Windows NTFS Tutorial

This short tutorial provides links to resources breaking down how the NTFS file system works, with details on NTFS vs FAT32, recovery techniques and management best practices.

NTFS is Microsoft's file system for Windows server and desktop operating systems. This short Windows NTFS tutorial provides information and links breaking down how it works, with details on NTFS vs FAT32, NTFS recovery techniques and management best practices. You'll also find resources dealing with NTFS compression, permissions and optimization.




Windows NTFS, or NT File System, is the standard file system of Microsoft operating systems, including Windows Server 2008 and Windows Vista. Before Windows NT, the preferred Windows file system was FAT (file allocation table).

FAT was designed to act as a map for all files stored on a hard disk. FAT went through several incarnations before the creation of NTFS, from FAT12 to FAT16 to, finally, FAT32. Because FAT32 was limited to volumes of 32 GB, many users these days take advantage of NTFS for file system management.



NTFS has many advantages over FAT32, such as:

  • An access control list (ACL) that lets a server administrator control who can access specific files
  • Information about a file's clusters and other data is stored with each cluster, not just a governing table
  • Data security on both removable and fixed disks

Most users of Windows 2000 and above choose NTFS over FAT. In simple terms, the difference between FAT and NTFS is that while the FAT file system has had a number of modifications made to allow it to work with larger hard drives, the NTFS file system was developed to support large hard drives from the beginning. Beyond support for larger drives, NTFS protects directories and files more securely against unauthorized users, has better data-protection technologies, and doesn't succumb to errors or fragmentation as easily as FAT32.

Another benefit of Windows NTFS over FAT32 involves NTFS permissions. Administrators can use the NTFS utility to track permissions and provide ownership of files and folders. This benefit led to NTFS file and folder permissions quickly becoming the most common form of authorization back with Windows 2000.

Of course, NTFS permissions were not without some issues. For example, what if NTFS permissions were set to control user access to files, but administrators could still potentially grant themselves permissions to certain restricted documents? This classic "Who will watch the watcher" scenario is naturally all about trust, but was sometimes proactively dealt with for NTFS through auditing tools designed to inform you whenever a change was made.



As one would expect, recovery for NTFS works quite differently than FAT32 recovery. For starters, the NTFS file system is designed to perform file recovery on its own, without the need for third-party data recovery utilities or administrative actions. This is made possible by two technologies: cluster remapping and transaction logging.

Cluster remapping is a technique that prevents data loss by automatically moving data from clusters containing bad sectors on the hard disk to good clusters. The transaction logging feature of the NTFS file system is designed to prevent data corruption. Although the mechanics behind transaction logging in NTFS are complicated, the basic idea is that when a write operation occurs, the Windows NTFS file system records the operation to a log file. Once the write operation is logged, NTFS updates the volume cache and then makes a log entry indicating that the transaction is complete. For more information on how cluster remapping and transaction logging work, check out this article on NTFS data recovery.
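The log-then-write sequence described above can be modeled in a few lines. This is an added example, not code from the original article and not the NTFS on-disk log format; the class and method names are hypothetical, and it goes one step beyond the text by adding the recovery pass that rolls back any operation lacking a completion record.

```python
class JournaledVolume:
    """Simplified model of log-first writes (assumption: undo-only recovery)."""

    def __init__(self):
        self.data = {}   # file name -> contents, standing in for the volume
        self.log = []    # journal records, assumed to survive a crash

    def write(self, txid, name, contents, crash_before_commit=False):
        # Step 1: record the operation, including the old value needed to undo it.
        self.log.append(("op", txid, name, self.data.get(name), contents))
        # Step 2: apply the update to the volume.
        self.data[name] = contents
        if crash_before_commit:
            return False  # simulated power loss before the completion record
        # Step 3: record that the transaction is complete.
        self.log.append(("commit", txid))
        return True

    def recover(self):
        """Undo every logged operation that has no matching commit record."""
        committed = {rec[1] for rec in self.log if rec[0] == "commit"}
        undone = []
        for rec in reversed(self.log):
            if rec[0] == "op" and rec[1] not in committed:
                _, txid, name, old, _new = rec
                if old is None:
                    self.data.pop(name, None)   # file did not exist before
                else:
                    self.data[name] = old       # restore previous contents
                undone.append(txid)
        self.log = [rec for rec in self.log if rec[1] in committed]
        return undone


def demo():
    vol = JournaledVolume()
    vol.write(1, "report.txt", "v1")                            # completes
    vol.write(2, "report.txt", "v2", crash_before_commit=True)  # interrupted
    before = vol.data["report.txt"]
    undone = vol.recover()
    return before, undone, vol.data["report.txt"]


if __name__ == "__main__":
    print(demo())
```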

There are also some free NTFS recovery tools out there. One such tool is FreeUndelete 2.0, which is designed specifically for the recovery of files deleted from NTFS volumes. For example, say you accidentally deleted a file on an external NTFS-formatted hard drive, and you needed to get it back right away. FreeUndelete is a great free tool for fast NTFS data recovery in instances just like that.

What about NTFS recovery of encrypted files? The trick here is that you must have an authorized private key and a file encryption key that was encrypted using the corresponding public key. Without these keys, there is no way to recover NTFS encrypted files. For a detailed rundown of the process, check out this article on recovery of encrypted files on an NTFS partition.

While the NTFS file system was designed to be much less prone to corruption than FAT32, a corrupt boot sector can sometimes occur, requiring the recovery of NTFS data. The boot sector is critical to Windows NTFS, so if it's corrupt, the entire volume may be inaccessible. To repair a corrupt boot sector in NTFS, all you need to do is locate the backup copy, then use the information it contains to overwrite the primary boot sector. You can then begin the NTFS data recovery process.
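The check-and-restore step described above, run against a copy of the volume rather than the live disk, is sketched below. This is an added example, not code from the original article; the function names and the sample image are constructed for illustration, and it assumes 512-byte sectors and a backup boot sector stored in the last sector of the volume (the layout used by Windows NT 4.0 and later).

```python
import struct

SECTOR = 512  # sector size of the constructed sample image

def parse_boot(sec):
    """Decode the NTFS boot-sector fields used for validation."""
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)      # bytes/sector, sectors/cluster
    total, mft_lcn = struct.unpack_from("<QQ", sec, 0x28)  # total sectors, MFT start cluster
    return {"oem": sec[3:11], "bps": bps, "spc": spc,
            "total_sectors": total, "mft_lcn": mft_lcn, "sig": sec[510:512]}

def is_valid(sec):
    """Sanity checks to make before trusting a boot sector, primary or backup."""
    if len(sec) != SECTOR:
        return False
    f = parse_boot(sec)
    return (f["oem"] == b"NTFS    " and f["sig"] == b"\x55\xaa"
            and f["bps"] in (512, 1024, 2048, 4096)
            and f["spc"] in (1, 2, 4, 8, 16, 32, 64, 128)
            and 0 < f["mft_lcn"] * f["spc"] < f["total_sectors"])

def assess(image):
    """Classify a volume image: primary_ok, restore_from_backup or both_bad."""
    primary, backup = image[:SECTOR], image[-SECTOR:]  # assumption: backup is last sector
    if is_valid(primary):
        return "primary_ok"
    return "restore_from_backup" if is_valid(backup) else "both_bad"

def repaired_copy(image):
    """Return a new image whose sector 0 is the backup copy; the input is untouched."""
    if assess(image) != "restore_from_backup":
        raise ValueError("primary is already valid, or no valid backup was found")
    return image[-SECTOR:] + image[SECTOR:]

def make_sample(total_sectors=2047):
    """Constructed test volume with a valid boot sector at sector 0 and at the end."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x52\x90"                           # jump instruction
    boot[3:11] = b"NTFS    "                              # OEM ID
    struct.pack_into("<HB", boot, 0x0B, 512, 8)           # 512 B sectors, 4 KB clusters
    struct.pack_into("<QQ", boot, 0x28, total_sectors, 4) # MFT at cluster 4
    boot[510:512] = b"\x55\xaa"                           # end-of-sector marker
    return bytes(boot) + bytes(SECTOR * (total_sectors - 1)) + bytes(boot)

if __name__ == "__main__":
    good = make_sample()
    damaged = bytes(SECTOR) + good[SECTOR:]               # zeroed primary boot sector
    print(assess(good), assess(damaged), assess(repaired_copy(damaged)))
```

Validating the backup before copying it matters because a stale or damaged backup written over the primary leaves the volume no better off.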



There are several expert-recommended best practices to be aware of when working with Windows NTFS. One such suggestion involves NTFS cluster sizes. Since larger cluster sizes speed up disk access, it might be tempting to ramp up the cluster size as far as possible (up to 256K) on a big partition with big files. This isn't always the smartest thing to do, however, as many third-party utilities aren't designed to recognize NTFS clusters larger than 4K. Many defragmentation programs, for instance, cannot work correctly when confronted with a non-standard cluster size. Therefore, if you plan on using third-party disk tools, creating RAID arrays or mirrored disks, experts advise that you don't edit the NTFS cluster size by hand.

There are many different ways to optimize NTFS performance. These techniques include having you or an administrator format NTFS legacy filenames or resize the master file table. The latter involves making sure that there is enough space reserved for the master file table at all times. This is important because the NTFS master file table is essentially a directory of all of the files and folders found on the hard disk volume (similar to FAT), so it is critical to the volume's performance that the master file table remains as unfragmented as possible.

Other Windows NTFS optimization techniques include disabling the last access date security feature, minimizing the impact of antivirus utilities, and keeping NTFS compression to a minimum. The latter is especially important, because Windows NTFS compression doesn't compress files by clusters. Instead, it uses compression units of 16 clusters and calculates file space on the basis of the number of compression units needed. This wastes an average of eight clusters of additional space for each file. In a typical user's account with hundreds or thousands of files, that space adds up, and when it is charged against users' quotas, they run out of quota space even though the file size on their screen shows that they still have plenty of space left in their quotas.

It's also recommended that administrators beware of ACLs on NTFS volumes from old Windows installations. This is because NTFS Access Control Lists (ACLs) and Security Descriptors describe who can access what NTFS objects, and to what degree. If a given user or group has access to an object, the ACL for that object will contain a reference to that user or group not by their name, but by their GUID. This means that if you have an object somewhere on an NTFS partition that belongs to a user on a specific machine, those permissions are unique. You can't create a user with the same name on another machine and expect to have unrestricted access to that object; you have to take ownership of the object first. By following these steps, you can reverse Windows NTFS object ownership from administrators to the object's creator.

Finally, administrators should also take action against NTFS disks that fill up too quickly. This can be the result of compromised systems and corrupted disks, as well as other factors, such as master file table expansion and invalid file names.

