windows MFT文件的位置?

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/2948229/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-09-15 14:33:35  来源:igfitidea点击:

Location of MFT file?

windowsntfsntfs-mft

提问by Usman

I have a partition, formatted as NTFS. I have studied that devices formatted as NTFS have a MFT (Master File Table) which contains a lot of information about the contents of a devices.

我有一个分区,格式化为 NTFS。我研究过格式化为 NTFS 的设备有一个 MFT(主文件表),其中包含有关设备内容的大量信息。

Is MFT really a file?
Where is it located?
How can I view it?

MFT真的是一个文件吗?
它位于哪里?
如何查看?

I, actually want to view the $BITMAP to know the locations of all the files and directories in a partition.

我,实际上是想查看 $BITMAP 以了解分区中所有文件和目录的位置。

Update: Seems like I can only view the MFT file using HexEditor. Still searching for more options though...

更新:似乎我只能使用 HexEditor 查看 MFT 文件。仍在寻找更多选择...

回答by akarnokd

Accessing a disk's cluster BITMAP can be read via the FSCTL_GET_VOLUME_BITMAPAPI call. However, it won't tell what files are at each cluster. You need either parse the MFT (faster) or recursively call FSCTL_GET_RETRIEVAL_POINTERSon each file (slow).

访问磁盘的集群 BITMAP 可以通过FSCTL_GET_VOLUME_BITMAPAPI 调用读取。但是,它不会告诉每个集群中有哪些文件。您需要解析 MFT(更快)或递归调用每个文件上的FSCTL_GET_RETRIEVAL_POINTERS(慢)。

回答by WarriorPrince

If your intention is to list files from a drive and view the path of them then check the source files here a link. This guy parses the MFT and searches for a file present inside it or not. Just modify the code can help you get the path of files and directories.

如果您打算列出驱动器中的文件并查看它们的路径,请在此处查看源文件的链接。这家伙解析 MFT 并搜索其中是否存在文件。只需修改代码即可帮助您获取文件和目录的路径。

回答by Stas

I don't exactly know where it is but you can try next path \\.\C:, as I understood it is it. You can have a look on this programthat shows how to get deleted files.

我不完全知道它在哪里,但你可以尝试下一条路径\\.\C:,据我所知。您可以查看该程序该程序显示了如何获取已删除的文件。

回答by Pavel Radzivilovsky

MFT is not a file. MFT is a part of the file system. To view it, you will have to access disk on lower level, such as block mode.

MFT 不是文件。MFT 是文件系统的一部分。要查看它,您必须访问较低级别的磁盘,例如块模式。