How to send FSCTL_GET_RETRIEVAL_POINTERS for NTFS metadata files ($Mft,$Bitmap,etc.)

ProcMon will pretty much tell you how fsutil works.

It’s internal to the file system. I’m not sure that you could ever always
accurately track the blocks of the file unless you open it exclusive, mark
the file as immovable (FSCTL_MARK_HANDLE/MARK_HANDLE_PROTECT_CLUSTERS), and
then query.

-scott
OSR
@OSRDrivers

1 Like