
Reading MFT in NTFS


While wandering the web looking for explanations of how to read/write MFT I found the following section (http://www.installsetupconfig.com/win32programming/1996%20AppE_apnilife.pdf):

If NtfsProtectSystemFiles is set to FALSE, then the special files can be opened. There are, however, some drawbacks associated with attempting to do this: Because many of the special files are opened in a special way when mounting the volume, they are not prepared to handle the IRP_MJ_READ requests resulting from a call to ZwReadFile, and the system crashes if such a request is received. These special files can be read by mapping the special file with ZwCreateSection and ZwMapViewOfSection and then reading the mapped data. A further problem is that a few of the special files are not prepared to handle the IRP_MJ_CLEANUP request that is generated when the last handle to a file object is closed, and the system crashes if such a request is received. The only option is to duplicate the open handle to the special file into a process that never terminates (such as the system process).

  1. What does it mean “they are not prepared to handle the IRP_MJ_READ requests” what kind of preparation is needed? What is IRP_MJ_READ?
  2. “Mapping the special file with ZwCreateSection and ZwMapViewOfSection and then reading the mapped data” How does that solve the problem?
  3. What does it mean “files are not prepared to handle the IRP_MJ_CLEANUP request that is generated when the last handle to a file object is closed”? Again, what is that preparation? What is IRP_MJ_CLEANUP?
  4. “Duplicate the open handle to the special file into a process that never terminates” How does that solve the problem?

Solution

  • That's old data (from 1996). And more than a little incorrect. The world has moved on since then.

    You might try opening $MFT to read the MFT, but getting the access bits right might be problematic. You can also write them, but that's really playing with fire. The file system does not expect that its data structures will be modified without its involvement.

    You are much better off opening the partition raw and walking the disk structures directly.
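The answer recommends opening the partition raw and walking the on-disk structures directly. The example below is an added illustration, not code from the answerer or from any NTFS project, of what "walking the structures" means for a single 1024-byte FILE record from $MFT: validating the signature, undoing the update-sequence (fixup) protection that NTFS writes into the last two bytes of every sector, and then enumerating the resident attributes, including decoding the name out of $FILE_NAME. The record layout follows the publicly documented NTFS on-disk format; the record itself is constructed in code (record number 64, update sequence number 7, file name "example.txt" and a parent reference to record 5 are all made-up sample values), so it runs offline without touching a real volume. Opening the raw volume (on Windows, a device path such as \\.\C:, which requires administrator rights) and locating $MFT from the boot sector are assumed to happen before this parser is called.

```python
import struct

SECTOR = 512
RECORD_SIZE = 1024  # common MFT record size; an assumption for the constructed sample

ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF


def apply_fixups(raw: bytes) -> bytearray:
    """Undo the NTFS update-sequence (fixup) protection in one FILE record.

    On disk, the last two bytes of every sector are replaced by the update
    sequence number (USN); the original bytes are kept in the update sequence
    array (USA) in the record header.  A mismatch means a torn write, and a
    forensic or repair tool should refuse the record rather than use it.
    """
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record (bad signature, possibly a BAAD record)")
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)  # count includes the USN word
    usn = raw[usa_off:usa_off + 2]
    rec = bytearray(raw)
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn record")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]  # restore original bytes
    return rec


def record_is_consistent(raw: bytes) -> bool:
    """True if the record carries the FILE signature and all fixups verify."""
    try:
        apply_fixups(raw)
        return True
    except ValueError:
        return False


def parse_file_name(value: bytes) -> dict:
    """Decode the parts of a $FILE_NAME attribute value that identify the file."""
    parent_ref = struct.unpack_from("<Q", value, 0)[0]
    name_len, namespace = value[0x40], value[0x41]
    name = value[0x42:0x42 + 2 * name_len].decode("utf-16-le")
    # low 48 bits of a file reference are the MFT record number, high 16 the sequence
    return {"parent_record": parent_ref & 0xFFFFFFFFFFFF, "namespace": namespace, "name": name}


def parse_mft_record(raw: bytes) -> dict:
    """Parse the header and the resident attributes of one MFT FILE record."""
    rec = apply_fixups(raw)
    seq, links, first_attr, flags, used, alloc, base_ref, next_id = struct.unpack_from("<HHHHIIQH", rec, 0x10)
    record_number = struct.unpack_from("<I", rec, 0x2C)[0]
    if used > alloc or alloc > len(rec):
        raise ValueError("record sizes exceed the buffer")
    attrs = []
    off = first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if alen < 0x18 or off + alen > used:
            raise ValueError(f"malformed attribute at offset {off:#x}")
        non_resident = bool(rec[off + 8])
        entry = {"type": atype, "non_resident": non_resident}
        if not non_resident:  # non-resident attributes carry data runs instead of a value
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            if voff + vlen > alen:
                raise ValueError(f"resident value overruns attribute at offset {off:#x}")
            value = bytes(rec[off + voff:off + voff + vlen])
            entry["value"] = value
            if atype == ATTR_FILE_NAME:
                entry["name"] = parse_file_name(value)
        attrs.append(entry)
        off += alen
    return {"record_number": record_number, "sequence": seq, "hard_links": links,
            "in_use": bool(flags & 1), "is_directory": bool(flags & 2),
            "used_size": used, "allocated_size": alloc, "base_record": base_ref,
            "next_attribute_id": next_id, "attributes": attrs}


def _resident_attr(atype: int, value: bytes) -> bytes:
    """Build one resident attribute with a 0x18-byte header (sample construction)."""
    hdr_len = 0x18
    total = (hdr_len + len(value) + 7) & ~7  # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, hdr_len, 0, 0, len(value), hdr_len, 0, 0)
    return hdr + value + b"\0" * (total - hdr_len - len(value))


def build_sample_record(record_number: int = 64) -> bytes:
    """Construct a synthetic on-disk FILE record (sample data, not read from a volume)."""
    name = "example.txt".encode("utf-16-le")
    fn_value = struct.pack("<QQQQQQQIIBB", (5 << 48) | 5, 0, 0, 0, 0, 0, 0, 0, 0, len(name) // 2, 1) + name
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, b"\0" * 48)
             + _resident_attr(ATTR_FILE_NAME, fn_value) + struct.pack("<II", ATTR_END, 0))
    first_attr, usa_count = 0x38, RECORD_SIZE // SECTOR + 1  # USN word + one word per sector
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, usa_count, 0, 1, 1, first_attr, 1,
                     first_attr + len(attrs), RECORD_SIZE, 0, 3, 0, record_number)
    rec[first_attr:first_attr + len(attrs)] = attrs
    usn = b"\x07\x00"  # arbitrary constructed update sequence number
    rec[0x30:0x32] = usn
    for i in range(1, usa_count):  # mimic what NTFS does on write: stash sector tails, stamp USN
        end = i * SECTOR
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


if __name__ == "__main__":
    print(parse_mft_record(build_sample_record()))
```

The fixup step is the part most home-grown MFT readers skip, and it is why bytes 510-511 and 1022-1023 of a record read straight from the volume never match the structure the file system actually sees. On a real volume the record's position comes from the boot sector (the starting cluster of $MFT) plus record_number times the record size, and every record number referenced from another record should be bounds-checked against the size of $MFT before it is followed.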