NTFS reparse point

From Wikipedia, the free encyclopedia

An NTFS reparse point is a type of NTFS file system object. It is available with NTFS v3.0, found in Windows 2000 and later versions. Reparse points provide a way to extend the NTFS filesystem. A reparse point contains a reparse tag and data, which are interpreted by the filesystem filter identified by the tag. Microsoft includes several default tags, including NTFS symbolic links, directory junction points and volume mount points. Reparse points are also used as placeholders for files moved by Windows 2000's Hierarchical Storage System. They can also act as hard links, but are not limited to pointing to files on the same volume: they can point to directories on any local volume.[1]

Basic, simple breakdown

In general:

  • hard link – link to a file (MFT entry). The data are still accessible as long as at least one link that points to it still exists.
  • soft link – link to the file's name (file path).

'Soft' links

Windows Vista supports a new symbolic link capability that replaces junction points in Windows 2000 and Windows XP. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Unlike a junction point, a symbolic link can also point to a file or a remote SMB network path. Additionally, the NTFS symbolic link implementation provides full support for cross-filesystem links. However, the functionality enabling cross-host symbolic links requires that the remote system also support them, which effectively limits their support to Windows Vista and later Windows operating systems.

  • NTFS symbolic link (SYMLINK) – local or remote, relative or absolute SMB file or path. Enabling cross-host symbolic links requires that the remote system also support them, which effectively limits their support to Windows Vista and later Windows operating systems. Used in WS8 for \Users\All Users\ -> \ProgramData only (in basic installation). Symbolic links can point to non-existent targets because the operating system does not check whether the target exists. Created with mklink or mklink /D. Relative symbolic links are restricted to a single volume.
  • Junction point/directory junction – since Windows 2000 – absolute directory (may be \) on a local volume. Used in the default Windows Server 2008 configuration for Users folder redirections. Created with mklink /J. Deleting a junction point using Windows Explorer will delete the targeted files immediately if using shift-delete (Windows 2000/XP/2003). The command del myjunction should not be used – this will just delete all the files in the targeted directory. Deleting a junction point using Explorer is safe since Vista.
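
The tag-plus-data structure described above is what lets a tool tell a junction from a symbolic link before it traverses or deletes through one. The following Python code is an added example, not part of the original article or any Microsoft code: it decodes a raw reparse buffer in the documented REPARSE_DATA_BUFFER layout. The function names `parse_reparse_buffer` and `build_sample` are hypothetical, and the sample buffers are constructed rather than read from a real volume.

```python
import struct

# Documented tag and flag values from the Windows SDK headers.
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # junctions and volume mount points
IO_REPARSE_TAG_SYMLINK = 0xA000000C
SYMLINK_FLAG_RELATIVE = 0x1

def parse_reparse_buffer(buf: bytes) -> dict:
    """Decode a REPARSE_DATA_BUFFER into its tag, link kind and target names."""
    if len(buf) < 8:
        raise ValueError("buffer shorter than the 8-byte reparse header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    data = buf[8:8 + data_len]
    if len(data) != data_len:
        raise ValueError("ReparseDataLength exceeds the buffer")
    if tag == IO_REPARSE_TAG_SYMLINK:
        kind, fixed = "symlink", 12   # four USHORTs plus a ULONG Flags field
    elif tag == IO_REPARSE_TAG_MOUNT_POINT:
        kind, fixed = "junction", 8   # four USHORTs, no Flags field
    else:
        return {"tag": tag, "kind": "other", "raw": data}  # owned by another filter
    if len(data) < fixed:
        raise ValueError("truncated name header")
    sub_off, sub_len, prn_off, prn_len = struct.unpack_from("<4H", data, 0)
    flags = struct.unpack_from("<I", data, 8)[0] if kind == "symlink" else 0
    path = data[fixed:]               # PathBuffer: UTF-16LE, offsets relative to it
    for off, length in ((sub_off, sub_len), (prn_off, prn_len)):
        if off + length > len(path):
            raise ValueError("name offset/length outside PathBuffer")
    return {
        "tag": tag, "kind": kind,
        "relative": bool(flags & SYMLINK_FLAG_RELATIVE),
        "substitute_name": path[sub_off:sub_off + sub_len].decode("utf-16-le"),
        "print_name": path[prn_off:prn_off + prn_len].decode("utf-16-le"),
    }

def build_sample(tag: int, substitute: str, printed: str, flags: int = 0) -> bytes:
    """Construct a sample buffer for the demo (not captured from a real volume)."""
    sub, prn = substitute.encode("utf-16-le"), printed.encode("utf-16-le")
    if tag == IO_REPARSE_TAG_SYMLINK:
        body = struct.pack("<4HI", 0, len(sub), len(sub), len(prn), flags) + sub + prn
    else:  # typical junction layout: each name followed by a UTF-16 NUL
        body = struct.pack("<4H", 0, len(sub), len(sub) + 2, len(prn)) + sub + b"\0\0" + prn + b"\0\0"
    return struct.pack("<IHH", tag, len(body), 0) + body

if __name__ == "__main__":
    junction = build_sample(IO_REPARSE_TAG_MOUNT_POINT, r"\??\C:\ProgramData", r"C:\ProgramData")
    print(parse_reparse_buffer(junction))
```

On a live system the input bytes would come from the FSCTL_GET_REPARSE_POINT control code; a cleanup or backup tool can refuse to recurse whenever the decoded kind is a junction or symlink.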

Hard links

  • NTFS hard link – since Windows NT4 – files on the same drive. The Windows API from Windows 2000 onwards includes a CreateHardLink() call to create hard links and DeleteFile() to remove them. All versions of Windows NT can use GetFileInformationByHandle() to determine the number of hard links associated with a file. Hard links require an NTFS partition. Unix-like emulation or compatibility software running on Windows, such as Cygwin and Subsystem for UNIX-based Applications, allows the use of POSIX interfaces under Windows. Most modern operating systems don't allow hard links on directories, to prevent endless recursion. In addition, hard links on directories would lead to inconsistency in parent directory entries. Symbolic links and NTFS junction points are generally used instead for this purpose. Hard links can only be created to files on the same file system. If a link to a file on a different file system is needed, it may be created with a symbolic link. Hard links are created with mklink /H.

A hard link uses the same MFT entry as the original file. Adding a hard link creates a new name attribute and increases the hard link count (for a newly created file this count equals one). Deleting a hard link removes the corresponding name and decreases the hard link count. When the count reaches zero, the system deletes the file, freeing its allocated disk space and releasing its MFT record. All the name attributes are independent, so deleting, moving, or renaming the file through one name doesn't affect the other hard links.

Known risks

Stuxnet, as part of its series of Win32 exploits, uses NTFS junction points as part of its overall mode of operation.

References

  1. "Microsoft Windows Vista Client Configuration Study Guide", Wiley Publishing, Inc., 2007, p. 285
