NTFS Documentation: Index Entry

Definition

This is the basic component of an index (e.g. a directory).

Layout

Its layout is:

Offsets are relative to the beginning of the index entry.

Offset   Length   Description
                  (The next field is only valid when the last entry flag is not set)
0        8        File reference
8        2        L = Length of the index entry
A        2        M = Length of the stream
C        1        Flags
                  (The next field is only present when the last entry flag is not set)
10       M        Stream
                  (The next field is only present when the sub-node flag is set)
L - 8    8        VCN of the sub-node in the index allocation attribute

Length of the stream
A copy of the field at offset 10 in the header part of the resident file attribute indexed by the index entry. But why the hell aren't these 2 fields the same size?

Flags
Bit   Meaning
01    Index entry points to a sub-node
02    Last index entry in the node

The last entry flag marks the end of a sequence of index entries. Although the last entry does not represent a valid file, it can point to a sub-node.

Stream
A copy of the stream of the resident file attribute indexed by the index entry (e.g. for a directory, the file name attribute).
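
The layout above as a bounds-checked parser, of the kind a forensic tool would use to walk one index node; this is an added example, not part of the original documentation. It assumes little-endian on-disk fields; the names parse_index_entries and build_entry are hypothetical, and the sample node is constructed.

```python
import struct

FLAG_SUBNODE = 0x01  # index entry points to a sub-node
FLAG_LAST = 0x02     # last index entry in the node

def parse_index_entries(buf, offset=0):
    """Walk the index entries of one node, stopping at the last-entry flag."""
    entries = []
    while True:
        if offset + 0x10 > len(buf):
            raise ValueError("truncated entry header at %#x" % offset)
        # 0: file reference, 8: L, 0xA: M, 0xC: flags (little-endian assumed)
        file_ref, length, stream_len, flags = struct.unpack_from("<QHHB", buf, offset)
        if length < 0x10 or offset + length > len(buf):
            raise ValueError("bad entry length %d at %#x" % (length, offset))
        entry = {"offset": offset, "flags": flags, "file_ref": None,
                 "stream": None, "sub_vcn": None}
        body_end = length
        if flags & FLAG_SUBNODE:
            body_end = length - 8          # the VCN occupies the final 8 bytes
            if body_end < 0x10:
                raise ValueError("no room for sub-node VCN at %#x" % offset)
            entry["sub_vcn"] = struct.unpack_from("<Q", buf, offset + body_end)[0]
        if not flags & FLAG_LAST:          # file reference and stream are valid
            if 0x10 + stream_len > body_end:
                raise ValueError("stream overruns entry at %#x" % offset)
            entry["file_ref"] = file_ref
            entry["stream"] = bytes(buf[offset + 0x10:offset + 0x10 + stream_len])
        entries.append(entry)
        if flags & FLAG_LAST:
            return entries
        offset += length

def build_entry(file_ref, stream=b"", sub_vcn=None, last=False):
    """Hypothetical helper: assemble one constructed entry for the sample."""
    flags = (FLAG_SUBNODE if sub_vcn is not None else 0) | (FLAG_LAST if last else 0)
    body = struct.pack("<QHHB3x", file_ref, 0, len(stream), flags) + stream
    body += b"\x00" * (-len(body) % 8)     # padding chosen for this sample
    if sub_vcn is not None:
        body += struct.pack("<Q", sub_vcn)
    return body[:8] + struct.pack("<H", len(body)) + body[10:]

# Constructed sample node: two file entries, then a last entry with a sub-node.
SAMPLE = (build_entry(0x2A, b"hello") + build_entry(0x2B, b"ab", sub_vcn=3)
          + build_entry(0, sub_vcn=7, last=True))

if __name__ == "__main__":
    for e in parse_index_entries(SAMPLE):
        print(e)
```

Rejecting a length L below 0x10 also keeps a corrupted or hostile node from stalling the walk on a zero-length entry.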


Regis Duchesne
Last modified: Mon Feb 15 08:43:45 PST 1999