While wandering the web looking for explanations of how to read/write the MFT, I found the following section (http://www.installsetupconfig.com/win32programming/1996%20AppE_apnilife.pdf):
If NtfsProtectSystemFiles is set to FALSE, then the special files can be opened. There are, however, some drawbacks associated with attempting to do this: Because many of the special files are opened in a special way when mounting the volume, they are not prepared to handle the IRP_MJ_READ requests resulting from a call to ZwReadFile, and the system crashes if such a request is received. These special files can be read by mapping the special file with ZwCreateSection and ZwMapViewOfSection and then reading the mapped data. A further problem is that a few of the special files are not prepared to handle the IRP_MJ_CLEANUP request that is generated when the last handle to a file object is closed, and the system crashes if such a request is received. The only option is to duplicate the open handle to the special file into a process that never terminates (such as the system process).
- What does it mean that “they are not prepared to handle the IRP_MJ_READ requests”? What kind of preparation is needed? What is IRP_MJ_READ?
- “Mapping the special file with ZwCreateSection and ZwMapViewOfSection and then reading the mapped data” How does that solve the problem?
- What does it mean that “files are not prepared to handle the IRP_MJ_CLEANUP request that is generated when the last handle to a file object is closed”? Again, what is that preparation? What is IRP_MJ_CLEANUP?
- “Duplicate the open handle to the special file into a process that never terminates” How does that solve the problem?