Troubleshooting Windows NT File Systems

Learn how to manipulate the way NT handles file systems, and improve your file system performance.

John Savill

July 31, 1998


Tweak your file systems
This month I discuss how to improve your file system performance and how to manipulate the way Windows NT handles file systems. Tweaking file system performance involves modifying the Registry, so you need to create an Emergency Repair Disk (ERD).

The easiest way to boost your file system performance is to defragment your hard disk regularly. The blocks that make up a file become separated over the disk, so the physical disk heads must move over more of the disk to find them. Disk defragmentation moves these blocks to contiguous disk areas and thus results in faster access.

Microsoft originally thought NTFS did not fragment, so NT does not come with a defragmentation tool. You can use a third-party disk defragmenter such as Diskeeper Lite, Executive Software's free defragmentation tool. You can download this scaled-down version or order the full version (Diskeeper 3.0) from http://www.execsoft.com.

How do I convert a FAT or High-Performance File System (HPFS) partition to NTFS?

You can use Windows NT's convert.exe utility to convert a FAT or HPFS partition to NTFS. Go to the command line and type

convert : /fs:ntfs [/v]

The /v setting is an optional command that runs the conversion in verbose mode and gives you conversion details on a file-by-file basis. Listing 1, page 156, shows the output of a nonverbose conversion.

Sometimes you cannot lock a drive for exclusive use (e.g., if you convert the boot partition, which is where NT resides). If you cannot lock the drive you want to convert, the conversion is scheduled for the next reboot. If you need to cancel the conversion, you must edit the Registry.

Start regedt32.exe, and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager key. Double-click the BootExecute value in the right-hand pane. Select autocheck autoconv \??\drive: /FS:ntfs, as Screen 1, page 156, shows, and press the delete key. Click OK, and close the Registry editor. You might get a warning such as the one in Screen 2, page 156, because the line you deleted left a blank string. If you get this message, click OK. To prevent this message, press the backspace key rather than the delete key.

After you convert a FAT partition to NTFS, users have full permissions. If you converted the boot partition, you'll want to modify users' permissions. For a list of suggested permissions, see the Microsoft Support Online article "Default NTFS Permissions in Windows NT" (http://support.microsoft.com/support/kb/articles/q148/4/37.asp).

You can use the fixacls.exe utility from the Microsoft Windows NT Server 4.0 Resource Kit, Supplement Two, to automatically set file protections. Log on with an account that has backup file and folder privileges. From the Start menu, select Run, and enter

fixacls.exe

Click OK. You need access to %systemroot%\inf\perms.inf to run fixacls.exe, because the utility sets permissions on this file.

NT's convert.exe utility does not work in reverse, so you cannot convert an NTFS partition to FAT. Instead, you need to back up the data, reformat the partition as FAT, and restore your backup.

How much hard disk space do I need to convert a FAT partition to NTFS?

You can use the following calculation for standard disks with 512 bytes per sector. Divide the size of the partition by 100. If the result is less than 1,048,576, use 1,048,576 as the value. If the result is greater than 4,194,304, use 4,194,304. Then, divide the size of the partition by 803, and add the result to the first number you obtained (i.e., 1,048,576 or 4,194,304). Next, multiply the number of files and directories by 1280, and add the result to the last number you obtained. (To determine the number of files and directories, use the dir /s command at the base of the partition.) Finally, add 196,096 to your previous result.
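The calculation above as a script; this is an added example, not part of the original article. It assumes the partition size is given in bytes and that each division rounds down, and the function names are illustrative.

```python
import os

MIN_BASE = 1_048_576      # floor for the "size / 100" term
MAX_BASE = 4_194_304      # ceiling for the "size / 100" term
PER_ENTRY = 1280          # bytes counted per file or directory
FIXED = 196_096           # constant added in the last step


def count_entries(root):
    """Count files and directories below root, as dir /s would total them."""
    total = 0
    for _path, dirnames, filenames in os.walk(root):
        total += len(dirnames) + len(filenames)
    return total


def convert_free_space(partition_bytes, entries):
    """Free bytes needed to convert a FAT partition (512-byte sectors) to NTFS."""
    # Assumption: sizes are in bytes and every division rounds down.
    base = min(max(partition_bytes // 100, MIN_BASE), MAX_BASE)
    return base + partition_bytes // 803 + entries * PER_ENTRY + FIXED


if __name__ == "__main__":
    # Constructed sample: a 2 GB partition holding 10,000 files and directories.
    print(convert_free_space(2 * 1024**3, 10_000))
```

On a mounted partition, pass the result of count_entries for the drive root as the second argument.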

Does Windows NT support FAT32?

NT 5.0 will support FAT32. NT 4.0 does not support FAT32, but you can download a free read-only FAT32 driver for NT 4.0 from http://www.sysinternals.com. You can download a fully writable FAT32 driver for NT 4.0 from http://www.winternals.com.

How do I read an NTFS partition from DOS?

You cannot read an NTFS partition with standard DOS. However, the NTFSDOS utility, available at http://www.sysinternals.com, lets you read NTFS partitions.

How do I manipulate filename creation on FAT and NTFS partitions?

Long filenames replaced 8.3 filenames as the standard filenaming format. However, Windows NT creates an 8.3 alias for long filenames, for compatibility on VFAT and NTFS partitions.

On VFAT, NT uses linked directory entries to store long filenames. A long filename uses one directory entry for its alias (i.e., the 8.3 filename NT generates), and a hidden directory entry for every 13 characters in its name. Thus, a long filename with 200 characters uses 17 entries.

To generate an alias on VFAT, NT uses the first six characters of the long filename, a tilde character (i.e., ~), and a number for the first four files that have the same first six characters. For example, the aliases for the files john savills file.txt and john savills other file.txt are johnsa~1.txt and johnsa~2.txt. If you have more than four files with the same first six characters, NT uses only the first two characters of the filename, and generates the last four characters (e.g., jo0E38~1.txt). NTFS simply stores the 8.3 filename as a second entry in the directory structure.

You might not want NT to create long filenames, because some third-party disk utilities directly manipulate FAT and destroy long filenames. DOS 6.x and later utilities such as scandisk.exe and defrag.exe do not harm long filenames. On a FAT partition, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem key, and change the value of Win31FileSystem from 0 to 1. NT then creates only 8.3 filenames. You need to reboot after making these Registry changes.

Conversely, you might not want NT to create 8.3 filenames. To prevent NT from creating an 8.3 alias, you need to modify the Registry, as Screen 3 shows. On an NTFS partition, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem key, and change the value of NtfsDisable8dot3NameCreation from 0 to 1. On a VFAT partition, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem key, and change the value of Win95TruncatedExtensions to 0.

How many files can I create on the root of a FAT partition?

The root of a FAT drive holds only 512 entries. Remember that long filenames use multiple entries. Thus, creating numerous long filenames on the root of a partition uses space quickly.

How many characters can a filename have?

The maximum number of characters you can use for a filename depends on whether the file is on an NTFS partition or a FAT partition. You can have a 256-character filename on an NTFS partition but only an 11-character filename on a FAT partition (i.e., an 8-character filename with a 3-character extension). The version of FAT that comes with Windows NT 4.0 supports 255-character filenames, unless you turn on Win 3.1. VFAT uses 256-character filenames.

NTFS filenames are case sensitive (except during searches), whereas FAT filenames do not retain case. NTFS filenames can contain any characters, including spaces and uppercase, except " * : / ? < > |. VFAT filenames must start with a letter or number and can contain any characters except / : | ? " ^.

How do I stop chkdsk from checking a particular volume at boot time?

When Windows NT boots, it checks all volumes for the dirty bit. The operating system (OS) sets the dirty bit, which is a bit setting in the partition. If the dirty bit is set, NT runs the chkdsk utility. You might want to exclude drives (e.g., a removable Iomega drive) to stop NT from checking the dirty bit.

To exclude a drive, start regedt32.exe, and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager key. Double-click the BootExecute value in the right-hand pane, and change autocheck autochk * to autocheck autochk /k:drive letter *. For example, to stop the check on drive F, type

autocheck autochk /k:f *

To stop the check on multiple volumes, enter multiple drive names. For example, to stop the check on drives E and G, type

autocheck autochk /k:eg *

If you are using NT 4.0 with Service Pack 2 (SP2) or later, you can use the chkntfs.exe command to exclude drives from the check. Go to the command line and type

chkntfs /x :

To set NT to check all drives again, type

chkntfs /d

You might want to cancel a chkdsk command. Suppose you configured a full chkdsk on a drive for the next reboot, using the command chkdsk drive letter: /f /r. This command finds bad sectors, recovers information from the sectors, and fixes errors on the disk. To cancel the command, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager key, select BootExecute, and change the value from autocheck autochk * /rDosDevicedriveletter: to autocheck autochk *.

How do I view a user's file permissions from the command line?

The Microsoft Windows NT Server 4.0 Resource Kit perms.exe utility shows permissions on files and directories. Go to the command line and type

perms

Table 1 shows file and directory permissions.

Add /s to show details of subfiles and subdirectories. To output the permissions to a file, add > filename.txt, using the name of the file you want to direct the output to. The perms.exe utility has a bug that keeps it from recognizing permissions given via a global group.

You can use NT's cacls.exe command to change a user's permissions from the command line. To give a user named John read access to a directory called files, go to the command line and type

cacls files /e /p john:r

The /e setting edits the access control list (ACL) instead of replacing it, so other file and directory permissions do not change. The /p setting sets the user's permissions. For more information about this command, go to the command line and type

cacls /?

Can I delete files beginning with $ at the root of my NTFS drive?

You cannot delete files beginning with $ because you cannot remove the hidden flags. Moreover, you do not want to delete the files because they hold your NTFS volume information. Table 2 lists NTFS files. If you want to view the files, go to the command line and type

dir /ah $mft

What cluster size do FAT and NTFS partitions use?

Table 3 lists the default cluster size for FAT partitions. In Inside the Windows NT File System, Microsoft does not recommend FAT volumes larger than 511MB because the cluster increases to more than 16KB and wastes space.

Table 4 lists the default cluster size for NTFS partitions. NTFS balances the tradeoff of disk defragmentation from small clusters and wasted space from large clusters.

When you format a drive, you can use the /a:size switch to change the cluster size. Go to the command line and type

format d: /a:1024 /fs:ntfs

What can I do if Windows NT becomes unresponsive during an NTFS disk operation (e.g., dir)?

When you perform a large NTFS disk operation such as dir /s *.* or ntbackup:*.*, NT might become unresponsive. NT updates NTFS files with a last access stamp, and viewing thousands of files fills the NTFS log. NT locks up as it waits to flush the NTFS log file to the hard disk.

You can prevent NTFS from updating the last access stamp. Start regedit.exe, and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem key. Select New, DWORD Value from the Edit menu, enter the name NtfsDisableLastAccessUpdate, and click OK. Double-click the new value, change the value to 1, and click OK. Close the Registry editor, and reboot.

What are alternate data streams?

You can use alternate data streams to hide data from Explorer and the dir command in NTFS files. You must know the file's stream name to view the data. A stream is an entry point into a file. You can create multiple streams to an NTFS file in the form filename:stream name.

Start a console window (cmd.exe). At the prompt, type

notepad normal.txt

Enter some text, and save the file on an NTFS partition. Edit the file again, with a different stream (e.g., notepad normal.txt:hidden.txt). The system then prompts you to create a new file. Enter some text, and save the file. When you run the dir command, you see only the file normal.txt, with its original size.

Each file can have multiple streams. When you copy a file, the streams remain. Thus, if you copy the file normal.txt to the file john.txt, you get the hidden stream (i.e., john.txt:hidden). You cannot use streams from the command prompt because the command prompt does not recognize colons in filenames (except in drive letters).

Microsoft does not provide a method to detect or delete hidden streams. To detect streams, use March Information Systems' utility (http://streams.march.co.uk), or Frank Heyne's List Alternate Data Streams (LADS) command line tool (http://rcswww.urz.tu-dresden.de/~fh/nt/ntfs-ads). To delete a stream, copy the file to a FAT partition and then back to the NTFS partition. Type

- ren temp.temp
- cat temp.temp >
- del temp.temp
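How a detection tool can find the extra stream in the normal.txt example: each stream is a named $DATA attribute in the file's MFT record. This is an added example, not from the original article or from the tools it names, and it goes beyond the article by reading the on-disk record layout. It assumes a record whose update-sequence fixups are already applied and that has no $ATTRIBUTE_LIST; the sample record is constructed.

```python
import struct

DATA_ATTR = 0x80           # attribute type code of $DATA
END_MARKER = 0xFFFFFFFF    # ends the attribute list in a FILE record


def named_data_streams(record):
    """Return [(stream name, size in bytes)] for each named $DATA attribute."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    offset = struct.unpack_from("<H", record, 0x14)[0]   # first attribute offset
    streams = []
    while offset + 0x18 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == END_MARKER or attr_len == 0:
            break
        non_res, name_len, name_off = struct.unpack_from("<BBH", record, offset + 8)
        if attr_type == DATA_ATTR and name_len:   # the unnamed $DATA is the main stream
            raw = record[offset + name_off:offset + name_off + 2 * name_len]
            # Size sits at 0x30 (non-resident, 8 bytes) or 0x10 (resident, 4 bytes).
            fmt, pos = ("<Q", 0x30) if non_res else ("<I", 0x10)
            size = struct.unpack_from(fmt, record, offset + pos)[0]
            streams.append((raw.decode("utf-16-le"), size))
        offset += attr_len
    return streams


def _resident_data(name, content):
    """Build one resident $DATA attribute for the constructed sample."""
    name_raw = name.encode("utf-16-le")
    content_off = (0x18 + len(name_raw) + 7) & ~7      # 8-byte alignment
    total = (content_off + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", DATA_ATTR, total, 0, len(name_raw) // 2,
                         0x18, 0, 0, len(content), content_off, 0, 0)
    body = (header + name_raw).ljust(content_off, b"\0")
    return body + content.ljust(total - content_off, b"\0")


def sample_record():
    """Constructed 1,024-byte FILE record for normal.txt with one extra stream."""
    header = b"FILE" + bytes(0x10) + struct.pack("<H", 0x38) + bytes(0x38 - 0x16)
    attrs = _resident_data("", b"visible text") + _resident_data("hidden.txt", b"second stream")
    return (header + attrs + struct.pack("<I", END_MARKER)).ljust(1024, b"\0")


if __name__ == "__main__":
    print(named_data_streams(sample_record()))
```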
