Glossary |
This is the basic component of an index (e.g. a directory). This is the storage location for all sub-nodes of the B+ tree that implements an index (e.g. a directory). This file attribute is always non-resident.
As defined in $AttrDef, this attribute has a no minimum or maximum size.
this attribute is never resident -- would use index root instead
It is simply a sequence of all index buffers that belong to the index.
Offset | Size | Description |
---|---|---|
~ | ~ | Standard Attribute Header |
0x00 | ... | Data runs |
split into two tables, at least
Offset | Size | Description |
---|---|---|
~ | ~ | Standard Attribute Header |
The next field is only valid when the last entry flag is not set | ||
0x00 | 8 | File reference |
0x08 | 2 | L = Length of the index entry |
0x0A | 2 | M = Length of the stream |
0x0C | 1 | Flags |
The next field is only present when the last entry flag is not set | ||
0x10 | M | Stream |
The next field is only present when the sub-node flag is set | ||
L - 8 | 8 | VCN of the sub-node in the index allocation attribute |
A copy of the field at offset 10 in the header part of the resident file attribute indexed by the index entry. But why the hell haven't these 2 fields the same size?
Flag | Description |
---|---|
0x01 | Index entry points to a sub-node |
0x02 | Last index entry in the node |
The last entry flag is used to indicate the end of a sequence of index entries. Although it does not represent a valid file, it can point to a sub-node.
A copy of the stream of the resident file attribute indexed by the index entry (e.g. for a directory, the file name attribute).
Always non-resident (doesn't make sense to be resident anyway!). This is an array of index blocks. Each index block starts with an INDEX_BLOCK structure containing an index header, followed by a sequence of index entries (INDEX_ENTRY structures), as described by the INDEX_HEADER. When creating the index block, we place the update sequence array at this offset, i.e. before we start with the index entries. This also makes sense, otherwise we could run into problems with the update sequence array containing in itself the last two bytes of a sector which would mean that multi sector transfer protection wouldn't work. As you can't protect data by overwriting it since you then can't get it back... When reading use the data from the ntfs record header.