Releases: kacos2000/MFT_Browser
MFTBrowser.exe (x64)
[Update]
- New Icons
- Support for both 1Kb and 4Kb records
- Full check of fix-up/check values
- Other tweaks & updates
E.g.:
[0x04] Offset to Update Sequence Array: 48
[0x06] Number of fix up byte pairs: 9
.
[0x1C] Physical Size of MFT record: 4096
.
[0x30] Update sequence Number: 52428
[0x30] Update sequence: 0xCCCC
[0x32] Update sequence Array #1: 0x0000
[0x34] Update sequence Array #2: 0x0000
[0x36] Update sequence Array #3: 0xD701
[0x38] Update sequence Array #4: 0x0500
[0x3A] Update sequence Array #5: 0x0000
[0x3C] Update sequence Array #6: 0x0000
[0x3E] Update sequence Array #7: 0x0000
[0x40] Update sequence Array #8: 0x0000
PS: works better on 4K screens
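A sketch of the fix-up check behind the output above, added here as an illustration; it is not MFT_Browser's code. It assumes a 512-byte stride per fix-up pair, and the sample record is constructed from the header values shown, with the array entries taken as raw bytes.

```python
import struct

SECTOR = 512  # assumed stride covered by each fix-up pair

class FixupError(ValueError):
    """A record whose header or check values do not verify."""

def apply_fixups(record: bytes) -> bytes:
    """Verify every check value, then restore the saved sector-tail bytes."""
    if len(record) < SECTOR or record[:4] != b"FILE":
        raise FixupError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 0x04)
    phys_size = struct.unpack_from("<I", record, 0x1C)[0]
    sectors = usa_count - 1  # first array slot holds the update sequence itself
    if sectors < 1 or phys_size != len(record) or sectors * SECTOR != phys_size:
        raise FixupError("pair count does not match the physical record size")
    if usa_off + 2 * usa_count > SECTOR - 2:
        raise FixupError("update sequence array overlaps a protected sector tail")
    usn = record[usa_off:usa_off + 2]
    out = bytearray(record)
    for i in range(sectors):
        tail = (i + 1) * SECTOR - 2  # last two bytes of sector i+1
        if record[tail:tail + 2] != usn:
            raise FixupError(f"sector {i + 1}: check value mismatch")
        saved = usa_off + 2 * (i + 1)
        out[tail:tail + 2] = record[saved:saved + 2]
    return bytes(out)

def build_sample() -> bytes:
    """Constructed 4096-byte record carrying the values from the output above."""
    rec = bytearray(4096)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 48, 9)   # array offset, pair count
    struct.pack_into("<I", rec, 0x1C, 4096)     # physical record size
    rec[0x30:0x32] = bytes.fromhex("CCCC")      # update sequence
    saved = ["0000", "0000", "D701", "0500", "0000", "0000", "0000", "0000"]
    for i, pair in enumerate(saved):
        rec[0x32 + 2 * i:0x34 + 2 * i] = bytes.fromhex(pair)
        rec[(i + 1) * SECTOR - 2:(i + 1) * SECTOR] = b"\xCC\xCC"
    return bytes(rec)
```

A mismatch on any sector tail means the record was only partly written or was altered after the fact, so its content should not be trusted as parsed.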
BitmapReader
GUI $Bitmap content parser. Good for:
- MFT $bitmap resident attribute content (index files - allocated 4kb index blocks)
- MFT file's own non-resident bitmap (allocated MFT records).
- Small $Bitmap files (up to 10Mb as the time required after that is too long).
E.g. from an $MFT file's bitmap, these are the Allocated MFT record numbers:
Marked as Allocated/Used 4Kb Index Blocks or $MFT record numbers.
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42
or you may choose to see the Non-Allocated ones:
Marked as NOT Allocated/Empty 4Kb Index Blocks or $MFT record numbers.
16 17 18 19 20 21 22 23 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66
67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98
99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121
122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144
145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167
168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 ...
PS: Had some fun playing with Win10 Speech Synthesizer :)
MFTBrowser.exe (x64)
[Updates]
- Added support for resident $Index_Root content of $Secure ($SDH & $SII).
- More tweaks
E.g.:
$Secure:$SII:
Index Entry Nr: 51
[0x9D0] Index Entry Offset to Data: 20
[0x9D2] Index Entry Data Size: 20
[0x9D8] Index Entry Length: 40
[0x9DA] Index Entry Key Size: 4
[0x9DC] Index Entry Flag [0x00]: Child node
[0x9E4] Security Descriptor Hash: 0xBE82EF95
[0x9E8] Security Id: 589872
[0x9EC] Offset in Security Descriptor ($SDS): 184639400
[0x9F4] Size in Security Descriptor ($SDS): 65545
$Secure:$SDH:
Index Entry Nr: 7
[0x2C0] Index Entry Offset to Data: 24
[0x2C2] Index Entry Data Size: 20
[0x2C8] Index Entry Length: 48
[0x2CA] Index Entry Key Size: 8
[0x2CC] Index Entry Flag [0x00]: Child node
[0x2D0] Index Entry Key for SID: 256
[0x2D0] Security Descriptor Hash: 0x32FEE6CB
[0x2D4] Security Id: 256
[0x2D8] Security Descriptor Hash: 0x32FEE6CB
[0x2DC] Security Id: 589872
[0x2E0] Offset in Security Descriptor ($SDS): 83909064
[0x2E8] Size in Security Descriptor ($SDS): 65545
MFTBrowser.exe (x64)
[Updates]
- Improved Hex view loading time!
- Some other tweaks
- Resident $Data decoding of lnk files (mostly found in 4k records)
- Added support for resident $Index_Root content of $ObjId, $Quota and $Reparse. E.g.:
$ObjId:$O
Index key is a GUID
Index Entry Nr: 1
[0x150] Index Entry Offset to Data: 32
[0x152] Index Entry Data Size: 56
[0x158] Index Entry Length: 88
[0x15A] Index Entry Key Size: 16
[0x15C] Index Entry Flag [0x00]: Child node
[0x160] Index Entry Key: 42A09F1C-3358-4A6F-9026-57D1424DE798
GUID Version: 4
GUID Variant: 2
GUID Sequence: 4134
[-----] Reference MFT record ID: 0003000000000003
[0x170] Reference MFT record Nr: 3
[0x176] Reference MFT Sequence Nr: 3
Index Entry Nr: 2
[0x1A8] Index Entry Offset to Data: 32
[0x1AA] Index Entry Data Size: 56
[0x1B0] Index Entry Length: 88
[0x1B2] Index Entry Key Size: 16
[0x1B4] Index Entry Flag [0x00]: Child node
[0x1B8] Index Entry Key: BC4BBA0E-277F-11EC-800F-00155D380176
GUID Version: 1
GUID Variant: 2
GUID Sequence: 15
GUID created at: 07/10/2021 15:03:31.5052046
MAC Address: 00:15:5D:38:01:76
[-----] Reference MFT record ID: 0002000000000028
[0x1C8] Reference MFT record Nr: 40
[0x1CE] Reference MFT Sequence Nr: 2
$Quota:$O
Index key is Security ID (sid)
Index Entry Nr: 1
[0x150] Index Entry Offset to Data: 32
[0x152] Index Entry Data Size: 4
[0x158] Index Entry Length: 40
[0x15A] Index Entry Key Size: 16
[0x15C] Index Entry Flag [0x00]: Child node
[0x160] Index Entry Key: S-1-5-32-544
[0x170] Owner ID: 256
[0x170] Index Entry Content
$Quota:$Q
Index key is Owner ID
Index Entry Nr: 1
[0x1C8] Index Entry Offset to Data: 20
[0x1CA] Index Entry Data Size: 48
[0x1D0] Index Entry Length: 72
[0x1D2] Index Entry Key Size: 4
[0x1D4] Index Entry Flag [0x00]: Child node
[0x1D8] Index Entry Key: 1
[0x1DC] Quota Version: 2
[0x1E0] Quota Flag: Default Limits
[0x1E4] Quota Bytes Used: 0
[0x1EC] Quota Changed Time: 07/10/2021 14:44:32.5994800
[0x204] Quota Hard Limit: 0
Index Entry Nr: 2
[0x210] Index Entry Offset to Data: 20
[0x212] Index Entry Data Size: 64
[0x218] Index Entry Length: 88
[0x21A] Index Entry Key Size: 4
[0x21C] Index Entry Flag [0x00]: Child node
[0x220] Index Entry Key: 256
[0x224] Quota Version: 2
[0x228] Quota Flag: Default Limits
[0x22C] Quota Bytes Used: 0
[0x234] Quota Changed Time: 07/10/2021 14:44:32.5994800
[0x24C] Quota Hard Limit: 0
[0x224] Index Entry Content
$Reparse:$R
Index key is Reparse Tag & $MFT reference nr.
Index Entry Nr: 1
[0x158] Index Entry Offset to Data: 28
[0x15A] Index Entry Data Size: 0
[0x160] Index Entry Length: 40
[0x162] Index Entry Key Size: 12
[0x164] Index Entry Flag [0x01]: Child node in $Index_Allocation
[0x168] Index Entry Key: IO_REPARSE_TAG_CLOUD_4
[0x168] Reparse Tag: 9000401A
[-----] Reference MFT record ID: 000200000000006F
[0x16C] Reference MFT record Nr: 111
[0x172] Reference MFT Sequence Nr: 2
Index Entry Nr: 2
[0x180] Index Entry Offset to Data: 28
[0x182] Index Entry Data Size: 0
[0x188] Index Entry Length: 40
[0x18A] Index Entry Key Size: 12
[0x18C] Index Entry Flag [0x01]: Child node in $Index_Allocation
[0x190] Index Entry Key: IO_REPARSE_TAG_CLOUD_4
[0x190] Reparse Tag: 9000401A
[-----] Reference MFT record ID: 00020000000000AE
[0x194] Reference MFT record Nr: 174
[0x19A] Reference MFT Sequence Nr: 2
MFTBrowser.exe (x64)
[Update]
- Added support for $Reparse Tag 0x80000014 (NFS)
- Fixed bug with Non-Resident $Reparse_Point attribute
- Updated bitmap resident content parser and its output:
E.g.:
Allocated 4kb Index Blocks(s):
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
48 49 50 51 52 53 54 55 56 57 58 59 60 61
Resident Content (Hex):
FF FF FF FF FF FF FF 3F
MFTBrowser.exe (x64)
[Update]
- Added options to copy the whole $MFT file record details or selected parts (node & sub-nodes) to clipboard
- Added option to copy the Full Path of the selected file/folder in the Directory tree to clipboard
E.g.:
Full path: (copied)
.\Windows\System32\drivers\AcpiDev.sys
Attribute (copied node):
[0x230] ID: 00003, Type: 00010000 - $Logged_Utility_Stream
[0x234] Attribute Length: 40
[0x238] Attribute Non-Resident Status: Resident
[0x239] Length of Stream Name: 4
[0x23A] Offset to Stream Name: 24
[0x23C] Attribute Flags: (0x0000)
[0x23E] Attribute ID: 3
[0x240] Resident Content Size: 8
[0x244] Resident Content Offset: 32
[0x248] Stream Name: $DSC
[0x250] Tier Class: Performance
[0x254] Flags: 0x00000000
[0x250] Resident Content
Object ID (copied node):
[0x1C0] ObjectID: CE810208-6EDF-11E1-A3F8-005056A50010
GUID Version: 1
GUID Variant: 2
GUID Sequence: 9208
GUID created at: 15/03/2012 20:45:31.9149064
MAC Address: 00:50:56:A5:00:10
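How the GUID fields in the $ObjId and Object ID output above can be derived, as an added Python example that is not MFT_Browser's own code. The function names are hypothetical, and reading the "Variant" value as the top two bits of the clock-sequence byte is an assumption that matches the values shown.

```python
import uuid
from datetime import datetime, timezone

# 100-ns ticks between 1582-10-15 (UUID epoch) and 1970-01-01 (Unix epoch)
GREGORIAN_TO_UNIX = 0x01B21DD213814000

def decode_object_id(text: str) -> dict:
    """Decode the version, variant, sequence and (for v1) time and node of a GUID."""
    u = uuid.UUID(text)
    info = {
        "version": u.version,
        "variant": u.clock_seq_hi_variant >> 6,  # 2 == RFC 4122 layout (bits 10)
        "sequence": u.clock_seq,                 # 14-bit clock sequence
    }
    if u.version == 1:
        # 60-bit timestamp; keep all 7 fractional digits (datetime stops at 6)
        secs, frac = divmod(u.time - GREGORIAN_TO_UNIX, 10_000_000)
        stamp = datetime.fromtimestamp(secs, tz=timezone.utc)
        info["created_utc"] = stamp.strftime("%d/%m/%Y %H:%M:%S") + f".{frac:07d}"
        info["mac"] = ":".join(f"{b:02X}" for b in u.node.to_bytes(6, "big"))
        # Multicast bit set means the node was randomly generated, not a NIC address
        info["node_is_random"] = bool((u.node >> 40) & 0x01)
    return info

def decode_raw_object_id(raw16: bytes) -> dict:
    """Decode the 16 on-disk bytes (first three GUID fields are little-endian)."""
    return decode_object_id(str(uuid.UUID(bytes_le=raw16)))
```

Only version 1 GUIDs carry a creation time and node address, which is why the version 4 entry above shows neither.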
MFTBrowser.exe (x64)
[Update]
- bug fix in file/folder treeview
- updates & corrections in $KERNEL and WSL related $EA attributes
- other minor corrections & updates
MFTBrowser.exe (x64)
[Update]
- Updated $EA Attribute entries content with stream names $KERNEL.PURGE.ESBCACHE & $KERNEL.PURGE.APPXFICACHE (related info: here)
- Other minor corrections
MFTBrowser.exe (x64)
[Update]
- Many small corrections & updates