[clue] NTFS logical structure corruption?

Jim Ockers ockers at ockers.net
Thu Mar 8 10:03:42 MST 2012


Hi Bruce,

I think the answer to your question "Why does NTFS need the elaborate 
fix procedure you show above" has to do with the fact that the problem 
was created by malware, which by definition doesn't follow the rules, 
and could create corruption of data structures in memory and on disk, or 
just create some data structures on disk that we don't have good and 
easily available tools to resolve.

I think an analogy might be if someone changed the filesystem attributes 
of a file or directory to immutable on linux, and then you weren't able 
to do anything with that particular file or directory, AND you didn't 
have chattr or debuge2fs utilities available to you to fix it. e2fsck 
might not report anything wrong because immutable is a perfectly 
legitimate attribute. What would you do to get rid of the last traces of 
malware in that case? I'm just giving this as an example of why NTFS 
might be more problematic to debug and fix than ext[234]fs, especially 
because NTFS has the rich ACL permissions model.

Jim
-- 
Jim Ockers, P.E., P.Eng. (ockers at ockers.net)
Contact info: http://www.ockers.net/


Bruce Ediger wrote:
> On Wed, 7 Mar 2012, David L. Willson wrote:
>
>> 1) Use CHKDSK to repair the filesystem
>> 2) Use TAKEOWN to ...
>> 3) Use ICACLS to ...
>
> I thought about this for a while, and I worry about being contentious
> or whatever, so feel free to slap me down for this...
>
> I also may be showing my age.  In 1993-94, when NT first came out, the
> Windows advocates were all saying that NTFS would never require the
> moral equivalent of a "fsck", because of the great design of NTFS.
>
> Although I've been an at-work Windows user for 8 years now, I've never
> really experienced an NTFS oddity that required a CHKDSK (which is the
> moral equivalent of "fsck", right?).
>
> On the other hand, I've never since 1988 had a Unix or NetBSD or Linux
> filesystem not easily fixable by "fsck -p", except when the disk drive
> died with audible scraping noises and thunks.
>
> Why does NTFS need the elaborate fix procedure you show above?  And why
> is NTFS so "magical" that alternate (linux) tools can't fix it?  The
> NetBSD folks were able to modify UFS to become ext2fs fairly readily,
> and at least a couple of Linux reverse-engineered NTFS implementations
> exist, right?
>
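The immutable-attribute case Jim describes above is exactly the kind of thing e2fsck will never report, so the check has to be a separate scan of file attributes. This added Python example (not from the thread) parses `lsattr -R` output and lists entries carrying the immutable or append-only flag; the sample output and the /srv/www paths in it are constructed, not captured from a real system.

```python
"""Parse `lsattr -R` output and report files carrying the immutable (i)
or append-only (a) attribute, which e2fsck treats as legitimate and will
never flag.  Added example, not part of the original thread; the sample
output below is constructed, not captured from a real system."""
import re
from typing import Iterator

# One lsattr file line: a flags field (dashes and attribute letters) followed
# by a single space and the path; paths may themselves contain spaces, so the
# split is on the first space only.  "dir:" header lines do not match.
LINE_RE = re.compile(r"^([-a-zA-Z]{10,}) (.+)$")

# Constructed sample of `lsattr -R /srv/www` output (hypothetical paths).
SAMPLE = """\
/srv/www:
--------------e---- /srv/www/index.html
----i---------e---- /srv/www/.cache
-----a--------e---- /srv/www/error.log

/srv/www/.cache:
----i---------e---- /srv/www/.cache/run me.sh
--------------e---- /srv/www/.cache/notes.txt
"""

def parse_lsattr(text: str) -> Iterator[tuple[str, str]]:
    """Yield (flags, path) for each file line, skipping headers and blanks."""
    for line in text.splitlines():
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def locked_files(text: str, watch: str = "ia") -> list[tuple[str, str]]:
    """Return [(path, letters)] for entries whose flags contain a watched letter.

    'i' (immutable) and 'a' (append-only) are the flags that block deletion
    or modification even for root until chattr clears them."""
    found = []
    for flags, path in parse_lsattr(text):
        hits = "".join(c for c in flags if c in watch)
        if hits:
            found.append((path, hits))
    return found

if __name__ == "__main__":
    for path, hits in locked_files(SAMPLE):
        print(f"{hits:>2}  {path}")
```

On a live system feed it `subprocess.run(["lsattr", "-R", root], capture_output=True, text=True).stdout` and compare the result against the set of files you intentionally locked.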



