Reading the $mft file from an NTFS drive

Question

0.00/5 (No votes)

See more:

, +

Hello,
For a project I'm assisting with I need to open the $MFT (the actual file) and calculate its MD5.
Windows does acknowledge its existence (i.e. Create file to \\.\c:\$mft works) but any attempt to read from it returns Access denied error.
tried a different approach with FSCTL_GET_RETRIEVAL_POINTERS, the call works but I couldn't find any code example on how to go over the file one cluster a time.
An NTFS Parser Lib[^] is a great project that can actually do what I want but it uses a GPL licence so I can't take code directly off it.
plus i think using it might be somewhat of an overkill anyway.
Any info would be welcomed.
Thanks.

Posted 7-Feb-11 5:45am

hjaiuyg

Updated 11-Jul-17 2:25am

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Andrew Brock · Answer 1 · 2011-02-07T17:22:00

You will need to open the HDD (or better yet, just the partition) with direct access, then write your own file system library. You were pretty much doing this. Just use "\\\\.\\C:"

The good news is that this is not as hard as it sounds.

I would STRONGLY reccommend getting a hex editor. I use the excellent Breakpoint Hex Workshop[^] but it is not free. Try searching around for 1 that can open HDDs.

I would recommend that you get a basic understanding of the FAT filesystem first. Although the idea of NTFS is remarkably different the implementation of core features is almost identical for accessing the $FILEs such as $MFT.

There is a website http://www.ntfs.com/[^] which I used for helping my understanding of the NTFS filesystem, although I already knew the FAT filesystem.

In addition. You can read parts of the NTFS Parser Lib that you mentioned, there is no harm in that, you just can't copy code from it.

small_programmer · Answer 2 · 2017-07-11T02:25:00

Solution 2

You can use this open source library:
NtfsReader .NET Library / Wiki / Home[^][^]

It is in C# language but is a good and simple library to work with NTFS file system.

Posted 11-Jul-17 2:25am

small_programmer

Updated 11-Jul-17 2:26am

v2

Comments

jeron1 11-Jul-17 10:09am

Hopefully they've solved it...in the last 6+ years.