How to find MFT Record Number of file in c++?

Question

In linux there is the fstat system call which gives the inode number of a filedescriptor.

Is there any system call or winapi function which would give MFT Record Number of a given file, from its HANDLE or file path?

If there isn't any function or system call so how should I reach to the MFT Record of a file in MFT Table?

Answer 1

for got MFT Record Number for given file need use FileInternalInformation - here returned FILE_INTERNAL_INFORMATION. really this is 48 low bit MftRecordIndex and 16 high bit SequenceNumber

struct 
{
    LONGLONG    MftRecordIndex : 48;
    LONGLONG    SequenceNumber : 16;
};

look also MFT_SEGMENT_REFERENCE - this is same struct

then for got MFT Record use FSCTL_GET_NTFS_FILE_RECORD as input data - FileReferenceNumber - this is FILE_INTERNAL_INFORMATION.IndexNumber but(!) only low 48 bits(MftRecordIndex) so you need zero high 16 bits(SequenceNumber) and then use FILE_INTERNAL_INFORMATION in place NTFS_FILE_RECORD_INPUT_BUFFER for know NTFS_FILE_RECORD_OUTPUT_BUFFER size - you need first get NTFS_VOLUME_DATA_BUFFER with help FSCTL_GET_NTFS_VOLUME_DATA and use NTFS_VOLUME_DATA_BUFFER.BytesPerFileRecordSegment

NTSTATUS Test(POBJECT_ATTRIBUTES poa)
{
    HANDLE hFile, hVolume = 0;
    IO_STATUS_BLOCK iosb;

    NTSTATUS status = NtOpenFile(&hFile, SYNCHRONIZE, poa, &iosb, FILE_SHARE_VALID_FLAGS, FILE_SYNCHRONOUS_IO_NONALERT);

    if (0 <= status)
    {
        union 
        {
            FILE_INTERNAL_INFORMATION fii;

            NTFS_FILE_RECORD_INPUT_BUFFER nfrib;

            struct  
            {
                LONGLONG MftRecordIndex : 48;
                LONGLONG SequenceNumber : 16;
            };
        };

        if (0 <= (status = NtQueryInformationFile(hFile, &iosb, &fii, sizeof(fii), FileInternalInformation)))
        {
            //need open '\Device\HarddiskVolume<N>' or '<X>:'
            status = OpenVolume(hFile, &hVolume);
        }

        NtClose(hFile);

        if (0 <= status)
        {
            NTFS_VOLUME_DATA_BUFFER nvdb;

            if (0 <= (status = NtFsControlFile(hVolume, 0, 0, 0, &iosb, FSCTL_GET_NTFS_VOLUME_DATA, 0, 0, &nvdb, sizeof(nvdb))))
            {
                DWORD cb = FIELD_OFFSET(NTFS_FILE_RECORD_OUTPUT_BUFFER,
                    FileRecordBuffer[nvdb.BytesPerFileRecordSegment]);

                PNTFS_FILE_RECORD_OUTPUT_BUFFER pnfrob = (PNTFS_FILE_RECORD_OUTPUT_BUFFER)alloca(cb);

                SequenceNumber = 0;

                if (0 <= (status = NtFsControlFile(hVolume, 0, 0, 0, &iosb, 
                    FSCTL_GET_NTFS_FILE_RECORD, &nfrib, sizeof nfrib, pnfrob, cb)))
                {
                    NTFS_FILE_RECORD_HEADER* pnfrh = (NTFS_FILE_RECORD_HEADER*)pnfrob->FileRecordBuffer;;
                }
            }

            NtClose(hVolume);
        }
    }

    return status;
}

NTFS_FILE_RECORD_HEADER - this is FILE_RECORD_SEGMENT_HEADER (i take self structs name from here)