NTFS Metadata files

NTDEV
1

Hi all,

how can I find out where the NTFS bitmap file resides ?

From my driver created system thread,
to issue FSCTL_GET_RETRIEVAL_POINTERS then, I open a file handle to
L"\??\:\$Bitmap<file:>".

This fails with STATUS_ACCESS_DENIED, no matter what combinations of
DesiredAccess,FileAttributes,ShareAccess,FILE_OPEN,CreateOptions
I pass to ZwCreateFile.

Do defrag products ever move this file (and how if above fails) and can it consist of more than one extents ?

Regards
Else

________________________________
Utimaco Safeware AG
A member of the Sophos Group
Hohemarkstr. 22
61440 Oberursel
Germany

Registergericht Bad Homburg HRB 5302
WEEE-Reg.Nr.: DE39805015
Sitz: Oberursel
Vorstandsmitglieder: Steve Munford (Vorsitzender), Jeff Babka, Malte Pollmann, Olaf Siemens
Aufsichtsratsvorsitzender: Dr. Peter Lammer</file:>

2

I’m pretty sure NTFS explicitly protects this file from being opened. If you
want to inspect it you’d probably have to dismount the volume and walk the
structures yourself (or use an existing tool, I like the one from Runtime:
http://www.runtime.org/diskexplorer.htm - no affiliation)

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Else Kluger” wrote in message news:xxxxx@ntdev…
Hi all,

how can I find out where the NTFS bitmap file resides ?

From my driver created system thread,
to issue FSCTL_GET_RETRIEVAL_POINTERS then, I open a file handle to
L"\??\:\$Bitmap".

This fails with STATUS_ACCESS_DENIED, no matter what combinations of
DesiredAccess,FileAttributes,ShareAccess,FILE_OPEN,CreateOptions
I pass to ZwCreateFile.

Do defrag products ever move this file (and how if above fails) and can it
consist of more than one extents ?

Regards
Else

Utimaco Safeware AG
A member of the Sophos Group
Hohemarkstr. 22
61440 Oberursel
Germany

Registergericht Bad Homburg HRB 5302
WEEE-Reg.Nr.: DE39805015
Sitz: Oberursel
Vorstandsmitglieder: Steve Munford (Vorsitzender), Jeff Babka, Malte
Pollmann, Olaf Siemens
Aufsichtsratsvorsitzender: Dr. Peter Lammer

3

Hi,

thanks Scott, we have some code in use to do what you suggest. I wanted to avoid using it in my driver.
As regards possible future undocumented NTFS changes it’s error prone.
And it’s gigantic and superfluous overhead for my purpose (just open to FSCTL_GET_RETRIEVAL_POINTERS),
which I thought could be sufficed by using documented APIs.

Regards
Else
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: Freitag, 19. M?rz 2010 15:02
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] NTFS Metadata files

I’m pretty sure NTFS explicitly protects this file from being opened. If you
want to inspect it you’d probably have to dismount the volume and walk the
structures yourself (or use an existing tool, I like the one from Runtime:
http://www.runtime.org/diskexplorer.htm - no affiliation)

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Else Kluger” wrote in message news:xxxxx@ntdev…
Hi all,

how can I find out where the NTFS bitmap file resides ?

From my driver created system thread,
to issue FSCTL_GET_RETRIEVAL_POINTERS then, I open a file handle to
L"\??\:\$Bitmap".

This fails with STATUS_ACCESS_DENIED, no matter what combinations of
DesiredAccess,FileAttributes,ShareAccess,FILE_OPEN,CreateOptions
I pass to ZwCreateFile.

Do defrag products ever move this file (and how if above fails) and can it
consist of more than one extents ?

Regards
Else

Utimaco Safeware AG
A member of the Sophos Group
Hohemarkstr. 22
61440 Oberursel
Germany

Registergericht Bad Homburg HRB 5302
WEEE-Reg.Nr.: DE39805015
Sitz: Oberursel
Vorstandsmitglieder: Steve Munford (Vorsitzender), Jeff Babka, Malte
Pollmann, Olaf Siemens
Aufsichtsratsvorsitzender: Dr. Peter Lammer


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Utimaco Safeware AG
A member of the Sophos Group
Hohemarkstr. 22
61440 Oberursel
Germany

Registergericht Bad Homburg HRB 5302
WEEE-Reg.Nr.: DE39805015
Sitz: Oberursel
Vorstandsmitglieder: Steve Munford (Vorsitzender), Jeff Babka, Malte Pollmann, Olaf Siemens
Aufsichtsratsvorsitzender: Dr. Peter Lammer