I'm looking for a high-level method to read the MFT entries on an NTFS file system for a Seagate 1TB internal hard drive. The platform is Windows 7.
I need to fetch the filename, block size and LBA.
Is this a specialized task such that I need to write a program to do this?
Best Answer
This information is accessible through the Defrag API. Third-party defragment tools might expose it. On recent Windows systems (8.1 works, 7 not tested) you can use
fsutilto query it:There is also another subcommand that dumps all information for all data streams in the file:
C:\>fsutil volume filelayout example.exe ********* File 0x01390000000008dd ********* File reference number : 0x01390000000008dd File attributes : 0x00000020: Archive ... Stream : ::$FILE_NAME Attributes : 0x00000000: *NONE* Flags : 0x0000000c: Resident | No clusters allocated Size : 80 Allocated Size : 80 Stream : ::$DATA (the main data stream) Attributes : 0x00000000: *NONE* Flags : 0x00000000: *NONE* Size : 1681920 Allocated Size : 1683456 Extents : 1 Extents : 1: VCN: 0 Clusters: 411 LCN: 8527618In both commands' output, for each "extent" (a contiguous range of clusters), you get the "virtual cluster number" (offset from beginning of file), number of clusters in the extent, and the "logical cluster number" (offset from beginning of volume).
Note: Tiny files, which fit in the MFT base record, are stored ("resident") in their MFT record and will have zero extents. For those, you'll need to use other ways to dig through the MFT itself. (Also, in some cases, the file may be sparse and only have a small part allocated on disk; the rest is just assumed to be null bytes.)
The clusters are filesystem-level, so you need to convert them to block-device-level sectors; my system has 8 sectors per cluster:
This means you can open
\\.\C:with HxD or such, and find beginning of file at sector 13091568 (or byte 6702882816).