NTFS Documentation: FILE record

Definition

This is a component of the MFT. Each file of the volume is completely described by some of these FILE records. The first FILE record that describes a given file is called the base FILE record (or an inode in Linux terminology). All other are called extension FILE records.

Layout

A FILE record is 1 KB large or the cluster size if larger (as far as Helen is concerned, its maximum size is 4 KB, but Windows NT® 4 limit is 64 KB). It falls into 2 parts:

Properties

Extension FILE records are used when all information about a file doesn't fit into the base FILE record (e.g. if the sequence of file attributes grows because the file has a lot of file attributes or because the data attribute of the file has a long runlist because its stream is very fragmented). Only the base FILE record is used for referencing the file it describes. Since the type of the Attribute List file attribute is small enough, we are sure that this file attribute will be in the base FILE record. And this file attribute provides the references to all the extension FILE records describing the file.

When a file is deleted, NTFS can't simply remove the associated FILE records from the MFT, otherwise FILE record numbers wouldn't be constant over time, and all file references would have to be updated! Instead, the in-use flag of a FILE record indicates when it is no longer in use. When a file is created, an unused FILE record can be re-used for it, but its sequence number is incremented by one. This mechanism allow NTFS to check that file references don't point to deleted files.

Regis Duchesne at VIA, ECP, France
Last modified: Mon Feb 15 06:37:33 PST 1999