问题
I am writing some code to parse through the MFT on disk in NTFS volumes. This is straightforward, but one particular corner case caught my eye, and I can't find a clear answer anywhere on the internet.
For normal files in NTFS it is possible to have multiple MFT records for a single file, if the file has more attributes than can fit in a single record (for example, many $FILE_NAME attributes if the file has many hard-links, or many $DATA attributes if it has many Alternate Data Streams).
The $MFT file at reference-number 0 holds the data runs for the MFT itself. Normally it is a single record with no children. Is it possible for the $MFT file to have child records? If it were possible, how would you know where to find them? Would those child records have to be stored with very low reference numbers so that you could reliably get to them without having to have parsed the $MFT already to know where they were on disk?
回答1:
There is a special type of attribute called $ATTRIBUTE_LIST. A file or directory can have up to 65536 attributes and they can't possibly fit into a single MFT entry. It basically contains a list of all the file's attributes except himself. Each entry in the list contains the attribute type and the MFT reference of where to find the attribute. That's what the base file reference field in the file record header is for.
If the list gets too big for a MFT entry, the attribute can become non-resident and the list will be found by interpreting the data run of the attribute.
Because the type of the $ATTRIBUTE_LIST is 32, it's placed usually right after the $STANDARD_INFORMATION attribute and will contain attributes with greater types (like $FILE_NAME or $DATA).
When a file becomes very fragmented, the $DATA attribute run list will not fit in a single MFT entry. This is also a case where $ATTRIBUTE_LIST will be used to store the $DATA attribute in multiple entries.
The $MFT entry rarely has this problem since the allocation alogrithm is designed to prevent that. But if a $MFT for a volume becomes very fragmented it can have more than one entry to store it's $DATA.
来源:https://stackoverflow.com/questions/30424102/can-the-ntfs-mft-file-have-child-records