-16 code unit (case-insensitive) except /\:*"?<>\| as well as NUL; In POSIX namespace: any UTF-16 code unit (case-sensitive) except / as well as NUL;
Features
Dates recorded	Creation, modification, POSIX change, access
Date range	1 January 1601 – 14 Sept 30828 (File times are 64-bit positive signed numbers counting 100-nanosecond intervals (ten million per second) since 1601, which is more than 32,000 years)
Date resolution	100 ns
Forks	Yes (see § Alternate data stream (ADS) below)
Attributes	Read-only, hidden, system, archive, not content indexed, off-line, temporary, compressed, encrypted
File system; permissions	ACLs
Transparent; compression	Per-file, LZ77 (Windows NT 3.51 onward)
Transparent; encryption	Per-file,; DESX (Windows 2000 onward),; Triple DES (Windows XP onward),; AES (Windows XP Service Pack 1, Windows Server 2003 onward)
Data deduplication	Yes (Windows Server 2012)
Other
Supported; operating systems	Windows NT 3.1 and later; Mac OS X 10.3 and later (read-only); Linux kernel version 2.6 and later; Linux kernel versions 2.2-2.4 (read-only); FreeBSD; NetBSD; OpenBSD (read-only); ChromeOS; Solaris; ReactOS (read-only)

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Inline

Latest revision as of 20:41, 27 November 2024

NT File System (NTFS) (commonly called New Technology File System) is a proprietary journaling file system developed by Microsoft in the 1990s.^[11]^[12]^[2]

It was developed to overcome scalability, security and other limitations with FAT.^[13] NTFS adds several features that FAT and HPFS lack, including: access control lists (ACLs); filesystem encryption; transparent compression; sparse files; file system journaling and volume shadow copy, a feature that allows backups of a system while in use.

Starting with Windows NT 3.1, it is the default file system of the Windows NT family superseding the File Allocation Table (FAT) file system.^[14] NTFS read/write support is available on Linux and BSD using NTFS3 in Linux and NTFS-3G in BSD.^[15]^[16]

NTFS uses several files hidden from the user to store metadata about other files stored on the drive which can help improve speed and performance when reading data.^[1]

History

In the mid-1980s, Microsoft and IBM formed a joint project to create the next generation of graphical operating system; the result was OS/2 and HPFS. Because Microsoft disagreed with IBM on many important issues, they eventually separated; OS/2 remained an IBM project and Microsoft worked to develop Windows NT and NTFS.

The HPFS file system for OS/2 contained several important new features. When Microsoft created their new operating system, they borrowed many of these concepts for NTFS.^[17] The original NTFS developers were Tom Miller, Gary Kimura, Brian Andrew, and David Goebel.^[18]

Probably as a result of this common ancestry, HPFS and NTFS use the same disk partition identification type code (07). Using the same Partition ID Record Number is highly unusual, since there were dozens of unused code numbers available, and other major file systems have their own codes. For example, FAT has more than nine (one each for FAT12, FAT16, FAT32, etc.). Algorithms identifying the file system in a partition type 07 must perform additional checks to distinguish between HPFS and NTFS.

Versions

Microsoft has released five versions of NTFS:

NTFS version number	First operating system	Release date	New features	Remarks
1.0	Windows NT 3.1	1993^[14]	Initial version	NTFS 1.0 is incompatible with 1.1 and newer: volumes written by Windows NT 3.5x cannot be read by Windows NT 3.1 until an update (available on the NT 3.5x installation media) is installed.^[19]
1.1	Windows NT 3.5	1994	Named streams and access control lists^[20]	NTFS compression support was added in Windows NT 3.51
1.2	Windows NT 4.0	1996	Security descriptors	Commonly called NTFS 4.0 after the OS release
3.0	Windows 2000	2000	Disk quotas, file-level encryption in a form of Encrypting File System, sparse files, reparse points, update sequence number (USN) journaling, distributed link tracking, the `$Extend` folder and its files	Compatibility was also made available for Windows NT 4.0 with the Service Pack 4 update. Commonly called NTFS 5.0 after the OS release.^[21]
3.1	Windows XP	October 2001	Expanded the Master File Table (MFT) entries with redundant MFT record number (useful for recovering damaged MFT files)	Commonly called NTFS 5.1 after the OS release. LFS version 1.1 was replaced by version 2.0 as of Windows 8 to improve performance.

The NTFS.sys version number (e.g. v5.0 in Windows 2000) is based on the operating system version; it should not be confused with the NTFS version number (v3.1 since Windows XP).^[22]^[23]

Although subsequent versions of Windows added new file system-related features, they did not change NTFS itself. For example, Windows Vista implemented NTFS symbolic links, Transactional NTFS, partition shrinking, and self-healing.^[24] NTFS symbolic links are a new feature in the file system; all the others are new operating system features that make use of NTFS features already in place.

Scalability

NTFS is optimized for 4 KB^[a] clusters, but supports a maximum cluster size of 2 MB^[a]. (Earlier implementations support up to 64 KB)^[6] The maximum NTFS volume size that the specification can support is 2⁶⁴ − 1 clusters, but not all implementations achieve this theoretical maximum, as discussed below.

The maximum NTFS volume size implemented in Windows XP Professional is 2³² − 1 clusters, partly due to partition table limitations. For example, using 64 KB clusters, the maximum size Windows XP NTFS volume is 256 TB minus 64 KB. Using the default cluster size of 4 KB, the maximum NTFS volume size is 16 TB minus 4 KB. Both of these are vastly higher than the 128 GB^[a] limit in Windows XP SP1. The size of a partition in the Master Boot Record (MBR) is limited to 2 TiB with a hard drive with 512-byte physical sectors,^[25]^[26] although for a 4 KiB physical sector the MBR partition size limit is 16 TiB. An alternative is to use multiple GUID Partition Table (GPT or "dynamic") volumes for be combined to create a single NTFS volume larger than 2 TiB. Booting from a GPT volume to a Windows environment in a Microsoft supported way requires a system with Unified Extensible Firmware Interface (UEFI) and 64-bit^[b] support.^[27] GPT data disks are supported on systems with BIOS.

The NTFS maximum theoretical limit on the size of individual files is 16 EB^[a]^[28] (16 × 1024⁶ or 2⁶⁴ bytes) minus 1 KB, which totals 18,446,744,073,709,550,592 bytes. With Windows 10 version 1709 and Windows Server 2019, the maximum implemented file size is 8 PB^[a] minus 2 MB or 9,007,199,252,643,840 bytes.^[6]

Interoperability

Windows

While the different NTFS versions are for the most part fully forward- and backward-compatible, there are technical considerations for mounting newer NTFS volumes in older versions of Microsoft Windows. This affects dual-booting, and external portable hard drives. For example, attempting to use an NTFS partition with "Previous Versions" (Volume Shadow Copy) on an operating system that does not support it will result in the contents of those previous versions being lost.^[29] A Windows command-line utility called convert.exe can convert supporting file systems to NTFS, including HPFS (only on Windows NT 3.1, 3.5, and 3.51), FAT16 and FAT32 (on Windows 2000 and later).^[30]^[31]

FreeBSD

FreeBSD 3.2 released in May 1999 included read-only NTFS support written by Semen Ustimenko.^[32]^[33] This implementation was ported to NetBSD by Christos Zoulas and Jaromir Dolecek and released with NetBSD 1.5 in December 2000.^[34] The FreeBSD implementation of NTFS was also ported to OpenBSD by Julien Bordet and offers native read-only NTFS support by default on i386 and amd64 platforms as of version 4.9 released 1 May 2011.^[update]^[35]^[33]

Linux

Linux kernel versions 2.1.74 and later include a driver written by Martin von Löwis which has the ability to read NTFS partitions;^[36] kernel versions 2.5.11 and later contain a new driver written by Anton Altaparmakov (University of Cambridge) and Richard Russon which supports file read.^[37]^[38]^[36] The ability to write to files was introduced with kernel version 2.6.15 in 2006 which allows users to write to existing files but does not allow the creation of new ones.^[39] Paragon's NTFS driver (see below) has been merged into kernel version 5.15, and it supports read/write on normal, compressed and sparse files, as well as journal replaying.^[40]

NTFS-3G is a free GPL-licensed FUSE implementation of NTFS that was initially developed as a Linux kernel driver by Szabolcs Szakacsits. It was re-written as a FUSE program to work on other systems that FUSE supports like macOS, FreeBSD, NetBSD, OpenBSD,^[41] Solaris, QNX, and Haiku^[42] and allows reading and writing to NTFS partitions. A performance enhanced commercial version of NTFS-3G, called "Tuxera NTFS for Mac", is also available from the NTFS-3G developers.^[43]

Captive NTFS, a 'wrapping' driver that uses Windows' own driver ntfs.sys, exists for Linux. It was built as a Filesystem in Userspace (FUSE) program and released under the GPL but work on Captive NTFS ceased in 2006.^[44]

Linux kernel versions 5.15 onwards carry NTFS3, a fully functional NTFS Read-Write driver which works on NTFS versions up to 3.1 and is maintained primarily by the Paragon Software Group.

macOS

Mac OS X 10.3 included Ustimenko's read-only implementation of NTFS from FreeBSD. Then in 2006 Apple hired Anton Altaparmakov to write a new NTFS implementation for Mac OS X 10.6.^[45] Native NTFS write support is included in 10.6 and later, but is not activated by default, although workarounds do exist to enable the functionality. However, user reports indicate the functionality is unstable and tends to cause kernel panics.^[46]

Paragon Software Group sells a read-write driver named NTFS for Mac,^[47] which is also included on some models of Seagate hard drives.^[48]

OS/2

The NetDrive package for OS/2 (and derivatives such as eComStation and ArcaOS) supports a plugin which allows read and write access to NTFS volumes.^[49]^[50]

DOS

There is a free-for-personal-use read/write driver for MS-DOS by Avira called "NTFS4DOS".^[51]^[52]

Ahead Software developed a "NTFSREAD" driver (version 1.200) for DR-DOS 7.0x between 2002 and 2004. It was part of their Nero Burning ROM software.

Security

NTFS uses access control lists and user-level encryption to help secure user data.

Access control lists (ACLs)

NTFS file system permissions on a modern Windows system

In NTFS, each file or folder is assigned a security descriptor that defines its owner and contains two access control lists (ACLs). The first ACL, called discretionary access control list (DACL), defines exactly what type of interactions (e.g. reading, writing, executing or deleting) are allowed or forbidden by which user or groups of users. For example, files in the C:\Program Files folder may be read and executed by all users but modified only by a user holding administrative privileges.^[53] Windows Vista adds mandatory access control info to DACLs. DACLs are the primary focus of User Account Control in Windows Vista and later.

The second ACL, called system access control list (SACL), defines which interactions with the file or folder are to be audited and whether they should be logged when the activity is successful, failed or both. For example, auditing can be enabled on sensitive files of a company, so that its managers get to know when someone tries to delete them or make a copy of them, and whether they succeed.^[53]

Encryption

Encrypting File System (EFS) provides user-transparent encryption of any file or folder on an NTFS volume.^[54] EFS works in conjunction with the EFS service, Microsoft's CryptoAPI and the EFS File System Run-Time Library (FSRTL). EFS works by encrypting a file with a bulk symmetric key (also known as the File Encryption Key, or FEK), which is used because it takes a relatively small amount of time to encrypt and decrypt large amounts of data than if an asymmetric key cipher is used. The symmetric key that is used to encrypt the file is then encrypted with a public key that is associated with the user who encrypted the file, and this encrypted data is stored in an alternate data stream of the encrypted file. To decrypt the file, the file system uses the private key of the user to decrypt the symmetric key that is stored in the data stream. It then uses the symmetric key to decrypt the file. Because this is done at the file system level, it is transparent to the user.^[55] Also, in case of a user losing access to their key, support for additional decryption keys has been built into the EFS system, so that a recovery agent can still access the files if needed. NTFS-provided encryption and NTFS-provided compression are mutually exclusive; however, NTFS can be used for one and a third-party tool for the other.

The support of EFS is not available in Basic, Home, and MediaCenter versions of Windows, and must be activated after installation of Professional, Ultimate, and Server versions of Windows or by using enterprise deployment tools within Windows domains.

Features

Journaling

NTFS is a journaling file system and uses the NTFS Log ($LogFile) to record metadata changes to the volume. It is a feature that FAT does not provide and is critical for NTFS to ensure that its complex internal data structures will remain consistent in case of system crashes or data moves performed by the defragmentation API, and allow easy rollback of uncommitted changes to these critical data structures when the volume is remounted. Notably affected structures are the volume allocation bitmap, modifications to MFT records such as moves of some variable-length attributes stored in MFT records and attribute lists, and indices for directories and security descriptors.

The ($LogFile) format has evolved through several versions:

Windows Version	$LogFile format version
Windows NT 4.0	1.1
Windows 2000
Windows XP
Windows Vista
Windows 7
Windows 8	2.0
Windows 8.1
Windows 10

The incompatibility of the $LogFile versions implemented by Windows 8, Windows 10, Windows 11 prevents Windows 7 (and earlier versions of Windows) from recognizing version 2.0 of the $LogFile. Backward compatibility is provided by downgrading the $LogFile to version 1.1 when an NTFS volume is cleanly dismounted. It is again upgraded to version 2.0 when mounting on a compatible version of Windows. However, when hibernating to disk in the logoff state (a.k.a. Hybrid Boot or Fast Boot, which is enabled by default), mounted file systems are not dismounted, and thus the $LogFiles of any active file systems are not downgraded to version 1.1. The inability to process version 2.0 of the $LogFile by versions of Windows older than 8.0 results in an unnecessary invocation of the CHKDSK disk repair utility. This is particularly a concern in a multi-boot scenario involving pre- and post-8.0 versions of Windows, or when frequently moving a storage device between older and newer versions. A Windows Registry setting exists to prevent the automatic upgrade of the $LogFile to the newer version. The problem can also be dealt with by disabling Hybrid Boot.^[56]

The USN Journal (Update Sequence Number Journal) is a system management feature that records (in $Extend\$UsnJrnl) changes to files, streams and directories on the volume, as well as their various attributes and security settings. The journal is made available for applications to track changes to the volume.^[57] This journal can be enabled or disabled on non-system volumes.^[58]

Hard links

The hard link feature allows different file names to directly refer to the same file contents. Hard links may link only to files in the same volume, because each volume has its own MFT. Hard links were originally included to support the POSIX subsystem in Windows NT.^[59]

Although hard links use the same MFT record (inode) which records file metadata such as file size, modification date, and attributes, NTFS also caches this data in the directory entry as a performance enhancement. This means that when listing the contents of a directory using FindFirstFile/FindNextFile family of APIs, (equivalent to the POSIX opendir/readdir APIs) you will also receive this cached information, in addition to the name and inode. However, you may not see up-to-date information, as this information is only guaranteed to be updated when a file is closed, and then only for the directory from which the file was opened.^[60] This means where a file has multiple names via hard links, updating a file via one name does not update the cached data associated with the other name. You can always obtain up-to-date data using GetFileInformationByHandle (which is the true equivalent of POSIX stat function). This can be done using a handle which has no access to the file itself (passing zero to CreateFile for dwDesiredAccess), and closing this handle has the incidental effect of updating the cached information.

Windows uses hard links to support short (8.3) filenames in NTFS. Operating system support is needed because there are legacy applications that can work only with 8.3 filenames, but support can be disabled. In this case, an additional filename record and directory entry is added, but both 8.3 and long file name are linked and updated together, unlike a regular hard link.

The NTFS file system has a limit of 1024 hard links on a file.^[61]

Alternate data stream (ADS)

Alternate data streams allow more than one data stream to be associated with a filename (a fork), using the format "filename:streamname" (e.g., "text.txt:extrastream"). These streams are not shown to or made editable by users through any typical GUI application built into Windows by default, disguising their existence from most users. Although intended for helpful metadata, their arcane nature makes them a potential hiding place for malware, spyware, unseen browser history, and other potentially unwanted information.

Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. When the file is copied or moved to another file system without ADS support the user is warned that alternate data streams cannot be preserved. No such warning is typically provided if the file is attached to an e-mail, or uploaded to a website. Thus, using alternate streams for critical data may cause problems. Microsoft provides a downloadable tool called Streams^[62] to view streams on a selected volume. Starting with Windows PowerShell 3.0, it is possible to manage ADS natively with six cmdlets: Add-Content, Clear-Content, Get-Content, Get-Item, Remove-Item, Set-Content.^[63]

A small ADS named Zone.Identifier is added by Internet Explorer and by most browsers to mark files downloaded from external sites as possibly unsafe to run; the local shell would then require user confirmation before opening them.^[64] When the user indicates that they no longer want this confirmation dialog, this ADS is deleted. This functionality is also known as "Mark of the Web".^[65]^[66] Without deep modifications to the source code, all Chromium (e.g. Google Chrome) and Firefox-based web browsers also write the Zone.Identifier stream to downloaded files. As of Windows 10, the contents of the Zone.Identifer stream are structured like an INI file (i.e. a key-value store) that includes the keys HostIpAddress, HostUrl, and ReferrerUrl. To some extent, these are implementation-defined fields, but they typically contain the domain name and exact URL of the original online download location, potentially offering a deeply esoteric method of tracking browsing history with concomitant privacy risks.^[67] If the downloaded file is executable (e.g. an installer), the Zone ADS can be used for reflection, enabling the program to identify where it was downloaded from, which may occasionally be used for telemetry and/or security purposes, whereby a program can attempt to verify that it was downloaded from an official source (assuming the stream has not been removed or spoofed) and can transmit the information back over the internet (an example of this in action is BiglyBT's installer).

Malware has used alternate data streams to hide code.^[68] Since the late 2000s, some malware scanners and other special tools check for alternate data streams. Due to the risks associated with ADS, particularly involving privacy and the Zone.Identifier stream, there exists software specifically designed to strip streams from files (certain streams with perceived risk or all of them) in a user-friendly way.^[69]

NTFS Streams were introduced in Windows NT 3.1, to enable Services for Macintosh (SFM) to store resource forks. Although current versions of Windows Server no longer include SFM, third-party Apple Filing Protocol (AFP) products (such as GroupLogic's ExtremeZ-IP) still use this feature of the file system.

File compression

Compression is enabled on a per-folder or per-file basis by setting the 'compressed' attribute. When compression is enabled on a folder, any files moved or saved to that folder will be automatically compressed using LZNT1 algorithm (a variant of LZ77).^[70] The compression algorithm is designed to support cluster sizes of up to 4 KB; when the cluster size is greater than 4 KB on an NTFS volume, NTFS compression is not available.^[71] Data is compressed in 16-cluster chunks (up to 64 KB in size); if the compression reduces 64 KB of data to 60 KB or less, NTFS treats the unneeded 4 KB pages like empty sparse file clusters—they are not written. This allows for reasonable random-access times as the OS merely has to follow the chain of fragments.

Compression works best with files that have repetitive content, are seldom written, are usually accessed sequentially, and are not themselves compressed. Single-user systems with limited hard disk space can benefit from NTFS compression for small files, from 4 KB to 64 KB or more, depending on compressibility. Files smaller than approximately 900 bytes are stored within the directory entry of the MFT.^[72]

Advantages

Users of fast multi-core processors will find improvements in application speed by compressing their applications and data as well as a reduction in space used. Even when SSD controllers already compress data, there is still a reduction in I/Os since less data is transferred.^[73]

According to research by Microsoft's NTFS Development team, 50–60 GB is a reasonable maximum size for a compressed file on an NTFS volume with a 4 KB (default) cluster (block) size. This reasonable maximum size decreases sharply for volumes with smaller cluster sizes.^[74]

Disadvantages

Large compressible files become highly fragmented since every chunk smaller than 64 KB becomes a fragment.^[74]^[75] Flash memory, such as SSD drives do not have the head movement delays and high access time of mechanical hard disk drives, so fragmentation has only a smaller penalty.

If system files that are needed at boot time (such as drivers, NTLDR, winload.exe, or BOOTMGR) are compressed, the system may fail to boot correctly, because decompression filters are not yet loaded.^[76]^{[failed verification]} Later editions of Windows^[which?] do not allow important system files to be compressed.

System compression

Since Windows 10, Microsoft has introduced new file compression scheme based on the XPRESS algorithm with 4K/8K/16K block size^[77] and the LZX algorithm;^[78] both are variants of LZ77 updated with Huffman entropy coding and range coding, which LZNT1 lacked. These compression algorithms were taken from Windows Imaging Format (WIM file).

The new compression scheme is used by CompactOS feature, which reduces disk usage by compressing Windows system files.^[79] CompactOS is not an extension of NTFS file compression and does not use the 'compressed' attribute; instead, it sets a reparse point on each compressed file with a WOF (Windows Overlay Filter) tag,^[80] but the actual data is stored in an alternate data stream named "WofCompressedData", which is decompressed on-the-fly by a WOF filesystem filter driver, and the main file is an empty sparse file.^[80] This design is meant purely for read-only access, so any writes to compressed files result in an automatic decompression.^[80]^[81]^[82]

CompactOS compression is intended for OEMs who prepare OS images with the /compact flag of the DISM tool in Windows ADK,^[83] but it can also be manually turned on per file with the /exe flag of the compact command.^[84] CompactOS algorithm avoids file fragmentation by writing compressed data in contiguously allocated chunks, unlike core NTFS compression.^{[citation needed]}

CompactOS file compression is an improved version of WIMBoot feature introduced in Windows 8.1. WIMBoot reduces Windows disk usage by keeping system files in a compressed WIM image on a separate hidden disk partition.^[85] Similarly to CompactOS, Windows system directories only contain sparse files marked by a reparse point with a WOF tag, and Windows Overlay Filter driver decompresses file contents on-the-fly from the WIM image. WIMBoot is less effective than CompactOS though, as new updated versions of system files need to be written to the system partition, consuming disk space.^[80]

Sparse files

Sparse files are files interspersed with empty segments for which no actual storage space is used. To the applications, the file looks like an ordinary file with empty regions seen as regions filled with zeros; the file system maintains an internal list of such regions for each sparse file.^[86] A sparse file does not necessarily include sparse zeros areas; the "sparse file" attribute just means that the file is allowed to have them.

Database applications, for instance, may use sparse files.^[87] As with compressed files, the actual sizes of sparse files are not taken into account when determining quota limits.^[88]

Volume Shadow Copy

The Volume Shadow Copy Service (VSS) keeps historical versions of files and folders on NTFS volumes by copying old, newly overwritten data to shadow copy via copy-on-write technique. The user may later request an earlier version to be recovered. This also allows data backup programs to archive files currently in use by the file system.

Windows Vista also introduced persistent shadow copies for use with System Restore and Previous Versions features. Persistent shadow copies, however, are deleted when an older operating system mounts that NTFS volume. This happens because the older operating system does not understand the newer format of persistent shadow copies.^[29]

Transactions

As of Windows Vista, applications can use Transactional NTFS (TxF) to group multiple changes to files together into a single transaction. The transaction will guarantee that either all of the changes happen, or none of them do, and that no application outside the transaction will see the changes until they are committed.^[89]

It uses similar techniques as those used for Volume Shadow Copies (i.e. copy-on-write) to ensure that overwritten data can be safely rolled back, and a CLFS log to mark the transactions that have still not been committed, or those that have been committed but still not fully applied (in case of system crash during a commit by one of the participants).

Transactional NTFS does not restrict transactions to just the local NTFS volume, but also includes other transactional data or operations in other locations such as data stored in separate volumes, the local registry, or SQL databases, or the current states of system services or remote services. These transactions are coordinated network-wide with all participants using a specific service, the DTC, to ensure that all participants will receive same commit state, and to transport the changes that have been validated by any participant (so that the others can invalidate their local caches for old data or rollback their ongoing uncommitted changes). Transactional NTFS allows, for example, the creation of network-wide consistent distributed file systems, including with their local live or offline caches.

Microsoft now advises against using TxF: "Microsoft strongly recommends developers utilize alternative means" since "TxF may not be available in future versions of Microsoft Windows".^[90]

Quotas

Disk quotas were introduced in NTFS v3. They allow the administrator of a computer that runs a version of Windows that supports NTFS to set a threshold of disk space that users may use. It also allows administrators to keep track of how much disk space each user is using. An administrator may specify a certain level of disk space that a user may use before they receive a warning, and then deny access to the user once they hit their upper limit of space. Disk quotas do not take into account NTFS's transparent file-compression, should this be enabled. Applications that query the amount of free space will also see the amount of free space left to the user who has a quota applied to them.

Reparse points

Introduced in NTFS v3, NTFS reparse points are used by associating a reparse tag in the user space attribute of a file or directory. Microsoft includes several default tags including symbolic links, directory junction points and volume mount points. When the Object Manager parses a file system name lookup and encounters a reparse attribute, it will reparse the name lookup, passing the user controlled reparse data to every file system filter driver that is loaded into Windows. Each filter driver examines the reparse data to see whether it is associated with that reparse point, and if that filter driver determines a match, then it intercepts the file system request and performs its special functionality.

Limitations

Resizing

Starting with Windows Vista Microsoft added the built-in ability to shrink or expand a partition. However, this ability does not relocate page file fragments or files that have been marked as unmovable, so shrinking a volume will often require relocating or disabling any page file, the index of Windows Search, and any Shadow Copy used by System Restore. Various third-party tools are capable of resizing NTFS partitions.

OneDrive

Since 2017, Microsoft requires the OneDrive file structure to reside on an NTFS disk.^[91] This is because OneDrive Files On-Demand feature uses NTFS reparse points to link files and folders that are stored in OneDrive to the local filesystem, making the file or folder unusable with any previous version of Windows, with any other NTFS file system driver, or any file system and backup utilities not updated to support it.^[92]

Structure

NTFS is made up of several components including: a partition boot sector (PBS) that holds boot information; the master file table that stores a record of all files and folders in the filesystem; a series of meta files that help structure meta data more efficiently; data streams and locking mechanisms.

Internally, NTFS uses B-trees to index file system data. A file system journal is used to guarantee the integrity of the file system metadata but not individual files' content. Systems using NTFS are known to have improved reliability compared to FAT file systems.^[93]

NTFS allows any sequence of 16-bit values for name encoding (e.g. file names, stream names or index names) except 0x0000. This means UTF-16 code units are supported, but the file system does not check whether a sequence is valid UTF-16 (it allows any sequence of short values, not restricted to those in the Unicode standard). In Win32 namespace, any UTF-16 code units are case insensitive whereas in POSIX namespace they are case sensitive. File names are limited to 255 UTF-16 code units. Certain names are reserved in the volume root directory and cannot be used for files. These are $MFT, $MFTMirr, $LogFile, $Volume, $AttrDef, . (dot), $Bitmap, $Boot, $BadClus, $Secure, $UpCase, and $Extend.^[5] . (dot) and $Extend are both directories; the others are files. The NT kernel limits full paths to 32,767 UTF-16 code units. There are some additional restrictions on code points and file names.^[94]

Partition Boot Sector (PBS)

NTFS boot sector contents^[95]^[96] (All values except strings are stored in little endian order.)
Byte offset	Field length	Typical value	Field name		Purpose
0x00	3 bytes	0xEB5290	x86 JMP and NOP instructions		Causes execution to continue after the data structures in this boot sector.
0x03	8 bytes	"`NTFS` " Word "NTFS" followed by four trailing spaces (0x20)	OEM ID		This is the magic number that indicates this is an NTFS file system.
0x0B	2 bytes	0x0200	BPB	Bytes per sector	The number of bytes in a disk sector.
0x0D	1 byte	0x08		Sectors Per Cluster	The number of sectors in a cluster. If the value is greater than 0x80, the amount of sectors is 2 to the power of the absolute value of considering this field to be negative.
0x0E	2 bytes	0x0000		Reserved Sectors, unused
0x10	3 bytes	0x000000		Unused	This field is always 0
0x13	2 bytes	0x0000		Unused by NTFS	This field is always 0
0x15	1 byte	0xF8		Media Descriptor	The type of drive. 0xF8 is used to denote a hard drive (in contrast to the several sizes of floppy).
0x16	2 bytes	0x0000		Unused	This field is always 0
0x18	2 bytes	0x003F		Sectors Per Track	The number of disk sectors in a drive track.
0x1A	2 bytes	0x00FF		Number Of Heads	The number of heads on the drive.
0x1C	4 bytes	0x0000003F		Hidden Sectors	The number of sectors preceding the partition.
0x20	4 bytes	0x00000000		Unused	Not used by NTFS
0x24	4 bytes	0x00800080	EBPB	Unused	Not used by NTFS
0x28	8 bytes	0x00000000007FF54A		Total sectors	The partition size in sectors.
0x30	8 bytes	0x0000000000000004		$MFT cluster number	The cluster that contains the Master File Table
0x38	8 bytes	0x000000000007FF54		$MFTMirr cluster number	The cluster that contains a backup of the Master File Table
0x40	1 byte	0xF6		Bytes or Clusters Per File Record Segment	A positive value denotes the number of clusters in a File Record Segment. A negative value denotes the amount of bytes in a File Record Segment, in which case the size is 2 to the power of the absolute value. (0xF6 = -10 → 2¹⁰ = 1024).
0x41	3 bytes	0x000000		Unused	This field is not used by NTFS
0x44	1 byte	0x01		Bytes or Clusters Per Index Buffer	A positive value denotes the number of clusters in an Index Buffer. A negative value denotes the amount of bytes and it uses the same algorithm for negative numbers as the "Bytes or Clusters Per File Record Segment."
0x45	3 bytes	0x000000		Unused	This field is not used by NTFS
0x48	8 bytes	0x1C741BC9741BA514		Volume Serial Number	A unique random number assigned to this partition, to keep things organized.
0x50	4 bytes	0x00000000		Checksum, unused	Supposedly a checksum.
0x54	426 bytes		Bootstrap Code		The code that loads the rest of the operating system. This is pointed to by the first 3 bytes of this sector.
0x01FE	2 bytes	0xAA55	End-of-sector Marker		This flag indicates that this is a valid boot sector.

This boot partition format is roughly based upon the earlier FAT filesystem, but the fields are in different locations. Some of these fields, especially the "sectors per track", "number of heads" and "hidden sectors" fields may contain dummy values on drives where they either do not make sense or are not determinable.

The OS first looks at the 8 bytes at 0x30 to find the cluster number of the $MFT, then multiplies that number by the number of sectors per cluster (1 byte found at 0x0D). This value is the sector offset (LBA) to the $MFT, which is described below.

Master File Table

In NTFS, all file, directory and metafile data—file name, creation date, access permissions (by the use of access control lists), and size—are stored as metadata in the Master File Table (MFT). This abstract approach allowed easy addition of file system features during Windows NT's development—an example is the addition of fields for indexing used by the Active Directory and the Windows Search. This also enables fast file search software to locate named local files and folders included in the MFT very quickly, without requiring any other index.

The MFT structure supports algorithms which minimize disk fragmentation.^[97] A directory entry consists of a filename and a "file ID" (analogous to the inode number), which is the record number representing the file in the Master File Table. The file ID also contains a reuse count to detect stale references. While this strongly resembles the W_FID of Files-11, other NTFS structures radically differ.

A partial copy of the MFT, called the MFT mirror, is stored to be used in case of corruption.^[98] If the first record of the MFT is corrupted, NTFS reads the second record to find the MFT mirror file. Locations for both files are stored in the boot sector.^[99]

Metafiles

NTFS contains several files that define and organize the file system. In all respects, most of these files are structured like any other user file ($Volume being the most peculiar), but are not of direct interest to file system clients.^[100] These metafiles define files, back up critical file system data, buffer file system changes, manage free space allocation, satisfy BIOS expectations, track bad allocation units, and store security and disk space usage information. All content is in an unnamed data stream, unless otherwise indicated.

MFT (entries 0–26 are the NTFS metafiles)
Segment number	File name	Purpose
0	`$MFT`	Describes all files on the volume, including file names, timestamps, stream names, and lists of cluster numbers where data streams reside, indexes, security identifiers, and file attributes like "read only", "compressed", "encrypted", etc.
1	`$MFTMirr`	Duplicate of the first vital entries of $MFT, usually 4 entries (4 kilobytes).
2	`$LogFile`	Contains transaction log of file system metadata changes.
3	`$Volume`	Contains information about the volume, namely the volume object identifier, volume label, file system version, and volume flags (mounted, chkdsk requested, requested $LogFile resize, mounted on NT 4, volume serial number updating, structure upgrade request). This data is not stored in a data stream, but in special MFT attributes: If present, a volume object ID is stored in an $OBJECT_ID record; the volume label is stored in a $VOLUME_NAME record, and the remaining volume data is in a $VOLUME_INFORMATION record. Note: volume serial number is stored in file $Boot (below).
4	`$AttrDef`	A table of MFT attributes that associates numeric identifiers with names.
5	`.`	Root directory. Directory data is stored in $INDEX_ROOT and $INDEX_ALLOCATION attributes both named $I30.
6	`$Bitmap`	An array of bit entries: each bit indicates whether its corresponding cluster is used (allocated) or free (available for allocation).
7	`$Boot`	Volume boot record (VBR). This file is always located at the first clusters on the volume. It contains bootstrap code (see NTLDR/BOOTMGR) and a BIOS parameter block including a volume serial number and cluster numbers of $MFT and $MFTMirr.
8	`$BadClus`	A file that contains all the clusters marked as having bad sectors. This file simplifies cluster management by the chkdsk utility, both as a place to put newly discovered bad sectors, and for identifying unreferenced clusters. This file contains two data streams, even on volumes with no bad sectors: an unnamed stream contains bad sectors—it is zero length for perfect volumes; the second stream is named $Bad and contains all clusters on the volume not in the first stream.
9	`$Secure`	Access control list database that reduces overhead having many identical ACLs stored with each file, by uniquely storing these ACLs only in this database (contains two indices: $SII (Standard_Information ID) and $SDH (Security Descriptor Hash), which index the stream named $SDS containing actual ACL table).^[20]
10	`$UpCase`	A table of unicode uppercase characters for ensuring case-insensitivity in Win32 and DOS namespaces.
11	`$Extend`	A file system directory containing various optional extensions, such as $Quota, $ObjId, $Reparse or $UsnJrnl.
12–23	Reserved for $MFT extension entries. Extension entries are additional MFT records that contain additional attributes that do not fit in the primary record. This could occur if the file is sufficiently fragmented, has many streams, long filenames, complex security, or other rare situations.
24	`$Extend\$Quota`	Holds disk quota information. Contains two index roots, named $O and $Q.
25	`$Extend\$ObjId`	Holds link tracking information. Contains an index root and allocation named $O.
26	`$Extend\$Reparse`	Holds reparse point data (such as symbolic links). Contains an index root and allocation named $R.
27–	Beginning of regular file entries.

These metafiles are treated specially by Windows, handled directly by the NTFS.SYS driver and are difficult to directly view: special purpose-built tools are needed.^[c] As of Windows 7, the NTFS driver completely prohibits user access, resulting in a BSoD whenever an attempt to execute a metadata file is made. One such tool is the nfi.exe ("NTFS File Sector Information Utility") that is freely distributed as part of the Microsoft "OEM Support Tools". For example, to obtain information on the "$MFT"-Master File Table Segment the following command is used: nfi.exe c:\$MFT^[101] Another way to bypass the restriction is to use 7-Zip's file manager and go to the low-level NTFS path \\.\X:\ (where X:\ resembles any drive/partition). Here, 3 new folders will appear: $EXTEND, [DELETED] (a pseudo-folder that 7-Zip uses to attach files deleted from the file system to view), and [SYSTEM] (another pseudo-folder that contains all the NTFS metadata files). This trick can be used from removable devices (USB flash drives, external hard drives, SD Cards, etc.) inside Windows, but doing this on the active partition requires offline access (namely WinRE).

Attribute lists, attributes, and streams

For each file (or directory) described in the MFT record, there is a linear repository of stream descriptors (also named attributes), packed together in one or more MFT records (containing the so-called attributes list), with extra padding to fill the fixed 1 KB size of every MFT record, and that fully describes the effective streams associated with that file.

Each attribute has an attribute type (a fixed-size integer mapping to an attribute definition in file $AttrDef), an optional attribute name (for example, used as the name for an alternate data stream), and a value, represented in a sequence of bytes. For NTFS, the standard data of files, the alternate data streams, or the index data for directories are stored as attributes.

According to $AttrDef, some attributes can be either resident or non-resident. The $DATA attribute, which contains file data, is such an example. When the attribute is resident (which is represented by a flag), its value is stored directly in the MFT record. Otherwise, clusters are allocated for the data, and the cluster location information is stored as data runs in the attribute.

For each file in the MFT, the attributes identified by attribute type, attribute name must be unique. Additionally, NTFS has some ordering constraints for these attributes.
There is a predefined null attribute type, used to indicate the end of the list of attributes in one MFT record. It must be present as the last attribute in the record (all other storage space available after it will be ignored and just consists of padding bytes to match the record size in the MFT).
Some attribute types are required and must be present in each MFT record, except unused records that are just indicated by null attribute types.
- This is the case for the $STANDARD_INFORMATION attribute that is stored as a fixed-size record and contains the timestamps and other basic single-bit attributes (compatible with those managed by FAT in DOS or Windows 9x).
Some attribute types cannot have a name and must remain anonymous.
- This is the case for the standard attributes, or for the preferred NTFS "filename" attribute type, or the "short filename" attribute type, when it is also present (for compatibility with DOS-like applications, see below). It is also possible for a file to contain only a short filename, in which case it will be the preferred one, as listed in the Windows Explorer.
- The filename attributes stored in the attribute list do not make the file immediately accessible through the hierarchical file system. In fact, all the filenames must be indexed separately in at least one other directory on the same volume. There it must have its own MFT record and its own security descriptors and attributes that reference the MFT record number for this file. This allows the same file or directory to be "hardlinked" several times from several containers on the same volume, possibly with distinct filenames.
The default data stream of a regular file is a stream of type $DATA but with an anonymous name, and the ADSs are similar but must be named.
On the other hand, the default data stream of directories has a distinct type, but are not anonymous: they have an attribute name ("$I30" in NTFS 3+) that reflects its indexing format.

All attributes of a given file may be displayed by using the nfi.exe ("NTFS File Sector Information Utility") that is freely distributed as part of the Microsoft "OEM Support Tools".^[101]

Windows system calls may handle alternate data streams.^[5] Depending on the operating system, utility and remote file system, a file transfer might silently strip data streams.^[5] A safe way of copying or moving files is to use the BackupRead and BackupWrite system calls, which allow programs to enumerate streams, to verify whether each stream should be written to the destination volume and to knowingly skip unwanted streams.^[5]

Resident vs. non-resident attributes

To optimize the storage and reduce the I/O overhead for the very common case of attributes with very small associated value, NTFS prefers to place the value within the attribute itself (if the size of the attribute does not then exceed the maximum size of an MFT record), instead of using the MFT record space to list clusters containing the data; in that case, the attribute will not store the data directly but will just store an allocation map (in the form of data runs) pointing to the actual data stored elsewhere on the volume.^[102] When the value can be accessed directly from within the attribute, it is called "resident data" (by computer forensics workers). The amount of data that fits is highly dependent on the file's characteristics, but 700 to 800 bytes is common in single-stream files with non-lengthy filenames and no ACLs.

Some attributes (such as the preferred filename, the basic file attributes) cannot be made non-resident. For non-resident attributes, their allocation map must fit within MFT records.
Encrypted-by-NTFS, sparse data streams, or compressed data streams cannot be made resident.
The format of the allocation map for non-resident attributes depends on its capability of supporting sparse data storage. In the current implementation of NTFS, once a non-resident data stream has been marked and converted as sparse, it cannot be changed back to non-sparse data, so it cannot become resident again, unless this data is fully truncated, discarding the sparse allocation map completely.
When a non-resident attribute is so fragmented that its effective allocation map cannot fit entirely within one MFT record, NTFS stores the attribute in multiple records. The first one among them is called the base record, while the others are called extension records. NTFS creates a special attribute $ATTRIBUTE_LIST to store information mapping different parts of the long attribute to the MFT records, which means the allocation map may be split into multiple records. The $ATTRIBUTE_LIST itself can also be non-resident, but its own allocation map must fit within one MFT record.
When there are too many attributes for a file (including ADS's, extended attributes, or security descriptors), so that they cannot fit all within the MFT record, extension records may also be used to store the other attributes, using the same format as the one used in the base MFT record, but without the space constraints of one MFT record.

The allocation map is stored in a form of data runs with compressed encoding. Each data run represents a contiguous group of clusters that store the attribute value. For files on a multi-GB volume, each entry can be encoded as 5 to 7 bytes, which means a 1 KB MFT record can store about 100 such data runs. However, as the $ATTRIBUTE_LIST also has a size limit, it is dangerous to have more than 1 million fragments of a single file on an NTFS volume, which also implies that it is in general not a good idea to use NTFS compression on a file larger than 10 GB.^[103]

The NTFS file system driver will sometimes attempt to relocate the data of some of the attributes that can be made non-resident into the clusters, and will also attempt to relocate the data stored in clusters back to the attribute inside the MFT record, based on priority and preferred ordering rules, and size constraints.

Since resident files do not directly occupy clusters ("allocation units"), it is possible for an NTFS volume to contain more files on a volume than there are clusters. For example, a 74.5 GB partition NTFS formats with 19,543,064 clusters of 4 KB. Subtracting system files (a 64 MB log file, a 2,442,888-byte Bitmap file, and about 25 clusters of fixed overhead) leaves 19,526,158 clusters free for files and indices. Since there are four MFT records per cluster, this volume theoretically could hold almost 4 × 19,526,158 = 78,104,632 resident files.

Opportunistic locks

Opportunistic file locks (oplocks) allow clients to alter their buffering strategy for a given file or stream in order to increase performance and reduce network use.^[104] Oplocks apply to the given open stream of a file and do not affect oplocks on a different stream.

Oplocks can be used to transparently access files in the background. A network client may avoid writing information into a file on a remote server if no other process is accessing the data, or it may buffer read-ahead data if no other process is writing data.

Windows supports four different types of oplocks:

Level 2 (or shared) oplock: multiple readers, no writers (i.e. read caching).
Level 1 (or exclusive) oplock: exclusive access with arbitrary buffering (i.e. read and write caching).
Batch oplock (also exclusive): a stream is opened on the server, but closed on the client machine (i.e. read, write and handle caching).
Filter oplock (also exclusive): applications and file system filters can "back out" when others try to access the same stream (i.e. read and write caching) (since Windows 2000)

Opportunistic locks have been enhanced in Windows 7 and Windows Server 2008 R2 with per-client oplock keys.^[105]

Time

Windows NT and its descendants keep internal timestamps as UTC and make the appropriate conversions for display purposes; all NTFS timestamps are in UTC.^{[citation needed]}

For historical reasons, the versions of Windows that do not support NTFS all keep time internally as local zone time, and therefore so do all file systems – other than NTFS – that are supported by current versions of Windows. This means that when files are copied or moved between NTFS and non-NTFS partitions, the OS needs to convert timestamps on the fly. But if some files are moved when daylight saving time (DST) is in effect, and other files are moved when standard time is in effect, there can be some ambiguities in the conversions. As a result, especially shortly after one of the days on which local zone time changes, users may observe that some files have timestamps that are incorrect by one hour. Due to the differences in implementation of DST in different jurisdictions, this can result in a potential timestamp error of up to 4 hours in any given 12 months.^[106]

Notes

^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j 1 byte = 8 bits
1 KB = 1,024 bytes
1 MB = 1,048,576 bytes
1 GB = 1,073,741,824 bytes
1 TB = 1,099,511,627,776 bytes
1 PB = 1,125,899,906,842,624 bytes
1 EB = 1,152,921,504,606,846,976 bytes
^ Can also be 32-bit, provided that the firmware and operating system loader are size-matched.
^ Since Windows XP, it is very difficult to view a listing of these files: they exist in the root directory's index, but the Win32 interface filters them out. In NT 4.0, the command line dir command would list the metafiles in the root directory if /a were specified. In Windows 2000, dir /a stopped working, but dir /a \$MFT worked.

References

^ ^a ^b Karresand, Martin; Axelsson, Stefan; Dyrkolbotn, Geir Olav (2019-07-01). "Using NTFS Cluster Allocation Behavior to Find the Location of User Data". Digital Investigation. 29: –51–S60. doi:10.1016/j.diin.2019.04.018. hdl:11250/2631756. ISSN 1742-2876. S2CID 199004263.
^ ^a ^b "Glossary". [MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol. Microsoft. 14 November 2013.
^ "How NTFS Works". TechNet. Microsoft. 8 October 2009. Retrieved 2 December 2017.
^ "B*Trees - NTFS Directory Trees - Concept - NTFS Documentation". flatcap.org. Archived from the original on 2019-05-13. Retrieved 2019-05-13.
^ ^a ^b ^c ^d ^e ^f ^g "How NTFS Works". Windows Server 2003 Technical Reference. 2003-03-28. Retrieved 2011-09-12.
^ ^a ^b ^c ^d "Appendix A: Product Behavior". [MS-FSA]: File System Algorithms. Microsoft. 2018-09-12. Retrieved 2018-10-01. NTFS uses a default cluster size of 4 KB, a maximum cluster size of 64 KB on Windows 10 v1703 operating system and Windows Server 2016 and prior, and 2 MB on Windows 10 v1709 operating system and Windows Server 2019 and later, and a minimum cluster size of 512 bytes.
^ "Appendix A: Product Behavior". [MS-FSA]: File System Algorithms. Microsoft. 14 November 2013. Retrieved 2012-09-21.
^ ^a ^b Russon, Richard; Fledel, Yuval. "NTFS Documentation" (PDF). Archived (PDF) from the original on 2022-10-09. Retrieved 2011-06-26.
^ "SYSTEMTIME structure (minwinbase.h)". Microsoft. October 5, 2021. Retrieved January 7, 2024.
^ Rick Vanover (14 September 2011). "Windows Server 8 data deduplication". Archived from the original on 2016-07-18. Retrieved 2011-12-02.
^ Sammes, Tony; Jenkinson, Brian, eds. (2007), "The New Technology File System", Forensic Computing, London: Springer, pp. 215–275, doi:10.1007/978-1-84628-732-9_6, ISBN 978-1-84628-732-9, retrieved 2024-08-14
^ Weiss, David (2022-08-01). "What Is NTFS and How Does It Work?". Datto. Retrieved 2024-08-14.
^ "New Technology File System - an overview | ScienceDirect Topics". www.sciencedirect.com. Retrieved 2024-08-14.
^ ^a ^b Custer, Helen (1994). Inside the Windows NT File System. Microsoft Press. ISBN 978-1-55615-660-1.
^ "NTFS3 — The Linux Kernel documentation". www.kernel.org. Retrieved 2021-12-02.
^ "ntfs-3g". www.freebsd.org. Retrieved 2021-12-02.
^ Kozierok, Charles (14 February 2018). "Overview and History of NTFS". The PC Guide. Retrieved May 30, 2019.
^ Custer, Helen (1994). Inside the Windows NT File System. Microsoft Press. p. vii. ISBN 978-1-55615-660-1.
^ "Recovering Windows NT After a Boot Failure on an NTFS Drive". Microsoft. November 1, 2006.
^ ^a ^b Russinovich, Mark (30 June 2006). "Inside Win2K NTFS, Part 1". MSDN. Microsoft. Retrieved 2008-04-18.
^ "What's New in Windows NT 4.0 Service Pack 4?". Microsoft.com. 12 January 1999. Archived from the original on 17 January 1999. Retrieved 17 August 2018.
^ "New Capabilities and Features of the NTFS 3.1 File System". Microsoft. 1 December 2007. Archived from the original on Nov 16, 2006.
^ "NTFS Overview". LSoft Technologies Inc.
^ Loveall, John (2006). "Storage improvements in Windows Vista and Windows Server 2008" (PowerPoint). Microsoft. pp. 14–20. Retrieved 2007-09-04.
^ "Windows support for hard disks that are larger than 2 TB". Microsoft Learn. 2013-06-26. Retrieved 2024-08-08.
^ "Default cluster size for NTFS, FAT, and exFAT". Microsoft Support. Archived from the original on 2024-03-09.
^ "Booting from GPT". Rodsbooks.com. Retrieved 22 September 2018.
^ "NTFS vs FAT vs exFAT - NTFS.com". www.ntfs.com. Retrieved 2021-01-19.
^ ^a ^b cfsbloggers (July 14, 2006). "How restore points and other recovery features in Windows Vista are affected when dual-booting with Windows XP". The Filing Cabinet. Archived from the original on 2006-07-18. Retrieved 2007-03-21.
^ "How to Convert FAT Disks to NTFS". Microsoft. 18 December 2017. Retrieved May 30, 2019.
^ "FAQ: How to use Convert.exe to convert a partition to the NTFS file system". The Educationsl University of Hong Kong. 2007-02-12. Archived from the original on 2023-12-06. Retrieved 2010-12-26.
^ "FreeBSD 3.2 Release Notes". 17 May 1999. Retrieved 2020-06-15.
^ ^a ^b "mount_ntfs - OpenBSD manual pages". Retrieved 2020-06-15.
^ "Announcing NetBSD 1.5". 6 December 2000. Retrieved 2020-06-15.
^ "OpenBSD 4.9". Openbsd.com. Retrieved 22 September 2018.
^ ^a ^b "NTFS Credits and History". Linux-NTFS Project. Archived from the original on 2021-09-24. Retrieved 2021-09-24.
^ "Kernel development". lwn.net. 2 May 2002. Retrieved 2021-09-05.
^ "Release notes for v2.5.11". 29 April 2002. Retrieved 2021-09-05.
^ "2.6.15 changelog". Linux project. 3 January 2006. Retrieved 2021-09-05.
^ Anderson, Tim (2021-09-06). "GitHub merges 'useless garbage' says Linus Torvalds as new NTFS support added to Linux kernel 5.15". The Register. Retrieved 2021-09-07.
^ "OpenBSD adds fuse(4) support for adding file systems in userland". OpenBSD Journal. 2013-11-08. Retrieved 2013-11-08.
^ "NTFS-3G Stable Read/Write Driver". 2009-07-25.
^ "Tuxera NTFS for Mac". Tuxera. August 30, 2011. Retrieved September 20, 2011.
^ "Jan Kratochvil: Captive: The first free NTFS read/write filesystem for GNU/Linux". Retrieved 2020-06-15.
^ "About Tuxera". Retrieved 2020-06-15.
^ "10.6: Enable native NTFS read/write support". 1 October 2009. Archived from the original on 5 September 2021. Retrieved 5 September 2021.
^ "Microsoft NTFS for Mac". Paragon Software Group. Retrieved August 8, 2024.
^ "The Leader in Mass Data Storage Solutions | Seagate US". Seagate.com. Archived from the original on February 10, 2011.
^ "NTFS plugin for NetDrive". ecsoft2.org. Retrieved 2020-09-09.
^ "NetDrive for OS/2". arcanoae.com. Retrieved 2020-09-09.
^ "Avira NTFS4DOS Personal". Archived from the original on June 19, 2010. Retrieved 2009-07-25.
^ "Download Avira NTFS4DOS Personal 1.9". Archived from the original on 10 November 2013. Retrieved 22 September 2018.
^ ^a ^b "How Security Descriptors and Access Control Lists Work". TechNet. Microsoft. Retrieved 4 September 2015.
^ Morello, John (February 2007). "Security Watch Deploying EFS: Part 1". Technet Magazine. Microsoft. Retrieved 2009-01-25.
^ "How EFS Works". Windows 2000 Resource Kit. Microsoft. 18 July 2012. Retrieved 25 February 2014.
^ "Windows 8 volume compatibility considerations with prior versions of Windows". 17 January 2024. Retrieved 2024-08-08.
^ "Change Journals". Microsoft Docs. 7 January 2021. Retrieved 2023-08-12.
^ "Creating, Modifying, and Deleting a Change Journal (Windows)". Microsoft Docs. 7 January 2021. Retrieved 2023-08-12.
^ "Chapter 29 – POSIX Compatibility". MS Windows NT Workstation 4.0 Resource Guide. Microsoft. 1995. Retrieved 21 October 2013.
^ "Hard Links and Junctions". MSDN. Microsoft. 12 October 2013. Retrieved 21 October 2013.
^ "MSDN – CreateHardLink function". Retrieved 14 January 2016.
^ "Streams - Sysinternals". Microsoft Docs. 23 March 2021. Retrieved 12 August 2023.
^ "FileSystem Provider". Microsoft. 9 August 2012. Archived from the original on 23 January 2015. Retrieved 23 January 2015.
^ Russinovich, Mark E.; Solomon, David A.; Ionescu, Alex (2009). "File Systems". Windows Internals (5th ed.). Microsoft Press. p. 921. ISBN 978-0-7356-2530-3. One component in Windows that uses multiple data streams is the Attachment Execution Service[...] depending on which zone the file was downloaded from [...] Windows Explorer might warn the user
^ Boyd, Christopher (26 October 2022). "Malformed signature trick can bypass Mark of the Web". Malwarebytes. Retrieved 2023-05-15.
^ DHB-MSFT (28 February 2023). "Macros from the internet are blocked by default in Office - Deploy Office". learn.microsoft.com. Retrieved 2023-05-15.
^ https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)?redirectedfrom=MSDN
^ "Malware utilising Alternate Data Streams?". AusCERT Web Log. 21 August 2007. Archived from the original on 2011-02-23.
^ https://github.com/fafalone/ZoneStripper
^ "File Compression and Decompression". MSDN Platform SDK: File Systems. Retrieved 2005-08-18.
^ "The Default Cluster Size for the NTFS and FAT File Systems". Microsoft. January 31, 2002. Retrieved 2012-01-10.
^ "How NTFS Works". 2003-03-28. Retrieved 2011-10-24.
^ Masiero, Manuel (2011-12-01). "Should You Compress Data On Your SSD?". Tom's Hardware. Bestofmedia Group. Retrieved 2013-04-05.
^ ^a ^b Middleton, Dennis. "Understanding NTFS Compression". Ntdebugging Blog. Microsoft. Archived from the original on 29 June 2011. Retrieved 2011-03-16.
^ "Shrinking the gap: carving NTFS-compressed files". Retrieved 2011-05-29.
^ "Disk Concepts and Troubleshooting". Microsoft. 11 September 2008. Retrieved 2012-03-26.
^ "[MS-XCA]: Xpress Compression Algorithm". 31 January 2023.
^ "wimlib: the open source Windows Imaging (WIM) library - Compression algorithm".
^ "Compact OS, single-instancing, and image optimization". Microsoft. Retrieved 1 October 2019.
^ ^a ^b ^c ^d Raymond Chen (18 June 2019). "What is WofCompressedData? Does WOF mean that Windows is a dog?". Microsoft DevBlogs.
^ Biggers, Eric (29 April 2019). "NTFS-3G plugin for reading "system compressed" files". GitHub. Retrieved 1 October 2019.
^ "Re: [ntfs-3g-devel] Experimental support for Windows 10 "System Compressed" files". SourceForge.net. Retrieved 1 October 2019.
^ "DISM Overview". 15 December 2021.
^ "Compact". 3 February 2023.
^ "Windows Image File Boot (WIMBoot) Overview". 10 March 2015.
^ "Sparse Files". MSDN. Microsoft. 12 October 2013. Retrieved 21 October 2013.
^ Kandoth, Suresh B. (4 March 2009). "Sparse File Errors: 1450 or 665 due to file fragmentation: Fixes and Workarounds". CSS SQL Server Engineers. Microsoft. Archived from the original on 21 October 2013. Retrieved 21 October 2013.
^ "Sparse Files and Disk Quotas". MSDN Library. Microsoft. 12 October 2013. Retrieved 21 October 2013.
^ "Transactional NTFS". MSDN. Microsoft. Archived from the original on 2007-02-21. Retrieved 2007-02-02.
^ "Transactional NTFS (TxF)". Microsoft Docs. Microsoft. 20 July 2022. Retrieved 12 August 2023.
^ "Unable to open content synced in a OneDrive folder on an external drive". Microsoft Support. Retrieved 2021-04-03.
^ André, Jean-Pierre (March 1, 2019). "NTFS-3G: Junction Points, Symbolic Links and Reparse Points". jp-andre.pagesperso-orange.fr. Archived from the original on Aug 28, 2022.
^ "Chapter 18 – Choosing a File System". MS Windows NT Workstation 4.0 Resource Guide. Microsoft. 20 February 2014. Retrieved 25 February 2014.
^ "Naming Files, Paths, and Namespaces". MSDN. Microsoft. Naming Conventions. Retrieved 25 February 2014.
^ "NTFS. Partition Boot Sector". Ntfs.com. Retrieved 22 September 2018.
^ "Boot Sector". Technet.microsoft.com. September 11, 2008. Table 1.13 BPB and Extended BPB Fields on NTFS Volumes. Retrieved 22 September 2018.
^ "Master File Table". MSDN. July 2, 2012.
^ "Forensics: What is the MFT Mirror?". Where is Your Data?. 2009-06-05. Retrieved 2021-07-30.
^ "NTFS Master File Table (MFT)". Ntfs.com. Retrieved 22 September 2018.
^ Schwarz, Thomas. "COEN 252 Computer Forensics NTFS". Faculty of Organization and Informatics University of Zagreb. Archived from the original on 2021-02-27. Retrieved May 30, 2019.
^ ^a ^b "OEM Support Tools Phase 3 Service Release 2 Availability". Microsoft Corporation. 2007-02-21. Archived from the original on 2015-02-23. Retrieved 2010-06-16. Windows NT File System (NTFS) File Sector Information Utility ... A tool used to dump information about an NTFS volume
^ "The Four Stages of NTFS File Growth". Archived from the original on 23 September 2018. Retrieved 22 September 2018.
^ "A heavily fragmented file in an NTFS volume may not grow beyond a certain size". Archived from the original on 2021-05-06. Retrieved 2021-05-19.
^ "How Oplocks function in the Windows Environment: Overview". Archived from the original on 2010-08-23. Retrieved 2018-12-19.
^ "What's New in NTFS". Technet.microsoft.com. 2 July 2012. Retrieved 22 September 2018.
^ Gilligan, Jonathan (28 May 2001). "Beating the Daylight Saving Time bug and getting correct file modification times". The Code Project.

External links

[units-5] ^ ^a ^b ^c ^d ^e ^f ^g ^h ⁱ ^j 1 byte = 8 bits
1 KB = 1,024 bytes
1 MB = 1,048,576 bytes
1 GB = 1,073,741,824 bytes
1 TB = 1,099,511,627,776 bytes
1 PB = 1,125,899,906,842,624 bytes
1 EB = 1,152,921,504,606,846,976 bytes

[28] Can also be 32-bit, provided that the firmware and operating system loader are size-matched.

[103] Since Windows XP, it is very difficult to view a listing of these files: they exist in the root directory's index, but the Win32 interface filters them out. In NT 4.0, the command line dir command would list the metafiles in the root directory if /a were specified. In Windows 2000, dir /a stopped working, but dir /a \$MFT worked.

[karresand2019-1] Karresand, Martin; Axelsson, Stefan; Dyrkolbotn, Geir Olav (2019-07-01). "Using NTFS Cluster Allocation Behavior to Find the Location of User Data". Digital Investigation. 29: –51–S60. doi:10.1016/j.diin.2019.04.018. hdl:11250/2631756. ISSN 1742-2876. S2CID 199004263.

[ntfs_abbr-2] "Glossary". [MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol. Microsoft. 14 November 2013.

[3] "How NTFS Works". TechNet. Microsoft. 8 October 2009. Retrieved 2 December 2017.

[4] "B*Trees - NTFS Directory Trees - Concept - NTFS Documentation". flatcap.org. Archived from the original on 2019-05-13. Retrieved 2019-05-13.

[How_NTFS_Works-6] ^ ^a ^b ^c ^d ^e ^f ^g "How NTFS Works". Windows Server 2003 Technical Reference. 2003-03-28. Retrieved 2011-09-12.

[MS-FSA_id_1-7] "Appendix A: Product Behavior". [MS-FSA]: File System Algorithms. Microsoft. 2018-09-12. Retrieved 2018-10-01. NTFS uses a default cluster size of 4 KB, a maximum cluster size of 64 KB on Windows 10 v1703 operating system and Windows Server 2016 and prior, and 2 MB on Windows 10 v1709 operating system and Windows Server 2019 and later, and a minimum cluster size of 512 bytes.

[MS-FSA-8] "Appendix A: Product Behavior". [MS-FSA]: File System Algorithms. Microsoft. 14 November 2013. Retrieved 2012-09-21.

[ntfsdoc-9] Russon, Richard; Fledel, Yuval. "NTFS Documentation" (PDF). Archived (PDF) from the original on 2022-10-09. Retrieved 2011-06-26.

[10] "SYSTEMTIME structure (minwinbase.h)". Microsoft. October 5, 2021. Retrieved January 7, 2024.

[singleinstancestorage-11] Rick Vanover (14 September 2011). "Windows Server 8 data deduplication". Archived from the original on 2016-07-18. Retrieved 2011-12-02.

[12] Sammes, Tony; Jenkinson, Brian, eds. (2007), "The New Technology File System", Forensic Computing, London: Springer, pp. 215–275, doi:10.1007/978-1-84628-732-9_6, ISBN 978-1-84628-732-9, retrieved 2024-08-14

[13] Weiss, David (2022-08-01). "What Is NTFS and How Does It Work?". Datto. Retrieved 2024-08-14.

[14] "New Technology File System - an overview | ScienceDirect Topics". www.sciencedirect.com. Retrieved 2024-08-14.

[Custer,_Helen-15] Custer, Helen (1994). Inside the Windows NT File System. Microsoft Press. ISBN 978-1-55615-660-1.

[16] "NTFS3 — The Linux Kernel documentation". www.kernel.org. Retrieved 2021-12-02.

[17] "ntfs-3g". www.freebsd.org. Retrieved 2021-12-02.

[18] Kozierok, Charles (14 February 2018). "Overview and History of NTFS". The PC Guide. Retrieved May 30, 2019.

[19] Custer, Helen (1994). Inside the Windows NT File System. Microsoft Press. p. vii. ISBN 978-1-55615-660-1.

[20] "Recovering Windows NT After a Boot Failure on an NTFS Drive". Microsoft. November 1, 2006.

[insidewin2kntfs-21] Russinovich, Mark (30 June 2006). "Inside Win2K NTFS, Part 1". MSDN. Microsoft. Retrieved 2008-04-18.

[22] "What's New in Windows NT 4.0 Service Pack 4?". Microsoft.com. 12 January 1999. Archived from the original on 17 January 1999. Retrieved 17 August 2018.

[23] "New Capabilities and Features of the NTFS 3.1 File System". Microsoft. 1 December 2007. Archived from the original on Nov 16, 2006.

[24] "NTFS Overview". LSoft Technologies Inc.

[25] Loveall, John (2006). "Storage improvements in Windows Vista and Windows Server 2008" (PowerPoint). Microsoft. pp. 14–20. Retrieved 2007-09-04.

[26] "Windows support for hard disks that are larger than 2 TB". Microsoft Learn. 2013-06-26. Retrieved 2024-08-08.

[27] "Default cluster size for NTFS, FAT, and exFAT". Microsoft Support. Archived from the original on 2024-03-09.

[29] "Booting from GPT". Rodsbooks.com. Retrieved 22 September 2018.

[30] "NTFS vs FAT vs exFAT - NTFS.com". www.ntfs.com. Retrieved 2021-01-19.

[techBlog2007-31] sbloggers (July 14, 2006). "How restore points and other recovery features in Windows Vista are affected when dual-booting with Windows XP". The Filing Cabinet. Archived from the original on 2006-07-18. Retrieved 2007-03-21.

[32] "How to Convert FAT Disks to NTFS". Microsoft. 18 December 2017. Retrieved May 30, 2019.

[33] "FAQ: How to use Convert.exe to convert a partition to the NTFS file system". The Educationsl University of Hong Kong. 2007-02-12. Archived from the original on 2023-12-06. Retrieved 2010-12-26.

[34] "FreeBSD 3.2 Release Notes". 17 May 1999. Retrieved 2020-06-15.

[OpenBSDman-35] "mount_ntfs - OpenBSD manual pages". Retrieved 2020-06-15.

[36] "Announcing NetBSD 1.5". 6 December 2000. Retrieved 2020-06-15.

[37] "OpenBSD 4.9". Openbsd.com. Retrieved 22 September 2018.

[LinuxNTFSCredits-38] "NTFS Credits and History". Linux-NTFS Project. Archived from the original on 2021-09-24. Retrieved 2021-09-24.

[39] "Kernel development". lwn.net. 2 May 2002. Retrieved 2021-09-05.

[40] "Release notes for v2.5.11". 29 April 2002. Retrieved 2021-09-05.

[41] "2.6.15 changelog". Linux project. 3 January 2006. Retrieved 2021-09-05.

[42] Anderson, Tim (2021-09-06). "GitHub merges 'useless garbage' says Linus Torvalds as new NTFS support added to Linux kernel 5.15". The Register. Retrieved 2021-09-07.

[43] "OpenBSD adds fuse(4) support for adding file systems in userland". OpenBSD Journal. 2013-11-08. Retrieved 2013-11-08.

[44] "NTFS-3G Stable Read/Write Driver". 2009-07-25.

[45] "Tuxera NTFS for Mac". Tuxera. August 30, 2011. Retrieved September 20, 2011.

[46] "Jan Kratochvil: Captive: The first free NTFS read/write filesystem for GNU/Linux". Retrieved 2020-06-15.

[47] "About Tuxera". Retrieved 2020-06-15.

[48] "10.6: Enable native NTFS read/write support". 1 October 2009. Archived from the original on 5 September 2021. Retrieved 5 September 2021.

[49] "Microsoft NTFS for Mac". Paragon Software Group. Retrieved August 8, 2024.

[50] "The Leader in Mass Data Storage Solutions | Seagate US". Seagate.com. Archived from the original on February 10, 2011.

[51] "NTFS plugin for NetDrive". ecsoft2.org. Retrieved 2020-09-09.

[52] "NetDrive for OS/2". arcanoae.com. Retrieved 2020-09-09.

[53] "Avira NTFS4DOS Personal". Archived from the original on June 19, 2010. Retrieved 2009-07-25.

[54] "Download Avira NTFS4DOS Personal 1.9". Archived from the original on 10 November 2013. Retrieved 22 September 2018.

[:0-55] "How Security Descriptors and Access Control Lists Work". TechNet. Microsoft. Retrieved 4 September 2015.

[56] Morello, John (February 2007). "Security Watch Deploying EFS: Part 1". Technet Magazine. Microsoft. Retrieved 2009-01-25.

[57] "How EFS Works". Windows 2000 Resource Kit. Microsoft. 18 July 2012. Retrieved 25 February 2014.

[58] "Windows 8 volume compatibility considerations with prior versions of Windows". 17 January 2024. Retrieved 2024-08-08.

[59] "Change Journals". Microsoft Docs. 7 January 2021. Retrieved 2023-08-12.

[60] "Creating, Modifying, and Deleting a Change Journal (Windows)". Microsoft Docs. 7 January 2021. Retrieved 2023-08-12.

[61] "Chapter 29 – POSIX Compatibility". MS Windows NT Workstation 4.0 Resource Guide. Microsoft. 1995. Retrieved 21 October 2013.

[62] "Hard Links and Junctions". MSDN. Microsoft. 12 October 2013. Retrieved 21 October 2013.

[63] "MSDN – CreateHardLink function". Retrieved 14 January 2016.

[64] "Streams - Sysinternals". Microsoft Docs. 23 March 2021. Retrieved 12 August 2023.

[65] "FileSystem Provider". Microsoft. 9 August 2012. Archived from the original on 23 January 2015. Retrieved 23 January 2015.

[66] Russinovich, Mark E.; Solomon, David A.; Ionescu, Alex (2009). "File Systems". Windows Internals (5th ed.). Microsoft Press. p. 921. ISBN 978-0-7356-2530-3. One component in Windows that uses multiple data streams is the Attachment Execution Service[...] depending on which zone the file was downloaded from [...] Windows Explorer might warn the user

[67] Boyd, Christopher (26 October 2022). "Malformed signature trick can bypass Mark of the Web". Malwarebytes. Retrieved 2023-05-15.

[68] DHB-MSFT (28 February 2023). "Macros from the internet are blocked by default in Office - Deploy Office". learn.microsoft.com. Retrieved 2023-05-15.

[69] ttps://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85)?redirectedfrom=MSDN

[70] "Malware utilising Alternate Data Streams?". AusCERT Web Log. 21 August 2007. Archived from the original on 2011-02-23.

[71] ttps://github.com/fafalone/ZoneStripper

[72] "File Compression and Decompression". MSDN Platform SDK: File Systems. Retrieved 2005-08-18.

[73] "The Default Cluster Size for the NTFS and FAT File Systems". Microsoft. January 31, 2002. Retrieved 2012-01-10.

[74] "How NTFS Works". 2003-03-28. Retrieved 2011-10-24.

[75] Masiero, Manuel (2011-12-01). "Should You Compress Data On Your SSD?". Tom's Hardware. Bestofmedia Group. Retrieved 2013-04-05.

[understanding-ntfs-compression-76] Middleton, Dennis. "Understanding NTFS Compression". Ntdebugging Blog. Microsoft. Archived from the original on 29 June 2011. Retrieved 2011-03-16.

[77] "Shrinking the gap: carving NTFS-compressed files". Retrieved 2011-05-29.

[78] "Disk Concepts and Troubleshooting". Microsoft. 11 September 2008. Retrieved 2012-03-26.

[ms-xca-79] "[MS-XCA]: Xpress Compression Algorithm". 31 January 2023.

[wmilib-compression-80] "wimlib: the open source Windows Imaging (WIM) library - Compression algorithm".

[compactos-81] "Compact OS, single-instancing, and image optimization". Microsoft. Retrieved 1 October 2019.

[oldnewthing-wof-82] Raymond Chen (18 June 2019). "What is WofCompressedData? Does WOF mean that Windows is a dog?". Microsoft DevBlogs.

[83] Biggers, Eric (29 April 2019). "NTFS-3G plugin for reading "system compressed" files". GitHub. Retrieved 1 October 2019.

[84] "Re: [ntfs-3g-devel] Experimental support for Windows 10 "System Compressed" files". SourceForge.net. Retrieved 1 October 2019.

[85] "DISM Overview". 15 December 2021.

[compact-reference-86] "Compact". 3 February 2023.

[wimboot-87] "Windows Image File Boot (WIMBoot) Overview". 10 March 2015.

[88] "Sparse Files". MSDN. Microsoft. 12 October 2013. Retrieved 21 October 2013.

[89] Kandoth, Suresh B. (4 March 2009). "Sparse File Errors: 1450 or 665 due to file fragmentation: Fixes and Workarounds". CSS SQL Server Engineers. Microsoft. Archived from the original on 21 October 2013. Retrieved 21 October 2013.

[90] "Sparse Files and Disk Quotas". MSDN Library. Microsoft. 12 October 2013. Retrieved 21 October 2013.

[91] "Transactional NTFS". MSDN. Microsoft. Archived from the original on 2007-02-21. Retrieved 2007-02-02.

[NTFS-TxF-92] "Transactional NTFS (TxF)". Microsoft Docs. Microsoft. 20 July 2022. Retrieved 12 August 2023.

[93] "Unable to open content synced in a OneDrive folder on an external drive". Microsoft Support. Retrieved 2021-04-03.

[ntfs-3g-94] André, Jean-Pierre (March 1, 2019). "NTFS-3G: Junction Points, Symbolic Links and Reparse Points". jp-andre.pagesperso-orange.fr. Archived from the original on Aug 28, 2022.

[95] "Chapter 18 – Choosing a File System". MS Windows NT Workstation 4.0 Resource Guide. Microsoft. 20 February 2014. Retrieved 25 February 2014.

[96] "Naming Files, Paths, and Namespaces". MSDN. Microsoft. Naming Conventions. Retrieved 25 February 2014.

[97] "NTFS. Partition Boot Sector". Ntfs.com. Retrieved 22 September 2018.

[98] "Boot Sector". Technet.microsoft.com. September 11, 2008. Table 1.13 BPB and Extended BPB Fields on NTFS Volumes. Retrieved 22 September 2018.

[99] "Master File Table". MSDN. July 2, 2012.

[100] "Forensics: What is the MFT Mirror?". Where is Your Data?. 2009-06-05. Retrieved 2021-07-30.

[101] "NTFS Master File Table (MFT)". Ntfs.com. Retrieved 22 September 2018.

[102] Schwarz, Thomas. "COEN 252 Computer Forensics NTFS". Faculty of Organization and Informatics University of Zagreb. Archived from the original on 2021-02-27. Retrieved May 30, 2019.

[support.microsoft.com-104] "OEM Support Tools Phase 3 Service Release 2 Availability". Microsoft Corporation. 2007-02-21. Archived from the original on 2015-02-23. Retrieved 2010-06-16. Windows NT File System (NTFS) File Sector Information Utility ... A tool used to dump information about an NTFS volume

[105] "The Four Stages of NTFS File Growth". Archived from the original on 23 September 2018. Retrieved 22 September 2018.

[106] "A heavily fragmented file in an NTFS volume may not grow beyond a certain size". Archived from the original on 2021-05-06. Retrieved 2021-05-19.

[107] "How Oplocks function in the Windows Environment: Overview". Archived from the original on 2010-08-23. Retrieved 2018-12-19.

[108] "What's New in NTFS". Technet.microsoft.com. 2 July 2012. Retrieved 22 September 2018.

[109] Gilligan, Jonathan (28 May 2001). "Beating the Daylight Saving Time bug and getting correct file modification times". The Code Project.

[1]

[2]

[3]

[4]

[a]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[b]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

[37]

[38]

[39]

[40]

[41]

[42]

[43]

[44]

[45]

[46]

[47]

[48]

[49]

[50]

[51]

[52]

[53]

[54]

[55]

[56]

[57]

[58]

[59]

[60]

[61]

[62]

[63]

[64]

[65]

[66]

[67]

[68]

[69]

[70]

[71]

[72]

[73]

[74]

[75]

[76]

[77]

[78]

[79]

[80]

[81]

[82]

[83]

[84]

[85]

[86]

[87]

[88]

[89]

[90]

[91]

[92]

[93]

[94]

[95]

[96]

[97]

[98]