NTFSfastFind

Version

Author: Dennis Lang
Version: NTFSfastFind v2.3
Updated: Aug-2011
http://home.comcast.net/~lang.dennis/

Download

Warning - Use at your own risk. No guaranties on reliability and accuracy of NTFSfastFind.
Download v2.3 source code: NTFSfastFind-v2.3-src.zip (C++/Visual Studio 8 & 10)
Download v2.3 excutable: NTFSfastFind.exe

Intro

NTFSfastFind is a command line (console) program which finds files by searching the NTFS Master File Table (MFT) rather then the conventional way of iterating over directories or by creating and maintaining an index database.

NTFSfastFind is similar to the directory list command dir and needs a disk drive and optional file pattern.

Examples:
NTFSfastFind c:
NTFSfastFind d:*.log
NTFSfastFind c:Foo*.txt
NTFSfastFind c:Events??-Jan-??.txt
NTFSfastFind c:\windows\system*\*.log
NTFSfastFind -f *.log -s 1000 -t -1.0 c: d: e:

Sample output

 > NTFSfastFind.exe -f \Windows\*  c:*.log
Path
C:\Windows\PFRO.log
C:\Windows\WindowsUpdate.log
C:\Windows\setupact.log
C:\Windows\setuperr.log

 > NTFSfastFind.exe c:\windows\*.log
Path
C:\Windows\PFRO.log
C:\Windows\WindowsUpdate.log
C:\Windows\setupact.log
C:\Windows\setuperr.log

 > NTFSfastFind.exe -ITS -f \Windows\*  c:*.log
Parent    Modified Date                     Size Path
  5012 08/07/2011  12:14 PM                  308 C:\Windows\PFRO.log
  5012 08/07/2011   1:36 PM            1,440,386 C:\Windows\WindowsUpdate.log
  5012 08/07/2011  12:14 PM                   56 C:\Windows\setupact.log
  5012 08/07/2011   8:25 AM                    0 C:\Windows\setuperr.log


 > NTFSfastFind.exe -ITS# -f \Windows\*  c:*.log
Parent  #Data    Modified Date                     Size  #Name Path
  5012      1 08/07/2011  12:14 PM                  308      1 C:\Windows\PFRO.log
  5012      1 08/07/2011   1:36 PM            1,440,386      2 C:\Windows\WindowsUpdate.log
  5012      1 08/07/2011  12:14 PM                   56      1 C:\Windows\setupact.log
  5012      1 08/07/2011   8:25 AM                    0      1 C:\Windows\setuperr.log

File filter and using wildcards

File filtering can be done with either the -f <filter> or <drive>[<filter>] argument or both. The filter pattern is broken into two parts, directory and file. The split occurs between the last back slash '\' so be careful whether or not you include the slash.

Pattern Directory Pattern File Pattern
foo.dat Any directory Exact match to foo.dat
foo.* Any directory Any file starting with foo.
\tmp\ Exact match to directory \tmp Any files.
\tmp\foo.dat Exact match to directory \tmp Exact match to foo.dat
\tmp*\f*.dat Any directory under directory starting with \tmp Any file starting with f and ending with .dat

Pattern	Directory Pattern	File Pattern
foo.dat	Any directory	Exact match to foo.dat
foo.*	Any directory	Any file starting with foo.
\tmp\	Exact match to directory \tmp	Any files.
\tmp\foo.dat	Exact match to directory \tmp	Exact match to foo.dat
\tmp\f.dat	Any directory under directory starting with \tmp	Any file starting with f and ending with .dat

Here are some examples using combinations of -f and drive argument.

Command Description
NTFSfastFind.exe -f \Windows*\ c: -f Limits output to files which are in or below directories starting with Windows
NTFSfastFind.exe -f \Windows\ c: -f Limits output to files which are in directory \Windows
NTFSfastFind.exe -f \Windows c: -f Limits output to file Windows

NTFSfastFind.exe c:\Windows*\ Limits output to files which are in or below directories starting with Windows.
NTFSfastFind.exe c:\Windows\ Limits output to files which are in directory \Windows
NTFSfastFind.exe c:\Windows Limits output to file Windows

NTFSfastFind.exe -f \Windows*\ c:w*.dll -f Limits output to files which start with w and end in .dll, and are in or below directories starting with Windows.
NTFSfastFind.exe -f \Windows\ c:w*.dll -f Limits output to files which start with w and end in .dll, and are in directory \Windows
NTFSfastFind.exe -f \Windows c:w*.dll Invalid combination, because -f limits output to files Windows and
c:w*.dll limits output to files starting with w and ending in .dll

Command	Description
NTFSfastFind.exe -f \Windows*\ c:	-f Limits output to files which are in or below directories starting with Windows
NTFSfastFind.exe -f \Windows\ c:	-f Limits output to files which are in directory \Windows
NTFSfastFind.exe -f \Windows c:	-f Limits output to file Windows

NTFSfastFind.exe c:\Windows*\	Limits output to files which are in or below directories starting with Windows.
NTFSfastFind.exe c:\Windows\	Limits output to files which are in directory \Windows
NTFSfastFind.exe c:\Windows	Limits output to file Windows

NTFSfastFind.exe -f \Windows\ c:w.dll	-f Limits output to files which start with w and end in .dll, and are in or below directories starting with Windows.
NTFSfastFind.exe -f \Windows\ c:w*.dll	-f Limits output to files which start with w and end in .dll, and are in directory \Windows
NTFSfastFind.exe -f \Windows c:w*.dll	Invalid combination, because -f limits output to files Windows and c:w*.dll limits output to files starting with w and ending in .dll

The wildcard engine only support ? and *, but allows the wildcard characters to appear multiple times, in the both the filename and directories.

Examples:

Pattern Results
* All files
??? File with 3 characters
*.txt Files ending with .txt
*Jan*.txt Files containing Jan and ending with .txt
c:\*\log\*.txt Files ending with .txt in a subdirectory \log one level below the base directory.
c:\Windows\System*\*.log Files ending with .log and in subdirectory starting with \Windows\System

Pattern	Results
*	All files
???	File with 3 characters
*.txt	Files ending with .txt
Jan.txt	Files containing Jan and ending with .txt
c:\\log\.txt	Files ending with .txt in a subdirectory \log one level below the base directory.
c:\Windows\System\.log	Files ending with .log and in subdirectory starting with \Windows\System

Command Option Details

NTFSfastFind includes several optional arguments to control the filtering and presentation. The lowercase switches control the filtering and the uppercase switches control the presentation.

Filtering

When you use multile filters, only files which match ALL the rules will be reported. So, if you filter on file name and time both have to be true for the file to be reported. Here is an example filtering on directory path and file name.

NTFSfastFind -f \windows\* -f *.log c:

Note - the following will always fail because they both filter on the file extension, remember to use backslash to define a directory filter.
NTFSfastFind -f *.log -f *.txt c:

Command Description
-f <fileFilter> Use -f to define file filters using wildcards.
Identical file filter commands:
   NTFSfastFind -f *.log c:
   NTFSfastFind c:*.log
Example with file filter applied to multiple drives.
   NTFSfastFind -f *.log c: d:
-s <size> Filter by file size
Show files greater than 1000 bytes on d drive.
   NTFSfastFind -s 1000 d:
Show files less than 2000 bytes on c drive.
   NTFSfastFind -s -2000 c:
-t <relativeModifyDate> Filter by Modify Time, value is relative days.
Modified less than 2.5 days ago, file ends in .log on c drive.
   NTFSfastFind -t -2.5 -f *.log
Modified more than 7 days ago on e drive.
   NTFSfastFind -t +7 e:

Command	Description
-f <fileFilter>	Use -f to define file filters using wildcards. Identical file filter commands: NTFSfastFind -f .log c: NTFSfastFind c:.log Example with file filter applied to multiple drives. NTFSfastFind -f *.log c: d:
-s <size>	Filter by file size Show files greater than 1000 bytes on d drive. NTFSfastFind -s 1000 d: Show files less than 2000 bytes on c drive. NTFSfastFind -s -2000 c:
-t <relativeModifyDate>	Filter by Modify Time, value is relative days. Modified less than 2.5 days ago, file ends in .log on c drive. NTFSfastFind -t -2.5 -f *.log Modified more than 7 days ago on e drive. NTFSfastFind -t +7 e:

Presentation

The uppercase switches control presentation. The switches control whether or not to include the field in the output report.

Command Description
-A Include attributes. R=readonly, H=hidden, S=system, D=directory.
-D Disable directory part of file path.
-I Include MTF index of parent directory.
-S Include size.
-T Include modify time.
-# Include stream and name counts

-Q Special mode, Query and display MFT detailed information.

Command	Description
-A	Include attributes. R=readonly, H=hidden, S=system, D=directory.
-D	Disable directory part of file path.
-I	Include MTF index of parent directory.
-S	Include size.
-T	Include modify time.
-#	Include stream and name counts

-Q	Special mode, Query and display MFT detailed information.

The switch order does not affect the column order. The column order is fixed at:

Column Description	Presentation switch
MFT parent index	-I
Number of data streams	-#
Modified Date & Time	-T
File size	-S
Attribute	-A
Number of file names	-#
Directory path	-D
File name

Example output showing ALL columns:

 > NTFSfastFind.exe -AIST# -f \Windows\*  c:*.log
Parent  #Data    Modified Date          Size  Attribute  #Name Path
  5012      1 08/07/2011  12:14 PM       308         20      1 C:\Windows\PFRO.log
  5012      1 08/07/2011   6:59 PM 1,468,866         20      2 C:\Windows\WindowsUpdate.log
  5012      1 08/07/2011  12:14 PM        56         20      1 C:\Windows\setupact.log
  5012      1 08/07/2011   8:25 AM         0         20      1 C:\Windows\setuperr.log

Warning - Use at your own risk. No guaranties on reliability and accuracy of NTFSfastFind.

Help Banner:

NTFS Fast File Find v2.3 - Aug  13 2011
By: Dennis Lang
https://home.comcast.net/~lang.dennis/

Description:
   NTFSfastFind searches NTFS Master File Table (MFT) rather then iterating across directories.
   NTFSfastFind does not use or maintain an index database
   By reading the MFT directly, NTFSfastFind can locate files anywhere on a disk quickly.
   Note: Standard directory searching is faster if you know the directory to search.
   If you don't know the directory and need to search the entire disk drive, NTFSfastFind is fast.

   If you use the -z switch, it will iterate across the directories rather then using MFT.

Use:
   NTFSfastFind [options] ...
 Filter:
   -d                         ; Filter by data stream count
   -f                    ; Filter by filename, use * or ? patterns
   -s                          ; Filter by file size
   -t            ; Filter by time modified, value is relative days
   -z                                ; Force slow style directory search
 Report:
   -A                                ; Include attributes
   -D                                ; Include directory
   -I                                ; Include mft index
   -S                                ; Include size
   -T                                ; Include time
   -#                                ; Include stream and name counts

   -Q                                ; Query / Display MFT information only

 Examples:
  No filtering:
    c:                 ; scan c drive, display filenames.
    -ITSA  c:          ; scan c drive, display mft index, time, size, attributes, directory.
  Filter examples (precede 'f' command letter with ! to invert rule):
    -f *.txt d:        ; files ending in .txt on d: drive
    -!f *.txt d:       ; files NOT ending in .txt on d: drive
    -t 2.5 -f *.log    ; modified more than 2.5 days and ending in .log on c drive
    -t -7 e:           ; modified less than 7 days ago on e drive
    -s 1000 d:         ; file size greater than 1000 bytes on d drive
    -s -1000 d: e:     ; file size less than 1000 bytes on d and e drive
    -f F* c: d:        ; limit scan to files starting with F on either C or D
    -d 1 d:            ; files with more than 1 data stream on d: drive
    -Q c:              ; Display special NTFS files
    -z c:\windows\system32\*.dll   ; Force slow directory search.

Note - there are plenty of similar and polished MFT search tools available for free on the net. I recommend using Everything if you want a fast NTFS search tool with a clean interface.

Everything Search Engine http://www.voidtools.com
NTFS Direct File Find http://ndff.hotbox.ru/en/index.html
Saleen ScanFS http://www.saleensoftware.com/ScanFS.aspx
Ultrasearch http://www.jam-software.com/ultrasearch/

Layout of the Window's NTFS Volume

The following NTFS volume layout is from Richard Russon's NTFS Documentation.

Inode Filename OS Description
0 $MFT Master File Table - An index of every file
1 $MFTMirr A backup copy of the first 4 records of the MFT
2 $LogFile Transactional logging file
3 $Volume Serial number, creation time, dirty flag
4 $AttrDef Attribute definitions
5 . (dot) Root directory of the disk
6 $Bitmap Contains volume's cluster map (in-use vs. free)
7 $Boot Boot record of the volume
8 $BadClus Lists bad clusters on the volume
9 $Quota NT Quota information
9 $Secure 2K Security descriptors used by the volume
10 $UpCase Table of uppercase characters used for collating
11 $Extend 2K A directory: $ObjId, $Quota, $Reparse, $UsnJrnl

12-15 <Unused> Marked as in use but empty
16-23 <Unused> Marked as unused

Any $ObjId 2K Unique Ids given to every file
Any $Quota 2K Quota information
Any $Reparse 2K Reparse point information
Any $UsnJrnl 2K Journalling of Encryption

> 24 A_File An ordinary file
> 24 A_Dir An ordinary directory
... ... ...

Inode	Filename	OS	Description
0	$MFT		Master File Table - An index of every file
1	$MFTMirr		A backup copy of the first 4 records of the MFT
2	$LogFile		Transactional logging file
3	$Volume		Serial number, creation time, dirty flag
4	$AttrDef		Attribute definitions
5	. (dot)		Root directory of the disk
6	$Bitmap		Contains volume's cluster map (in-use vs. free)
7	$Boot		Boot record of the volume
8	$BadClus		Lists bad clusters on the volume
9	$Quota	NT	Quota information
9	$Secure	2K	Security descriptors used by the volume
10	$UpCase		Table of uppercase characters used for collating
11	$Extend	2K	A directory: $ObjId, $Quota, $Reparse, $UsnJrnl

12-15	<Unused>		Marked as in use but empty
16-23	<Unused>		Marked as unused

Any	$ObjId	2K	Unique Ids given to every file
Any	$Quota	2K	Quota information
Any	$Reparse	2K	Reparse point information
Any	$UsnJrnl	2K	Journalling of Encryption

> 24	A_File		An ordinary file
> 24	A_Dir		An ordinary directory
...	...		...

Top

Everything Search Engine	http://www.voidtools.com
NTFS Direct File Find	http://ndff.hotbox.ru/en/index.html
Saleen ScanFS	http://www.saleensoftware.com/ScanFS.aspx
Ultrasearch	http://www.jam-software.com/ultrasearch/