Mike J. Kreuzer, Ph.D, MCSE, MCT
Call me at: 831-675-MCSE
Silicon Valley and International Networks since 1984.
- Mirror Sites:
Mike J. Kreuzer, Ph.D, MCSE, MCT
Call me at: 831-675-MCSE
Silicon Valley and International Networks since 1984.
To create an NTFS volume you need to format a partition erasing all data. In this example we use /dev/sdb1:
fdisk -l /dev/sdb
Disk ''/dev/sdb'': 8254 MB, 8254390272 bytes 254 heads, 62 sectors/track, 1023 cylinders Units = cylinders of 15748 * 512 = 8062976 bytes Disk identifier: 0x1ebdf237 Device Boot Start End Blocks Id System ''/dev/sdb1'' 1 1023 8055071 83 Linux
Cluster size has been automatically set to 4096 bytes.
Initializing device with zeroes: 100% - Done. Creating NTFS volume structures. mkntfs completed successfully. Have a nice day.
# [[mkdir]] ''/mnt/ntfs'' # ntfs-3g ''/dev/sdb1'' ''/mnt/ntfs'' # [[ls]] ''/mnt/ntfs'' # [[echo]] ''hallo''>''/mnt/ntfs/welt'' # [[ll]] ''/mnt/ntfs/'' total 1 -rwxrwxrwx 1 root root 6 Dec 8 12:37 ''welt''ntfs3g uses fuse.
# mount [...] ''/dev/sdb1'' on /mnt/ntfs type fuseblk (rw,allow_other,blksize=4096)So you can just unmount it using the command umount:
# umount ''/dev/sdb1''
NTFS has several technical improvements over FAT and HPFS (High Performance File System), the file systems that it superseded, such as improved support for metadata, and the use of advanced data structures to improve performance, reliability, and disk space utilization, plus additional extensions, such as security access control lists (ACL) and file system journaling.
Mac OS X kernels also have a limited ability to read NTFS (as well as limited built-in write support, although this is not enabled by default); Linux and BSD kernels have a free and open-source driver for the NTFS filesystem with both read and write functionality.
In the mid-1980s, Microsoft and IBM formed a joint project to create the next generation of graphical operating system. The result of the project was OS/2, but Microsoft and IBM disagreed on many important issues and eventually separated: OS/2 remained an IBM project and Microsoft worked on Windows NT.
The OS/2 file system HPFS contained several important new features. When Microsoft created their new operating system, they borrowed many of these concepts for NTFS.<ref>
</ref> Probably as a result of this common ancestry, HPFS and NTFS use the same disk partition identification type code (07).
Using the same Partition ID Record Number is unusual, since there were dozens of available codes, and other major file systems have their own code. FAT has more than nine (one each for FAT12, FAT16, FAT32, etc.). Algorithms identifying the file system in a partition type 07 must perform additional checks. NTFS developers include: Tom Miller, Gary Kimura, Brian Andrew and David Goebel.<ref>
Microsoft has released five versions of NTFS:
</ref> Supports disk quotas, Encrypting File System, sparse files, reparse points, update sequence number (USN) journaling, the $Extend folder and its files. Reorganized security descriptors so that multiple files using the same security setting can share the same descriptor.<ref name=“insidewin2kntfs”/> Commonly called NTFS 5.0 after the OS release.
The NTFS.sys version number (e.g. v5.0 in Windows 2000) is based on the operating system version and should not be confused with the NTFS version number (v3.1 since Windows XP).<ref>
Although subsequent versions of Windows added new file system-related features, they did not change NTFS itself. For example, Windows Vista implemented NTFS symbolic links, Transactional NTFS, partition shrinking and self-healing.<ref>
</ref> All except NTFS symbolic links are operating system's features.
NTFS v3.0 includes several new features over its predecessors: sparse file support, disk usage quotas, reparse points, distributed link tracking, and file-level encryption, also known as the Encrypting File System (EFS).
In theory, the maximum NTFS volume size is 264−1 clusters. However, the maximum NTFS volume size as implemented in Windows XP Professional is 232−1 clusters partly due to partition table limitations. For example, using 64 kB clusters, the maximum Windows XP NTFS volume size is 256 TB minus 64 KB. Using the default cluster size of 4 kB, the maximum NTFS volume size is 16 TB minus 4 kB. (Both of these are vastly higher than the 128 GB limit lifted in Windows XP SP1.) Because partition tables on master boot record (MBR) disks support only partition sizes up to 2 TB, dynamic or GPT volumes must be used to create NTFS volumes over 2 TB. Booting from a GPT volume to a Windows environment in a Microsoft supported way requires a system with UEFI and 64-bit support.<ref>http://www.rodsbooks.com/gdisk/booting.html</ref>
The maximum theoretical file size on NTFS is 16 EB (
NTFS supports a maximum cluster size of 64 kB.<ref>
NTFS is a journaling file system and uses the NTFS Log ($LogFile) to record metadata changes to the volume. It is a critical functionality of NTFS (a feature that FAT does not provide) for ensuring that its internal complex data structures (notably the volume allocation bitmap), or data moves performed by the defragmentation API, the modifications to MFT records (such as moves of some variable-length attributes stored in MFT records and attribute lists), and indices (for directories and security descriptors) will remain consistent in case of system crashes, and allow easy rollback of uncommitted changes to these critical data structures when the volume is remounted.
The USN Journal (Update Sequence Number Journal) is a system management feature that records (in $Extend\$UsnJrnl) changes to files, streams and directories on the volume, as well as their various attributes and security settings. The journal is made available for applications to track changes to the volume.<ref>
</ref> This journal can be enabled or disabled on non-system volumes.<ref>
Hard links allows different file names to directly refer to the same file contents.
Hard links are similar to directory junctions, but refer to files instead. Hard links may link only to files in the same volume because each volume has its own MFT. Hard links have their own file metadata, so a change in file size or attributes under one hard link may not update the others until they are opened.<ref>
Hard links were originally included to support the POSIX subsystem in Windows NT.<ref>
Windows uses hard links to support short (8.3) filenames in NTFS. Operating system support is needed because there are legacy applications that can work only with 8.3 filenames. In this case, an additional filename record and directory entry is added, but both 8.3 and long file name are linked and updated together, unlike a regular hard link.
The NTFS file system has a limit of 1024 hard links on a file.<ref>
NTFS Streams were introduced in Windows NT 3.1, to enable Services for Macintosh (SFM) to store resource forks. Although current versions of Windows Server no longer include SFM, third-party Apple Filing Protocol (AFP) products (such as GroupLogic's ExtremeZ-IP) still use this feature of the file system. Very small ADS (named “Zone.Identifier”) are added by Internet Explorer and recently by other browsers to mark files downloaded from external sites as possibly unsafe to run; the local shell would then require user confirmation before opening them.<ref>
</ref> When the user indicates that they no longer want this confirmation dialog, this ADS is deleted.
Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size. When the file is copied or moved to another file system without ADS support the user is warned that alternate data streams cannot be preserved. No such warning is typically provided if the file is attached to an e-mail, or uploaded to a website. Thus, using alternate streams for critical data may cause problems. Microsoft provides a tool called Streams<ref>Sysinternals Streams v1.56</ref> to view streams on a selected volume. Starting with Windows PowerShell 3.0, it is possible to manage ADS natively with seven cmdlets: Add-Content, Clear-Content, Get-Content, Get-Item, Out-String, Remove-Item, Set-Content.<ref>
Malware has used alternate data streams to hide code.<ref>Malware utilising Alternate Data Streams?, AusCERT Web Log, 21 August 2007</ref> As a result, malware scanners and other special tools now check for alternate data streams.
</ref>). Files are compressed in 16-cluster chunks. With 4 kB clusters, files are compressed in 64 kB chunks. The compression algorithms in NTFS are designed to support cluster sizes of up to 4 kB. When the cluster size is greater than 4 kB on an NTFS volume, NTFS compression is not available.<ref>
</ref> If the compression reduces 64 kB of data to 60 kB or less, NTFS treats the unneeded 4 kB pages like empty sparse file clusters—they are not written. This allows for reasonable random-access times as the OS just has to follow the chain of fragments. However, large compressible files become highly fragmented since every chunk < 64KB becomes a fragment.<ref>
</ref> According to Microsoft's NTFS Development team’s research, 50–60 GB is a reasonable maximum size for a compressed file on an NTFS volume with a 4KB (default) cluster (block) size. This reasonable maximum size decreases sharply for volumes with smaller cluster sizes.<ref>
</ref> Single-user systems with limited hard disk space can benefit from NTFS compression for small files, from 4 kB to 64 kB or more, depending on compressibility. Files less than 900 bytes or so are stored within the directory entry at the MFT.<ref>
Flash memory, such as SSD drives do not have the head movement delays of hard disk drives, so fragmentation has only a smaller penalty. Users of fast multi-core processors will find improvements in application speed by compressing their applications and data as well as a reduction in space used.<ref>
</ref> Note that SSDs with Sandforce controllers already compress data. However, since less data is transferred, there is a reduction in I/Os.
Compression works best with files that have repetitive content, are seldom written, are usually accessed sequentially, and are not themselves compressed. Log files are an ideal example.
If system files that are needed at boot time (such as drivers, NTLDR, winload.exe, or BOOTMGR) are compressed, the system may fail to boot correctly, because decompression filters are not yet loaded.<ref>
</ref> Later editions of Windows
, do not allow important system files to be compressed.
Files may be compressed or decompressed individually (via changing the advanced attributes) for a drive, directory, or directory tree, becoming a default for the files inside.
Although read–write access to compressed files is mostly<ref>
</ref> transparent, Microsoft recommends avoiding compression on server systems and/or network shares holding roaming profiles because it puts a considerable load on the processor.<ref>“Best practices for NTFS compression in Windows.” Microsoft Knowledge Base. Retrieved on 2005-08-18.</ref> Since many fragments are created for compressible files, defragmentation may take longer.
Sparse files are files interspersed with empty segments for which no actual storage space is used. To the applications, the file looks like an ordinary file with empty regions seen as regions filled with zeros.<ref>
Database applications, for instance, may use sparse files.<ref>
</ref> As with compressed files, the actual sizes of sparse files are not taken into account when determining quota limits.<ref>
The Volume Shadow Copy Service (VSS) keeps historical versions of files and folders on NTFS volumes by copying old, newly overwritten data to shadow copy via copy-on-write technique. The user may later request an earlier version to be recovered. This also allows data backup programs to archive files currently in use by the file system. On heavily loaded systems, Microsoft recommends setting up a shadow copy volume on a separate disk.<ref>
Windows Vista also introduced persistent shadow copies for use with System Restore and Previous Versions features. Persistent shadow copies, however, are deleted when an older operating system mounts that NTFS volume. This happens because the older operating system does not understand the newer format of persistent shadow copies.<ref>
As of Windows Vista, applications can use Transactional NTFS (TxF) to group changes to files together into a transaction. The transaction will guarantee that all changes happen, or none of them do, and it will guarantee that applications outside the transaction will not see the changes until they are committed.<ref>
It uses similar techniques as those used for Volume Shadow Copies (i.e. copy-on-write) to ensure that overwritten data can be safely rolled back, and a CLFS log to mark the transactions that have still not been committed, or those that have been committed but still not fully applied (in case of system crash during a commit by one of the participants).
Transactional NTFS does not restrict transactions to just the local NTFS volume, but also includes other transactional data or operations in other locations such as data stored in separate volumes, the local registry, or SQL databases, or the current states of system services or remote services. These transactions are coordinated network-wide with all participants using a specific service, the DTC, to ensure that all participants will receive same commit state, and to transport the changes that have been validated by any participant (so that the others can invalidate their local caches for old data or rollback their ongoing uncommitted changes). Transactional NTFS allows, for example, the creation of network-wide consistent distributed file systems, including with their local live or offline caches.
Microsoft now advise against using TxF: “Microsoft strongly recommends developers utilize alternative means…” since “TxF may not be available in future versions of Microsoft Windows”<ref name=NTFS-TxF>
In NTFS, each file or folder is assigned a security descriptor that defines its owner and contains two access control lists (ACLs). The first ACL, called discretionary access control list (DACL), defines exactly what type of interaction (e.g. reading, writing, executing or deleting) is allowed or forbidden by which user or groups of users. For example, files in C:\Program Files folder may be read and executed by all users but modified only by a user holding administrative privileges.<ref name=“:0”>
The second ACL, called system access control list (SACL), defines which interactions with the file or folder are to be audited and whether they should be logged when the activity is successful, failed or both. For example, auditing can be enabled on sensitive files of a company, so that its managers get to know when someone tries to delete them or make a copy of them, and whether he or she succeeds.<ref name=“:0”/>
Encrypting File System (EFS) provides strong<ref>
</ref> and user-transparent encryption of any file or folder on an NTFS volume. EFS works in conjunction with the EFS service, Microsoft's CryptoAPI and the EFS File System Run-Time Library (FSRTL). EFS works by encrypting a file with a bulk symmetric key (also known as the File Encryption Key, or FEK), which is used because it takes a relatively small amount of time to encrypt and decrypt large amounts of data than if an asymmetric key cipher is used. The symmetric key that is used to encrypt the file is then encrypted with a public key that is associated with the user who encrypted the file, and this encrypted data is stored in an alternate data stream of the encrypted file. To decrypt the file, the file system uses the private key of the user to decrypt the symmetric key that is stored in the file header. It then uses the symmetric key to decrypt the file. Because this is done at the file system level, it is transparent to the user.<ref>
</ref> Also, in case of a user losing access to their key, support for additional decryption keys has been built into the EFS system, so that a recovery agent can still access the files if needed. NTFS-provided encryption and NTFS-provided compression are mutually exclusive; however, NTFS can be used for one and a third-party tool for the other.
The support of EFS is not available in Basic, Home, and MediaCenter versions of Windows, and must be activated after installation of Professional, Ultimate, and Server versions of Windows or by using enterprise deployment tools within Windows domains.
Disk quotas were introduced in NTFS v3. They allow the administrator of a computer that runs a version of Windows that supports NTFS to set a threshold of disk space that users may use. It also allows administrators to keep track of how much disk space each user is using. An administrator may specify a certain level of disk space that a user may use before they receive a warning, and then deny access to the user once they hit their upper limit of space. Disk quotas do not take into account NTFS's transparent file-compression, should this be enabled. Applications that query the amount of free space will also see the amount of free space left to the user who has a quota applied to them.
NTFS reparse points, introduced in NTFS v3, are used by associating a reparse tag in the user space attribute of a file or directory. Microsoft includes several default tags including NTFS symbolic links, directory junction points and volume mount points. When the object manager (see Windows NT line executive) parses a file system name lookup and encounters a reparse attribute, it will reparse the name lookup, passing the user controlled reparse data to every file system filter driver that is loaded into Windows. Each filter driver examines the reparse data to see whether it is associated with that reparse point, and if that filter driver determines a match, then it intercepts the file system call and executes its special functionality.
Starting with Windows Vista Microsoft added the built-in ability to shrink or expand a partition, but this capability is limited because it will not relocate page file fragments or files that have been marked as unmovable. So shrinking will often require relocating or disabling any page file, the index of Windows Search, and any Shadow Copy used by System Restore. Various third-party tools are capable of resizing NTFS partitions.
Internally, NTFS uses B+ trees to index file system data. Although complex to implement, this allows faster file look up times in most cases. A file system journal is used to guarantee the integrity of the file system metadata but not individual files' content. Systems using NTFS are known to have improved reliability compared to FAT file systems.<ref>
NTFS allows any sequence of 16-bit values for name encoding (file names, stream names, index names, etc.) except 0x0000. This means UTF-16 code units are supported, but the file system does not check whether a sequence is valid UTF-16 (it allows any sequence of short values, not restricted to those in the Unicode standard). File names are limited to 255 UTF-16 code units. Certain names are reserved in the volume root directory and cannot be used for files. These are
.<ref name=“How NTFS Works”/> (dot) and $Extend are both directories; the others are files. The NT kernel limits full paths to 32,767 UTF-16 code units. There are some additional restrictions on code points and file names.<ref>
|Byte Offset||Field length||Typical Value||Field Name||Purpose|
|0x00||3 bytes||0xEB5290||JMP instruction||Causes execution to continue after the data structures in this boot sector.|
|0x03||8 bytes|| “
”<br/><small>Word “NTFS” followed by four trailing spaces (0x20)</small>
|OEM ID||This is the magic cookie that indicates this is an NTFS file system.|
|0x0B||2 bytes||0x0200||Bytes per sector||How many bytes are in a sector?|
|0x0D||1 byte||0x08||Sectors Per Cluster||How many sectors are in a cluster?|
|0x0E||2 bytes||0x0000||Reserved Sectors||How much space is reserved by the OS. Not specified as to where in the reference cited.|
|0x10||3 bytes||0x000000||Unused||This field is always 0|
|0x13||2 bytes||0x0000||Unused by NTFS||This field is always 0|
|0x15||1 byte||0xF8||Media Descriptor||Not specified in reference cited.|
|0x16||2 bytes||0x0000||Unused||This field is always 0|
|0x18||2 bytes||0x003F||Sectors Per Track||How many sectors are there per track?|
|0x1A||2 bytes||0x00FF||Number Of Heads||How many magnetic read-write heads are there in this drive?|
|0x1C||4 bytes||0x0000003F||Hidden Sectors||How many hidden sectors are there? Location not specified in reference cited.|
|0x20||4 bytes||0x00000000||Unused||Not used by NTFS|
|0x24||4 bytes||0x80008000||Unused||Not used by NTFS|
|0x28||8 bytes||0x00000000007FF54A||Total sectors||How many sectors are in this partition?|
|0x30||8 bytes||0x0000000000000004||$MFT cluster number||Which cluster contains the $MFT?|
|0x38||8 bytes||0x000000000007FF54||$MFTMirr cluster number||Which cluster contains the mirror (backup) $MFT|
|0x40||1 byte||0xF6||Bytes Per File Record Segment||How many bytes per file record segment? If negative then value is 2 to the power of -value, e.g. if value is 0xF6 then record length is 2^10 (10==-0xf6)|
|0x41||3 bytes||0x000000||Unused||This field is not used by NTFS|
|0x44||1 byte||0x01||Clusters Per Index Buffer||How many clusters per index buffer? Algorithm as for bytes per record above|
|0x45||3 bytes||0x000000||Unused||This field is not used by NTFS|
|0x48||8 bytes||0x1C741BC9741BA514||Volume Serial Number||A unique random number assigned to this partition, to keep things organized.|
|0x50||4 bytes||0x00000000||Checksum||A checksum of the previous values. Algorithm not described in cited article.|
|0x54||426 bytes||Bootstrap Code||The code that loads the rest of the operating system. This is pointed to by the first 3 bytes of this sector.|
|0x01FE||2 bytes||0xAA55||End-of-sector Marker||This flag indicates that this is a valid boot sector.|
In NTFS, all file, directory and metafile data—file name, creation date, access permissions (by the use of access control lists), and size—are stored as metadata in the Master File Table (MFT). This abstract approach allowed easy addition of file system features during Windows NT's development—an example is the addition of fields for indexing used by the Active Directory software. This also enables fast file search software such as Everything to locate named local files and folders included in the MFT very fast, without requiring any other index.
The MFT structure supports algorithms which minimize disk fragmentation.<ref>
</ref> A directory entry consists of a filename and a “file ID”, which is the record number representing the file in the Master File Table. The file ID also contains a reuse count to detect stale references. While this strongly resembles the W_FID of Files-11, other NTFS structures radically differ.
Two copies of the MFT are stored in case of corruption. If the first record is corrupted, NTFS reads the second record to find the MFT mirror file. Locations for both files are stored in the boot sector.<ref>NTFS Master File Table (MFT). Information on structure of MFT file.</ref>
NTFS contains several files that define and organize the file system. In all respects, most of these files are structured like any other user file ($Volume being the most peculiar), but are not of direct interest to file system clients. These metafiles define files, back up critical file system data, buffer file system changes, manage free space allocation, satisfy BIOS expectations, track bad allocation units, and store security and disk space usage information. All content is in an unnamed data stream, unless otherwise indicated.
|Segment Number||File Name||Purpose|
|Describes all files on the volume, including file names, timestamps, stream names, and lists of cluster numbers where data streams reside, indexes, security identifiers, and file attributes like “read only”, “compressed”, “encrypted”, etc.|
|Duplicate of the first vital entries of $MFT, usually 4 entries (4 Kilobytes).|
|Contains transaction log of file system metadata changes.|
|Contains information about the volume, namely the volume object identifier, volume label, file system version, and volume flags (mounted, chkdsk requested, requested $LogFile resize, mounted on NT 4, volume serial number updating, structure upgrade request). This data is not stored in a data stream, but in special MFT attributes: If present, a volume object ID is stored in an $OBJECT_ID record; the volume label is stored in a $VOLUME_NAME record, and the remaining volume data is in a $VOLUME_INFORMATION record. Note: volume serial number is stored in file $Boot (below).|
|A table of MFT attributes that associates numeric identifiers with names.|
|Root directory. Directory data is stored in $INDEX_ROOT and $INDEX_ALLOCATION attributes both named $I30.|
|An array of bit entries: each bit indicates whether its corresponding cluster is used (allocated) or free (available for allocation).|
|Volume boot record. This file is always located at the first clusters on the volume. It contains bootstrap code (see NTLDR/BOOTMGR) and a BIOS parameter block including a volume serial number and cluster numbers of $MFT and $MFTMirr.|
|A file that contains all the clusters marked as having bad sectors. This file simplifies cluster management by the chkdsk utility, both as a place to put newly discovered bad sectors, and for identifying unreferenced clusters. This file contains two data streams, even on volumes with no bad sectors: an unnamed stream contains bad sectors—it is zero length for perfect volumes; the second stream is named $Bad and contains all clusters on the volume not in the first stream.|
|Access control list database that reduces overhead having many identical ACLs stored with each file, by uniquely storing these ACLs only in this database (contains two indices: $SII (Standard_Information ID) and $SDH (Security Descriptor Hash), which index the stream named $SDS containing actual ACL table).<ref name=“insidewin2kntfs”/>|
|A table of unicode uppercase characters for ensuring case-insensitivity in Win32 and DOS namespaces.|
|A file system directory containing various optional extensions, such as $Quota, $ObjId, $Reparse or $UsnJrnl.|
|12–23||Reserved for $MFT extension entries. Extension entries are additional MFT records that contain additional attributes that do not fit in the primary record. This could occur if the file is sufficiently fragmented, has many streams, long filenames, complex security, or other rare situations.|
|Holds disk quota information. Contains two index roots, named $O and $Q.|
|Holds link tracking information. Contains an index root and allocation named $O.|
|Holds reparse point data (such as symbolic links). Contains an index root and allocation named $R.|
|27—||Beginning of regular file entries.|
These metafiles are treated specially by Windows, handled directly by the
driver and are difficult to directly view: special purpose-built tools are needed.<ref>Since Windows XP, it is very difficult to view a listing of these files: they exist in the root directory's index, but the Win32 interface filters them out. In NT 4.0, the command line
command would list the metafiles in the root directory if
were specified. In Windows 2000,
stopped working, but
dir /a \$MFT
worked.</ref> As of Windows 7, the NTFS driver completely prohibits user access, resulting in a BSoD whenever an attempt to execute a metadata file is made. One such tool is the nfi.exe (“NTFS File Sector Information Utility”) that is freely distributed as part of the Microsoft “OEM Support Tools”. For example, to obtain information on the “$MFT”-Master File Table Segment the following command is used:
</ref> Another way to bypass the restriction is to use 7-zip's file manager and go to the low-level NTFS path
resembles any drive/partition). Here, 3 new folders will appear:
(a pseudo-folder that 7-zip uses to attach files deleted from the file system to view), and
(another pseudo-folder that contains all the NTFS metadata files). This trick can be used from removable devices (USB flash drives, external hard drives, SD Cards, etc.) inside Windows, but doing this on the active partition requires offline access (namely WinRE)
For each file (or directory) described in the MFT record, there is a linear repository of stream descriptors (also named attributes), packed together in one or more MFT records (containing the so-called attributes list), with extra padding to fill the fixed 1 KB size of every MFT record, and that fully describes the effective streams associated with that file.
Each attribute has an attribute type (a fixed-size integer mapping to an attribute definition in file $AttrDef), an optional attribute name (for example, used as the name for an alternate data stream), and a value, represented in a sequence of bytes. For NTFS, the standard data of files, the alternate data streams, or the index data for directories are stored as attributes.
According to $AttrDef, some attributes can be either resident or non-resident. The $DATA attribute, which contains file data, is such an example. When the attribute is resident (which is represented by a flag), its value is stored directly in the MFT record. Otherwise, clusters are allocated for the data, and the cluster location information is stored as data runs in the attribute.
All attributes of a given file may be displayed by using the nfi.exe (“NTFS File Sector Information Utility”) that is freely distributed as part of the Microsoft “OEM Support Tools”.<ref name=“support.microsoft.com”/>
Windows system calls may handle alternate data streams.<ref name=“How NTFS Works”/> Depending on the operating system, utility and remote file system, a file transfer might silently strip data streams.<ref name=“How NTFS Works”/> A safe way of copying or moving files is to use the BackupRead and BackupWrite system calls, which allow programs to enumerate streams, to verify whether each stream should be written to the destination volume and to knowingly skip unwanted streams.<ref name=“How NTFS Works”/>
To optimize the storage and reduce the I/O overhead for the very common case of attributes with very small associated value, NTFS prefers to place the value within the attribute itself (if the size of the attribute does not then exceed the maximum size of an MFT record), instead of using the MFT record space to list clusters containing the data; in that case, the attribute will not store the data directly but will just store an allocation map (in the form of data runs) pointing to the actual data stored elsewhere on the volume.<ref>blogs.technet.com: Jeff Hughes, The Four Stages of NTFS File Growth (2009)</ref> When the value can be accessed directly from within the attribute, it is called “resident data” (by computer forensics workers). The amount of data that fits is highly dependent on the file's characteristics, but 700 to 800 bytes is common in single-stream files with non-lengthy filenames and no ACLs.
The allocation map is stored in a form of data runs with compressed encoding. Each data run represents a contiguous group of clusters that store the attribute value. For files on a multi-GB volume, each entry can be encoded as 5 to 7 bytes, which means a 1 KB MFT record can store about 100 such data runs. However, as the $ATTRIBUTE_LIST also has a size limit, it is dangerous to have more than 1 million fragments of a single file on an NTFS volume, which also implies that it is in general not a good idea to use NTFS compression on a file larger than 10 GB.<ref>Microsoft KB: A heavily fragmented file in an NTFS volume may not grow beyond a certain size (2012)</ref>
The NTFS file system driver will sometimes attempt to relocate the data of some of the attributes that can be made non-resident into the clusters, and will also attempt to relocate the data stored in clusters back to the attribute inside the MFT record, based on priority and preferred ordering rules, and size constraints.
Since resident files do not directly occupy clusters (“allocation units”), it is possible for an NTFS volume to contain more files on a volume than there are clusters. For example, a 74.5 GB partition NTFS formats with 19,543,064 clusters of 4 KB. Subtracting system files (a 64 MB log file, a 2,442,888-byte Bitmap file, and about 25 clusters of fixed overhead) leaves 19,526,158 clusters free for files and indices. Since there are four MFT records per cluster, this volume theoretically could hold almost 4 × 19,526,158= 78,104,632 resident files.
Opportunistic locks (oplocks) allow clients to alter their buffering strategy for a given file or stream in order to increase performance and reduce network use.<ref>http://msdn.microsoft.com/en-us/library/cc308442.aspx</ref> Oplocks apply to the given open stream of a file and do not affect oplocks on a different stream.
Oplocks can be used to transparently access files in the background. A network client may avoid writing information into a file on a remote server if no other process is accessing the data, or it may buffer read-ahead data if no other process is writing data.
Windows supports four different types of oplocks:
Opportunistic locks have been enhanced in Windows 7 and Windows Server 2008 R2 with per-client oplock keys.<ref>http://technet.microsoft.com/en-us/library/ff383236(WS.10).aspx</ref>
Windows NT and its descendants keep internal timestamps as UTC and make the appropriate conversions for display purposes. Therefore, NTFS timestamps are in UTC.
For historical reasons, the versions of Windows that do not support NTFS all keep time internally as local zone time, and therefore so do all file systems other than NTFS that are supported by current versions of Windows. This means that when files are copied or moved between NTFS and non-NTFS partitions, the OS needs to convert timestamps on the fly. But if some files are moved when daylight saving time (DST) is in effect, and other files are moved when standard time is in effect, there can be some ambiguities in the conversions. As a result, especially shortly after one of the days on which local zone time changes, users may observe that some files have timestamps that are incorrect by one hour. Due to the differences in implementation of DST in different jurisdictions, this can result in a potential timestamp error of up to 4 hours in any given 12 months.<ref>“Beating the Daylight Saving Time bug and getting correct file modification times” The Code Project</ref>
While the different NTFS versions are for the most part fully forward- and backward-compatible, there are technical considerations for mounting newer NTFS volumes in older versions of Microsoft Windows. This affects dual-booting, and external portable hard drives. For example, attempting to use an NTFS partition with “Previous Versions” (a.k.a. Volume Shadow Copy) on an operating system that does not support it will result in the contents of those previous versions being lost.<ref>
</ref> A Windows command-line utility called convert.exe can convert supporting file systems to NTFS, including HPFS (only on Windows NT 3.1, 3.5, and 3.51), FAT16 and FAT32 (on Windows 2000 and later).<ref>
Mac OS X 10.3 and later include read-only support for NTFS-formatted partitions. The GPL-licensed NTFS-3G also works on Mac OS X through FUSE and allows reading and writing to NTFS partitions. A performance enhanced commercial version, called Tuxera NTFS for Mac,<ref>
</ref> is also available from the NTFS-3G developers. Paragon Software Group sells a read-write driver named NTFS for Mac OS X,<ref>
</ref> which is also included on some models of Seagate hard drives.<ref>Seagate Read/Write NTFS driver for Mac OS X</ref> Native NTFS write support has been discovered in Mac OS X 10.6 and later, but is not activated by default, although workarounds do exist to enable the functionality. However, user reports indicate the functionality is unstable and tends to cause kernel panics, probably the reason why write support has not been enabled or advertised.<ref>
Linux kernel versions 2.2.0 and later include the ability to read NTFS partitions; kernel versions 2.6.0 and later contain a driver written by Anton Altaparmakov (University of Cambridge) and Richard Russon which supports file read, overwrite and resize. Three userspace drivers (NTFSMount, NTFS-3G and Captive NTFS, a 'wrapping' driver that uses Windows' own driver, ntfs.sys) exist for NTFS support. They are built on the Filesystem in Userspace (FUSE), a Linux kernel module tasked with bridging userspace and kernel code to save and retrieve data. All three are licensed under the terms of the GNU General Public License (GPL). Due to the complexity of internal NTFS structures, both the built-in 2.6.14 kernel driver and the FUSE drivers disallow changes to the volume that are considered unsafe, to avoid corruption.
Two proprietary solutions also exist:
eComStation, and FreeBSD offer read-only NTFS support (there is a beta NTFS driver that allows write/delete for eComStation, but is generally considered unsafe). A free third-party tool for BeOS, which was based on NTFS-3G, allows full NTFS read and write. NTFS-3G also works on Mac OS X, FreeBSD, NetBSD, Solaris, QNX and Haiku, in addition to Linux, through FUSE.<ref>
</ref> A free for personal use read/write driver for MS-DOS called “NTFS4DOS” also exists.<ref>
</ref><ref>Download of NTFS4DOS.EXE NTFS driver for DOS at Softpedia.com</ref> Ahead Software developed a “NTFSREAD” driver (version 1.200) for DR-DOS 7.0x between 2002 and 2004. It was part of their Nero Burning ROM software. OpenBSD offer native read-only NTFS support by default on i386 and amd64 platforms as of version 4.9 released 1 May 2011.<ref>http://openbsd.com/49.html</ref> Read/write support through NTFS-3G are possible in OpenBSD -current as of 1 November 2013 (first release is OpenBSD 5.5 on 1 May 2014) as OpenBSD henceforth has its own FUSE implementation<ref>