Click here to Skip to main content
15,885,365 members
Search within:


Given an NTFS File ID, is there any official way to get the file names
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Windows
If I have an NTFS File ID, is there an official way to get the file names from that file ID? (Other then scanning every file on the hard drive...?)

It appears that I can at least verify that a file ID is valid by calling NtCreateFile, although Microsoft's documentation has a big fat warning that the API is subject to change.
Posted
Updated 21-Jul-18 18:42pm
Add a Solution

2 solutions

OK, just taking a stab at it, could you use OpenFileById OpenFileById [^]to get you a handle, then GetFileInformationByHandleEx [^]to return a FILE_NAME_INFO[^]structure?

I would have thought there would be a way to get the name directly from the ID, but perhaps that capability is missing because FileIDs are re-used by the system so the same ID won't always point to the same file as time passes. If the system is static (read-only) this won't be a problem, but it still probably isn't a good practice.
 
Share this answer
 
Posted
On NTFS the $MFT file itself has an entry for every file. The FileId has 16 bits of sequence number and 48-bits of $MFT file index. FileId => [seq << 48 | mft_index]. You can read $MFT records using 
DeviceIoControl(hVolume, FSCTL_GET_NTFS_FILE_RECORD, ...)
to obtain 
NTFS_FILE_RECORD_OUTPUT_BUFFER
and access its 
FileRecordBuffer
member which the NTFS info for the fileId in the 
FileReferenceNumber
parameter of the 
NTFS_FILE_RECORD_OUTPUT_BUFFER
matching the 
NTFS_FILE_RECORD_INPUT_BUFFER
unless the fileId is invalid.

The MFT is fairly well documented in many places on the web. That said, it is important to note that an MFT FILE-RECORD contains key-value pairs of attributes. Among the things in those attributes are the hardlink names, any reparse-point, and any NTFS streams (like a dir) that are part of that file.

Put another way, a given fileId can refer to multiple "file names" if it has multiple hardlinks pointing to it. So the canonical name is the first hardlink found in the key-value attributes of the $MFT record, which is then walked backward/up through the parent directory tree to build the canonical path to the file.
 
Share this answer
 
Posted
Updated 21-Jul-18 18:52pm
v7
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
How to Save upload file with the name of the ID in the database to have unique name
System.invalidoperationexception: the given column name 'milliseconds' does not match up with any column
Wipe all files absolutely in a folder in NTFS
How to create a file in given form from two input files
How to build a gui program that locks an exe file with given password by user
How path is stored in MFT[NTFS file system]
C# program to find the number of files based on the category (i.e doc files, xls files, pdf files, etc., ) in the given directory and its sub folders
Convert FAT file system 2 NTFS file system
How to open file explorer at given location in c#?
How to get file name

Advertise
Privacy
Cookies
Terms of Use
Last Updated 22 Jul 2018
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web01 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900