
About ntfsinfo

ntfsinfo is an ntfsprogs utility for getting some information out of the NTFS file system metadata.

ntfsinfo output is generated from 2 main data sources:

  • Data about the entire volume (such as the boot sector, volume label, etc.)
  • Data about a single file or directory (from the FILE record).

The following examples assume that the NTFS partition is /dev/hda1, and that it is unmounted. If it is mounted, add the -f switch.

If you want to output more information, use the -v switch. If this is still not enough, try the -vv switch.

Up to ntfsprogs version 1.12.1 (the current version), ntfsinfo requires the -d switch before the device name (/dev/hdXY). The next version (1.13.0+ or 2.0.0+) will not support this switch, meaning the device name should appear last.

Getting information about the MFT

Try running:

ntfsinfo -m -d /dev/hda1

An example output is:

Volume Information
        Name of device: /dev/hda1
        Device state: 3
        Volume Name:
        Volume State: 1
        Volume Version: 3.1
        Sector Size: 512
        Cluster Size: 4096
        Volume Size in Clusters: 4598526
MFT Information
        MFT Record Size: 1024
        MFT Zone Multiplier: 1
        MFT Data Position: 24
        MFT Zone Start: 10
        MFT Zone End: 574825
        MFT Zone Position: 10
        Current Position in First Data Zone: 574825
        Current Position in Second Data Zone: 0
        LCN of Data Attribute for FILE_MFT: 10
        FILE_MFTMirr Size: 4
        LCN of Data Attribute for File_MFTMirr: 629425
        Size of Attribute Definition Table: 2560
FILE_Bitmap Information
        FILE_Bitmap MFT Record Number: 6
        State of FILE_Bitmap Inode: 0
        Length of Attribute List: 0
        Attribute List: (null)
        Number of Attached Extent Inodes: 0
FILE_Bitmap Data Attribute Information
        Decompressed Runlist: not done yet
        Base Inode: 6
        Attribute Types: not done yet
        Attribute Name Length: 0
        Attribute State: 3
        Attribute Allocated Size: 577536
        Attribute Data Size: 574816
        Attribute Initialized Size: 574816
        Attribute Compressed Size: 0
        Compression Block Size: 0
        Compression Block Size Bits: 0
        Compression Block Clusters: 0

You can see that this information is rather low-level. Still, the “Volume Information” section is quite useful and understandable without getting into the technical details.

Getting information about a FILE record

There are two ways to dump a FILE record:

  • By the MFT record number:
ntfsinfo -i 5 -d /dev/hda1
  • By path and file name:
ntfsinfo -F / -d /dev/hda1

Both will dump information about the root folder (which is a file too).

An example output is:

Dumping Inode #5
Update Sequence Array Count:     3
$LogFile seqNum for this Inode:  0x3870248
Number of times reused:          5
Number of hard links:            1
MFT record Flags:                DIRECTORY
Size - Used:                     648 bytes
Size - Allocated:                1024 bytes
Next Attribute Instance Num      81
Dumping attribute $STANDARD_INFORMATION (0x10)
        Attribute instance:      0
        File Creation Time:      Mon Feb 26 18:38:39 2001
        File Altered Time:       Sun Oct  2 18:47:36 2005
        MFT Changed Time:        Sun Oct  2 18:47:36 2005
        Last Accessed Time:      Sun Oct  2 21:22:58 2005
        File attributes:         HIDDEN SYSTEM ARCHIVE
        Max Number of Versions:  0
        Version Number:          0
        Class ID:                0
Dumping attribute $FILE_NAME (0x30)
        File Name:               '.'
        File Name Length:        1
        Namespace:               Win32 & DOS
        Attribute instance:      1
        Allocated File Size:     0
        Real File Size:          0
        Parent directory:        5
        File attributes:         HIDDEN SYSTEM ARCHIVE FILE_NAME_INDEX
        File Creation Time:      Mon Feb 26 18:38:39 2001
        File Altered Time:       Thu Sep 15 12:27:31 2005
        MFT Changed Time:        Thu Sep 15 12:27:31 2005
        Last Accessed Time:      Thu Sep 15 12:27:31 2005
Dumping attribute $SECURITY_DESCRIPTOR (0x50)
        Attribute instance:      2
        Revision:                1
        Flags:                   0x8004
        Owner SID:               S-1-5-32-544
        Group SID:               S-1-5-32-544
        System ACL:              missing
        Discretionary ACL:
                Revision         2
                ACE:             type:allow  flags:0x3  access:0x1f01ff
                                 SID: S-1-1-0
Dumping attribute $INDEX_ROOT (0x90)
        Index name:              '$I30'
        Attribute instance:      78
        Indexed Attr Type:       file names
        Collation Rule:          1
        Index Block Size:        4096
        Clusters Per Block:      1
        Allocated Size:          152
        Used Size:               152
        Flags:                   0x01
        Index entries total:     2
Dumping attribute $INDEX_ALLOCATION (0xA0)
        Index name:              '$I30'
        Attribute instance:      80
        Allocated data size:     8192
        Used data size:          8192
        Index entries total:     38
        INDX blocks total:       2
Dumping attribute $BITMAP (0xB0)
        Bitmap name:             '$I30'
        Attribute instance:      79
        Bitmap's size:           8 bytes
End of inode reached

The first section is information about the entire file. The others are the NTFS attributes belonging to that file.
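
The layout above (a "Dumping attribute" line opening each section, with indented "name: value" lines beneath it) can be parsed by a script. The Python below is an added example, not part of ntfsprogs: it splits a dump into record fields and attributes and reports which timestamps differ between $STANDARD_INFORMATION and $FILE_NAME, as they do in the output above. The function names parse_inode_dump and differing_times and the shortened sample are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample: a shortened copy of the inode #5 dump shown above.
SAMPLE = """\
Dumping Inode #5
MFT record Flags:                DIRECTORY
Dumping attribute $STANDARD_INFORMATION (0x10)
        File Creation Time:      Mon Feb 26 18:38:39 2001
        File Altered Time:       Sun Oct  2 18:47:36 2005
Dumping attribute $FILE_NAME (0x30)
        File Name:               '.'
        File Creation Time:      Mon Feb 26 18:38:39 2001
        File Altered Time:       Thu Sep 15 12:27:31 2005
End of inode reached
"""

HEADER = re.compile(r"^Dumping attribute (\$\w+) \((0x[0-9A-Fa-f]+)\)\s*$")
FIELD = re.compile(r"^\s*(.+?):\s*(.*)$")   # key ends at the first colon
TIME_FMT = "%a %b %d %H:%M:%S %Y"           # e.g. "Sun Oct  2 18:47:36 2005"

def parse_inode_dump(text):
    """Return (record_fields, [(attr_name, type_code, fields), ...])."""
    record, attrs, current = {}, [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a new attribute section starts; later fields belong to it
            current = {}
            attrs.append((m.group(1), int(m.group(2), 16), current))
        elif (m := FIELD.match(line)):
            target = record if current is None else current
            target.setdefault(m.group(1), m.group(2).strip())
    return record, attrs

def differing_times(attrs):
    """Timestamps that differ between $STANDARD_INFORMATION and the first
    $FILE_NAME attribute, as {field: (si_time, fn_time)}."""
    first = {}
    for name, _code, fields in attrs:
        first.setdefault(name, fields)  # a file may carry several $FILE_NAMEs
    si, fn = first.get("$STANDARD_INFORMATION", {}), first.get("$FILE_NAME", {})
    return {k: tuple(datetime.strptime(v, TIME_FMT) for v in (si[k], fn[k]))
            for k in si.keys() & fn.keys()
            if k.endswith(" Time") and si[k] != fn[k]}

if __name__ == "__main__":
    record, attrs = parse_inode_dump(SAMPLE)
    print(record, differing_times(attrs))
```

Lines without a colon, such as "Dumping Inode #5" and "End of inode reached", are skipped by this parser.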

 
ntfsinfo.txt · Last modified: 2009/02/09 21:32 (external edit)