1
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2
<!-- http://linux-ntfs.sourceforge.net/ntfs/help/glossary.html -->
6
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
7
<meta name="description" content="NTFS Documentation">
8
<link rel="stylesheet" type="text/css" href="../style/ntfsdoc.css">
9
<link rel="stylesheet" type="text/css" href="../style/glossary.css">
10
<link rel="start" type="text/html" href="../index.html" title="NTFS Documentation">
11
<title>Glossary - NTFS Documentation</title>
15
<table border="0" class="toolbar" summary="" cellspacing="0">
17
<td class="toolbar"><a accesskey="1" class="toolbar" href="../index.html">Home</a>
18
<td class="toolbar"> </td>
19
<td class="toolbar"><a accesskey="2" class="toolbar" href="../files/index.html">Files</a></td>
20
<td class="toolbar"> </td>
21
<td class="toolbar"><a accesskey="3" class="toolbar" href="../attributes/index.html">Attributes</a></td>
22
<td class="toolbar"> </td>
23
<td class="toolbar"><a accesskey="4" class="toolbar" href="../concepts/index.html">Concepts</a></td>
24
<td class="toolbar"> </td>
25
<td class="toolbar"><a accesskey="5" class="toolbar" href="../help/glossary.html">Glossary</a></td>
26
<td class="toolbar"> </td>
27
<td class="toolbar"><a accesskey="6" class="toolbar" href="../help/index.html">Help</a></td>
31
<h1>NTFS - Glossary</h1>
36
<a href="#a" accesskey="a">A</a> <a href="#b" accesskey="b">B</a>
37
<a href="#c" accesskey="c">C</a> <a href="#d" accesskey="d">D</a>
38
<a href="#e" accesskey="e">E</a> <a href="#f" accesskey="f">F</a>
39
<a href="#g" accesskey="g">G</a> <a href="#h" accesskey="h">H</a>
40
<a href="#i" accesskey="i">I</a> <a href="#j" accesskey="j">J</a>
41
<a href="#k" accesskey="k">K</a> <a href="#l" accesskey="l">L</a>
42
<a href="#m" accesskey="m">M</a> <a href="#n" accesskey="n">N</a>
43
<a href="#o" accesskey="o">O</a> <a href="#p" accesskey="p">P</a>
44
<a href="#q" accesskey="q">Q</a> <a href="#r" accesskey="r">R</a>
45
<a href="#s" accesskey="s">S</a> <a href="#t" accesskey="t">T</a>
46
<a href="#u" accesskey="u">U</a> <a href="#v" accesskey="v">V</a>
47
<a href="#w" accesskey="w">W</a> <a href="#x" accesskey="x">X</a>
48
<a href="#y" accesskey="y">Y</a> <a href="#z" accesskey="z">Z</a>
52
This is a glossary of all terms.
53
Some entries refer to other entries, e.g. <q>See also</q>.
54
Some entries have an entire page of their own, e.g. <q>More...</q>
55
If your browser supports access keys, then you can jump around this
56
document by using, for example, Alt-M for the M section.
60
<dd><a name="a"></a></dd>
62
<dt>. <a href="#dot">(See Dot, Root Directory)</a></dt>
64
<dd><a name="ace"></a></dd>
65
<dt>Access Control Entry (ACE)</dt>
67
An Access Control Entry is the smallest unit of security.
68
It contains a SID (either a user or a group) and permissions information.
69
The permission will be one of <q>Access Allowed</q>, <q>Access Denied</q>
70
or <q>System Audit</q>. This object has flags to determine how the
71
permissions should be inherited.
73
<a href="#sid">SID</a>,
74
<a href="#acl">ACL</a> and
75
<a href="#audit">Auditing</a>
78
<dd><a name="acl"></a></dd>
79
<dt>Access Control List (ACL)</dt>
81
This security structure contains a list of ACEs.
83
<a href="#security_descriptor">$SECURITY_DESCRIPTOR</a>,
84
<a href="#sid">SID</a>,
85
<a href="#acl">ACL</a> and
86
<a href="#audit">Auditing</a>
89
<dt>ACE <a href="#ace">(See Access Control Entry)</a></dt>
91
<dt>ACL <a href="#acl">(See Access Control List)</a></dt>
93
<dd><a name="attrdef"></a></dd>
94
<dt>$AttrDef <a href="../files/attrdef.html">(More...) </a></dt>
96
This <a href="#metadata">metadata</a> file contains the definitions
97
of all the <a href="#attribute">attributes</a> that are allowed on an
98
NTFS <a href="#volume">volume</a>.
101
<dd><a name="attribute"></a></dd>
104
on disk a file is stored as a set of attributes
108
<dd><a name="attribute_list"></a></dd>
109
<dt>$ATTRIBUTE_LIST <a href="../attributes/attribute_list.html">(More...) </a></dt>
111
This <a href="#attribute">attribute</a> is used when a file's
112
attributes won't fit in a single MFT File Record. It has a list
113
of all the attributes and where they can be found. The $ATTRIBUTE_LIST
114
is always stored in the Base FILE Record.
116
<a href="#file_record">File Record</a>
117
<a href="#mft">$MFT</a>
118
<a href="#base_file_record">Base FILE Record</a>
121
<dd><a name="audit"></a></dd>
122
<dt>Audit, Auditing</dt>
124
As part of the security permissions of a file,
125
any actions performed on the file can be recorded.
126
For example a file could be required to log all the people who tried
127
to read it, but didn't have the permissions to do so.
134
<dd><a name="b"></a></dd>
136
<dd><a name="b+_tree"></a></dd>
139
A B+ tree is a variant of the binary tree.
140
Instead of one data element per node, there are many.
141
(In NTFS the actual number depends on the lengths of
142
the names and the cluster size). The B+ tree retains
143
the efficiency of a binary tree and also performs well
144
with large numbers of data elements (because the tree tends
145
to grow wide rather than deep).
147
<a href="#binary_tree">Binary Tree</a> and
148
<a href="#balanced_tree">Balanced Tree</a>.
151
<dd><a name="baad"></a></dd>
154
During chkdsk, if NTFS finds a multi-sector item (MFT, INDEX BLOCK, etc)
155
where the multi-sector header doesn't match the values at the end of the
156
sector, it marks the item with the magic number 'BAAD', and fill it with zeroes
157
(except for a short at the end of each sector...)
160
"BAAD" == corrupt record
163
"HOLE" == ??? (NTFS 3.0+?)
164
"INDX" == index buffer
168
<a href="#chkdsk">chkdsk</a> and
169
<a href="#fsck">fsck</a>.
172
<dd><a name="bad"></a></dd>
175
This is the named Data Stream representing bad clusters on a volume.
177
<a href="#badclus">$BadClus</a>.
180
<dd><a name="badclus"></a></dd>
181
<dt>$BadClus <a href="../files/badclus.html">(More...) </a></dt>
183
This <a href="#metadata">metadata</a> file lists all the unreadable
184
<a href="#cluster">clusters</a> on the <a href="#volume">volume</a>.
187
<dd><a name="balanced_tree"></a></dd>
188
<dt>Balanced Tree</dt>
190
Often binary trees can become very uneven. By reorganising
191
the data, the tree can be balanced such that no a node has
192
similar numbers of children to it's left and right.
194
<a href="#b+_tree">B+ Tree</a> and
195
<a href="#binary_tree">Binary Tree</a>.
198
<dd><a name="base_file_record"></a></dd>
199
<dt>Base FILE Record</dt>
201
If the attributes don't fit into a single MFT record
202
then the Base FILE Record holds enough information to
203
locate the other records.
205
<a href="#attribute_list">$ATTRIBUTE_LIST</a>,
206
<a href="#file_record">FILE Record</a> and
207
<a href="#mft">$MFT</a>.
210
<dd><a name="binary"></a></dd>
213
Maths carried out in base two. In this documentation, certain flags
214
fields are represented in binary, for the sake of clarity. e.g.
215
00001000<sub>2</sub>, 010000000<sub>2</sub>.
217
<a href="#decimal">Decimal</a>,
218
<a href="#hex">Hex</a> and
219
<a href="#units">Units</a>.
222
<dd><a name="binary_tree"></a></dd>
225
This is an efficient way of storing sorted data in order.
226
Each node in the tree represents a data element.
227
The left child node is a collection of all the elements that come before it.
228
The right child node is a collection of all the elements that come after it.
230
<a href="#b+_tree">B+ Tree</a> and
231
<a href="#balanced_tree">Balanced Tree</a>.
234
<dd><a name="bit"></a></dd>
237
One binary digit, one or zero.
239
<a href="#units">Units</a>,
242
<dt>$Bitmap <a href="../files/bitmap.html">(More...) </a></dt>
244
This <a href="#metadata">metadata</a> file keeps track of
245
which <a href="#cluster">clusters</a> are in use on the
246
<a href="#volume">volume</a>.
249
<dt>$BITMAP <a href="../attributes/bitmap.html">(More...) </a></dt>
251
This <a href="#attribute">attribute</a> keeps track of which
252
<a href="#record">records</a> are in use in an index.
255
<dd><a name="block"></a></dd>
258
In Linux terminology, this is a cluster. Block device In Linux
259
terminology, this is a storage unit. Cluster The minimum allocation
260
unit. Clusters are a fixed power of 2 of the sector size (called the
261
cluster factor), and their size can be between 512 bytes and 4 KB
262
(Sometimes 64 KB, but 4 KB is the largest cluster size that the current
263
NTFS compression engine can operate with. That limit may be related to
264
the 4 KB page size used on the Intel i386 CPU). This size can be set
265
with the Windows NT format utility, whose default is: Volume size
266
Cluster size 1 to 512 MB Sector size 512 MB to 1 GB 1 KB 1 GB to 2 GB 2
267
KB more than 2 GB 4 KB
270
<dd><a name="boot"></a></dd>
271
<dt>$Boot <a href="../files/boot.html">(More...) </a></dt>
273
This <a href="#metadata">metadata</a> file points at the boot sector
274
of the <a href="#volume">volume</a>. It contains information about
275
the size of the <a href="#volume">volume</a>, <a href="#cluster">clusters</a>
276
and the <a href="#mft">MFT</a>.
279
<dd><a name="byte"></a></dd>
280
<dt>Byte <a href="#units">(See Units)</a></dt>
286
<dd><a name="c"></a></dd>
288
<dd><a name="chkdsk"></a></dd>
291
This is a DOS and Windows utility to check and repair filesystems.
292
Its name is an abbreviation of check disk.
294
<a href="#fsck">fsck</a>.
297
<dd><a name="cluster"></a></dd>
300
This is the smallest unit of disk that NTFS uses
301
and it is a multiple of the sector size.
302
It is determined when the volume is formatted and
303
cannot be altered afterwards.
305
<a href="#sector">Sector</a>,
306
<a href="#boot">$Boot</a> and
307
<a href="#volume">Volume</a>.
310
<dd><a name="compression"></a></dd>
313
NTFS supports file- and directory-level compression.
314
The compression is performed transparently when the file
315
is read or written. Any new files in a compressed
316
directory will automatically be compressed.
318
<a href="#compression_unit">Compression Unit</a>
321
<dd><a name="compression_unit"></a></dd>
322
<dt>Compression Unit</dt>
324
Each file marked to be compressed is divided into sixteen
325
cluster blocks, known as compression units. If one of these
326
blocks cannot be compressed into fifteen clusters or less
327
it is left uncompressed. This division also helps accessing
328
a file randomly, ie it isn't necessary to decompress the whole
331
<a href="#cluster"></a>
332
<a href="#compression"></a>
339
<dd><a name="d"></a></dd>
341
<dd><a name="data"></a></dd>
342
<dt>$DATA <a href="../attributes/data.html">(More...) </a></dt>
344
This <a href="#attribute">attribute</a> contains the actual
345
data for a file. This <a href="#stream">stream</a> may also
349
<dd><a name="data_runs"></a></dd>
350
<dt>Data Runs <a href="../concepts/data_runs.html">(More...) </a></dt>
352
Non-resident attributes are stored in intervals of clusters called runs.
353
Each run is represented by its starting cluster and its length.
354
The runs map the VCNs of a file to the LCNs of a volume.
356
<a href="#attribute">Attribute</a>,
357
<a href="#cluster">Cluster</a>,
358
<a href="#lcn">LCN</a>,
359
<a href="#vcn">VCN</a> and
360
<a href="#volume">Volume</a>.
363
<dd><a name="decimal"></a></dd>
366
Maths carried out in base ten. In this documentation,
367
numbers that are neither in <a href="#hex">hex</a>, nor
368
<a href="#binary">binary</a>, are in decimal,
369
e.g. 16 (sixteen), 23 (twenty-three).
371
<a href="#binary">Binary</a>,
372
<a href="#hex">Hex</a> and
373
<a href="#units">Units</a>.
376
<dd><a name="directory"></a></dd>
377
<dt>Directory <a href="../concepts/directory.html">(More...) </a></dt>
379
An NTFS directory is an index attribute. NTFS uses index attributes to collate
380
file names. A directory entry contains the name of the file and a copy of the
381
file's standard information attribute (time stamp information). This approach
382
provides a performance boost for directory browsing because NTFS does not need
383
to read the files' MFT records to print directory information.
386
<dd><a name="dos_file_permissions"></a></dd>
387
<dt>DOS File Permissions <a href="#file_permissions">(see File Permissions)</a></dt>
389
<dd><a name="dot"></a></dd>
390
<dt>Dot, Root Directory <a href="../files/dot.html">(More...) </a></dt>
392
Root directory of the disk
395
<dd><a name="drive"></a></dd>
396
<dt>Drive <a href="#volume">(See Volume)</a></dt>
398
<dd><a name="dynamic_disk"></a></dd>
399
<dt>Dynamic Disk</dt>
402
Dynamic disk SDS, win2k
410
<dd><a name="e"></a></dd>
412
<dd><a name="ea"></a></dd>
413
<dt>$EA <a href="../attributes/ea.html">(More...) </a></dt>
415
This <a href="#attribute">attribute</a> is used to implement
416
the <a href="#hpfs">HPFS</a> extended attribute under NTFS.
417
It is only used for OS/2 compatibity.
420
<dd><a name="ea_information"></a></dd>
421
<dt>$EA_INFORMATION <a href="../attributes/ea_information.html">(More...) </a></dt>
423
This <a href="#attribute">attribute</a> is used to implement
424
the <a href="#hpfs">HPFS</a> extended attribute under NTFS.
425
It is only used for OS/2 compatibity.
428
<dd><a name="efs"></a></dd>
431
$EFS is the named $LOGGED_UTILITY_STREAM of any encrypted file.
433
<a href="#logged_utility_stream">$LOGGED_UTILITY_STREAM</a>.
436
<dd><a name="extend"></a></dd>
437
<dt>$Extend <a href="../files/extend.html">(More...) </a></dt>
439
This <a href="#metadata">metadata</a> directory contains the
440
<a href="#metadata">metadata</a> files:
441
<a href="#objid">$ObjId</a>,
442
<a href="#quota">$Quota</a>,
443
<a href="#reparse">$Reparse</a>.
450
<dd><a name="f"></a></dd>
452
<dd><a name="file"></a></dd>
453
<dt>File <a href="../concepts/file.html">(More...) </a></dt>
455
In the NTFS terminology, a file can be a normal file, directory
456
(like in Linux) or a system file.
459
<dd><a name="file_name"></a></dd>
460
<dt>$FILE_NAME <a href="../attributes/file_name.html">(More...) </a></dt>
462
This <a href="#attribute">attribute</a> represents the file's name.
463
A file can have one or more names, which can be in any directory.
464
This is the NTFS equivalent to Unix's hard links.
467
<dd><a name="filename_namespace"></a></dd>
468
<dt>Filename Namespace <a href="../concepts/filename_namespace.html">(More...) </a></dt>
470
Not all characters are valid in DOS filenames.
471
For compatibity NTFS stores which namespace the name belongs to.
474
<dd><a name="file_permissions"></a></dd>
475
<dt>File Permissions</dt>
477
NTFS supports the standard set of DOS file permissions, namely
478
<q>Archive</q>, <q>System</q>, <q>Hidden</q> and <q>Read Only</q>.
479
In addition, NTFS supports <q>Compressed</q> and <q>Encrypted</q>.
481
<a href="#security_descriptor">$SECURITY_DESCRIPTOR</a> and
482
<a href="#compression">Compression</a>
485
<dd><a name="file_record"></a></dd>
488
The $MFT is made up of FILE records, so named because of
489
a magic number of <q>FILE</q>. Each record has a standard
490
header and a list of attributes. If the attributes don't
491
fit into a single record, then more records will be used
492
and a $ATTRIBUTE_LIST attribute will be needed.
494
<a href="#attribute">Attribute</a>,
495
<a href="#attribute_list">Attribute List</a>,
496
<a href="#magic_number">Magic Number</a> and
497
<a href="#mft">$MFT</a>.
500
<dd><a name="file_record_segment"></a></dd>
501
<dt>File Record Segment (FRS)</dt>
504
FRS = MFT File Record
508
<dd><a name="file_reference"></a></dd>
509
<dt>File Reference</dt>
511
Each file record has a unique number identifying it.
512
The first 48 bits are a sequentially allocated number
513
which is the offset in the $MFT. The last 16 bits
514
are a sequence number. Every time the record is altered
515
this number is incremented. The sequence number can
516
help detect errors on the volume.
519
<a href="#file_record">File Record</a>,
520
<a href="#mft">$MFT</a> and
521
<a href="#volume">Volume</a>.
524
<dd><a name="file_runs"></a></dd>
525
<dt>File Runs <a href="#data_runs">(See Data Runs)</a></dt>
527
<dd><a name="filesize"></a></dd>
530
There are three file sizes that NTFS records.
531
Each of them stores the number of bytes
533
<li>R) Real. The number of bytes of data.</li>
534
<li>A) Allocated. The size taken up on disk.</li>
535
<li>I) Initialised. Size of compressed file.</li>
538
If the file is compressed, the Initialised Size may be smaller
542
<dd><a name="filesystem"></a></dd>
545
The physical structure an operating system uses to store and organize files on a storage unit.
546
A commonly used filesystem is FAT (used by DOS).
549
<dd><a name="fixup"></a></dd>
550
<dt>Fixup <a href="#update_sequence">(See Update Sequence)</a></dt>
552
<dd><a name="fork"></a></dd>
553
<dt>Fork <a href="#resource_fork">(See Resource Fork)</a></dt>
555
<dd><a name="fragmented"></a></dd>
561
<dd><a name="frs"></a></dd>
562
<dt>FRS <a href="#file_record_segment">(See File Record Segment)</a></dt>
564
<dd><a name="fsck"></a></dd>
567
This is a utility to check and repair filesystems.
568
Its name is an abbreviation of filesystem check.
575
<dd><a name="g"></a></dd>
577
<dd><a name="gb"></a></dd>
578
<dt>GB <a href="#units">(See Units)</a></dt>
580
<dd><a name="guid"></a></dd>
581
<dt>GUID <a href="#units">(See Units)</a></dt>
584
The valid format for a GUID is {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
586
Globally Unique Identifier (GUID)
588
GUID structures store globally unique identifiers (GUID). A GUID is a
589
128-bit value consisting of one group of eight hexadecimal digits, followed
590
by three groups of four hexadecimal digits each, followed by one group of
591
twelve hexadecimal digits. GUIDs are Microsoft's implementation of the
592
distributed computing environment (DCE) universally unique identifier (UUID).
594
1F010768-5A73-BC91-0010A52216A7
596
order stored on disk?
598
01020304-0506-0708-090A0B0C0D0E0F010
603
0x08 090A0B0C0D0E0F010
612
<dd><a name="h"></a></dd>
614
<dd><a name="hex"></a></dd>
615
<dt>Hex, Hexadecimal</dt>
617
Maths carried out in base sixteen. In this documentation,
618
many numbers represented in hex, e.g. 0x02E0, 0xF100.
620
<a href="#binary">Binary</a>,
621
<a href="#decimal">Decimal</a> and
622
<a href="#units">Units</a>.
625
<dd><a name="hfs"></a></dd>
626
<dt>HFS <a href="#hfs">(See Hierarchical File System)</a></dt>
628
<dt>Hierarchical File System (HFS)</dt>
630
The MacOS filesystem.
633
<dd><a name="hpfs"></a></dd>
634
<dt>High Performance File System (HPFS)</dt>
636
The OS/2 filesystem. Remember: once upon a time, OS/2 had to be the
637
operating system developed by both IBM and Microsoft. There was a break
638
between the 2 giants. IBM continued to develop OS/2 (it became OS/2
639
Warp), and that explains why OS/2 knows how to execute Windows
640
applications. Microsoft decided to make its own operating system:
641
Windows NT. HPFS design influenced NTFS design, so the 2 filesystems
645
<dt>HPFS <a href="#hpfs">(See High Performance File System)</a></dt>
651
<dd><a name="i"></a></dd>
653
<dd><a name="i30"></a></dd>
656
This is the named index used by directories.
657
The name refers to attribute 0x30 ($FILE_NAME).
659
<a href="#attribute">Attribute</a>,
660
<a href="#directory">Directory</a>,
661
<a href="#file_name">$FILE_NAME</a> and
662
<a href="#index">Index</a>
665
<dd><a name="index"></a></dd>
668
(just the whole index idea)
671
<dd><a name="index_allocation"></a></dd>
672
<dt>$INDEX_ALLOCATION <a href="../attributes/index_allocation.html">(More...) </a></dt>
674
This <a href="#attribute">attribute</a> contains the location of the entries
675
that make up an index.
678
<dd><a name="index_root"></a></dd>
679
<dt>$INDEX_ROOT <a href="../attributes/index_root.html">(More...) </a></dt>
681
This <a href="#attribute">attribute</a> is the root of an index.
682
The index is stored as a balanced binary tree.
683
The only attribute which is indexed is <a href="#file_name">$FILE_NAME</a>
684
and the index is called <a href="#i30">$I30</a>.
687
<dd><a name="indx_record"></a></dd>
688
<dt>INDX Record <a href="../concepts/index_record.html">(More...) </a></dt>
690
Index records are used by directories, $Quota, $Reparse
691
and $Secure. The contents depend on the type of index
692
being kept. Directories store $FILE_NAME attributes.
694
<a href="#directory">Directory</a>,
695
<a href="#i30">$I30</a>,
696
<a href="#quota">$Quota</a>,
697
<a href="#reparse">$Reparse</a> and
698
<a href="#secure">$Secure</a>.
701
<dd><a name="infinite_logging_area"></a></dd>
702
<dt>Infinite Logging Area</dt>
704
Something contained in $LogFile. It consists of a
705
sequence of 4KB log records.
707
<a href="#logfile">$LogFile</a>
710
<dd><a name="inode"></a></dd>
713
An inode is the filesystems representation of a file, directory, device, etc.
714
In NTFS every inode it represented by an MFT FILE record.
716
<a href="#directory">Directory</a>,
717
<a href="#file">File</a>,
718
<a href="#file_record">FILE Record</a> and
719
<a href="#filesystem">Filesystem</a>
726
<dd><a name="j"></a></dd>
728
<dd><a name="j"></a></dd>
731
$J is a named data stream of the Metadata File $UsnJrnl.
733
<a href="#usnjrnl">$UsnJrnl</a>
736
<dd><a name="junction_point"></a></dd>
737
<dt>Junction Point</dt>
739
Microsoft term for a mount point, available in NT 5.0.
746
<dd><a name="k"></a></dd>
748
<dd><a name="kb"></a></dd>
749
<dt>KB <a href="#units">(See Units)</a></dt>
755
<dd><a name="l"></a></dd>
757
<dt>LCN <a href="#lcn">(See Logical Cluster Number)</a></dt>
759
<dd><a name="log_record"></a></dd>
762
One 4KB chunk of the infinite logging area. It starts with
763
the magic number 'RCRD' and a fixup, then has undocumented variable
764
length data. [The log record might be further subdivided - I cannot
765
imagine they waste 4KB if they only have to log a few bytes. Custer
766
mentions high level and low level 'records'. High level are: - allocate
767
inode n, - make a directory entry foo in directory m low level are: -
768
modify inode n with the new contents of <1KB>]
771
<dd><a name="logfile"></a></dd>
772
<dt>$LogFile <a href="../files/logfile.html">(More...) </a></dt>
774
This <a href="#metadata">metadata</a> file is used
775
to guarantee data integrity in case of a system failure. It has two
776
copies of the restart area and the infinite logging area. The log file
777
is near the centre of the volume, just after the second cluster of
778
the boot file. [Better say 'run' than cluster. The boot file usually
779
extends over several clusters at the beginning of the disk, and then has
780
a single run of just one cluster (the copy of the boot sector). Also,
781
isn't it 'infinite'?]
782
Transactional logging file
785
<dd><a name="logged_utility_stream"></a></dd>
786
<dt>$LOGGED_UTILITY_STREAM <a href="../attributes/logged_utility_stream.html">(More...) </a></dt>
788
This <a href="#attribute">attribute</a> is used by encrypted files.
791
<dd><a name="lcn"></a></dd>
792
<dt>Logical Cluster Number (LCN)</dt>
794
A volume is divided into clusters. They are
795
numbered sequentially, starting at zero.
797
<a href="#cluster">Cluster</a> and
798
<a href="#volume">Volume</a>.
801
<dd><a name="lsn"></a></dd>
802
<dt>Logical Sequence Number (LSN)</dt>
804
A serial number used to
805
identify an NTFS log record.
808
<dt>LSN <a href="#lsn">(See Logical Sequence Number)</a></dt>
814
<dd><a name="m"></a></dd>
816
<dd><a name="magic_number"></a></dd>
817
<dt>Magic Number</dt>
819
Most of the on-disk structures in NTFS have a unique constant identifying them.
820
This number is usually located at the beginning of the structure and can be
821
used as a sanity check.
824
<dd><a name="master_file_table"></a></dd>
825
<dt>Master File Table <a href="#master_file_table">(See $MFT)</a></dt>
827
<dd><a name="max"></a></dd>
830
$Max is a named Data Stream of $UsnJrnl.
832
<a href="#usnjrnl">$UsnJrnl</a>
835
<dd><a name="mb"></a></dd>
836
<dt>MB <a href="#units">(See Units)</a></dt>
838
<dd><a name="metadata"></a></dd>
841
Data on the storage unit used by the filesystem only, as a
842
frame to access user data. Metadata constitutes the structure of the
843
filesystem). Metadata examples from various filesystems include FATs,
844
inode tables, free block lists, free block bitmaps, logging areas, and
850
Data about data. In data processing, meta-data is definitional data
851
that provides information about or documentation of other data managed
852
within an application or environment.
854
For example, meta data would document data about data elements or
855
attributes, (name, size, data type, etc) and data about records or
856
data structures (length, fields, columns, etc) and data about data
857
(where it is located, how it is associated, ownership, etc.). Meta
858
data may include descriptive information about the context, quality
859
and condition, or characteristics of the data.
863
<dd><a name="mft"></a></dd>
864
<dt>$MFT <a href="../files/mft.html">(More...) </a></dt>
866
This <a href="#metadata">metadata</a> file, the Master File Table,
867
is an index of all the files on the volume. It contains the
868
attributes of each file and the root of any indexes.
871
<dd><a name="mftmirr"></a></dd>
872
<dt>$MFTMirr <a href="../files/mftmirr.html">(More...) </a></dt>
874
This <a href="#metadata">metadata</a> file stores a copy of
875
the first four records of $MFT. It is a safety measure
876
which probably only gets used when chkdsk is run.
879
<dd><a name="mountmgrdatabase"></a></dd>
880
<dt>$MountMgrDatabase</dt>
882
$MountMgrDatabase is a named Data Stream of dot (the root directory).
883
It contains a list of mounted volumes.
885
<a href="#dot">Dot, Root Directory</a>.
888
<dd><a name="mst"></a></dd>
889
<dt>MST <a href="#multi_sector_transfer">(See Multi-Sector Transfer)</a></dt>
891
<dd><a name="multi_sector_transfer"></a></dd>
892
<dt>Multi-Sector Transfer</dt>
895
multiple sectors, fixup, safety checks
903
<dd><a name="n"></a></dd>
905
<dd><a name="nibble"></a></dd>
908
Half of a byte (4 bits).
911
<dd><a name="nt_authority"></a></dd>
912
<dt>NT Authority</dt>
914
The NT Authority defines the scope of the security identifier.
915
Numbers 0 - 4 represent internal identifiers, e.g.
916
World, Local. 5 represents the NT Authority.
918
<a href="#nt_sub_authority">NT Sub Authority</a>
919
<a href="#sid">SID</a>
920
<a href="#security_descriptor">$SECURITY_DESCRIPTOR</a>
923
<dd><a name="ntfs"></a></dd>
924
<dt>NTFS <a href="../attributes/volume_information.html">(More...) </a></dt>
926
NTFS is the file system of Windows NT, Windows 2000 and Windows XP.
928
<a href="#filesystem">Filesystem</a>
931
<dd><a name="nt_sub_authority"></a></dd>
932
<dt>NT Sub Authority</dt>
934
The Sub Authority can contain any number of fields (five is usual).
935
Sub Authorities beginning with 21 (0x15) denote a NT Domain identifier.
936
<a href="#nt_authority">NT Authority</a>
937
<a href="#sid">SID</a>
938
<a href="#security_descriptor">$SECURITY_DESCRIPTOR</a>
945
<dd><a name="o"></a></dd>
947
<dd><a name="o"></a></dd>
950
This is one of the named indexes belonging to $Quota and $ObjId.
952
<a href="#index">Index</a>,
954
<a href="#objid">$ObjId</a> and
955
<a href="#quota">$Quota</a>.
958
<dd><a name="object_id"></a></dd>
959
<dt>$OBJECT_ID <a href="../attributes/object_id.html">(More...) </a></dt>
961
This <a href="#attribute">attribute</a> stores a mapping between a
962
SID and a Security Hash.
965
<dd><a name="objid"></a></dd>
966
<dt>$ObjId <a href="../files/objid.html">(More...) </a></dt>
968
This <a href="#attribute">attribute</a> record's the unique identifiers
969
given to files and directorys when using Distributed Link Tracking.
976
<dd><a name="p"></a></dd>
978
<dd><a name="pam"></a></dd>
981
Pluggable Authentication Modules (PAM) are a set of libraries
982
for validating security on Linux.
985
<dd><a name="partition"></a></dd>
986
<dt>Partition <a href="#volume">(See Volume)</a></dt>
988
<dd><a name="partition_table"></a></dd>
989
<dt>Partition Table</dt>
993
SFS Win2K dynamic disk
997
<dd><a name="permissions"></a></dd>
1000
There are two mechanisms for storing permissions in NTFS.
1001
One is a superset of DOS File Permissions, which includes
1002
<q>Read Only</q> and <q>Hidden</q>.
1003
The other is based on ACEs and allows granting specific
1004
permissions to specific users.
1006
<a href="#ace">$ACE</a>,
1007
<a href="#file_permissions">File Permissions</a> and
1008
<a href="#security_descriptor">$SECURITY_DESCRIPTOR</a>
1011
<dd><a name="posix"></a></dd>
1014
An acronym (pronounced like positive) for Portable Operating System
1015
Interface, suggested by Richard M. Stallman. It is a set of
1016
international standards (ISO/IEC 9945-1:1996(E), ANSI/IEEE Std 1003.1
1017
1996 Edition) to interface with Unix-like exploitation systems, e.g.
1018
Linux. NTFS does not support Unix-like device files.
1021
<dd><a name="property_set"></a></dd>
1022
<dt>$PROPERTY_SET <a href="../attributes/property_set.html">(More...) </a></dt>
1031
<dd><a name="q"></a></dd>
1033
<dd><a name="q"></a></dd>
1036
This is one of the named indexes belonging to $Quota.
1038
<a href="#index">Index</a>,
1039
<a href="#o">$O</a> and
1040
<a href="#quota">$Quota</a>.
1043
<dd><a name="quota"></a></dd>
1044
<dt>$Quota <a href="../files/quota.html">(More...) </a></dt>
1046
This <a href="#metadata">metadata</a> file stores information
1054
<dd><a name="r"></a></dd>
1056
<dd><a name="r"></a></dd>
1059
This is the named index belonging to $Reparse.
1061
<a href="#index">Index</a>,
1062
<a href="#reparse">$Reparse</a>.
1065
<dd><a name="rcrd_record"></a></dd>
1066
<dt>RCRD Record</dt>
1068
This record is used in the $LogFile. Each represents
1069
an atomic transaction that is to be performed.
1071
<a href="#logfile">$LogFile</a> and
1072
<a href="#transaction">Transaction</a>
1075
<dd><a name="record"></a></dd>
1078
There are several record types in NTFS.
1079
FILE Record are used in the $MFT, INDX Records in indexes,
1080
RCRD and RSTR Records in the $LogFile.
1082
<a href="#file_record">FILE Record</a>,
1083
<a href="#indx_record">INDX Record</a>,
1084
<a href="#rcrd_record">RCRD Record</a> and
1085
<a href="#rstr_record">RSTR Record</a>
1088
<dd><a name="recursion"></a></dd>
1089
<dt>Recursion <a href="#recursion">(See Recursion)</a></dt>
1091
<dd><a name="reference"></a></dd>
1094
file (are there any others?)
1097
<dd><a name="reparse"></a></dd>
1098
<dt>$Reparse <a href="../files/reparse.html">(More...) </a></dt>
1100
This <a href="#metadata">metadata</a> file stores information
1101
about reparse points.
1104
<dd><a name="reparse_point"></a></dd>
1105
<dt>$REPARSE_POINT <a href="../attributes/reparse_point.html">(More...) </a></dt>
1107
This <a href="#attribute">attribute</a> stores information about
1111
<dd><a name="resource_fork"></a></dd>
1112
<dt>Resource Fork</dt>
1114
In MacOS's filesystem, HFS, files are allowed to have multiple
1115
data streams. These are called resource forks.
1117
<a href="#hfs">HFS</a> and
1118
<a href="#stream">Stream</a>.
1121
<dd><a name="roll-back"></a></dd>
1124
When an NTFS volume is mounted, it is checked to see if it
1125
is in a consistant state. If it isn't then the $LogFile is
1126
consulted and transactions are undone until the disk returns
1127
to a consistant state. This does not guarantee data integrity,
1128
only disk integrity.
1130
<a href="#logfile">$LogFile</a>,
1131
<a href="#transaction">Transaction</a> and
1132
<a href="#volume">Volume</a>.
1135
<dd><a name="root_directory"></a></dd>
1136
<dt>Root Directory <a href="#dot">(See Dot, Root Directory)</a></dt>
1138
<dd><a name="rstr_record"></a></dd>
1139
<dt>RSTR Record</dt>
1141
Two copies of this are in $LogFile. A restart area has the
1142
magic number 'RSTR' followed by a fixup and some other data, including
1143
three LSNs. A restart area has a pointer into the log area, such as the
1144
first and last log records written and the last checkpoint record
1145
written. (that is three - now which is which?)
1148
<dd><a name="runs"></a></dd>
1149
<dt>Runs <a href="#data_runs">(See Data Runs)</a></dt>
1155
<dd><a name="s"></a></dd>
1157
<dd><a name="sdh"></a></dd>
1160
This is one of the named indexes belonging to $Secure.
1162
<a href="#index">Index</a>,
1163
<a href="#sii">$SII</a> and
1164
<a href="#secure">$Secure</a>.
1167
<dd><a name="sds"></a></dd>
1170
This is the named data stream belonging to $Secure.
1172
<a href="#secure">$Secure</a> and
1173
<a href="#stream">Stream</a>
1176
<dd><a name="sector"></a></dd>
1179
Unit of data on the physical storage unit. The storage controller
1180
can only access data in multiples of this unit. A sector is usually 512
1181
bytes, but can be 1 KB on certain Asian hard disks.
1184
<dd><a name="secure"></a></dd>
1185
<dt>$Secure <a href="../files/secure.html">(More...) </a></dt>
1187
This <a href="#metadata">metadata</a> file stores a table of security
1188
descriptors used by the volume.
1191
<dd><a name="security"></a></dd>
1194
There are two levels of security in NTFS.
1195
There are the DOS File Permissions, such as <q>Read Only</q> and <q>Hidden</q>
1196
and an ACL model which grants specific permissions to specific users.
1198
<a href="#ace">ACE</a>,
1199
<a href="#acl">ACL</a>,
1200
<a href="#permissions">Permissions</a>,
1201
<a href="#security_descriptor">$SECURITY_DESCRIPTOR</a> and
1202
<a href="#sid">SID</a>.
1205
<dd><a name="security_descriptor"></a></dd>
1206
<dt>$SECURITY_DESCRIPTOR <a href="../attributes/security_descriptor.html">(More...) </a></dt>
1208
This attribute stores all the security information about a file or
1209
directory. It contains an ACL for auditing, an ACL for permissions and
1210
a SID to show the user and group of the owner.
1212
<a href="#attribute">Attribute</a>,
1213
<a href="#acl">ACL</a>,
1214
<a href="#ace">ACE</a> and
1215
<a href="#sid">SID</a>.
1218
<dd><a name="sid"></a></dd>
1219
<dt>Security Identifier (SID)</dt>
1221
This variable-length identifier uniquely identifies a user
1222
or a group on an NT domain. It is used in the security permissions.
1224
<a href="#ace">ACE</a>,
1225
<a href="#acl">ACL</a> and
1226
<a href="#security_descriptor">$SECURITY_DESCRIPTOR</a>.
1229
<dd><a name="sequence_array"></a></dd>
1230
<dt>Sequence Array <a href="#sid">(See Update Sequence)</a></dt>
1232
<dt>SID <a href="#sid">(See Security Identifier)</a></dt>
1234
<dd><a name="sii"></a></dd>
1237
This is one of the named indexes belonging to $Secure.
1239
<a href="#index">Index</a>,
1240
<a href="#sdh">$SDH</a> and
1241
<a href="#secure">$Secure</a>.
1244
<dd><a name="sparse_file"></a></dd>
1245
<dt>Sparse File</dt>
1247
NTFS supports sparse files. If a file contains large, contiguous,
1248
blocks of zeros, then NTFS can choose to not waste any space storing
1249
these portions on disk. They are represented as data runs containing
1250
nothing. When read from disk, NTFS simply substitutes zeros.
1252
<a href="#data_runs">Data Runs</a>.
1255
<dd><a name="standard_information"></a></dd>
1256
<dt>$STANDARD_INFORMATION <a href="../attributes/standard_information.html">(More...) </a></dt>
1258
This <a href="#attribute">attribute</a> contains information about a file,
1259
such as its file permissions and when it was created.
1262
<dd><a name="stream"></a></dd>
1265
All data on NTFS is stored in streams, which can have names.
1266
A file can have more than one data streams,
1267
but exactly one must have no name.
1268
The <q>size</q> of a file is the size of its unnamed data attribute.
1271
<dd><a name="symbolic_link"></a></dd>
1272
<dt>$SYMBOLIC_LINK</dt>
1274
This <a href="#attribute">attribute</a>
1275
This attribute, like <a href="#volume_version">$VOLUME_VERSION</a>
1276
existed in NTFS v1.2, but wasn't used.
1277
It does not longer exist in NTFS v3.0+.
1284
<dd><a name="t"></a></dd>
1286
<dd><a name="tb"></a></dd>
1287
<dt>TB <a href="#units">(See Units)</a></dt>
1289
<dd><a name="time_stamp"></a></dd>
1292
NTFS stores four significant times referring to files and directories.
1293
They are: File creation time; Last modification time; Last modification
1294
of the MFT record; Last access time. NTFS stores dates as the number
1295
of 100ns units since Jan 1<sup>st</sup> 1601.
1296
Unix, stores dates as the number of seconds since Jan 1<sup>st</sup> 1970.
1298
standardise 4 time fields name & description concept page?
1299
refer to 4 times as:
1301
A alter (modification)
1303
R read (last access)
1306
NOTE: There is conflicting information about the meaning of each of the time
1307
fields but the meaning as defined below has been verified to be
1308
correct by practical experimentation on Windows NT4 SP6a and is hence
1309
assumed to be the one and only correct interpretation.
1312
Time file was created. Updated when a filename is changed(?).
1314
last_data_change_time
1315
Time the data attribute was last modified.
1317
last_mft_change_time
1318
Time this mft record was last modified.
1321
Approximate time when the file was last accessed (obviously this is not
1322
updated on read-only volumes). In Windows this is only updated when
1323
accessed if some time delta has passed since the last update.
1326
N.B. There is conflicting information about the meaning of each of the time
1327
fields but the meaning as defined below has been verified to be
1328
correct by practical experimentation on Windows NT4 SP6a and is hence
1329
assumed to be the one and only correct interpretation.
1333
<a href="#file_record">File Record</a>
1336
<dd><a name="transaction"></a></dd>
1337
<dt>Transaction</dt>
1339
A transaction on a system is a set of operations (on that
1340
system) that constitutes a unit. This unit can't be divided. Before the
1341
transaction, the state of the system is well defined. During the
1342
transaction, it is undefined. After the transaction, it is well defined
1343
again. A transaction can't be half-realized: if no operation fails, the
1344
transaction is realized. If on the contrary an error occurs in one or
1345
more of the operations, the transaction is not realized. A set of (even
1346
atomic) operations is not atomic by definition. A transaction is a model
1347
that provides a kind of atomicity to this set of operations.
1354
<dd><a name="u"></a></dd>
1356
<dd><a name="unfragmented"></a></dd>
1357
<dt>Unfragmented <a href="#fragmented">(see Fragmented)</a></dt>
1359
<dd><a name="unicode"></a></dd>
1362
International character set coded on 16 bits (ASCII is coded on
1363
7 bits and Latin-1 coded on 8 bits). Unicode can represent every symbol
1364
of almost every language in the world.
1367
<dd><a name="units"></a></dd>
1370
Every size in this document is measured in bytes (unless clearly marked).
1371
The abbreviations for sizes are:
1374
<table border="1" summary="" cellspacing="0">
1378
<th class="numeric">Exactly</th>
1379
<th class="numeric">Approx.</th>
1384
<td class="numeric">2<sup>10</sup></td>
1385
<td class="numeric">10<sup>3</sup></td>
1390
<td class="numeric">2<sup>20</sup></td>
1391
<td class="numeric">10<sup>6</sup></td>
1396
<td class="numeric">2<sup>30</sup></td>
1397
<td class="numeric">10<sup>9</sup></td>
1402
<td class="numeric">2<sup>40</sup></td>
1403
<td class="numeric">10<sup>12</sup></td>
1408
<pre>see also Binary, Decimal, Hexadecimal</pre>
1410
N.B. Technically, the correct abbreviation for 1024 bytes
1411
is KiB, which stands for kilobinary bytes.
1414
<dd><a name="upcase"></a></dd>
1415
<dt>$UpCase <a href="../files/upcase.html">(More...) </a></dt>
1417
This <a href="#metadata">metadata</a> file contains 128KB of capital
1418
letters. For each character in the Unicode alphabet, there
1419
is an entry in this file. It is used to compare and sort filenames.
1422
<dd><a name="update_sequence"></a></dd>
1423
<dt>Update Sequence</dt>
1425
Several structures in NTFS have sequence numbers in them
1426
to check for consistancy errors. They are FILE, INDX, RCRD
1427
and RSTR records. Before the record is written to disk,
1428
the last two bytes of each sector are copied to an array
1429
in the header. The update sequence number is then
1430
incremented and written to the end of each sector. If
1431
any disk corruption occurs, this technique could detect it.
1434
The Update Sequence Array (usa) is an array of the __u16 values which belong
1435
to the end of each sector protected by the update sequence record in which
1436
this array is contained. Note that the first entry is the Update Sequence
1437
Number (usn), a cyclic counter of how many times the protected record has
1438
been written to disk. The values 0 and -1 (ie. 0xffff) are not used. All
1439
last __u16's of each sector have to be equal to the usn (during reading) or
1440
are set to it (during writing). If they are not, an incomplete multi sector
1441
transfer has occured when the data was written.
1442
The maximum size for the update sequence array is fixed to:
1443
maximum size = usa_ofs + (usa_count * 2) = 510 bytes
1444
The 510 bytes comes from the fact that the last __u16 in the array has to
1445
(obviously) finish before the last __u16 of the first 512-byte sector.
1446
This formula can be used as a consistency check in that usa_ofs +
1447
(usa_count * 2) has to be less than or equal to 510.
1451
<a href="#file_record">FILE Record</a>
1452
<a href="#indx_record">INDX Record</a>
1453
<a href="#rcrd_record">RCRD Record</a>
1454
<a href="#rstr_record">RSTR Record</a>
1457
<dd><a name="usnjrnl"></a></dd>
1458
<dt>$UsnJrnl <a href="../files/usnjrnl.html">(More...) </a></dt>
1460
<pre>used for logging</pre>
1467
<dd><a name="v"></a></dd>
1469
<dd><a name="vcn"></a></dd>
1470
<dt>VCN <a href="#vcn">(See Virtual Cluster Number)</a></dt>
1472
<dt>Virtual Cluster Number (VCN)</dt>
1474
When representing the data runs of a file, the clusters
1475
are given virtual cluster numbers. Cluster zero refers
1476
to the first cluster of the file. The data runs map the
1477
VCNs to LCNs so that the file can be located on the volume.
1479
<a href="#cluster">Cluster</a>,
1480
<a href="#lcn">LCN</a> and
1481
<a href="#volume">Volume</a>.
1484
<dd><a name="volume"></a></dd>
1487
(=drive=partition) (extended, striped, mirrored (not supported))
1488
A logical NTFS partition. It is a group of physical partitions
1489
(see the fdisk utility, you can set up mirroring and stripping) that act
1490
as one (somewhat like the Linux md block devices).
1493
<dt>$Volume <a href="../files/volume.html">(More...) </a></dt>
1495
This <a href="#metadata">metadata</a> file contains information
1496
such as the name, serial number and whether the volume needs
1497
checking for errors.
1500
<dd><a name="volume_information"></a></dd>
1501
<dt>$VOLUME_INFORMATION <a href="../attributes/volume_information.html">(More...) </a></dt>
1503
This <a href="#attribute">attribute</a> contains information
1504
such as the serial number, creation time and whether the volume
1505
needs checking for errors.
1508
<dd><a name="volume_name"></a></dd>
1509
<dt>$VOLUME_NAME <a href="../attributes/volume_name.html">(More...) </a></dt>
1511
This <a href="#attribute">attribute</a> stores the name of the
1515
<dd><a name="volume_version"></a></dd>
1516
<dt>$VOLUME_VERSION</dt>
1518
This <a href="#attribute">attribute</a>
1519
This attribute, like <a href="#symbolic_link">$SYMBOLIC_LINK</a>
1520
existed in NTFS v1.2, but wasn't used.
1521
It does not longer exist in NTFS v3.0+.
1524
<dd><a name="w"></a></dd>
1525
<dd><a name="x"></a></dd>
1526
<dd><a name="y"></a></dd>
1527
<dd><a name="z"></a></dd>
1531
<a class="contact" href="http://linux-ntfs.sourceforge.net/ntfs/help/glossary.html">Online</a>
1532
<!-- The two validators will only work if this page is visible on the web -->
1533
<a class="contact" href="http://validator.w3.org/check/referer">Validate HTML</a>
1534
<a class="contact" href="http://jigsaw.w3.org/css-validator/check/referer">Validate CSS</a>
1535
<a class="contact" href="mailto:webmaster@flatcap.org">$Id: glossary.html,v 1.13 2001/07/11 17:09:23 flatcap Exp $</a>