How do I check if a file is NTFS’ internally used file, such as $Mft
etc. to make sure it is not encrypted?
–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
if ( FileName[0] == ‘$’ ) NtfsFile=TRUE; // will work quite fine
I just wonder what for you’d like to distinguish this… Ntfs will write
them itself and so you wouldn’t even get the chance to encrypt it (by a
filter driver). If windows writes a file starting with ‘$’ there won’t be
the need to not encrypt it, because you will decrypt it before it’s passed
back. But since this explanation seems to simple to me, probably I’m
confusing something.
----- Original Message -----
From: “Dejan Maksimovic”
To: “File Systems Developers”
Sent: Tuesday, November 26, 2002 7:02 PM
Subject: [ntfsd] Checking if the file is NTFS internal file
>
> How do I check if a file is NTFS’ internally used file, such as $Mft
> etc. to make sure it is not encrypted?
>
> –
> Kind regards, Dejan M. www.alfasp.com
> E-mail: xxxxx@alfasp.com ICQ#: 56570367
> Alfa File Monitor - File monitoring library for Win32 developers.
> Alfa File Protector - File protection and hiding library for Win32
> developers.
>
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@linkwave.org
> To unsubscribe send a blank email to %%email.unsub%%
File ID is <= 16. IIRC it is a good heuristics.
Max
----- Original Message -----
From: “Dejan Maksimovic”
To: “File Systems Developers”
Sent: Tuesday, November 26, 2002 9:02 PM
Subject: [ntfsd] Checking if the file is NTFS internal file
>
> How do I check if a file is NTFS’ internally used file, such as
$Mft
> etc. to make sure it is not encrypted?
>
> –
> Kind regards, Dejan M. www.alfasp.com
> E-mail: xxxxx@alfasp.com ICQ#: 56570367
> Alfa File Monitor - File monitoring library for Win32 developers.
> Alfa File Protector - File protection and hiding library for Win32
> developers.
>
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to %%email.unsub%%
>
Do not encrypt the first 16 files in the MFT.
Jamey
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dejan Maksimovic
Sent: Tuesday, November 26, 2002 10:02 AM
To: File Systems Developers
Subject: [ntfsd] Checking if the file is NTFS internal file
How do I check if a file is NTFS’ internally used file, such as $Mft
etc. to make sure it is not encrypted?
–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to %%email.unsub%%
How do I tell if a file is one of those?
Jamey Kirby wrote:
Do not encrypt the first 16 files in the MFT.
–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
I thought so, but how do I get the file ID, without querying the
directory contents? No file information structure provides it, except
query directory ones.
Or is it the same as File Index as returned by
FileInternalInformation ?
“Maxim S. Shatskih” wrote:
File ID is <= 16. IIRC it is a good heuristics.
–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
> if ( FileName[0] == ‘$’ ) NtfsFile=TRUE; // will work quite fine
LOL! That won’t work at all.
I just wonder what for you’d like to distinguish this… Ntfs will write
them itself and so you wouldn’t even get the chance to encrypt it (by a
filter driver).
Yes, you will get a chance to see some of the reads and writes -
though not all - or at least not at the time you need to.
–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
> Or is it the same as File Index as returned by
FileInternalInformation ?
IndexNumber is a combination of 16bit generation count (used to
prevent stale references to reused MFT records) and 48bit MFT record
number. The latter is the file ID.
Max
In other words, FileIndex & 0x0000FFFFFFFFFFFF is the File ID?
“Maxim S. Shatskih” wrote:
> Or is it the same as File Index as returned by
> FileInternalInformation ?IndexNumber is a combination of 16bit generation count (used to
prevent stale references to reused MFT records) and 48bit MFT record
number. The latter is the file ID.
–
Kind regards, Dejan M. www.alfasp.com
E-mail: xxxxx@alfasp.com ICQ#: 56570367
Alfa File Monitor - File monitoring library for Win32 developers.
Alfa File Protector - File protection and hiding library for Win32
developers.
Yes.
----- Original Message -----
From: “Dejan Maksimovic”
To: “File Systems Developers”
Sent: Wednesday, November 27, 2002 5:48 PM
Subject: [ntfsd] Re: Checking if the file is NTFS internal file
>
> In other words, FileIndex & 0x0000FFFFFFFFFFFF is the File ID?
>
> “Maxim S. Shatskih” wrote:
>
> > > Or is it the same as File Index as returned by
> > > FileInternalInformation ?
> >
> > IndexNumber is a combination of 16bit generation count (used to
> > prevent stale references to reused MFT records) and 48bit MFT
record
> > number. The latter is the file ID.
>
> –
> Kind regards, Dejan M. www.alfasp.com
> E-mail: xxxxx@alfasp.com ICQ#: 56570367
> Alfa File Monitor - File monitoring library for Win32 developers.
> Alfa File Protector - File protection and hiding library for Win32
> developers.
>
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to %%email.unsub%%
>