5.2 NTFS Attribute Types

On a NTFS volume, each unit of information associated with a file including its name, its owner, its timestamp, its contents, and so on, is implemented as a file attribute. A file's data is an attribute; the "Data Attribute" known as $DATA. A number of attributes exist on a NTFS volume. The attribute names used by NTFS are listed in the table below.

Attribute Name

Description

$ATTRIBUTE_LIST

Lists the location of all attribute records that do not fit in the MFT record

$BITMAP

Attribute for Bitmaps

$DATA

Contains the default file data

$EA

Extended the attribute index

$EA_INFORMATION

Extended attribute information

$FILE_NAME

File name

$INDEX_ALLOCATION

The type name for a Directory Stream. A string for the attribute code for index allocation

$INDEX_ROOT

Used to support folders and other indexes

$LOGGED_UTILITY_STREAM

Use by the encrypting file system

$OBJECT_ID

Unique GUID for every MFT record

$PROPERTY_SET

Obsolete

$REPARSE_POINT

Used for volume mount points

$SECURITY_DESCRIPTOR

Security descriptor stores ACL and SIDs

$STANDARD_INFORMATION

Standard information, such as file times and quota data

$SYMBOLIC_LINK

Obsolete

$TXF_DATA

Transactional NTFS data

$VOLUME_INFORMATION

Version and state of the volume

$VOLUME_NAME

Name of the volume

$VOLUME_VERSION

Obsolete. Volume version

A comprehensive discussion and explanation about attributes is available in [WININTERNALS]   Chapter 12 and [MSFT-NTFSWorks].

Show: