What I am trying to achieve :
- Use the NTFS bitmap to read data from a volume (consider no write activity on the volume)
- Layout this data into a VHD with a NTFS volume
- Update the volume serial number for the volume thus created on the VHD. This is needed because I see Disk Management related interfaces stuck up for some time for a few cases where the original volume was LDM based (mirror, spanned etc). The volume serial number is seen on the first and last sector of the partition.
What I have observed :
The last sector of the partition created for the volume is not part of the volume itself (considering sector size = cluster size, aligned starting LBA).
Example : Created a 512 MB volume using Disk Management MMC.
fsutil fsinfo ntfsinfo vol: shows :
C:>fsutil fsinfo ntfsinfo p:
NTFS Volume Serial Number : 0xe45accaf5acc8032
NTFS Version : 3.1
LFS Version : 2.0
Number Sectors : 0x00000000000fffff
Total Clusters : 0x00000000000fffff
Free Clusters : 0x00000000000f9e20
Total Reserved : 0x0000000000000000
Bytes Per Sector : 512
Bytes Per Physical Sector : 512
Bytes Per Cluster : 512
Bytes Per FileRecord Segment : 1024
Clusters Per FileRecord Segment : 2
Mft Valid Data Length : 0x0000000000040000
Mft Start Lcn : 0x0000000000055555
Mft2 Start Lcn : 0x0000000000000010
Mft Zone Start : 0x0000000000055740
Mft Zone End : 0x0000000000075560
Resource Manager Identifier : CDED0F2A-95BA-11E6-80CF-00505699EE53
GetFreeDiskSpaceEx() gives the volume size as 536870400 bytes
IOCTL_DISK_GET_LENGTH_INFO gives the volume size as 536870912 bytes which is 1 sector more than the clusters / sectors seen by fsutil info.
As per diskpart detail partition / detail volume also, we can see that partition size is more than volume size.
This last sector has the same data replicated as first sector [confirmed this by creating the volume on a VHD, reading the GPT to get details of partition boundaries, detaching the VHD and then doing reads at concerned offsets within the VHD file]
This seems to be the boot sector as per details given at https://technet.microsoft.com/en-us/library/cc781134(v=ws.10).aspx / https://blogs.technet.microsoft.com/askcore/2010/10/08/gpt-in-windows/ (The 2nd link claims that the replicated boot sector will be part of the volume).
Trying to read this last sector using the volume handle does not work (seek fails). Tried using FSCTL_ALLOW_EXTENDED_DASD_IO on the volume handle but that does not help either.
Question:
- Any explanation on why the replicated first sector is not accounted for in the NTFS clusters / sectors data ?
- Any suggestions on how to read the actual last sector using volume handle ?</vol:>