2.3.10.2 NTFS_STATISTICS
The NTFS_STATISTICS data element is returned with a FSCTL_FILESYSTEM_GET_STATISTICS reply message when NTFS file system statistics are requested. The NTFS_STATISTICS data element is as follows:









LogFileFullExceptions (4 bytes): A 32bit unsigned integer value containing the number of exceptions generated due to the log file being full.
OtherExceptions (4 bytes): A 32bit unsigned integer value containing the number of other exceptions generated.
MftReads (4 bytes): A 32bit unsigned integer value containing the number of read operations on the Master File Table (MFT).
MftReadBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes read from the MFT.
MftWrites (4 bytes): A 32bit unsigned integer value containing the number of write operations on the MFT.
MftWriteBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes written to the MFT.
MftWritesUserLevel (8 bytes): An MftWritesUserLevel structure containing statistics about writes resulting from certain userlevel operations.
MftWritesFlushForLogFileFull (2 bytes): A 16bit unsigned integer containing the number of flushes of the MFT performed because the log file was full.
MftWritesLazyWriter (2 bytes): A 16bit unsigned integer containing the number of MFT write operations performed by the lazy writer thread.
MftWritesUserRequest (2 bytes): A 16bit unsigned integer that is the sum of the four fields in the MftWritesUserLevel structure.
Padding1 (2 bytes): Unused. This field SHOULD be set to 0 and MUST be ignored.
Mft2Writes (4 bytes): A 32bit unsigned integer value containing the number of write operations on the master file table mirror (MFT2).
Mft2WriteBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes written to the MFT2.
Mft2WritesUserLevel (8 bytes): An MftWritesUserLevel structure containing statistics about writes resulting from certain userlevel operations.
Mft2WritesFlushForLogFileFull (2 bytes): A 16bit unsigned integer containing the number of flushes of the MFT2 performed because the log file was full.
Mft2WritesLazyWriter (2 bytes): A 16bit unsigned integer containing the number of MFT2 write operations performed by the lazy writer thread.
Mft2WritesUserRequest (2 bytes): A 16bit unsigned integer that contains the sum of the four fields in the Mft2WritesUserLevel structure.
Padding2 (2 bytes): Unused. This field SHOULD be set to 0 and MUST be ignored.
RootIndexReads (4 bytes): A 32bit unsigned integer value containing the number of read operations on the root index.
RootIndexReadBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes read from the root index.
RootIndexWrites (4 bytes): A 32bit unsigned integer value containing the number of write operations on the root index.
RootIndexWriteBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes written to the root index.
BitmapReads (4 bytes): A 32bit unsigned integer value containing the number of read operations on the cluster allocation bitmap.
BitmapReadBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes read from the cluster allocation bitmap.
BitmapWrites (4 bytes): A 32bit unsigned integer value containing the number of write operations on the cluster allocation bitmap. This is the sum of the BitmapWritesFlushForLogFileFull, BitmapWritesLazyWriter and BitmapWritesUserRequest fields.
BitmapWriteBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes written to the cluster allocation bitmap.
BitmapWritesFlushForLogFileFull (2 bytes): A 16bit unsigned integer containing the number of flushes of the bitmap performed because the log file was full.
BitmapWritesLazyWriter (2 bytes): A 16bit unsigned integer containing the number of bitmap write operations performed by the lazy writer thread.
BitmapWritesUserRequest (2 bytes): A 16bit unsigned integer that is the sum of the fields in the BitmapWritesUserLevel structure.
BitmapWritesUserLevel (6 bytes): A BitmapWritesUserLevel structure containing statistics about bitmap writes resulting from certain userlevel operations.
MftBitmapReads (4 bytes): A 32bit unsigned integer value containing the number of read operations on the MFT bitmap.
MftBitmapReadBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes read from the MFT bitmap.
MftBitmapWrites (4 bytes): A 32bit unsigned integer value containing the number of write operations on the MFT bitmap. This value is the sum of the MftBitmapWritesFlushForLogFileFull, MftBitmapWritesLazyWriter and MftBitmapWritesUserRequest fields.
MftBitmapWriteBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes written to the MFT bitmap.
MftBitmapWritesFlushForLogFileFull (2 bytes): A 16bit unsigned integer containing the number of flushes of the MFT bitmap performed because the log file was full.
MftBitmapWritesLazyWriter (2 bytes): A 16bit unsigned integer value containing the number of MFT bitmap write operations performed by the lazy writer thread.
MftBitmapWritesUserRequest (2 bytes): A 16bit unsigned integer that is the sum of all the fields in the MftBitmapWritesUserLevel structure.
MftBitmapWritesUserLevel (8 bytes): An MftBitmapWritesUserLevel structure containing statistics about MFT bitmap writes resulting from certain userlevel operations.
Padding3 (2 bytes): Unused. This field SHOULD be set to 0 and MUST be ignored.
UserIndexReads (4 bytes): A 32bit unsigned integer value containing the number of read operations on the user index.
UserIndexReadBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes read from user indices.
UserIndexWrites (4 bytes): A 32bit unsigned integer value containing the number of write operations on user indices.
UserIndexWriteBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes written to user indices.
LogFileReads (4 bytes): A 32bit unsigned integer value containing the number of read operations on the log file.
LogFileReadBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes read from the log file.
LogFileWrites (4 bytes): A 32bit unsigned integer value containing the number of write operations on the log file.
LogFileWriteBytes (4 bytes): A 32bit unsigned integer value containing the number of bytes written to the log file.
Allocate (40 bytes): An Allocate structure describes cluster allocation patterns in NTFS.