
I have to read the MFT file of a running Windows system (XP or higher) and, through it, reach the HD sectors that hold the contents ($DATA) of a specific file that exists on the machine.

The problem is that between reading the MFT and fetching and reading the relevant sectors, the file system structure can change and the locations may no longer be valid.

Is there a way to "freeze" the system for a certain time? Perhaps guarantee that there will not be changes to this file? Lock a specific file so that it does not move between sectors? (Including due to optimizations and indirect changes)

Of course I would prefer not to copy the entire hard disk and work statically, since that is a slow operation that would prevent normal use of the system during that time. Needless to say, I don't want to use the OS API functions or to write a driver.

Reflection
  • From the question I don't understand whether you really want to read contents of the $DATA attribute, or actual file data - it's not the same thing, due to delayed write operations and several other circumstances. – Robert Goldwein Aug 10 '15 at 15:55
  • I actually need the real data as it's shown when we call ReadFile. – Reflection Aug 10 '15 at 15:56
  • Off in another weird direction - you can install a pre-boot OS like WinPE, and do your work from there. In such an environment, you're the sole user process and you can have your way with all the files without interference. I work on a "repair and imaging" product that does this. Messing with the BCD is a bit of a dance, but having fixed, stable file state is so marvelous. The user process in WinPE runs as admin, btw. – Clay Aug 12 '15 at 21:49
  • The stackoverflow 'mft' tag doesn't refer to the master file table. It stands for Media Foundation Transform, which doesn't seem to apply here. – David Wohlferd Aug 24 '15 at 04:24
  • Perhaps a volume [shadow copy](https://en.wikipedia.org/wiki/Shadow_Copy) may be worth considering in this situation. – Larry B Oct 09 '19 at 21:35

2 Answers


I'd simply open the file, requesting read/write access, with read share mode. If you succeed in opening the file, you're guaranteed that the data will not change until you close the handle. See https://msdn.microsoft.com/en-us/library/windows/desktop/hh449422%28v=vs.85%29.aspx

If you want to achieve that on files that are already opened and locked by different processes, that's an entirely different story, and I believe you have to write your own filter driver.

Robert Goldwein
  • The issue is that I must not affect the system logs, leave a trace, or make changes to the file system – Reflection Aug 10 '15 at 19:23
  • Unless you perform a write operation on the file, you won't change the file (its content), but you will change the file's access time. I'm not sure what logs you have in mind (auditing, journal), or how you define a trace. Nevertheless, I believe this is the only high-level option. – Robert Goldwein Aug 10 '15 at 22:27

If the file location in the system changes, it will be reflected accordingly in the MFT. So instead of trying to stop any activity on the file, you can simply compare the MFT info before and after reading the file. Unless you are defragmenting or deleting contents of the file, the file storage structure will not change. Additions to files do not affect the consistency of the data that you read. So if this is your scenario, you can just go ahead with the above method.

kishore
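Added example (Python; this is not code from the question's author or from either answerer) covering both answers. `pin_file` is the first answer's approach: it calls the real Win32 `CreateFileW` with GENERIC_READ|GENERIC_WRITE and FILE_SHARE_READ, so that while the handle is open no other opener can obtain write access (they get ERROR_SHARING_VIOLATION). The remaining functions implement the second answer's check: undo the update-sequence fixups on an MFT FILE record, walk its attributes to the unnamed non-resident $DATA attribute, decode its run list into (LCN, cluster count) pairs, map those to absolute sectors, and compare the run list from a record read before the sector reads with one read after. The FILE record, the run list, the sectors-per-cluster value and the partition start LBA are all constructed here for illustration; the raw reads of the MFT and of the data sectors from the volume device are not shown.

```python
import ctypes
import struct
import sys

GENERIC_READ, GENERIC_WRITE, FILE_SHARE_READ = 0x80000000, 0x40000000, 0x1
OPEN_EXISTING, INVALID_HANDLE_VALUE = 3, ctypes.c_void_p(-1).value
BYTES_PER_SECTOR, ATTR_DATA, ATTR_END = 512, 0x80, 0xFFFFFFFF


def pin_file(path):
    """First answer: open read/write with FILE_SHARE_READ (real Win32 call, Windows
    only). Other CreateFile calls wanting write access now fail with error 32, so
    the contents cannot change through a handle; share mode says nothing about
    where the clusters sit. Release with kernel32.CloseHandle(h)."""
    if sys.platform != "win32":
        raise OSError("CreateFileW is a Win32 API; run this part on Windows")
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
        ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    h = k32.CreateFileW(path, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ,
                        None, OPEN_EXISTING, 0, None)
    if h == INVALID_HANDLE_VALUE:
        raise ctypes.WinError()
    return h


def apply_fixups(record):
    """Undo the NTFS fixup: the last 2 bytes of each sector hold the USN; restore them."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * BYTES_PER_SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or stale MFT record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def decode_runs(runlist):
    """Run list -> [(lcn or None for sparse, clusters)]. Header byte: low nibble is the
    size of the length field, high nibble the size of the signed relative LCN offset."""
    runs, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos]:          # 0x00 header terminates
        len_sz, off_sz = runlist[pos] & 0x0F, runlist[pos] >> 4
        length = int.from_bytes(runlist[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz == 0:
            runs.append((None, length))                  # sparse run, nothing on disk
            continue
        lcn += int.from_bytes(runlist[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        runs.append((lcn, length))
    return runs


def data_runs(record):
    """Walk the FILE record's attributes; return the unnamed non-resident $DATA runs."""
    rec = apply_fixups(record)
    pos = struct.unpack_from("<H", rec, 20)[0]           # offset of first attribute
    while True:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or alen == 0:
            raise ValueError("no unnamed non-resident $DATA attribute")
        if atype == ATTR_DATA and rec[pos + 9] == 0 and rec[pos + 8] == 1:
            run_off = struct.unpack_from("<H", rec, pos + 32)[0]
            return decode_runs(rec[pos + run_off:pos + alen])
        pos += alen


def sectors(runs, sectors_per_cluster, partition_lba):
    """Turn runs into (absolute LBA, sector count) for raw reads; None stays sparse."""
    return [(None if lcn is None else partition_lba + lcn * sectors_per_cluster,
             n * sectors_per_cluster) for lcn, n in runs]


def consistent(record_before, record_after):
    """Second answer's check: the sector reads are valid only if the run list matches."""
    return data_runs(record_before) == data_runs(record_after)


def build_record(runlist, clusters):
    """Constructed 1024-byte FILE record with one $DATA attribute and a valid fixup array."""
    rl = runlist + b"\0" * (-len(runlist) % 8)
    attr = struct.pack("<IIBBHHHQQHHIQQQ", ATTR_DATA, 64 + len(rl), 1, 0, 0x40,
                       0, 0, 0, clusters - 1, 0x40, 0, 0, 0, 0, 0) + rl
    hdr = struct.pack("<4sHHQHHHHIIQH", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x38 + len(attr) + 4, 1024, 0, 2)
    rec = bytearray((hdr.ljust(0x38, b"\0") + attr + struct.pack("<I", ATTR_END))
                    .ljust(1024, b"\0"))
    usn = b"\x07\x00"                                    # arbitrary update sequence number
    rec[0x30:0x32] = usn
    for i in (1, 2):                                     # save sector tails, stamp the USN
        end = i * BYTES_PER_SECTOR
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


# Constructed run list: 16 clusters at LCN 1024, 8 clusters at LCN 1008, 4 sparse.
RUNLIST = bytes.fromhex("21100004" "1108f0" "0104")
```

Two things the comparison does not catch, both consistent with Robert Goldwein's remark in the comments: a write that lands in the same clusters leaves the run list unchanged, and data still sitting in the cache because of delayed writes is not what the sectors hold. Reading the same record twice also helps against reading a torn record, since `apply_fixups` raises when the USN at the sector tails does not match.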