DFSee version 17.0 2022-10-22 (c) 1994-2022: Jan van Wijk
=========================[ www.dfsee.com ]==========================
_______________________________________________________________________________
C O N T E N T S:
_______________________________________________________________________________

 Command reference     = overview of NTFS specific commands
 Detailed description  = description for every command

 Note: All generic commands can be found in DFSCMDS.TXT, for example:
       ALLOC, CHECK, CLONE, RESIZE, RECOVER, SAVETO, SCAN, WIPE
_______________________________________________________________________________
C O M M A N D   R E F E R E N C E:
_______________________________________________________________________________

NTFS specific commands

Active filesystem : NTFS, specific commands are:

 \[path-spec]     = find and show ROOT or file/directory relative to root
 BOOTINI  [part]  = Find the (first) boot.ini file present in the filesystem
 BSCLEAR          = Reset bad-sector/cluster administration to ZERO bad sectors
 CA   [lsn][opt]  = Check Allocation integrity for (current) MFT lsn
 DELFIND  [name]  = Find deleted files, with MFT containing (partial) name
 DFSNTLDR  [img]  = Create compressed imagefile containing the NTLDR sectors
 DIRTY     [n|d]  = Set NTFS $Volume 'CHKDSK required' flag to Normal or Dirty
 FILEFIND [name]  = Find normal files, with MFT containing (partial) name
 FINDROOT [n][~]  = find the Root directory without using the superblock
                    starting the search at LSN [n]; [~] = use 8.3 names
 FINDMFT   [lsn]  = Locate the MFT (for FIXBOOT when no spare-copy available)
 FIXBOOT          = Recover NTFS bootsector from spare-copy, or create new
 FIXNTLDR         = Replace (the first sector of) NTLDR for an NTFS partition
 LABEL   [label]  = Display/edit 32-char volume label in the $Volume MFT record
 MFT       [-v-]  = Translate and display 'this' LSN as an MFT record nr
 MFT [rec#][-v-]  = Calculate LSN for MFT record-nr and perform default display
 MIR [rec#][-v-]  = Calculate LSN for MFT-mirror record-nr, do default display
 MFTEXT           = Find all external MFT records (continuation for base-MFT)
 PATH     [n][~]  = Show all path-components for MFT, up to root [use 8.3] name

 For an up-to-date list of commands, use the '?' command

NTFS specific sector types (see ??? command)

 's' = NTLDR, 1st sector
 'f' = MFT regular File
 'D' = MFT regular Dir
 'm' = MFT 2ndary File
 'M' = MFT 2ndary Dir
 'y' = MFT deleted Dir
 'z' = MFT deleted File
 'd' = DIR filename INDX
 'i' = SII security INDX
 'S' = SDH security INDX
 'j' = LOG restart Area
 'J' = LOG record Page
 'Z' = MFT Ghost record
 'Y' = MFT empty record
 'c' = Past last cluster

 For an up-to-date list, use the '???' command
_______________________________________________________________________________
D E T A I L E D   D E S C R I P T I O N:
_______________________________________________________________________________

\path-spec = find and show file/directory specified by path-spec

 Purpose:    Locate the MFT-record for a known file or directory

 Parameters: path-spec  full path specification with no intervening space
                        after the '\' command character

 Output:     Search result list starting at the ROOT directory up to the
             requested file or directory. It is either followed by an error
             message if the path-spec was not found or by the display of the
             corresponding MFT-record information.

 Remarks:    The search algorithm depends on the ROOT MFT being intact.
_______________________________________________________________________________
BOOTINI [part] = Find the (first) BOOT.INI file present in the filesystem

 Purpose:    Display, and optionally FIX the Windows BOOT.INI file

 Parameters: part   optional partition number to be used for the current
                    partition in the 'default=' line in the BOOT.INI file.
                    Specify '*' to use the value as calculated by DFSee ...

 Options:    -c     Work on the CURRENT sector, do not search the file
             -2     Try to update the 2nd line with same ARC path too.
                    (making the change complete in almost all cases)

 Remarks:    When found, some info of the file will be displayed, and the line
             containing the DEFAULT partition to be booted will be displayed
             including the 'partition(W)' partition index.
             It should look like:

                 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

             Below that line, the partition index calculated by DFSee is
             shown. This is based on the assumption you want to boot to an
             installed Windows-NT/W2K/XP in THIS SAME partition!

             For booting to other partitions with Windows installed, use the
             value shown in the 'BI' column that is included in the 'part -s'
             display.

             Incorrect values for the default partition index will lead to
             boot failures with messages like:

                 Windows could not start because the following file
                 is missing or corrupt: Windows\system32\Hal.dll

             The specified or calculated value will be substituted for the
             partition index in the default line (and second one with '-2')

             Of course you need to reboot to test if this fix worked ...

             Note: When the '-2' option is not specified, or when updating the
             second line with the same numbers has failed for some reason,
             this is not a full 'REPAIR' of your BOOT.INI, but the minimum
             update to allow booting Windows again!

             You need to properly edit BOOT.INI once Windows is running again,
             or use the 'bootcfg /rebuild' command from the recovery console
             that can be started from regular Windows installation CDs.

             When there is damage to the BOOT.INI file beyond an incorrect
             partition index, fixing it this way might not be possible.
_______________________________________________________________________________
CA [lsn][opt] = Check Allocation for (current) MFT lsn

 Purpose:    Check allocation integrity for current MFT

 Parameters: lsn    optional   LSN of the MFT record
             opt    optional   Options: v = Verbose, show progress

 Output:     »      Start of one file-extent (fragmented file)
             ·      One cluster, small green dot: allocation OK
             ■      One cluster, big red dot: allocation error

             Also a summary is given with the number of (failed) sectors

 Remarks:    MFT-entry may be for a regular file (sectors must be ALLOCATED)
             or for a deleted file (sectors must be FREE)
_______________________________________________________________________________
CHECK [drive] = Check filesystem integrity for drive-letter (CHKDSK)

 Purpose:    Perform a filesystem check, and report the errors found

 Parameters: drive  PID or driveletter for partition to check.
                    When not specified, the CURRENT object is checked.

 Options:    -r     Force refresh of the Sector Lookup Table (SLT)
                    even if one exists already

 Output:     Two lines for each sector in error that is found, the first
             lists the sector number, where it is referenced from and a
             short description. The second line is an error description

             For NTFS the reported errors are:

             0x000001  Linked to some structure, but not in allocation-map
             0x000002  Allocated in allocation-map, but no known link
             0x000004  MFT record has invalid contents, bad signature
             0x000008  MFT record has invalid fixup values, damaged
             0x800000  The filesystem is marked DIRTY (open files)
                       this may cause bogus errors to be displayed!

 Remarks:    Some of the errors are generic, but most are filesystem specific.
             The generic ones are also listed with the 'SLT' command in
             dfscmds.txt.
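
Added example (not DFSee code): a Python sketch of the two per-record tests behind CHECK errors 0x000004 and 0x000008, using the standard NTFS record header (signature 'FILE', update sequence array offset and count at bytes 4 and 6). The function names, the 512-byte fixup stride and the sample record are assumptions constructed for illustration.

```python
import struct

# CHECK error bits exactly as listed in the table above
ERR_BAD_SIGNATURE = 0x000004
ERR_BAD_FIXUP = 0x000008
SECTOR = 512  # fixup stride; assumption: 512-byte sectors

def check_mft_record(rec: bytes) -> int:
    """Return 0, ERR_BAD_SIGNATURE or ERR_BAD_FIXUP for one raw MFT record."""
    if len(rec) < SECTOR or rec[:4] != b"FILE":
        return ERR_BAD_SIGNATURE
    # Header words at offset 4 and 6: update-sequence-array offset and length
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    sectors = len(rec) // SECTOR
    # The array holds the sequence number plus one saved word per sector
    if usa_cnt != sectors + 1 or usa_off < 8 or usa_off + 2 * usa_cnt > SECTOR - 2:
        return ERR_BAD_FIXUP
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, sectors + 1):
        # On disk, the last word of every sector must equal the sequence number
        if rec[i * SECTOR - 2:i * SECTOR] != usn:
            return ERR_BAD_FIXUP
    return 0

def apply_fixups(rec: bytes) -> bytes:
    """Restore the saved words at each sector end; run check_mft_record first."""
    out = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):
        out[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def make_sample_record() -> bytes:
    """Constructed 1024-byte record as it would sit on disk (not real data)."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)            # array at 0x30, 3 words
    struct.pack_into("<HHH", rec, 0x30, 0x0005, 0xAAAA, 0xBBBB)
    for end in (512, 1024):
        struct.pack_into("<H", rec, end - 2, 0x0005)    # sequence number on disk
    return bytes(rec)

if __name__ == "__main__":
    good = make_sample_record()
    torn = good[:1022] + b"\x04\x00"                    # stale second sector
    for name, r in (("good", good), ("torn", torn), ("bad sig", b"BAAD" + good[4:])):
        print(f"{name:8s} -> 0x{check_mft_record(r):06X}")
```

A record whose sector-end words disagree with the sequence number was only partly written, so its attributes should not be trusted until it is compared with the MFT mirror or recovered another way.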
_______________________________________________________________________________
CL = Translate and display 'this' LSN as a cluster number

 Purpose:    Find out what cluster number corresponds to current LSN

 Parameters: none

 Output:     The cluster number, or an error message when invalid
_______________________________________________________________________________
CL clust [cmd] = Translate specified cluster number to LSN, display with cmd

 Purpose:    Display data using a cluster number instead of an LSN

 Parameters: clust  mandatory  The cluster number of interest
             cmd    optional   DFS generic command to execute with clust
                               as its first and only parameter (like 'H')

 Output:     The output for the cmd, when no explicit cmd is specified this
             will be the DFS default for the corresponding LSN, usually a
             display of that sector(s) in an appropriate format.
_______________________________________________________________________________
DELFIND [name] = Find deleted files, limit to MFT records containing [name]

 Purpose:    Find deleted files, with name starting at current LSN

 Parameters: name   optional   part of filename wanted, not a true wildcard,
                               but may start and end in a '*' character

 Options:    -a     Search ANY/ALL files, deleted and normal
             -D     search directories only, not files+directories
             -c     Start from current sector, not start of volume
             -d-    Search outside Master File Table too (SLOW!)
             -v     Verbose search, list files while found (SLOW!)

 Output:     Find-result list (as "find -type:z") on screen and in memory

 Remarks:    All deleted files, or the ones where the MFT record contains
             the specified UNICODE string, will be found and added to the
             list.

             The [name] selection aims at the FILENAME part only.
             To select on part of the full path for the file, use the
             wildcard select parameters on the DELSHOW and RECOVER commands.

             The [name] is NOT case-sensitive, and there is a slight chance
             of 'false-hits' when other parts of the MFT contain this string.

             List can be manipulated as usual, best viewed with "delshow"

             By default, only the MFT area is searched, which is at least a
             hundred times faster than searching the whole filesystem.
_______________________________________________________________________________
DFSNTLDR [img] = Create compressed imagefile containing the NTLDR sectors

 Purpose:    Create an imagefile with the NTLDR sectors, for later fixing.
             This works on the 15 sector first-stage of NTLDR that is part of
             the $Boot system-file on NTFS filesystems, and is located
             directly after the normal bootsector.

 Parameters: img    optional   Name of imagefile with NTLDR code (15 sectors)
                               with a default of 'dfsntldr'

 Output:     Progress and error messages
_______________________________________________________________________________
DIRTY [n|d] = Set NTFS $Volume 'CHKDSK required' flag to Normal or Dirty

 Purpose:    Set the flag that indicates a CHKDSK is required to 'normal' or
             to 'dirty'. The latter causes a CHKDSK on the next Windows boot.

 Parameters: value  optional   '1', 'd' or 'D' to set to DIRTY
                               any other value resets it to NORMAL

 Output:     Display $Volume info including flags and $Logfile status-flags

 Remarks:    The 'CHKDSK required' flag is used to force Windows to perform an
             error correcting 'CHKDSK /f' on the next boot. This would be good
             to do after major changes to the filesystem like a DFSee 'resize'
             operation, or manual editing :-)

             Note that this is NOT the same as the filesystem being 'clean' or
             'dirty' with no changes pending.
             The latter is kept in the $Logfile special file
             (displayed here as well, but not changed)
_______________________________________________________________________________
FILEFIND [name] = Find normal files, limit to MFT records containing [name]

 Purpose:    Find normal (not deleted) files. Where the name contains a
             wildcard, the found files can be copied to another disk using
             the RECOVER or SAVEAS commands, just as with deleted files.

 Parameters: name   optional   part of filename wanted, not a true wildcard,
                               but may start and end in a '*' character

 Options:    -a     Search ANY/ALL files, deleted and normal
             -D     search directories only, not files+directories
             -c     Start from current sector, not start of volume
             -d-    Search outside Master File Table too (SLOW!)
             -v     Verbose search, list files while found (SLOW!)

 Output:     Find-result list (as "find -type:f") on screen and in memory

 Remarks:    All deleted files, or the ones where the MFT record contains
             the specified UNICODE string, will be found and added to the
             list.

             The [name] selection aims at the FILENAME part only.
             To select on part of the full path for the file, use the
             wildcard select parameters on the DELSHOW and RECOVER commands.

             The [name] is NOT case-sensitive, and there is a slight chance
             of 'false-hits' when other parts of the MFT contain this string.

             List can be manipulated as usual, best viewed with "delshow"
             or the equivalent "list -f"

             By default, only the MFT area is searched, which is at least a
             hundred times faster than searching the whole filesystem.
_______________________________________________________________________________
FINDROOT [n][~] = find the Root directory without using the bootrec info
                  starting the search at LSN [n]; [~] = use 8.3 names

 Purpose:    Find the MFT for the ROOT directory, even if parts of the
             volume, including the boot record, are damaged.
 Parameters: n      optional   Start LSN for the search
             ~      optional   Use the short 8.3 name when available

 Output:     Search result list starting at the first MFT record encountered
             up to the MFT record for the ROOT directory when found.

 Remarks:    none
_______________________________________________________________________________
FINDMFT [lsn] = find the Master File Table (MFT) to prepare for FIXBOOT

 Purpose:    Find the LSN for the start of the main MFT file, without using
             any info from the bootsector (prepare for fixboot)

 Parameters: lsn    optional   Start LSN for the search

 Output:     Progress while searching for the unique $AttrDef MFT record
             and default display of the $MFT record when found

 Remarks:    This can be a very time-consuming operation (hours on large disk)
             but may be required if the bootsector is damaged, and no spare
             copy is present at the end of the partition.

             The FIXBOOT command will automatically use the found location as
             its MFT-location parameter 'mftLSN'
_______________________________________________________________________________
FIXBOOT = Recover NTFS bootsector from the spare copy (saved by format)

 Purpose:    Fix corrupted bootsector for an NTFS partition

 Parameters: mftLSN optional   sectornumber of the $MFT record
                               (default from bootsector, or FINDMFT)

 Options:    -c[:n] use current, or specified clustersize (default is 8)
             -s-    do NOT try to copy the existing spare-bootsector first
             -V-    Use Windows NT/XP 'NTLDR', not Vista/W7/8/10 'BOOTMGR'

 Output:     Progress and confirmation info

 Remarks:    This will locate the copy of the bootsector saved by format, and
             when found copy it to the bootsector location (sector 0), or
             create a new one from a template or specified imagefile.

             The partition table info (type and size) must still be valid!
             When creating a new bootsector from a template/imagefile, the
             required MFT location will be the result of a previous FINDMFT
             command, or a fixed default of 0x60000 (Windows XP, smallish)
_______________________________________________________________________________
FIXNTLDR = Replace (the first sector of) NTLDR for an NTFS partition

 Purpose:    Fix a damaged NTLDR so Windows will boot correctly again.
             This works on the 15 sector first-stage of NTLDR that is part of
             the $Boot system-file on NTFS filesystems, and is located
             directly after the normal bootsector.

 Parameters: -I[:image]  Name of imagefile with NTLDR code (15 sectors)
                         with a default of 'dfsntldr.imz'

                         When not specified at all, only the FIRST sector
                         will be replaced, using a copy builtin to DFSee.

 Options:    -V-    Use Windows NT/XP 'NTLDR', not Vista/W7/8/10 'BOOTMGR'

 Output:     Progress and error messages

 Remarks:    DFSee comes with two NTLDR imagefiles, which are intended for:

             DFSNTLDR.IMZ : Windows-NT, Windows-2000 and Windows-XP
             DFSNTLDR.IM7 : Windows-7 and later versions (perhaps Vista too)
_______________________________________________________________________________
LABEL [label] = Display/edit the volume label in the $Volume MFT file

 Purpose:    Set a volume label in the $Volume special file in the MFT

 Parameters: label  optional   New volume label, maximum length 32
                               Default value is the current volume label

 Options:    -!-    Skip input dialog for a new value

 Output:     Progress information

 Remarks:    On NTFS there is NO label in the bootsector, but it resides ONLY
             in the $Volume special file in the Master-File-Table which is
             updated by DFSee when changing the label value.

             The NTFS label in the $Volume MFT record is 32 characters
_______________________________________________________________________________
MFT [rec#][-v-] = Calculate LSN for MFT record-nr and perform a default display

 Purpose:    Display a sector, probably an MFT-record, by specifying its
             MFT number.
             The logical sector number is based on the MFT-0 pointer in the
             boot record and a calculated sectors per MFT.

 Parameters: rec#   The record number for the MFT record
                    0 is the first MFT, regarding the MFT itself

 Options:    -v-           Non-verbose, basic info and NAME attribute only
             -R[:attr-id]  Build and display an allocation runlist for the
                           non-resident unnamed data-attribute or another
                           attribute specified by 'Id'
                           (this option is for testing purposes mainly)

 Output:     Display of the MFT record contents, or an error message
_______________________________________________________________________________
MIR [rec#][-v-] = Calculate LSN for MFT-mirror record-nr, do default display

 Purpose:    Display a sector by specifying its MFT number as an index
             into the MFT-mirror area. (effect as 'MFT' command)

 Parameters: rec#   The record number for the MFT record

 Options:    -v-    Non-verbose, basic info and NAME attribute only

 Output:     Display of the MFT record contents, or an error message

 Remarks:    The MFT mirror area only contains a subset (usually 4 records)

             The main purpose for the MFT mirror is as a backup for the
             important (system) files like the MFT and root directory.
_______________________________________________________________________________
MFTEXT = Find all external MFT records (continuation for base-MFT)

 Purpose:    Quickly find all MFT records that are continuations for others

 Parameters: none

 Output:     Standard find-progress, and one line per hit

 Remarks:    Continuation MFT records link back to the base-MFT.
             This link will be recorded in the 'up' shortcut. (command 'u')

             From the base MFT-record, the first external continuation MFT
             will be recorded in the 'eXtra' shortcut (command 'x')

             Existence of a continuation record is a sure sign for very
             heavy fragmentation of the file in question.
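
Added example (not DFSee code): the record-number to LSN calculation that the MFT and MIR commands above describe, written in Python against the standard NTFS boot sector fields (bytes per sector at 0x0B, sectors per cluster at 0x0D, $MFT and $MFTMirr cluster numbers at 0x30 and 0x38, signed record-size byte at 0x40). The function names and sample values are constructed; the result is partition-relative and only holds while the record lies in the first extent of the MFT.

```python
import struct

def parse_ntfs_boot(bs: bytes) -> dict:
    """Extract the geometry needed to locate MFT records from a boot sector."""
    if len(bs) < 512 or bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)    # bytes/sector, sectors/cluster
    mft_lcn, mir_lcn = struct.unpack_from("<QQ", bs, 0x30)
    (raw,) = struct.unpack_from("<b", bs, 0x40)       # signed: clusters per record
    if bps == 0 or spc == 0 or raw == 0:
        raise ValueError("implausible geometry")
    # A negative value n means a record of 2**(-n) bytes (-10 -> 1024 bytes)
    rec_bytes = 1 << -raw if raw < 0 else raw * spc * bps
    if rec_bytes % bps:
        raise ValueError("record size is not a whole number of sectors")
    return {"bps": bps, "spc": spc, "mft_lcn": mft_lcn, "mir_lcn": mir_lcn,
            "rec_bytes": rec_bytes, "sect_per_rec": rec_bytes // bps}

def mft_record_lsn(geo: dict, rec: int, mirror: bool = False,
                   mirror_records: int = 4) -> int:
    """LSN of record `rec` in the MFT, or in the MFT mirror when mirror=True.

    mirror_records=4 follows the 'usually 4 records' remark for MIR above.
    """
    if rec < 0 or (mirror and rec >= mirror_records):
        raise ValueError("record number out of range")
    base = geo["mir_lcn"] if mirror else geo["mft_lcn"]
    return base * geo["spc"] + rec * geo["sect_per_rec"]

def make_sample_boot() -> bytes:
    """Constructed boot sector: 512-byte sectors, 8 sectors per cluster."""
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, 8)
    struct.pack_into("<QQ", bs, 0x30, 0x4000, 2)      # $MFT and $MFTMirr clusters
    struct.pack_into("<b", bs, 0x40, -10)             # 1024-byte records
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)

if __name__ == "__main__":
    geo = parse_ntfs_boot(make_sample_boot())
    for rec in (0, 5):
        print(f"MFT {rec} -> LSN 0x{mft_record_lsn(geo, rec):X}")
    print(f"MIR 3 -> LSN 0x{mft_record_lsn(geo, 3, mirror=True):X}")
```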
_______________________________________________________________________________
PATH [n][~] = Show all path components for MFT, up to root [use 8.3] name

 Purpose:    Show the directory branch that contains current file/dir

 Parameters: n      optional   Start LSN for the search
             ~      optional   Use the short 8.3 name when available

 Output:     One line for each found 'parent' directory, up to the root

 Remarks:

NTFS remarks:

 Date and time information in the NTFS filesystem is stored as a time offset
 in units of 100ns starting on 1st of January 1601. It is a 64-bit number.

 The date and time is stored as a Universal Coordinated Time (UTC/GMT) and
 displayed as such by DFSee.

 If you want timestamps to correspond to your local timezone, you can set the
 'TZDFSEE' environment variable to a signed number of minutes, being the
 offset to GMT.
_______________________________________________________________________________