Skip navigation

Troubleshooting Windows NT File Systems

Tweak your file systems
This month I discuss how to improve your file system performance and how to manipulate the way Windows NT handles file systems. Tweaking file system performance involves modifying the Registry, so you need to create an Emergency Repair Disk (ERD).

The easiest way to boost your file system performance is to defragment your hard disk regularly. The blocks that make up a file become separated over the disk, so the physical disk heads must move over more of the disk to find them. Disk defragmentation moves these blocks to contiguous disk areas and thus results in faster access.

Microsoft originally thought NTFS did not fragment, so NT does not come with a defragmentation tool. You can use a third-party disk defragmenter such as Diskeeper Lite, Executive Software's free defragmentation tool. You can download this scaled-down version or order the full version (Diskeeper 3.0) from http://www.execsoft.com.

How do I convert a FAT or High-Performance File System (HPFS) partition to NTFS?

You can use Windows NT's convert.exe utility to convert a FAT or HPFS partition to NTFS. Go to the command line and type

convert <drive>: /fs:ntfs \[/v\]

The /v setting is an optional command that runs the conversion in verbose mode and gives you conversion details on a file-by-file basis. Listing 1, page 156, shows the output of a nonverbose conversion.

Sometimes you cannot lock a drive for exclusive use (e.g., if you convert the boot partition, which is where NT resides). If you cannot lock the drive you want to convert, the conversion schedules for the next reboot. If you need to cancel the conversion, you must edit the Registry.

Start regedt32.exe, and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager key. Double-click the BootExecute value in the right-hand pane. Select autocheck autoconv \??\drive: /FS:ntfs, as Screen 1, page 156, shows, and press the delete key. Click OK, and close the Registry editor. You might get a warning such as the one in Screen 2, page 156, because the line you deleted left a blank string. If you get this message, click OK. To prevent this message, press the backspace key rather than the delete key.

After you convert a FAT partition to NTFS, users have full permissions. If you converted the boot partition, you'll want to modify users' permissions. For a list of suggested permissions, see the Microsoft Support Online article "Default NTFS Permissions in Windows NT" (http://support.microsoft.com/support/kb/articles/q148/4/37.asp).

You can use the Microsoft Windows NT Server 4.0 Resource Kit, Supplement Two fixacls.exe utility to automatically set file protections. Log on as an account with backup file and folder privileges. From the Start menu, select Run, and enter

fixacls.exe

Click OK. You need access to %systemroot%\inf\perms.inf to run fixacls.exe, because the utility sets permissions on this file.

NT's convert.exe utility does not work in reverse, so you cannot convert an NTFS partition to FAT. Instead, you need to back up the data, reformat the partition as FAT, and restore your backup.

How much hard disk space do I need to convert a FAT partition to NTFS?

You can use the following calculation for standard disks with 512 bytes per sector. Divide the size of the partition by 100. If the result is less than 1,048,576, use 1,048,576 as the value. If the result is greater than 4,194,304, use 4,194,304. Then, divide the size of the partition by 803, and add the result to the first number you obtained (i.e., 1,048,576 or 4,194,304). Next, multiply the number of files and directories by 1280, and add the result to the last number you obtained. (To determine the number of files and directories, use the dir /s command at the base of the partition.) Finally, add 196,096 to your previous result.

Does Windows NT support FAT32?

NT 5.0 will support FAT32. NT 4.0 does not support FAT32, but you can download a free read-only FAT32 driver for NT 4.0 from http://www.sysinternals.com. You can download a fully writable FAT32 driver for NT 4.0 from http://www.winternals.com.

How do I read an NTFS partition from DOS?

You cannot read an NTFS partition with standard DOS. However, the NTFSDOS utility, available at http://www.sysinternals.com, lets you read NTFS partitions.

How do I manipulate filename creation on FAT and NTFS partitions?

Long filenames replaced 8.3 filenames as the standard filenaming format. However, Windows NT creates an 8.3 alias for long filenames, for compatibility on VFAT and NTFS partitions.

On VFAT, NT uses linked directory entries to store long filenames. A long filename uses one directory entry for its alias (i.e., the 8.3 filename NT generates), and a hidden directory entry for every 13 characters in its name. Thus, a long filename with 200 characters uses 17 entries.

To generate an alias on VFAT, NT uses the first six characters of the long filename, a circumflex character (i.e., ~), and a number for the first four files that have the same first six characters. For example, the aliases for the files john savills file.txt and john savills other file.txt are johnsa~1.txt and johnsa~2.txt. If you have more than four files with the same first six characters, NT uses only the first two characters of the filename, and generates the last four characters (e.g., jo0E38~1.txt). NTFS simply stores the 8.3 filename as a second entry in the directory structure.

You might not want NT to create long filenames, because some third-party disk utilities directly manipulate FAT and destroy long filenames. DOS 6.x and later utilities such as scandisk.exe and defrag.exe do not harm long filenames. On a FAT partition, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem key, and change the value of Win31FileSystem from 0 to 1. NT then creates only 8.3 filenames. You need to reboot after making these Registry changes.

Conversely, you might not want NT to create 8.3 filenames. To prevent NT from creating an 8.3 alias, you need to modify the Registry, as Screen 3 shows. On an NTFS partition, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem key, and change the value of NtfsDisable8dot3NameCreation from 0 to 1. On a VFAT partition, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem key, and change the value of Win95TruncatedExtensions to 0.

How many files can I create on the root of a FAT partition?

The root of a FAT drive holds only 512 entries. Remember that long filenames use multiple entries. Thus, creating numerous long filenames on the root of a partition uses space quickly.

How many characters can a filename have?

The maximum number of characters you can use for a filename depends on whether the file is on an NTFS partition or a FAT partition. You can have a 256-character filename on an NTFS partition but only an 11-character filename on an FAT partition (i.e., an 8-character filename with a 3-character extension). The version of FAT that comes with Windows NT 4.0 supports 255-character filenames, unless you turn on Win 3.1. VFAT uses 256-character filenames.

NTFS filenames are case sensitive (except during searches), whereas FAT filenames do not retain case. NTFS filenames can contain any characters, including spaces and uppercase, except " * : / \ ? < > |. VFAT filenames must start with a letter or number and can contain any characters except / \ : | ? " ^.

How do I stop chkdsk from checking a particular volume at boot time?

When Windows NT boots, it checks all volumes for the dirty bit. The operating system (OS) sets the dirty bit, which is a bit setting in the partition. If the dirty bit is set, NT runs the chkdsk utility. You might want to exclude drives (e.g., a removable Iomega drive) to stop NT from checking the dirty bit.

To exclude a drive, start regedt32.exe, and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager key. Double-click the BootExecute value in the right-hand pane, and change autocheck autochk * to autocheck autochk /k:drive letter *. For example, to stop the check on drive F, type

autocheck autochk /k:f *

To stop the check on multiple volumes, enter multiple drive names. For example, to stop the check on drives E and G, type

autocheck autochk /k:eg *

If you are using NT 4.0 with Service Pack 2 (SP2) or later, you can use the chkntfs.exe command to exclude drives from the check. Go to the command line and type

chkntfs /x <drive letter>:

To set NT to check all drives again, type

chkntfs /d

You might want to cancel a chkdsk command. Suppose you configured a full chkdsk on a drive for the next reboot, using the command chkdsk drive letter: /f /r. This command finds bad sectors, recovers information from the sectors, and fixes errors on the disk. To cancel the command, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager key, select BootExecute, and change the value from autocheck autochk * /r\DosDevice\drive letter: to autocheck autochk *.

How do I view a user's file permissions from the command line?

The Microsoft Windows NT Server 4.0 Resource Kit perms.exe utility shows permissions on files and directories. Go to the command line and type

perms <domain>\<user> <file>

Table 1 shows file and directory permissions.

Add /s to show details of subfiles and subdirectories. To output the permissions to a file, add > filename.txt, using the name of the file you want to direct the output to. The perms.exe utility has a bug that keeps it from recognizing permissions given via a global group.

You can use NT's cacls.exe command to change a user's permissions from the command line. To give a user named John read access to a directory called files, go to the command line and type

cacls files /e /p john:r

The /e setting edits the access control list (ACL) instead of replacing it, so other file and directory permissions do not change. The /p setting sets the user's permissions. For more information about this command, go to the command line and type

cacls /?

Can I delete files beginning with $ at the root of my NTFS drive?

You cannot delete files beginning with $ because you cannot remove the hidden flags. Moreover, you do not want to delete the files because they hold your NTFS volume information. Table 2 lists NTFS files. If you want to view the files, go to the command line and type

dir /ah $mft

What cluster size do FAT and NTFS partitions use?

Table 3 lists the default cluster size for FAT partitions. In Inside the Windows NT File System, Microsoft does not recommend FAT volumes larger than 511MB because the cluster increases to more than 16KB and wastes space.

Table 4 lists the default cluster size for NTFS partitions. NTFS balances the tradeoff of disk defragmentation from small clusters and wasted space from large clusters.

When you format a drive, you can use the /a:size switch to change the cluster size. Go to the command line and type

format d: /a:1024 /fs:ntfs

What can I do if Windows NT becomes unresponsive during an NTFS disk operation (e.g., dir)?

When you perform a large NTFS disk operation such as dir/s *.* or ntbackup :\*.*, NT might become unresponsive. NT updates NTFS files with a last access stamp, and viewing thousands of files fills the NTFS log. NT locks up as it waits to flush the NTFS log file to the hard disk.

You can prevent NTFS from updating the last access stamp. Start regedit.exe, and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem key. Select New, DWORD Value from the Edit menu, enter the name NtfsDisableLastAccessUpdate, and click OK. Double-click the new value, change the value to 1, and click OK. Close the Registry editor, and reboot.

What are alternate data streams?

You can use alternate data streams to hide data from Explorer and the dir command in NTFS files. You must know the file's stream name to view the data. A stream is an entry point into a file. You can create multiple streams to an NTFS file in the form filename:stream name.

Start a console window (cmd.exe). At the prompt, type

notepad normal.txt

Enter some text, and save the file on an NTFS partition. Edit the file again, with a different stream (e.g., notepad normal.txt:hidden.txt). The system then prompts you to create a new file. Enter some text, and save the file. When you run the dir command, you see only the file normal.txt, with its original size.

Each file can have multiple streams. When you copy a file, the streams remain. Thus, if you copy the file normal.txt to the file john.txt, you get the hidden stream (i.e., john.txt:hidden). You cannot use streams from the command prompt because the command prompt does not recognize colons in filenames (except in drive letters).

Microsoft does not provide a method to detect or delete hidden streams. To detect streams, use March Information Systems' utility (http://streams.march.co.uk), or Frank Heyne's List Alternate Data Streams (LADS) command line tool (http://rcswww.urz.tu-dresden.de/~fh/nt/ntfs-ads). To delete a stream, copy the file to a FAT partition and then back to the NTFS partition. Type

- ren <file> temp.temp
- cat temp.temp > <file>
- del temp.temp
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish