Unit OS8: File System 8.6. Lab Manual. 2 Copyright Notice © 2000-2005 David A. Solomon and Mark Russinovich These materials are part of the Windows Operating.


Unit OS8: File System 8.6. Lab Manual

2 Copyright Notice
© David A. Solomon and Mark Russinovich
These materials are part of the Windows Operating System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E. Russinovich with Andreas Polze.
Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic environments (and not for commercial use).

3 Roadmap for Section 8.6.
Lab objectives investigating:
- List of registered file systems
- System restore filter driver
- Idle system I/O activity with Filemon
- Multiple data streams on NTFS files
- Hard and symbolic links (Junctions) on NTFS
- Viewing the Master File Table (MFT)
- NTFS information

4 List of Registered File Systems Lab
- When the I/O manager loads a driver, it typically names the driver object according to the file system
- Not all driver objects of type file system driver represent local/remote file systems
- For example, Npfs (Named Pipe File System) is a network API driver
- WinObj and the System Information viewer reveal the list of registered file systems (MMC snap-in on W2K, Msinfo32 on Server 2003)

5 System Restore Lab
- System Restore provides a way to restore a Windows XP system to a previously known point
- Not available on Windows 2000 or Server 2003
- XP-compatible Setup may create a “restore point” before installation begins
- Restore works on a per-volume basis
- The System Restore filter driver attaches filter device objects to FAT and NTFS objects (volumes)
- The Platform SDK provides the SRSetRestorePoint and SRRemoveRestorePoint APIs for installation programs
- Lab investigates restore filter driver objects using the kernel debugger

6 Filemon Idle System Lab
- Filemon shows all file activity as it occurs
- Ideal tool for troubleshooting file system–related system and application failures
- Filemon requires Load Driver and Debug privileges
- Basic mode vs. advanced mode
- I/O operations (IRPs) are tagged with friendly names
- Access to NTFS metadata, paging I/O, System and Filemon process activity, and fast I/O failures are reported only in advanced mode
- Lab uses Filemon to examine file system activity on an idle system

7 Filemon App Error Lab
Applications sometimes present error messages in response to an error condition that do not reveal the root cause of the error. These error messages can be frustrating because they might lead you to spend time diagnosing or resolving problems that do not exist. If the error message is related to a file system issue, Filemon will show what underlying errors might have occurred prior to the appearance of an error message.

8 NTFS Streams Lab
- An NTFS file has a default, unnamed data stream
- Applications can create additional streams
- Each stream has its own allocation size, actual size, and valid data length
- Windows Explorer uses streams to store summary information for files (right-click -> properties)
- Server for Macintosh stores the resource fork in a separate stream
- Streams are named ":"

9 Hard links and Junctions - Lab
- A hard link allows multiple paths to refer to the same file
- Created via CreateHardLink() or ln() functions
- ln file file1 creates a new name for file
- NTFS also supports Junctions (symbolic links)
- Redirect file/pathname translation to another dir
- Based on NTFS reparse points
- No API functions to create reparse points (must use DeviceIoControl() or Linkd.exe / Junction.exe)
- Linkd \etc C:\Windows\system32 creates a new name for the Windows system32 directory

10 Viewing the MFT
- In NTFS, all data on a volume is stored in files, including the data structures used to locate and retrieve files, the bootstrap data, and the bitmap that records the allocation state of the entire volume (the NTFS metadata).
- The MFT is the heart of an NTFS volume and is implemented as an array of file records.
- The size of each file record is fixed at 1 KB, regardless of cluster size.
- Logically, the MFT contains one record for each file on the volume, including a record for the MFT itself.
- The MFT can be inspected - it is only a file
- Nfi.exe utility from OEM Support Tools
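
Added example (not part of the original lab manual): a small Python reader for one MFT file record, showing where the hard-link count and the names of a file's data streams are kept, which is what the streams, hard link and MFT labs look at with tools. The record is constructed inline, the stream name "hidden" is made up, the offsets follow the commonly documented on-disk layout, and the parser assumes update-sequence fixups have already been applied.

```python
import struct

DATA, END = 0x80, 0xFFFFFFFF  # $DATA attribute type, end-of-attributes marker

def resident_attr(attr_type, name, content):
    """Build one resident attribute for the constructed sample record."""
    raw = name.encode("utf-16-le")
    content_off = (0x18 + len(raw) + 7) & ~7
    attr = bytearray((content_off + len(content) + 7) & ~7)
    # type, total length, non-resident flag, name length (chars), name offset
    struct.pack_into("<IIBBH", attr, 0, attr_type, len(attr), 0, len(raw) // 2, 0x18)
    struct.pack_into("<IH", attr, 0x10, len(content), content_off)
    attr[0x18:0x18 + len(raw)] = raw
    attr[content_off:content_off + len(content)] = content
    return bytes(attr)

def build_sample_record():
    """Constructed 1 KB record: in use, two hard links, two data streams."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    # sequence number, hard-link count, offset of first attribute, flags
    struct.pack_into("<HHHH", rec, 0x10, 1, 2, 0x38, 0x0001)
    body = (resident_attr(DATA, "", b"hello")
            + resident_attr(DATA, "hidden", b"second stream")
            + struct.pack("<I", END))
    rec[0x38:0x38 + len(body)] = body
    return bytes(rec)

def parse_file_record(rec):
    """Return link count, flags and every $DATA stream (name, size) in a record."""
    if rec[0:4] != b"FILE":
        raise ValueError("missing FILE signature")
    _, links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    streams = []
    while off + 0x18 <= len(rec):
        attr_type, length = struct.unpack_from("<II", rec, off)
        if attr_type == END or length < 0x18 or off + length > len(rec):
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        if attr_type == DATA:
            start = off + name_off
            name = rec[start:start + 2 * name_len].decode("utf-16-le")
            # resident: 4-byte length at 0x10; non-resident: 8-byte real size at 0x30
            fmt, pos = ("<Q", 0x30) if nonres else ("<I", 0x10)
            streams.append((name, struct.unpack_from(fmt, rec, off + pos)[0]))
        off += length
    return {"in_use": bool(flags & 1), "is_directory": bool(flags & 2),
            "hard_links": links, "streams": streams}
```

A file with more than one entry in `streams`, or with a non-empty stream name, carries data that a plain directory listing does not show.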

11 View NTFS Information
- When it first accesses a volume, NTFS must mount it:
- read metadata from the disk
- construct internal data structures so that it can process application file system accesses
- To mount the volume, NTFS looks in the boot sector to find the physical disk address of the MFT.
- The MFT’s own file record is the first entry in the table; the second file record points to a file located in the middle of the disk called the MFT mirror (filename $MftMirr) that contains a copy of the first few rows of the MFT.
- NTFSInfo.exe and Fsutil.exe tools reveal crucial information about MFT placement
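
Added example (not part of the original lab manual): a Python parser for the NTFS boot sector fields used at mount time to locate the MFT and its mirror, the same placement information the slide says NTFSInfo.exe and Fsutil.exe report. The 512-byte sector is constructed inline with sample values, and the offsets follow the commonly documented boot sector layout.

```python
import struct

OEM_ID = b"NTFS".ljust(8)  # "NTFS" padded with spaces to 8 bytes

def build_sample_boot_sector():
    """Constructed boot sector (sample values, not taken from a real disk)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                   # jump instruction
    bs[3:11] = OEM_ID
    struct.pack_into("<HB", bs, 0x0B, 512, 8)   # bytes/sector, sectors/cluster
    # total sectors, $MFT start cluster, $MftMirr start cluster (mid-volume)
    struct.pack_into("<QQQ", bs, 0x28, 41943039, 786432, 2621439)
    struct.pack_into("<b", bs, 0x40, -10)       # file record size code
    bs[510:512] = b"\x55\xAA"                   # boot sector signature
    return bytes(bs)

def parse_ntfs_boot_sector(bs):
    """Return cluster size, file record size and byte offsets of $MFT and $MftMirr."""
    if len(bs) < 512 or bs[3:11] != OEM_ID or bs[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    total_sectors, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", bs, 0x28)
    (rec_code,) = struct.unpack_from("<b", bs, 0x40)
    cluster = bytes_per_sector * sectors_per_cluster
    if cluster == 0:
        raise ValueError("zero cluster size")
    # A negative code means the record is 2**|code| bytes, independent of
    # cluster size; a positive code is a count of clusters.
    record_size = 2 ** -rec_code if rec_code < 0 else rec_code * cluster
    return {
        "cluster_size": cluster,
        "file_record_size": record_size,
        "total_sectors": total_sectors,
        "mft_offset": mft_lcn * cluster,
        "mftmirr_offset": mirr_lcn * cluster,
    }
```

With the sample values the record size code of -10 decodes to 1024 bytes, matching the fixed 1 KB file record size stated on the MFT slide.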