Newer versions of Windows 10 use several reparse tags for files which
are synchronized to OneDrive cloud storage (0x9000301a, 0x9000601a,
0x9000701a, ...). identify them as IO_REPARSE_TAG_CLOUD and use a
single plugin to process them.
Since its 2017 edition, Windows 10 has stopped mirroring $MFT to the
full size of $MFTMirr leading to mounts of partitions with big clusters
to be rejected because of mismatches. With this patch, only 16 records
are checked, though mirroring is still done for all records in $MFTMirr.
At least when there is a shortage of space on the target device, several
redo actions are associated to undoing a CompensationlogRecord, and they
should be redone upon recovery.
Under some circumstances, the temporary log file blocks are not the
latest ones, so check whether there are more recent ones.
Only done for log version 1.x, as log version 2.x follow a different
logic.
The logic for determining where the actions SetIndexEntryVcnRoot and
SetIndexEntryVcnAllocation had to insert a new vcn was unclear and was
wrong in some situations. This is to fix the logic as determined by new
evidence.
When a file is partially truncated, the highest_vcn has to be recomputed
before the file size is adjusted. As a consequence the unmapped run
inserted at the end of runlist to match the file size should not be taken
into account when determining the higest_vcn.
When the fast restart mode of Windows 8 (or later) is activated, the
log file format is different (version 2.0 instead of 1.1), having 32
temporaty blocks instead of 2. This patch upgrades ntfsrecover to take
the new format into account.
When using option --ignore-fs-check in ntfsclone, doubly allocated cluster
still lead to aborting the process. Bypassing the error is useful for
creating a metadata image intended for debugging, for example when the
partition was not closed properly and the logfile has to be applied to
restore the integrity of metadata.
The computing of replacement bytes for overwriting undeletable files
uses random values and standard ones instead of the values provided in
option --bytes. Fix the mixup between both logics, mention the difference
in the documentation and reject defining both options --bytes and --undel.
The license for using the boot loader which used to be inserted by mkntfs
is unclear, so remove it, and only keep the boot sector restricted to
what is needed for having it recognized as such. The space for a loader
is still reserved so that an operating system being installed can insert
its own loader.
The bad cluster list may be updated in ntfsresize and ntfsfix. Though
technically it is organized as a sparse file, Windows does not set
the sparse flags. Do the same to avoid problems with third-party
packages.
The new ntfsrecover option --kill-fast-restart can be used to delete
the Windows fast-restart indication before playing the log. This can
lead to data loss, but is needed before mounting a partition improperly
unmounted from Windows when remounting on Windows is inconvenient.
ntfsrecover -f -v <log file> receives a SIGSEGV because of trying to
read memory outside allocated buffer because of no sanity checks on
restart page header values. This happens on an empty $LogFile because
of no basic checks present. Attached patch adds basic checks similar
to those inside logfile library and allows tool to exit with more
suitable message.
(contributed by Rakesh Pandit)
These tools were originally developed for running on Windows and later
ported to libntfs-3g. This patch makes them similar to other ntfsprogs
tools, dropping the native Windows interfaces and using libntfs-3g on
all platforms.
There is no change in usage or supported features, only the command
names have changed.
These tools were developped before the ntfsprogs were merged into ntfs-3g,
redesigning them like the ntfsprogs make the code simpler.
Note : at this stage secaudit and usermap cannot be built any more.
Prepare merging ntfsrecover.h into logfile.h by adding a usn field to
RESTART_PAGE_HEADER. As this changes the record size, ignore the new
field in existing code.
Usually, only a few pages of the Windows log file are saved in an
ntfsclone image. This is inappropriate for building reference images
for recovering the log, and the --full-logfile option serves that
purpose.
When an INDX or MFT record could not be read while undoing the creation
of this record, there is nothing to do. However if this was undoing the
deletion of the last entry in an index, a new void index block has to be
created.
