How do I know if an NTFS logical cluster is free?

I would like to write a program that reads all unused clusters in an NTFS volume. (I am looking to recover data from a file that was accidentally truncated.)

According to this page, I can call SetFilePointer() and ReadFile() in the volume descriptor to go through each logical cluster on the volume. But how do I know which clusters are used by files and which are free?

+3
2 answers

To get all unused clusters on an NTFS volume, you will need to build a map of all distributions of all files and streams. This is very difficult since you need to parse extent lists for non-resident files, and the MFT.

But you can use the IOCTL or fsutil queryallocranges file in a truncated file and read the last degree further. Calculate where the current file ends and you lose the file.

That is, if the file is not compressed or EFS-encrypted.

A free or commercial data recovery program will be a faster way.

+1

FSCTL_GET_VOLUME_BITMAP should be exactly what you are looking for and should be pretty fast. This is what many components use to try to defragment a single file, say, into a large contiguous space.

+1
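An added example, not part of the original answers: it walks a volume bitmap of the kind FSCTL_GET_VOLUME_BITMAP returns and lists the runs of free clusters. The struct is a portable mirror of the VOLUME_BITMAP_BUFFER fields (StartingLcn, BitmapSize, Buffer), the sample bytes are constructed, and the helper names are hypothetical; on Windows the data would come from DeviceIoControl on a volume handle.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Portable mirror of VOLUME_BITMAP_BUFFER (assumption: filled from DeviceIoControl output). */
typedef struct {
    int64_t starting_lcn;   /* StartingLcn: LCN that bit 0 describes */
    int64_t bitmap_size;    /* BitmapSize: number of clusters (bits) from starting_lcn */
    const uint8_t *bits;    /* Buffer: 1 = allocated, 0 = free, low-order bit first */
} volume_bitmap;

typedef struct { int64_t lcn; int64_t count; } free_run;

/* Returns 1 if allocated, 0 if free, -1 if the LCN is outside this bitmap chunk. */
static int cluster_in_use(const volume_bitmap *vb, int64_t lcn) {
    int64_t i = lcn - vb->starting_lcn;
    if (i < 0 || i >= vb->bitmap_size) return -1;
    return (vb->bits[i / 8] >> (i % 8)) & 1;
}

/* Collects runs of free clusters; returns the total number of runs found,
   which may exceed max_runs (only the first max_runs are stored). */
static size_t find_free_runs(const volume_bitmap *vb, free_run *out, size_t max_runs) {
    size_t n = 0;
    int64_t run_start = -1;
    for (int64_t i = 0; i <= vb->bitmap_size; i++) {
        /* Treat the position just past the end as "used" to close a trailing run.
           Padding bits in the last byte beyond bitmap_size are never read as clusters. */
        int used = (i == vb->bitmap_size) ? 1 : (vb->bits[i / 8] >> (i % 8)) & 1;
        if (!used && run_start < 0) {
            run_start = i;
        } else if (used && run_start >= 0) {
            if (n < max_runs) {
                out[n].lcn = vb->starting_lcn + run_start;
                out[n].count = i - run_start;
            }
            n++;
            run_start = -1;
        }
    }
    return n;
}

/* Constructed sample: 20 clusters starting at LCN 64. */
static const uint8_t SAMPLE_BITS[] = { 0x0F, 0xF0, 0x05 };
static const volume_bitmap SAMPLE = { 64, 20, SAMPLE_BITS };

int main(void) {
    free_run runs[8];
    size_t n = find_free_runs(&SAMPLE, runs, 8);
    for (size_t k = 0; k < n && k < 8; k++)
        printf("free: LCN %lld, %lld clusters\n", (long long)runs[k].lcn, (long long)runs[k].count);
    return 0;
}
```

A cluster marked free here may still be reallocated by the file system at any moment on a mounted volume, so the runs are a snapshot rather than a guarantee.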

Source: https://habr.com/ru/post/1754990/