NTFS reparse point

From Wikipedia, the free encyclopedia

An NTFS reparse point is a type of NTFS file system object. It is available with NTFS v3.0, found in Windows 2000 and later versions. Reparse points provide a way to extend the NTFS file system. A reparse point contains a reparse tag and data, which are interpreted by a file system filter identified by the tag. Microsoft includes several default tags, including NTFS symbolic links, directory junction points, and volume mount points. Reparse points are also used as placeholders for files moved by Windows 2000's Hierarchical Storage System. They can also act as hard links, but are not limited to pointing to files on the same volume: they can point to directories on any local volume.[1]

Design

In general:

  • hard link: link to a file (MFT entry). The data remain accessible as long as at least one link that points to it still exists.
  • soft link: link to its name (file path).

Soft links

Windows Vista supports a new symbolic link capability that replaces junction points in Windows 2000 and Windows XP. It is designed to aid in migration and application compatibility with UNIX operating systems. Unlike a junction point, a symbolic link can also point to a file or remote SMB network path. Additionally, the NTFS symbolic link implementation provides full support for cross-filesystem links. However, the functionality enabling cross-host symbolic links requires that the remote system also support them, which effectively limits their support to Windows Vista and later Windows operating systems.

  • NTFS symbolic link (SYMLINK): local or remote, relative or absolute SMB file or path. Enabling cross-host symbolic links requires that the remote system also support them, which effectively limits their support to Windows Vista and later Windows operating systems. Used in WS8 only for '\Users\All Users\' -> '\ProgramData' (in a basic installation). Symbolic links can point to non-existent targets because the operating system does not check whether the target exists. Created with mklink or mklink /D. Relative symbolic links are restricted to a single volume.
  • Junction point/directory junction: since Windows 2000; an absolute directory (may be \) on a local volume. Used in the default Windows Server 2008 configuration for Users folder redirections. Created with mklink /J. Deleting a junction point using Windows Explorer will delete the targeted files immediately if using shift-delete (Windows 2000/XP/2003). The command del myjunction should not be used: this will just delete all the files in the targeted directory. Deleting a junction point using Explorer is safe since Vista.

Hard links

  • NTFS hard link: since Windows NT4: files on the same drive. The Windows API from Windows 2000 onwards includes a CreateHardLink() call to create hard links and DeleteFile() to remove them. All versions of Windows NT can use GetFileInformationByHandle() to determine the number of hard links associated with a file. Hard links require an NTFS partition. Unix-like emulation or compatibility software running on Windows, such as Cygwin and Subsystem for UNIX-based Applications, allows the use of POSIX interfaces under Windows. Most modern operating systems don't allow hard links on directories, to prevent endless recursion. In addition, hard links on directories would lead to inconsistency in parent directory entries. Symbolic links and NTFS junction points are generally used instead for this purpose. Hard links can only be created to files on the same file system. If a link to a file on a different file system is needed, it may be created with a symbolic link. Hard links are created with mklink /H.

A hard link uses the same MFT entry as the original file. Adding a hard link creates a new name attribute and increases the hard link count (for a newly created file this count equals one). Deleting a hard link removes the corresponding name and decreases the hard link count. When the count goes to zero, the system deletes the file, freeing up its allocated disk space and releasing its MFT record. All the name attributes are independent, so deleting, moving, or renaming the file doesn't affect other hard links.
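Because every name of a hard-linked file is independent, an audit of one directory tree can miss names that live elsewhere on the volume. The following added example (not part of the original article) groups names by the file record they share and compares the names found with the stored link count; the function name hardlink_report and the returned field names are hypothetical, and it relies on Python reporting the link count and file identifier through os.lstat.

```python
import os
import stat
from collections import defaultdict


def hardlink_report(root):
    """Group names under root that share one file record (same device and file ID).

    Returns one dict per multiply-linked file: the names found under root,
    the link count stored with the file, and how many names lie outside root.
    """
    seen = defaultdict(list)   # (device, file ID) -> names found under root
    counts = {}                # (device, file ID) -> stored hard link count
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)              # lstat: do not follow symbolic links
            if not stat.S_ISREG(st.st_mode):
                continue                     # only regular files carry hard links here
            key = (st.st_dev, st.st_ino)
            seen[key].append(path)
            counts[key] = st.st_nlink
    report = []
    for key, paths in seen.items():
        if counts[key] > 1:                  # a count of one means a single name
            report.append({
                "paths": sorted(paths),
                "nlink": counts[key],
                # Names the count implies but the walk did not find.
                "outside_root": counts[key] - len(paths),
            })
    return sorted(report, key=lambda r: r["paths"])
```

A non-zero outside_root value means the file's data stays reachable through another name even after every name under the audited tree is deleted.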

Features

Volume mount points

Volume mount points are similar to Unix mount points, where the root of another file system is attached to a directory. In NTFS, this allows additional file systems to be mounted without requiring a separate drive letter (such as C: or D:) for each.

Once a volume has been mounted on top of an existing directory of another volume, the contents previously listed in that directory become invisible and are replaced by the content of the root directory of the mounted volume. The mounted volume could still have its own drive letter assigned separately. The file system does not allow volumes to be mutually mounted on each other. Volume mount points can be made to be either persistent (remounted automatically after system reboot) or not persistent (must be manually remounted after reboot).[citation needed]

Mounted volumes may use other file systems than just NTFS, possibly with their own security settings and remapping of access rights according to the remote file system policy.

Directory junctions

Main article: NTFS junction point

Directory junctions are similar to volume mount points, but reference other directories in the file system instead of other volumes. For instance, the directory C:\exampledir with a directory junction attribute that contains a link to D:\linkeddir will automatically refer to the directory D:\linkeddir when it is accessed by a user-mode application.[2] This function is conceptually similar to symbolic links to directories in Unix, except that the target in NTFS must always be another directory (typical Unix file systems allow the target of a symbolic link to be any type of file).

Directory junctions (which can be created with the command MKLINK /J junctionName targetDirectory and removed with RMDIR junctionName from a console prompt) are persistent and resolved on the server side, as they share the same security realm of the local system or domain on which the parent volume is mounted, and the same security settings for their contents as the content of the target directory; however, the junction itself may have distinct security settings. Unlinking a directory junction does not delete files in the target directory.[citation needed]

Some directory junctions are installed by default on Windows Vista for compatibility with previous versions of Windows, such as Documents and Settings in the root directory of the system drive, which links to the Users physical directory in the root directory of the same volume. However, they are hidden by default, and their security settings are set up so that Windows Explorer will refuse to open them from within the Shell or in most applications, except for the local built-in SYSTEM user or the local Administrators group (both user accounts are used by system software installers). This additional security restriction has probably been made to keep users from finding apparent duplicate files in the joined directories and deleting them by mistake, because the semantics of directory junctions are not the same as those of hard links; reference counting is not used on the target contents, nor even on the referenced container itself.[citation needed]

Directory junctions are soft links (they will persist even if the target directory is removed), working as a limited form of symbolic links (with an additional restriction on the location of the target). They are an optimized version allowing faster processing of the reparse point with which they are implemented, with less overhead than the newer NTFS symbolic links, and can be resolved on the server side (when they are found in remote shared directories).[citation needed]

Symbolic links

Main article: NTFS symbolic link

Symbolic links (or soft links) were introduced in Windows Vista.[3] Symbolic links are resolved on the client side. So when a symbolic link is shared, the target is subject to the access restrictions on the client, and not the server.[citation needed]

Symbolic links can be created either to files (created with MKLINK symLink targetFilename) or to directories (created with MKLINK /D symLinkD targetDirectory), but (unlike Unix symbolic links) the semantics of the link must be specified when the link is created. The target, however, need not exist or be available when the symbolic link is created: when the symbolic link is accessed and the target is checked for availability, NTFS will also check whether it has the correct type (file or directory); it will return a not-found error if the existing target has the wrong type.[citation needed]

They can also reference shared directories on remote hosts or files and subdirectories within shared directories: their target is not mounted immediately at boot, but only temporarily on demand while opening them with the OpenFile() or CreateFile() API. Their definition is persistent on the NTFS volume where they are created (all types of symbolic links can be removed as if they were files, using DEL symLink from a command line prompt or batch).[citation needed]
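Volume mount points, directory junctions and symbolic links all store their target in the reparse data that follows the reparse tag. The following added example (not part of the original article) decodes that buffer, laid out as the Windows SDK's REPARSE_DATA_BUFFER structure, and classifies the link; the function names and sample buffers are constructed for illustration, and telling a volume mount point from a junction by the \??\Volume{ prefix of the target is a heuristic assumed here.

```python
import struct

# Reparse tag values from the Windows SDK (winnt.h).
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # junctions and volume mount points
IO_REPARSE_TAG_SYMLINK = 0xA000000C
SYMLINK_FLAG_RELATIVE = 0x1


def parse_reparse_buffer(buf: bytes) -> dict:
    """Decode a REPARSE_DATA_BUFFER and classify the link it describes."""
    if len(buf) < 8:
        raise ValueError("buffer shorter than the 8-byte reparse header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    data = buf[8:8 + data_len]
    if len(data) != data_len:
        raise ValueError("ReparseDataLength exceeds the buffer")
    if tag == IO_REPARSE_TAG_SYMLINK:
        fixed = 12   # four USHORT name fields + ULONG Flags
    elif tag == IO_REPARSE_TAG_MOUNT_POINT:
        fixed = 8    # four USHORT name fields, no Flags
    else:
        # Other tags (HSM, SIS, third-party filters) carry filter-private data.
        return {"tag": tag, "kind": "other", "target": None}
    if data_len < fixed:
        raise ValueError("truncated name header")
    sub_off, sub_len, prt_off, prt_len = struct.unpack_from("<4H", data, 0)
    flags = struct.unpack_from("<I", data, 8)[0] if fixed == 12 else 0
    paths = data[fixed:]
    if sub_off + sub_len > len(paths) or prt_off + prt_len > len(paths):
        raise ValueError("name offset/length points outside PathBuffer")
    target = paths[sub_off:sub_off + sub_len].decode("utf-16-le")
    if tag == IO_REPARSE_TAG_SYMLINK:
        kind = "symlink-relative" if flags & SYMLINK_FLAG_RELATIVE else "symlink-absolute"
    elif target.startswith("\\??\\Volume{"):   # heuristic: volume GUID path
        kind = "volume-mount-point"
    else:
        kind = "junction"
    return {"tag": tag, "kind": kind, "target": target}


def build_sample(tag: int, substitute: str, printname: str, flags=None) -> bytes:
    """Construct a sample buffer (test data, not captured from a real volume)."""
    sub, prt = substitute.encode("utf-16-le"), printname.encode("utf-16-le")
    body = struct.pack("<4H", 0, len(sub), len(sub), len(prt))
    if flags is not None:
        body += struct.pack("<I", flags)
    body += sub + prt
    return struct.pack("<IHH", tag, len(body), 0) + body
```

The bounds checks matter when the buffer comes from an untrusted disk image, since the offsets and lengths are attacker-controlled fields.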

Distributed Link Tracking (DLT)

See also: File shortcut

Distributed link tracking allows applications to track files, shell shortcuts or OLE links even if they were renamed or moved to another volume within the same machine, domain or workgroup.[4] Tracking is implemented as a system service, which uses the object identifier (OID) index stored in a metafile.[5] When the application requests a track to a file or directory, the tracking service creates the OID entry, which points to the file; a file rename, copy or move operation to an NTFS v3 volume also copies the object ID. This allows the tracking service to eventually find the target file.

Single Instance Storage (SIS)

When there are several directories that have different but similar files, some of these files may have identical content. Single instance storage allows identical files to be merged into one file, with references created to that merged file. SIS consists of a file system filter that manages copies, modifications and merges of files, and a user space service (or groveler) that searches for files that are identical and need merging. SIS was mainly designed for remote installation servers, as these may have multiple installation images that contain many identical files; SIS allows these to be consolidated but, unlike for example hard links, each file remains distinct; changes to one copy of a file will leave others unaltered. This is similar to copy-on-write, which is a technique by which memory copying is not really done until one copy is modified.[6]

Hierarchical Storage Management (HSM)

Hierarchical Storage Management is a means of transferring files that are not used for some period of time to less expensive storage media. When the file is next accessed, the reparse point on that file determines that it is needed and retrieves it from storage.[citation needed]

Native Structured Storage (NSS)

NSS was an ActiveX document storage technology that has since been discontinued by Microsoft.[citation needed] It allowed ActiveX Documents to be stored in the same multi-stream format that ActiveX uses internally. An NSS file system filter was loaded and used to process the multiple streams transparently to the application, and when the file was transferred to a non-NTFS formatted disk volume it would also transfer the multiple streams into a single stream.[7]

Known risks

Stuxnet, as part of its series of Win32 exploits, uses NTFS junction points as part of its overall mode of operation.

References

  1. "Microsoft Windows Vista Client Configuration Study Guide". Wiley Publishing, Inc. 2007. p. 285.
  2. Mark Russinovich. "Inside Win2K NTFS, Part 1". Microsoft Developer Network. Retrieved 2008-04-18.
  3. "Symbolic Links (Windows)". MSDN.
  4. http://msdn.microsoft.com/en-us/library/windows/desktop/aa363997.aspx
  5. http://technet.microsoft.com/en-us/library/cc736811(WS.10).aspx
  6. "Single Instance Storage in Windows 2000" (PDF). Microsoft Research and Balder Technology Group.
  7. Saville, John (date unknown). "What is Native Structured Storage?". Windows IT Pro. Retrieved from http://www.windowsitpro.com/Article/ArticleID/13785/13785.html.
