NTFS

NTFS
Developer(s)	Microsoft
Full name	New Technology File System
Introduced	July 1993 with Windows NT 3.1
Partition IDs	0x07 (MBR) ; EBD0A0A2-B9E5-4433-87C0-68B6B72699C7 (GPT)
Structures
Directory contents	B+ tree
File allocation	Bitmap/Extents
Bad blocks	Bitmap/Extents
Limits
Max volume size	256 TiB with current implementation (16 EiB architecturally)
Max file size	16 TiB with current implementation (16 EiB architecturally)
Max no. of files	4,294,967,295 (232-1)
Max filename length	255 characters
Allowed filename; characters	any character except '\0' (NULL) and '/' The Win32 Subsystem also excludes the use of \ : * ? " < > and pipe
Features
Dates recorded	Creation, modification, POSIX change, access
Date range	1 January 1601 - 28 May 60056
Forks	Yes
Attributes	Read-only, hidden, system, archive
File system; permissions	ACLs
Transparent; compression	Per-file, LZ77 (Windows NT 3.51 onward)
Transparent; encryption	Per-file,; DESX (Windows 2000 onward),; Triple DES (Windows XP onward),; AES (Windows XP Service Pack 1, Windows Server 2003 onward)
Other
Supported; operating systems	Windows NT family (Windows NT 3.1 to Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista)

NTFS, also known as NT File System or New Technology File System,^[2] is the standard file system of Windows NT and its descendants Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.

NTFS replaced Microsoft's previous FAT file system, used in MS-DOS and early versions of Windows. NTFS has several improvements over FAT such as improved support for metadata and the use of advanced data structures to improve performance, reliability, and disk space utilization plus additional extensions such as security access control lists and file system journaling. The exact specification is a trade secret, although (since NTFS v3.00) it can be licensed commercially from Microsoft through their Intellectual Property Licensing program.

NTFS has five versions:

v1.0
v1.1
v1.2 found in NT 3.51 and NT 4
v3.0 found in Windows 2000
v3.1 found in Windows XP, Windows Server 2003, and Windows Vista

These final three versions are sometimes referred to as v5.0, v5.1, and v6.0, after the version of Windows with which they ship. Each newer version added extra features, for example Windows 2000 introduced quotas.

Internals

In NTFS, everything that has anything to do with a file (file name, creation date, access permissions and even contents) is stored as metadata. This abstract approach allowed easy addition of filesystem features during the course of Windows NT's development — an interesting example is the addition of fields for indexing used by the Active Directory software.

NTFS allows any sequence of short values for file encoding. This means UTF-16 codepoints are supported, but the filesystem does not check whether the sequence is valid UTF-16 (it allows any sequence of short values, not restricted to those in the Unicode standard).

Internally, NTFS uses B+ trees to index file system data. Although complex to implement, this allows faster access times in some cases. A file system journal is used in order to guarantee the integrity of the file system itself (but not of each individual file). Systems using NTFS are known to have improved reliability compared to FAT file systems.^[3]

The Master File Table (MFT) essentially contains metadata about every file and directory on an NTFS file system. It includes parameters such as location, size, and permissions. It is used to aid in minimizing disk fragmentation.

Interoperability

Details on the implementation's internals are closed, so third-party vendors have a difficult time providing tools to handle NTFS.

Linux

A number of different software implementations have been developed to allow NTFS volumes to be read, and in some cases modified, under Linux:

NTFS partitions can be read by the Linux kernel since version 2.2.0.
Linux 2.6 contains a new driver written by Anton Altaparmakov (Cambridge University) and Richard Russon. It offers only file overwrite and file resize support, in some cases.
NTFSMount: More write support is available using ntfsmount,^[4] a userspace driver written by Yura Pakhuchiy in which files and directories can be created, overwritten, renamed, deleted, truncated, and expanded with limited success.

NTFS-3G: In July of 2006, a GPL licensed, open source read-write driver, called NTFS-3G,^[5] was introduced by Szabolcs Szakacsits. It has been based on ntfsmount and offers unlimited file creation, deletion, and many other functionality and performance improvements and fixes. The driver is in stable status since February of 2007 and included in most Linux distributions.

NTFS for Linux: Full write support is available using Paragon's NTFS for Linux driver, although criticised for leaving many errors on the volume when mounted read-write.^{[citation needed]}

Captive NTFS: The Windows driver ntfs.sys can be used with Captive NTFS.

Due to the complexity of the internal NTFS structures, both the built-in 2.6.14 kernel driver and the FUSE drivers will deny changes to the volume when they are considered to be unsafe; thus avoiding corruption.

Windows

There are technical considerations for mounting newer NTFS volumes in older versions of Windows. This affects dual-booting, and external portable hard drives.

For example, "Previous Versions" (a.k.a. shadow copies) will be lost because the older OS doesn't understand how to keep the new feature's data updated.^[6]

Others

FreeBSD, eComStation and Mac OS X versions 10.3 and later offer read-only NTFS support (there is a beta NTFS driver that allows write/delete for eComStation, but is generally considered unsafe). A free third-party tool for BeOS, which was based on NTFS-3G, allows full NTFS read and write. The read/write NTFS-3G driver has been also ported to FreeBSD, Mac OS X, NetBSD, Haiku and FreeDOS.

Compatibility with FAT

Microsoft currently provides a tool (convert.exe) to convert HPFS (only on Windows NT 3), FAT16 and, on Windows 2000 and higher, FAT32 to NTFS, but not the other way around [1]. Various third-party tools are all capable of safely resizing NTFS partitions. Microsoft added the ability to expand the size of NTFS partitions in Windows Server 2003 using the Diskpart command line tool, and shrinking a partition was introduced with Windows Vista.

For historical reasons, the versions of Windows that do not support NTFS all keep time internally as local zone time, and therefore so do all file systems other than NTFS that are supported by current versions of Windows. However, Windows NT and its descendants keep internal timestamps as UTC and make the appropriate conversions for display purposes. Therefore, NTFS timestamps are in UTC. This means that when files are copied or moved between NTFS and non-NTFS partitions, the OS needs to convert timestamps on the fly. But if some files are moved when daylight saving time (DST) is in effect, and other files are moved when standard time is in effect, there can be some ambiguities in the conversions. As a result, especially shortly after one of the days on which local zone time changes, users may observe that some files have timestamps that are incorrect by one hour. Due to the differences in implementation of DST between the northern and southern hemispheres, this can result in a potential timestamp error of up to 4 hours in any given 12 months.^[7]

Features

NTFS v3.0, the third version of NTFS to be introduced, includes several new features over its predecessors: disk usage quotas, sparse file support, reparse points, distributed link tracking and file-level encryption, also known as the Encrypting File System (EFS).

Alternate data streams (ADS): Alternate data streams allows files to be associated with more than one data stream. For example, a file such as text.txt can have an ADS with the name of text.txt:secret.txt (of form filename:ads) that can only be accessed by knowing the ADS name or by specialized directory browsing programs. Alternate streams are not detectable in the original file's size but are lost when the original file (i.e. text.txt) is deleted with a RemoveFile or RemoveFileTransacted call (or a call that uses those calls), or when the file is copied or moved to a partition that doesn't support ADS (e.g. a FAT partition, a floppy disk, or a network share). While ADS is a useful feature, it can also easily eat up hard disk space if unknown either through being forgotten or not being detected.
Quotas: Disk quotas were introduced in NTFS v3. They allow the administrator of a computer that runs a version of Windows that supports NTFS to set a threshold of disk space that users may utilise. It also allows administrators to keep track of how much disk space each user is using. An administrator may specify a certain level of disk space that a user may use before they receive a warning, and then deny access to the user once they hit their upper limit of space. Disk quotas do not take into account NTFS's transparent file-compression, should this be enabled. Applications that query the amount of free space will also see the amount of free space left to the user who has a quota applied to them.
Sparse files: Sparse files are files which contain sparse data sets, data mostly filled with zeroes. Many scientific applications can generate very large sparse data sets. Because of this, Microsoft has implemented support for sparse files by only allocating disk space for regions that do not contain blocks of zero data. An application that reads a sparse file reads it in the normal manner with the file system calculating what data should be returned based upon the file offset. As with compressed files, the actual size of sparse files are not taken into account when determining quota limits.^[8]
Reparse points: This feature was introduced in NTFS v3. These are used by associating a reparse tag in the user space attribute of a file or directory. When the object manager (see Windows NT line executive) parses a file system name lookup and encounters a reparse attribute, it knows to reparse the name lookup, passing the user controlled reparse data to every file system filter driver that is loaded into Windows 2000. Each filter driver examines the reparse data to see if it is associated with that reparse point, and if that filter driver determines a match then it intercepts the file system call and executes its special functionality. Reparse points are used to implement Volume Mount Points, Directory Junctions, Hierarchical Storage Management, Native Structured Storage and Single Instance Storage:
Volume mount points: Similar to Unix mount points, where the root of another file system is attached to a directory. In NTFS, this allows additional file systems to be mounted without requiring a separate drive letter (like C: or D:) for each.
Directory Junctions: Similar to Volume Mount Points, however directory junctions reference other directories in the file system instead of other volumes. For instance, the directory C:\exampledir with a directory junction attribute that contains a link to D:\linkeddir will automatically refer to the directory D:\linkeddir when it is accessed by a user-mode application. They are the equivalent of a Unix symbolic link, though in Unix a symbolic link can be applied on files as well as on directories.^[9]
Hard links: Hard links are similar to directory junctions, but used for files instead of directories. Hard links can only be applied to files on the same volume since an additional filename record is added to the file's MFT record. Short (8.3) filenames are also implemented as additional filename records that don't have separate directory entries.
Hierarchical Storage Management (HSM): Hierarchical Storage Management is a means of transferring files that are not used for some period of time to less expensive storage media. When the file is next accessed the reparse point on that file determines that it is needed and retrieves it from storage.
Native Structured Storage (NSS): NSS was an ActiveX document storage technology that has since been discontinued by Microsoft. It allowed ActiveX documents to be stored in the same multi-stream format that ActiveX uses internally. An NSS file system filter was loaded and used to process the multiple streams transparently to the application, and when the file was transferred to a non-NTFS formatted disk volume it would also transfer the multiple streams into a single stream.^[10]
Volume Shadow Copy: The Volume Shadow Copy (VSC) service keeps historical versions of files and folders on NTFS volumes by copying old, newly-overwritten data to shadow copy (copy-on-write). The old file data is overlaid on the new when the user requests a revert to an earlier version. This also allows data backup programs to archive files currently in use by the file system. On heavily loaded systems, Microsoft recommends setting up a shadow copy volume on separate disk to reduce the I/O load on the main volume.
File compression: NTFS can compress files using a variant of the LZ77 algorithm (also used in the popular ZIP file format).^[11] Although read-write access to compressed files is transparent, Microsoft recommends avoiding compression on server systems and/or network shares holding roaming profiles because it puts a considerable load on the processor.^[12]; Single-user systems with limited hard disk space will probably use NTFS compression successfully. The slowest link in the 2.5 inch drive of a notebook computer is not the CPU, but the speed of the drive, so NTFS compression allows the limited storage space to be better used.
Single Instance Storage (SIS): When there are several directories that have different, but similar, files, some of these files may have identical content. Single instance storage allows identical files to be merged to one file and create references to that merged file. SIS consists of a file system filter that manages copies, modification and merges to files; and a user space service (or groveler) that searches for files that are identical and need merging. SIS was mainly designed for remote installation servers as these may have multiple installation images that contain many identical files; SIS allows these to be consolidated but, unlike for example hard links, each file remains distinct; changes to one copy of a file will leave others unaltered. This is similar to copy-on-write, which is a technique by which memory copying is not really done until one copy is modified.^[13]
Encrypting File System (EFS): EFS provides strong and user-transparent encryption of any file or folder on an NTFS volume. EFS works in conjunction with the EFS service, Microsoft's CryptoAPI and the EFS File System Run-Time Library (FSRTL).; EFS works by encrypting a file with a bulk symmetric key (also known as the File Encryption Key, or FEK), which is used because it takes a relatively smaller amount of time to encrypt and decrypt large amounts of data than if an asymmetric key cipher is used. The symmetric key that is used to encrypt the file is then encrypted with a public key that is associated with the user who encrypted the file, and this encrypted data is stored in an alternate data stream of the encrypted file. To decrypt the file, the file system uses the private key of the user to decrypt the symmetric key that is stored in the file header. It then uses the symmetric key to decrypt the file. Because this is done at the file system level, it is transparent to the user.^[14] Also, in case of a user losing access to their key, support for recovery agents that can unencrypt files has been built in to the EFS system.
Symbolic links: Symbolic links were introduced in Windows Vista.^[15]

Transactional NTFS: As of Windows Vista, applications can use Transactional NTFS to group changes to files together into a transaction. The transaction will guarantee that all changes happen, or none of them do, and it will guarantee that applications outside the transaction will not see the changes until the precise instant they're committed.^[16]

Limitations

The following are a few limitations of NTFS:

Reserved File Names: Though the file system supports paths up to ca. 32,000 Unicode characters with each path component (directory or filename) up to 255 characters long, certain names are unusable, since NTFS stores its metadata in regular (albeit hidden and for the most part inaccessible) files; accordingly, user files cannot use these names. These files are all in the root directory of a volume (and are reserved only for that directory). The names are: $MFT, $MFTMirr, $LogFile, $Volume, $AttrDef, . (dot), $Bitmap, $Boot, $BadClus, $Secure, $Upcase, and $Extend;^[17] . (dot) and $Extend are both directories, the others are files.

Maximum Volume Size: In theory, the maximum NTFS volume size is 2⁶⁴-1 clusters. However, the maximum NTFS volume size as implemented in Windows XP Professional is 2³²-1 clusters. For example, using 64 KiB clusters, the maximum NTFS volume size is 256 TiB minus 64 KiB. Using the default cluster size of 4 KiB, the maximum NTFS volume size is 16 TiB minus 4 KiB. Because partition tables on master boot record (MBR) disks only support partition sizes up to 2 TiB, you must use dynamic volumes to create bootable NTFS volumes over 2 TiB.

Maximum File Size: Theoretical: 16 EiB minus 1 KiB ( $2^{64}-2^{10}$ bytes). Implementation: 16 TiB minus 64 KiB ( $2^{44}-2^{16}$ bytes)

Alternate Data Streams: Care must be exercised when copying or moving files from NTFS to other filesystem types. Windows system calls and programs can have varying behavior with regard to alternate data streams and might silently strip those which could not be stored on the destination filesystem. A safe way of copying or moving files is to use the BackupRead and BackupWrite system calls, which allow to enumerate streams, to verify whether each stream could be written to the destination volume and to knowingly skip offending streams.

Maximum date: NTFS was built to only recognize dates up to May 28 60056. After this date everything would reverse back to the date of January 1 1601, in an event similar to the Year 2000 problem or the Year 2038 problem (although obviously much more remote).

Developers

NTFS was developed by:

Notes

^ UTF-16 codepoints accepted, but not validated
^ Helen Custer (1994). Inside the Windows NT File System. Microsoft Press. ISBN 1-55615-660-X.
^ "Microsoft TechNet Resource Kit"
^ "ntfsmount wiki page on linux-ntfs.org"
^ "ntfs-3g announcement in linux-ntfs-dev list"
^ cfsbloggers (July 14, 2006). "How restore points and other recovery features in Windows Vista are affected when you dual-boot with Windows XP". The Filing Cabinet. Retrieved 2007-03-21.
^ "Beating the Daylight Savings Time bug and getting correct file modification times" The Code Project
^ "Sparse Files", MSDN Platform SDK: File Systems. Retrieved May 22, 2005.
^ Mark Russinovich, "Inside Win2K NTFS, Part 1"
^ John Saville, "What is Native Structured Storage?"
^ "File Compression and Decompression". MSDN Platform SDK: File Systems. Retrieved Aug 18, 2005.
^ "Best practices for NTFS compression in Windows." Microsoft Knowledge Base. Retrieved Aug 18, 2005.
^ "Single Instance Storage in Windows 2000" (PDF). Microsoft Research and Balder Technology Group.
^ How EFS Works, Microsoft Windows 2000 Resource Kit
^ "Symbolic Links". MSDN. Retrieved 2007-01-05.
^ "Transactional NTFS". MSDN. Retrieved 2007-02-02.
^ "How NTFS Works" Windows Server 2003 Technical Reference

References

Bolosky, William J.; Corbin, Scott; Goebel, David; & Douceur, John R. (date). "Single Instance Storage in Windows 2000" (PDF). Microsoft Research & Balder Technology Group, Inc. {{cite journal}}: Check date values in: |date= (help); Cite journal requires |journal= (help)CS1 maint: multiple names: authors list (link)
Custer, Helen (1994). Inside the Windows NT File System. Microsoft Press. ISBN 1-55615-660-X.
Nagar, Rajeev (1997). Windows NT File System Internals: A Developer's Guide (1st ed). O'Reilly. ISBN 1-56592-249-2.

External links

Linux-NTFS – an open source project to add NTFS support to the Linux kernel (write support is limited, but can be used for simple tasks), and write POSIX-compatible utilities for accessing and manipulating NTFS (ntfsprogs; includes ntfsls, ntfsresize, ntfsclone, etc)
NTFS-3G – NTFS-3G read/write driver for Linux
NTFS-3G for Mac OS X
Captive NTFS – a shim which used the Windows NTFS driver to access NTFS filesystems under Linux
NTFS.com – documentation and resources for NTFS
Microsoft NTFS Technical Reference

[1] UTF-16 codepoints accepted, but not validated

[2] Helen Custer (1994). Inside the Windows NT File System. Microsoft Press. ISBN 1-55615-660-X.

[3] "Microsoft TechNet Resource Kit"

[4] "ntfsmount wiki page on linux-ntfs.org"

[5] "ntfs-3g announcement in linux-ntfs-dev list"

[6] sbloggers (July 14, 2006). "How restore points and other recovery features in Windows Vista are affected when you dual-boot with Windows XP". The Filing Cabinet. Retrieved 2007-03-21.

[7] "Beating the Daylight Savings Time bug and getting correct file modification times" The Code Project

[8] "Sparse Files", MSDN Platform SDK: File Systems. Retrieved May 22, 2005.

[9] Mark Russinovich, "Inside Win2K NTFS, Part 1"

[10] John Saville, "What is Native Structured Storage?"

[11] "File Compression and Decompression". MSDN Platform SDK: File Systems. Retrieved Aug 18, 2005.

[12] "Best practices for NTFS compression in Windows." Microsoft Knowledge Base. Retrieved Aug 18, 2005.

[13] "Single Instance Storage in Windows 2000" (PDF). Microsoft Research and Balder Technology Group.

[14] How EFS Works, Microsoft Windows 2000 Resource Kit

[15] "Symbolic Links". MSDN. Retrieved 2007-01-05.

[16] "Transactional NTFS". MSDN. Retrieved 2007-02-02.

[17] "How NTFS Works" Windows Server 2003 Technical Reference

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]