[Linux-NTFS-Dev] Windows Device driver for NTFS

Anton Altaparmakov aia21 at cam.ac.uk
Sat Feb 25 14:01:46 CST 2006

On Sat, 25 Feb 2006, Gerold J. Wucherpfennig wrote:
> Can anybody help me to code a little driver for a virtual hard disk drive for
> examination of undocumented NTFS filesystem structures i.e. the $LOGFILE 
> (journaling of NTFS)? The data should be written to e.g. C:\image.bin, 
> filesize e.g. 50MB which will correspond to a drive e.g. Z:, drive size 50MB.
> After every write the driver should be paused to examine the C:\image.bin
> to get the undocumented structure of the file $LOGFILE?
> Can anybody help me? I'm a little confused by the windows DDK documentation
> and tutorials found on the internet. I've already downloaded the windows DDK.
> Please CC me and excuse me for crossposting. Regards,

Go to: http://www.acc.umu.se/~bosse/

It will answer all your questions and more.  In particular you will 
probably want a copy of the ntifs.h header file there as well as copy of 
the FileDisk driver source code (source + binary is in the zip file) 
which is what you want to write...  Instead of pausing you may want to 
just modify the driver to keep a change log of what it is writing where or 
to even just create a whole copy of the image every time a write occurs or 

Have fun!

Note three things:

1) You will want to disable write caching on the "disk" from Windows 
(can't remember where it is exactly but it is something like "optimize 
for quick removal" or some similar name).

2) Note that you will not actually see small modifications to $LogFile 
because they are all done in memory and only when (one or more?) complete 
log record pages are done do they get given to the nt cache manager which 
flushes them to disk.  So you are likely to only see 4k or larger writes at 
a time so you will never be able to see the actual fine granularity that 
you really need to see to figure out the $LogFile internals properly.

3) Look at the current ntfs kernel driver (2.6 kernels) or in 
ntfsprogs/libntfs in the header file fs/ntfs/logfile.h (kernel) or 
include/ntfs/logfile.h (ntfsprogs/libntfs) for the restart page 
definitions and fs/ntfs/logfile.c and libntfs/(somewhere).c for logfile 
parsing functions.  They are pretty advanced in that they properly parse 
and sanity check the restart areas of a logfile $LogFile and analyse if 
the volume has been shut down cleanly or not.  The only case they cannot 
tell is when the volume looks like it is dirty but if you were able to 
actually parse all the log record pages, you would find it to be clean 
after all (e.g. there was no activity on the system when the power failed 
so system was idle and no disk activity hence no non-checkpointed 
transactions present) but we can't tell that because we do not understand 
the log record pages.

Oh also there is a book with a high level overview of how logging in 
Windows/ntfs works.  It is "Inside Windows 2000, 3rd Ed" (or "Inside 
Windows NT, 2nd Ed") [ there may now be a more recent edition, don't know 
], this is from Microsoft Press and authors are David Solomon (only author 
on 2nd Ed) and Mark Russinovich.  See 

Best regards,

Anton Altaparmakov <aia21 at cam.ac.uk> (replace at with @)
Unix Support, Computing Service, University of Cambridge, CB2 3QH, UK
Linux NTFS maintainer / IRC: #ntfs on irc.freenode.net
WWW: http://linux-ntfs.sf.net/ & http://www-stu.christs.cam.ac.uk/~aia21/
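The restart-area check that note 3 above describes, written out as an added example (it is neither the kernel driver's nor ntfsprogs' code): a Python parser for one $LogFile restart page that undoes the update sequence array protection, sanity-checks the RESTART_PAGE_HEADER and RESTART_AREA fields, and reports whether the volume looks cleanly shut down. The field layout, the RESTART_VOLUME_IS_CLEAN value 0x0002, LOGFILE_NO_CLIENT 0xffff, the 0xa0-byte client record size and the "all-0xff page means an empty, hence clean, log" rule are recalled from the Linux driver's logfile.h and stated here as assumptions; the sample pages are constructed in the block, not captured from a real volume. A torn page (one whose sector tails no longer carry the update sequence number, as after a power failure mid-write) is rejected rather than decoded.

```python
"""Parse an NTFS $LogFile restart page and decide clean vs. dirty shutdown.
Added example; structure offsets are assumptions recalled from the Linux
fs/ntfs/logfile.h definitions, not copied from any project's source."""
import struct

SECTOR = 512                      # update sequence protection covers 512-byte blocks
RSTR_MAGIC = b"RSTR"
CHKD_MAGIC = b"CHKD"              # restart page last written by chkdsk
EMPTY_MAGIC = b"\xff\xff\xff\xff"  # page never written: log is empty
LOGFILE_NO_CLIENT = 0xFFFF
RESTART_VOLUME_IS_CLEAN = 0x0002  # RESTART_AREA.flags bit (assumed value)
LOG_CLIENT_RECORD_SIZE = 0xA0     # assumed sizeof(LOG_CLIENT_RECORD)
# RESTART_PAGE_HEADER: magic, usa_ofs, usa_count, chkdsk_lsn, system_page_size,
# log_page_size, restart_area_offset, minor_ver, major_ver (30 bytes)
RPH_FMT = "<4sHHQIIHhh"
# RESTART_AREA: current_lsn, log_clients, client_free_list, client_in_use_list,
# flags, seq_number_bits, restart_area_length, client_array_offset, file_size,
# last_lsn_data_length, log_record_header_length, log_page_data_offset,
# restart_log_open_count, reserved (48 bytes)
RA_FMT = "<QHHHHIHHqIHHII"


def apply_fixups(page):
    """Undo the update sequence array: each 512-byte block ends with the usn and
    its real last two bytes sit in the array.  A mismatch means a torn write."""
    usa_ofs, usa_count = struct.unpack_from("<HH", page, 4)
    if usa_count != len(page) // SECTOR + 1 or usa_ofs + 2 * usa_count > len(page):
        raise ValueError("bad update sequence array (ofs=%d count=%d)" % (usa_ofs, usa_count))
    usn = page[usa_ofs:usa_ofs + 2]
    buf = bytearray(page)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError("block %d: usn mismatch, page is torn" % (i - 1))
        buf[end - 2:end] = page[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(buf)


def protect_with_fixups(page, usn):
    """Inverse of apply_fixups; only used to build the constructed sample pages."""
    usa_ofs, usa_count = struct.unpack_from("<HH", page, 4)
    buf = bytearray(page)
    struct.pack_into("<H", buf, usa_ofs, usn)
    for i in range(1, usa_count):
        end = i * SECTOR
        buf[usa_ofs + 2 * i:usa_ofs + 2 * i + 2] = page[end - 2:end]
        struct.pack_into("<H", buf, end - 2, usn)
    return bytes(buf)


def parse_restart_page(raw):
    """Decode one restart page; raise ValueError on anything a sanity check rejects."""
    if raw[:4] == EMPTY_MAGIC:
        return {"empty": True, "clean": True}  # nothing was ever logged, nothing to replay
    if raw[:4] not in (RSTR_MAGIC, CHKD_MAGIC):
        raise ValueError("not a restart page: %r" % raw[:4])
    page = apply_fixups(raw)
    (magic, usa_ofs, usa_count, chkdsk_lsn, sys_page_size, log_page_size,
     ra_ofs, minor_ver, major_ver) = struct.unpack_from(RPH_FMT, page, 0)
    for name, v in (("system_page_size", sys_page_size), ("log_page_size", log_page_size)):
        if v < SECTOR or v & (v - 1):
            raise ValueError("%s %d is not a power of two >= 512" % (name, v))
    if sys_page_size != len(page):
        raise ValueError("system_page_size %d != page length %d" % (sys_page_size, len(page)))
    if (major_ver, minor_ver) != (1, 1):
        raise ValueError("unsupported $LogFile version %d.%d" % (major_ver, minor_ver))
    if (ra_ofs & 7 or ra_ofs < usa_ofs + 2 * usa_count
            or ra_ofs + struct.calcsize(RA_FMT) > sys_page_size):
        raise ValueError("restart_area_offset %d out of range" % ra_ofs)
    (current_lsn, log_clients, client_free_list, client_in_use_list, flags,
     seq_number_bits, ra_len, ca_ofs, file_size, last_lsn_data_length,
     lrh_len, lpd_ofs, open_count, _reserved) = struct.unpack_from(RA_FMT, page, ra_ofs)
    if (ra_ofs + ra_len > sys_page_size or ca_ofs < struct.calcsize(RA_FMT)
            or ca_ofs + log_clients * LOG_CLIENT_RECORD_SIZE > ra_len):
        raise ValueError("restart area / client array does not fit (len=%d ca_ofs=%d clients=%d)"
                         % (ra_len, ca_ofs, log_clients))
    if client_in_use_list != LOGFILE_NO_CLIENT and client_in_use_list >= log_clients:
        raise ValueError("client_in_use_list %d >= log_clients %d" % (client_in_use_list, log_clients))
    # Clean iff no client holds the log open, or the clean flag was written at shutdown.
    clean = client_in_use_list == LOGFILE_NO_CLIENT or bool(flags & RESTART_VOLUME_IS_CLEAN)
    return {"empty": False, "magic": magic, "chkdsk_lsn": chkdsk_lsn, "current_lsn": current_lsn,
            "log_clients": log_clients, "client_in_use_list": client_in_use_list, "flags": flags,
            "file_size": file_size, "open_count": open_count, "clean": clean}


def build_restart_page(flags, client_in_use_list, page_size=4096, usn=0x0102):
    """Constructed sample page with one log client (not captured from a real volume)."""
    buf = bytearray(page_size)
    usa_count = page_size // SECTOR + 1
    usa_ofs, ra_ofs, ca_ofs = 30, 48, 48
    free_list = 0 if client_in_use_list == LOGFILE_NO_CLIENT else LOGFILE_NO_CLIENT
    struct.pack_into(RPH_FMT, buf, 0, RSTR_MAGIC, usa_ofs, usa_count, 0,
                     page_size, page_size, ra_ofs, 1, 1)
    struct.pack_into(RA_FMT, buf, ra_ofs, 0x12345678, 1, free_list, client_in_use_list, flags,
                     43, ca_ofs + LOG_CLIENT_RECORD_SIZE, ca_ofs, 4 * 1024 * 1024, 0,
                     0x30, 0x40, 7, 0)
    return protect_with_fixups(bytes(buf), usn)


def demo():
    """Exercise the three verdicts plus a torn page; returns a dict for checking."""
    results = {
        "clean_flag": parse_restart_page(build_restart_page(RESTART_VOLUME_IS_CLEAN, 0))["clean"],
        "no_client": parse_restart_page(build_restart_page(0, LOGFILE_NO_CLIENT))["clean"],
        "dirty": parse_restart_page(build_restart_page(0, 0))["clean"],
    }
    torn = bytearray(build_restart_page(0, 0))
    torn[1023] ^= 0xFF  # corrupt the usn slot at the end of block 1
    try:
        parse_restart_page(bytes(torn))
        results["torn"] = "accepted"
    except ValueError as e:
        results["torn"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The "dirty" verdict is exactly the ambiguous case the message points out: a client is still registered and the clean flag is unset, which is what an idle machine losing power would leave behind, and without decoding the log record pages that cannot be told apart from a real in-flight transaction. A tool dumping a FileDisk-style image after each write would feed its 4k pages through parse_restart_page in this way.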
