[Back to Main Page]

NTFSfastFind - Quick file search of Windows NTFS file system using Master File Table MFT

Version

Author: Dennis Lang
Version: NTFSfastFind v2.9
Updated: Nov-2014
https://landenlabs.com

Download


Warning - Use at your own risk. No guaranties on reliability and accuracy of NTFSfastFind.
MIT license clause added to all source code files.

Intro

NTFSfastFind is a command line (console) program which finds files by searching the NTFS Master File Table (MFT) rather then the conventional way of iterating over directories or by creating and maintaining an index database.

NTFSfastFind is similar to the directory list command dir and needs a disk drive and optional file pattern.

Examples:

Sample output

 > NTFSfastFind.exe -f \Windows\*  c:*.log
Path
C:\Windows\PFRO.log
C:\Windows\WindowsUpdate.log
C:\Windows\setupact.log
C:\Windows\setuperr.log

 > NTFSfastFind.exe c:\windows\*.log
Path
C:\Windows\PFRO.log
C:\Windows\WindowsUpdate.log
C:\Windows\setupact.log
C:\Windows\setuperr.log

 > NTFSfastFind.exe -ITS -f \Windows\*  c:*.log
Parent    Modified Date                     Size Path
  5012 08/07/2011  12:14 PM                  308 C:\Windows\PFRO.log
  5012 08/07/2011   1:36 PM            1,440,386 C:\Windows\WindowsUpdate.log
  5012 08/07/2011  12:14 PM                   56 C:\Windows\setupact.log
  5012 08/07/2011   8:25 AM                    0 C:\Windows\setuperr.log


 > NTFSfastFind.exe -ITS# -f \Windows\*  c:*.log
Parent  #Data    Modified Date                     Size  #Name Path
  5012      1 08/07/2011  12:14 PM                  308      1 C:\Windows\PFRO.log
  5012      1 08/07/2011   1:36 PM            1,440,386      2 C:\Windows\WindowsUpdate.log
  5012      1 08/07/2011  12:14 PM                   56      1 C:\Windows\setupact.log
  5012      1 08/07/2011   8:25 AM                    0      1 C:\Windows\setuperr.log

File filter and using wildcards

File filtering can be done with either the -f <filter> or <drive>[<filter>] argument or both. The filter pattern is broken into two parts, directory and file. The split occurs between the last back slash '\' so be careful whether or not you include the slash.
Pattern Directory Pattern File Pattern
foo.dat Any directory Exact match to foo.dat
foo.* Any directory Any file starting with foo.
\tmp\ Exact match to directory \tmp Any files.
\tmp\foo.dat Exact match to directory \tmp Exact match to foo.dat
\tmp*\f*.dat Any directory under directory starting with \tmp Any file starting with f and ending with .dat

Here are some examples using combinations of -f and drive argument.

Command Description
NTFSfastFind.exe -f \Windows*\ c: -f Limits output to files which are in or below directories starting with Windows
NTFSfastFind.exe -f \Windows\ c: -f Limits output to files which are in directory \Windows
NTFSfastFind.exe -f \Windows c: -f Limits output to file Windows
 
NTFSfastFind.exe c:\Windows*\ Limits output to files which are in or below directories starting with Windows.
NTFSfastFind.exe c:\Windows\ Limits output to files which are in directory \Windows
NTFSfastFind.exe c:\Windows Limits output to file Windows
 
NTFSfastFind.exe -f \Windows*\ c:w*.dll -f Limits output to files which start with w and end in .dll, and are in or below directories starting with Windows.
NTFSfastFind.exe -f \Windows\ c:w*.dll -f Limits output to files which start with w and end in .dll, and are in directory \Windows
NTFSfastFind.exe -f \Windows c:w*.dll Invalid combination, because -f limits output to files Windows and
c:w*.dll limits output to files starting with w and ending in .dll
The wildcard engine only support ? and *, but allows the wildcard characters to appear multiple times, in the both the filename and directories.
Examples:
Pattern Results
* All files
??? File with 3 characters
*.txt Files ending with .txt
*Jan*.txt Files containing Jan and ending with .txt
c:\*\log\*.txt Files ending with .txt in a subdirectory \log one level below the base directory.
c:\Windows\System*\*.log Files ending with .log and in subdirectory starting with \Windows\System

Command Option Details

NTFSfastFind includes several optional arguments to control the filtering and presentation. The lowercase switches control the filtering and the uppercase switches control the presentation.

Filtering

When you use multile filters, only files which match ALL the rules will be reported. So, if you filter on file name and time both have to be true for the file to be reported. Here is an example filtering on directory path and file name.

NTFSfastFind -f \windows\* -f *.log c:

Note - the following will always fail because they both filter on the file extension, remember to use backslash to define a directory filter.
NTFSfastFind -f *.log -f *.txt c:

Command Description
-f <fileFilter> Use -f to define file filters using wildcards.
Identical file filter commands:
   NTFSfastFind -f *.log c:
   NTFSfastFind c:*.log
Example with file filter applied to multiple drives.
   NTFSfastFind -f *.log c: d:
-s <size> Filter by file size
Show files greater than 1000 bytes on d drive.
   NTFSfastFind -s 1000 d:
Show files less than 2000 bytes on c drive.
   NTFSfastFind -s -2000 c:
-t <relativeModifyDate> Filter by Modify Time, value is relative days.
Modified less than 2.5 days ago, file ends in .log on c drive.
   NTFSfastFind -t -2.5 -f *.log
Modified more than 7 days ago on e drive.
   NTFSfastFind -t +7 e:

Presentation

The uppercase switches control presentation. The switches control whether or not to include the field in the output report.
Command Description
-A Include attributes. R=readonly, H=hidden, S=system, D=directory.
-D Disable directory part of file path.
-I Include MTF index of parent directory.
-S Include size.
-T Include modify time.
-# Include stream and name counts
 
-Q Special mode, Query and display MFT detailed information.
The switch order does not affect the column order. The column order is fixed at:
Column Description Presentation switch
MFT parent index -I
Number of data streams -#
Modified Date & Time -T
File size -S
Attribute -A
Number of file names -#
Directory path -D
File name  

Example output showing ALL columns: 

 > NTFSfastFind.exe -AIST# -f \Windows\*  c:*.log
Parent  #Data    Modified Date          Size  Attribute  #Name Path
  5012      1 08/07/2011  12:14 PM       308         20      1 C:\Windows\PFRO.log
  5012      1 08/07/2011   6:59 PM 1,468,866         20      2 C:\Windows\WindowsUpdate.log
  5012      1 08/07/2011  12:14 PM        56         20      1 C:\Windows\setupact.log
  5012      1 08/07/2011   8:25 AM         0         20      1 C:\Windows\setuperr.log


Warning - Use at your own risk. No guaranties on reliability and accuracy of NTFSfastFind.

Help Banner: 

NTFS Fast File Find v2.9 - Sep 2, 2013
By: Dennis Lang
https://landenlabs.com//

Description:
   NTFSfastFind searches NTFS Master File Table (MFT) rather then iterating across directories.
   NTFSfastFind does not use or maintain an index database
   By reading the MFT directly, NTFSfastFind can locate files anywhere on a disk quickly.
   Note: Standard directory searching is faster if you know the directory to search.
   If you don't know the directory and need to search the entire disk drive, NTFSfastFind is fast.

   If you use the -z switch, it will iterate across the directories rather then using MFT.

Use:
   NTFSfastFind [options] <localNTFSdrivetoSearch>...
 Filter:
   -d <count>                        ; Filter by data stream count
   -f <fileFilter>                   ; Filter by filename, use * or ? patterns
   -s <size>                         ; Filter by file size
   -t <relativeModifyDate>           ; Filter by time modified, value is relative days
   -z                                ; Force slow style directory search
 Report:
   -A[=s|h|r|d|c]                    ; Include attributes, filter on attributes
   -D                                ; Include directory
   -I                                ; Include mft index
   -S                                ; Include size
   -T                                ; Include time
   -#                                ; Include stream and name counts

   -Q                                ; Query, Display system files (-A=s) and MFT information only

 Examples:
  No filtering:
    c:                 ; scan c drive, display filenames.
    -ITSA  c:          ; scan c drive, display mft index, time, size, attributes, directory.
  Filter examples (precede 'f' command letter with ! to invert rule):
    -f *.txt d:        ; files ending in .txt on d: drive
    -!f *.txt d:       ; files NOT ending in .txt on d: drive
    -t 2.5 -f *.log    ; modified more than 2.5 days and ending in .log on c drive
    -t -7 e:           ; modified less than 7 days ago on e drive
    -s 1000 d:         ; file size greater than 1000 bytes on d drive
    -s -1000 d: e:     ; file size less than 1000 bytes on d and e drive
    -f F* c: d:        ; limit scan to files starting with F on either C or D
    -d 1 d:            ; files with more than 1 data stream on d: drive
    -Q c:              ; Display special NTFS files
    -z c:\windows\system32\*.dll   ; Force slow directory search.

Note - there are plenty of similar and polished MFT search tools available for free on the net.

Everything Search Engine http://www.voidtools.com
Saleen ScanFS http://www.saleensoftware.com/ScanFS.aspx
Ultrasearch http://www.jam-software.com/ultrasearch/

I also found a tool to remove large series of null's from a file and convert it to a sparse file. This is completely unrelated to NTFS scanning, but nonetheless a special file type supported by NTFS.

Sparse Checker http://www.opalapps.com/sparse_checker/sparse_checker.html

Layout of the Window's NTFS Volume

The following NTFS volume layout is from Richard Russon's NTFS Documentation.
Inode Filename OS Description
0 $MFT   Master File Table - An index of every file
1 $MFTMirr   A backup copy of the first 4 records of the MFT
2 $LogFile   Transactional logging file
3 $Volume   Serial number, creation time, dirty flag
4 $AttrDef   Attribute definitions
5 . (dot)   Root directory of the disk
6 $Bitmap   Contains volume's cluster map (in-use vs. free)
7 $Boot   Boot record of the volume
8 $BadClus   Lists bad clusters on the volume
9 $Quota NT Quota information
9 $Secure 2K Security descriptors used by the volume
10 $UpCase   Table of uppercase characters used for collating
11 $Extend 2K A directory: $ObjId, $Quota, $Reparse, $UsnJrnl
       
12-15 <Unused>   Marked as in use but empty
16-23 <Unused>   Marked as unused
       
Any $ObjId 2K Unique Ids given to every file
Any $Quota 2K Quota information
Any $Reparse 2K Reparse point information
Any $UsnJrnl 2K Journalling of Encryption
       
> 24 A_File   An ordinary file
> 24 A_Dir   An ordinary directory
... ...   ...

Top

Blog about NTFSFastFind

myblog