| Segment Number | File Name | Purpose |
|---|---|---|
| 0 | $MFT | Describes all files on the volume, including file names, timestamps, stream names, and lists of cluster numbers where data streams reside, indexes, security identifiers, and file attributes like "read only", "compressed", "encrypted", etc. |
| 1 | $MFTMirr | Duplicate of the first vital entries of $MFT, usually 4 entries (4 Kilobytes). |
| 2 | $LogFile | Contains transaction log of file system metadata changes. |
| 3 | $Volume | Contains information about the volume, namely the volume object identifier, volume label, file system version, and volume flags (mounted, chkdsk requested, requested $LogFile resize, mounted on NT 4, volume serial number updating, structure upgrade request). This data is not stored in a data stream, but in special MFT attributes: if present, a volume object ID is stored in an $OBJECT_ID record; the volume label is stored in a $VOLUME_NAME record, and the remaining volume data is in a $VOLUME_INFORMATION record. Note: the volume serial number is stored in file $Boot (below). |
| 4 | $AttrDef | A table of MFT attributes that associates numeric identifiers with names. |
| 5 | . | Root directory. Directory data is stored in $INDEX_ROOT and $INDEX_ALLOCATION attributes, both named $I30. |
| 6 | $Bitmap | An array of bit entries: each bit indicates whether its corresponding cluster is used (allocated) or free (available for allocation). |
| 7 | $Boot | Volume boot record. This file is always located at the first clusters on the volume. It contains bootstrap code (see NTLDR/BOOTMGR) and a BIOS parameter block including a volume serial number and cluster numbers of $MFT and $MFTMirr. |
| 8 | $BadClus | A file that contains all the clusters marked as having bad sectors. This file simplifies cluster management by the chkdsk utility, both as a place to put newly discovered bad sectors, and for identifying unreferenced clusters. This file contains two data streams, even on volumes with no bad sectors: an unnamed stream contains bad sectors—it is zero length for perfect volumes; the second stream is named $Bad and contains all clusters on the volume not in the first stream. |
| 9 | $Secure | Access control list database that reduces the overhead of having many identical ACLs stored with each file, by uniquely storing these ACLs in this database only (contains two indices: $SII (Standard_Information ID) and $SDH (Security Descriptor Hash), which index the stream named $SDS containing the actual ACL table).[2] |
| 10 | $UpCase | A table of Unicode uppercase characters for ensuring case-insensitivity in Win32 and DOS namespaces. |
| 11 | $Extend | A filesystem directory containing various optional extensions, such as $Quota, $ObjId, $Reparse or $UsnJrnl. |
| 12–23 | | Reserved for $MFT extension entries. Extension entries are additional MFT records that contain additional attributes that do not fit in the primary record. This could occur if the file is sufficiently fragmented, has many streams, long filenames, complex security, or other rare situations. |
| 24 | $Extend\$Quota | Holds disk quota information. Contains two index roots, named $O and $Q. |
| 25 | $Extend\$ObjId | Holds link tracking information. Contains an index root and allocation named $O. |
| 26 | $Extend\$Reparse | Holds reparse point data (such as symbolic links). Contains an index root and allocation named $R. |
| 27— | | Beginning of regular file entries. |
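The $Boot entry above says the BIOS parameter block carries the volume serial number and the cluster numbers of $MFT and $MFTMirr. The following added example (not part of the original table) decodes those fields when triaging a raw image; the byte offsets are the standard NTFS boot sector layout rather than values from this page, and the sample sector and function names are constructed for illustration.

```python
import struct

def parse_ntfs_boot(sector: bytes) -> dict:
    """Decode the BIOS parameter block of an NTFS volume boot record ($Boot)."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a boot sector (short read or missing 55 AA)")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    if spc > 128:  # very large clusters are stored as a negative power of two
        spc = 1 << (256 - spc)
    total_sectors, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    rec_raw, = struct.unpack_from("<b", sector, 0x40)   # signed byte
    serial, = struct.unpack_from("<Q", sector, 0x48)
    if not 256 <= bps <= 4096 or bps & (bps - 1) or spc == 0 or spc & (spc - 1):
        raise ValueError("implausible sector or cluster size")
    cluster = bps * spc
    # Negative value: record size is 2**(-value) bytes; otherwise it is in clusters.
    record = 1 << -rec_raw if rec_raw < 0 else rec_raw * cluster
    clusters = total_sectors // spc
    if record == 0 or not (0 < mft_lcn < clusters and 0 < mirr_lcn < clusters):
        raise ValueError("$MFT/$MFTMirr location outside the volume")
    return {
        "cluster_size": cluster,
        "record_size": record,
        "mft_offset": mft_lcn * cluster,        # byte offset of segment 0
        "mftmirr_offset": mirr_lcn * cluster,   # byte offset of the mirror copy
        "mftmirr_bytes": 4 * record,            # the usual 4 mirrored entries
        "serial": f"{serial:016X}",
    }

def build_sample(mft_lcn: int = 85333) -> bytes:
    """Constructed 512-byte boot sector for a roughly 1 GB volume (not real data)."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                        # jump over the BPB
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)        # 512 B sectors, 8 per cluster
    struct.pack_into("<QQQ", s, 0x28, 2048000, mft_lcn, 2)
    struct.pack_into("<b", s, 0x40, -10)            # 2**10 = 1024-byte records
    struct.pack_into("<Q", s, 0x48, 0x1122334455667788)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for key, value in parse_ntfs_boot(build_sample()).items():
        print(f"{key:15} {value}")
```

The range check on the two cluster numbers matters in practice: a damaged or tampered boot record that points $MFT outside the volume should stop the analysis before any record parsing is attempted.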