<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=unicode" /> <meta http-equiv="Content-Language" content="en-us" /> <style> <!-- p.MsoNormal {margin-top:0mm; margin-right:0mm; margin-bottom:10.0pt; margin-left:0mm; line-height:115%; font-size:11.0pt; font-family:"Calibri","sans-serif";} a:link {color:blue; text-decoration:underline;} a:visited {color:purple; text-decoration:underline;} p {margin-right:0mm; margin-left:0mm; font-size:12.0pt; font-family:"Times New Roman","serif";} --> </style> <title>Listing the Deleted Files from Master File Table (MFT) C program example </title> <meta name="keywords" content="MFT, Master File Table, Windows system, programming, code samples, program examples, source code, visual studio, hardware, storage, boot sector" /> <meta name="description" content="Extracting, listing and deleting files from Master File Table (MFT) program example using C/C++" /> </head> <body lang="EN-US" link="#0000FF" vlink="#800080" topmargin="20" leftmargin="20" rightmargin="20" bottommargin="20"> <div class="Section1"> <h1 align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center"><font size="5" face="Times New Roman"> <span style="line-height:115%;font-family:&quot;Arial&quot;; font-weight:400"> Win32 Windows Volume Program and Code Example 23</span></font></h1> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt" align="center"> <font size="3" face="Times New Roman"> <span style="font-size:12.0pt;line-height:115%; font-family:&quot;Arial&quot;">&nbsp;</span></font><script type="text/javascript"> <!-- google_ad_client = "pub-8089415323104206"; google_ad_slot = "0761177910"; google_ad_width = 728; google_ad_height = 90; //--> </script> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script> </p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><b><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;;font-weight:bold">Listing the Deleted Files from Master File Table (MFT)</span></font></b></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">The following program example uses undocumented Windows types that can be found in the Internet domain and a complete version is available as an open source used by Linux/UNIX to read the Windows NTFS MFT.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Create a new Win32 console application project and give a suitable project name.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="540" height="368" src="windowsvolumeapis1_files/win32volume075.png" alt="Listing the Deleted Files from Master File Table (MFT) - creating a new Win32 console mode application project" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Add the source file and give a suitable name.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="540" height="338" src="windowsvolumeapis1_files/win32volume076.png" alt="Listing the Deleted Files from Master File Table (MFT) - adding a new C++ source file" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Add the following source code.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">// Not using winioctl.h lol!</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">#include</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="#a31515"><span style="color:#A31515">&lt;windows.h&gt;</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">#include</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="#a31515"><span style="color:#A31515">&lt;stdlib.h&gt;</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">#include</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="#a31515"><span style="color:#A31515">&lt;stdio.h&gt;</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">#include</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="#a31515"><span style="color:#A31515">&quot;ntfs.h&quot;</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="#a31515" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:#A31515">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">// Global variables</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">ULONG BytesPerFileRecord;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">HANDLE hVolume;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">BOOT_BLOCK bootb;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">PFILE_RECORD_HEADER MFT;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">// Template for padding</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">template</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> &lt;<font color="blue"><span style="color:blue">class</span></font> T1, <font color="blue"><span style="color:blue">class</span></font> T2&gt; <font color="blue"><span style="color:blue">inline</span></font> T1* Padd(T1* p, T2 n)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> (T1*)((<font color="blue"><span style="color:blue">char</span></font> *)p + n);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">ULONG RunLength(PUCHAR run)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;In RunLength()...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> (*run &amp; 0xf) + ((*run &gt;&gt; 4) &amp; 0xf) + 1; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">LONGLONG RunLCN(PUCHAR run)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LONG i = 0;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR n1 = 0 , n2 = 0;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LONGLONG lcn = 0;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;In RunLCN()...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; n1 = *run &amp; 0xf;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; n2 = (*run &gt;&gt; 4) &amp; 0xf;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lcn = n2 == 0 ? 0 : CHAR(run[n1 + n2]);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">for</span></font> (i = n1 + n2 - 1; i &gt; n1; i--)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lcn = (lcn &lt;&lt; 8) + run[i];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> lcn;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">ULONGLONG RunCount(PUCHAR run)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR n = *run &amp; 0xf;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG count = 0;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG i;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;In RunCount()...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">for</span></font> (i = n; i &gt; 0; i--)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; count = (count &lt;&lt; 8) + run[i];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> count;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">BOOL FindRun(PNONRESIDENT_ATTRIBUTE attr, ULONGLONG vcn, PULONGLONG lcn, PULONGLONG count)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PUCHAR run = NULL;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *lcn = 0;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG base = attr-&gt;LowVcn;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;In FindRun()...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (vcn &lt; attr-&gt;LowVcn || vcn &gt; attr-&gt;HighVcn)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> FALSE;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">for</span></font>(run = PUCHAR(Padd(attr, attr-&gt;RunArrayOffset));&nbsp;&nbsp; *run != 0;&nbsp; run += RunLength(run))</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *lcn += RunLCN(run);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *count = RunCount(run);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (base &lt;= vcn &amp;&amp; vcn &lt; base + *count)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *lcn = RunLCN(run) == 0 ? 0 : *lcn + vcn - base;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *count -= ULONG(vcn - base);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> TRUE;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">else</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; base += *count;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> FALSE;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">PATTRIBUTE FindAttribute(PFILE_RECORD_HEADER file,ATTRIBUTE_TYPE type, PWSTR name)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PATTRIBUTE attr = NULL;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;FindAttribute() - Finding attributes...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">for</span></font> (attr = PATTRIBUTE(Padd(file, file-&gt;AttributesOffset));</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; attr-&gt;AttributeType != -1;attr = Padd(attr, attr-&gt;Length))</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (attr-&gt;AttributeType == type)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (name == 0 &amp;&amp; attr-&gt;NameLength == 0)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> attr;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (name != 0 &amp;&amp; wcslen(name) == attr-&gt;NameLength &amp;&amp; _wcsicmp(name,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PWSTR(Padd(attr, attr-&gt;NameOffset))) == 0)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> attr;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> 0;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">VOID FixupUpdateSequenceArray(PFILE_RECORD_HEADER file)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG i = 0;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PUSHORT usa = PUSHORT(Padd(file, file-&gt;Ntfs.UsaOffset));</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PUSHORT sector = PUSHORT(file);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;In FixupUpdateSequenceArray()...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">for</span></font> (i = 1; i &lt; file-&gt;Ntfs.UsaCount; i++)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sector[255] = usa[i];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sector += 256;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">VOID ReadSector(ULONGLONG sector, ULONG count, PVOID buffer)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULARGE_INTEGER offset;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OVERLAPPED overlap = {0};</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG n;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;ReadSector() - Reading the sector...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;Sector: %lu\n&quot;</span></font>, sector);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; offset.QuadPart = sector * bootb.BytesPerSector;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; overlap.Offset = offset.LowPart;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; overlap.OffsetHigh = offset.HighPart;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadFile(hVolume, buffer, count * bootb.BytesPerSector, &amp;n, &amp;overlap);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">VOID ReadLCN(ULONGLONG lcn, ULONG count, PVOID buffer)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;\nReadLCN() - Reading the LCN, LCN: 0X%.8X\n&quot;</span></font>, lcn);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadSector(lcn * bootb.SectorsPerCluster,count * bootb.SectorsPerCluster, buffer);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">// Non resident attributes</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">VOID ReadExternalAttribute(PNONRESIDENT_ATTRIBUTE attr,ULONGLONG vcn, ULONG count, PVOID buffer)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG lcn, runcount;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG readcount, left;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PUCHAR bytes = PUCHAR(buffer);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;ReadExternalAttribute() - Reading the Non resident attributes...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">for</span></font>(left = count; left &gt; 0; left -= readcount)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FindRun(attr, vcn, &amp;lcn, &amp;runcount);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; readcount = ULONG(min(runcount, left));</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG n = readcount * bootb.BytesPerSector * bootb.SectorsPerCluster;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font>(lcn == 0)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memset(bytes, 0, n);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">else</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadLCN(lcn, readcount, bytes);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;LCN: 0X%.8X\n&quot;</span></font>, lcn);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font> </p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; vcn += readcount;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; bytes += n;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">ULONG AttributeLength(PATTRIBUTE attr)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;In AttributeLength()...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> attr-&gt;Nonresident == FALSE ? PRESIDENT_ATTRIBUTE(attr)-&gt;ValueLength : ULONG(PNONRESIDENT_ATTRIBUTE(attr)-&gt;DataSize);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">ULONG AttributeLengthAllocated(PATTRIBUTE attr)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;\nIn AttributeLengthAllocated()...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> attr-&gt;Nonresident == FALSE ? PRESIDENT_ATTRIBUTE(attr)-&gt;ValueLength : ULONG(PNONRESIDENT_ATTRIBUTE(attr)-&gt;AllocatedSize); </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">VOID ReadAttribute(PATTRIBUTE attr, PVOID buffer)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PRESIDENT_ATTRIBUTE rattr = NULL;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PNONRESIDENT_ATTRIBUTE nattr = NULL;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;ReadAttribute() - Reading the attributes...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (attr-&gt;Nonresident == FALSE)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;Resident attribute...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rattr = PRESIDENT_ATTRIBUTE(attr);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memcpy(buffer, Padd(rattr, rattr-&gt;ValueOffset), rattr-&gt;ValueLength);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">else</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;Non-resident attribute...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nattr = PNONRESIDENT_ATTRIBUTE(attr);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadExternalAttribute(nattr, 0, ULONG(nattr-&gt;HighVcn) + 1, buffer);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">VOID ReadVCN(PFILE_RECORD_HEADER file, ATTRIBUTE_TYPE type,ULONGLONG vcn, ULONG count, PVOID buffer)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PATTRIBUTE attrlist = NULL;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PNONRESIDENT_ATTRIBUTE attr = PNONRESIDENT_ATTRIBUTE(FindAttribute(file, type, 0));</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;In ReadVCN()...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (attr == 0 || (vcn &lt; attr-&gt;LowVcn || vcn &gt; attr-&gt;HighVcn))</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// Support for huge files</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; attrlist = FindAttribute(file, AttributeAttributeList, 0);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DebugBreak();</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadExternalAttribute(attr, vcn, count, buffer);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">VOID ReadFileRecord(ULONG index, PFILE_RECORD_HEADER file)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG clusters = bootb.ClustersPerFileRecord;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;ReadFileRecord() - Reading the file records..\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (clusters &gt; 0x80)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; clusters = 1;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PUCHAR p = <font color="blue"><span style="color:blue">new</span></font> UCHAR[bootb.BytesPerSector* bootb.SectorsPerCluster * clusters];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG vcn = ULONGLONG(index) * BytesPerFileRecord/bootb.BytesPerSector/bootb.SectorsPerCluster;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadVCN(MFT, AttributeData, vcn, clusters, p);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LONG m = (bootb.SectorsPerCluster * bootb.BytesPerSector/BytesPerFileRecord) - 1;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG n = m &gt; 0 ? (index &amp; m) : 0;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; memcpy(file, p + n * BytesPerFileRecord, BytesPerFileRecord);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">delete</span></font> [] p;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FixupUpdateSequenceArray(file); </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">VOID LoadMFT()</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;In LoadMFT() - Loading MFT...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; BytesPerFileRecord = bootb.ClustersPerFileRecord &lt; 0x80</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ? bootb.ClustersPerFileRecord* bootb.SectorsPerCluster</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; * bootb.BytesPerSector: 1 &lt;&lt; (0x100 - bootb.ClustersPerFileRecord);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;\nBytes Per File Record = %u\n\n&quot;</span></font>, BytesPerFileRecord);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;======THESE INFO ARE NOT ACCURATE FOR DISPLAY LOL!=====\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.BootSectors = %u\n&quot;</span></font>, bootb.BootSectors);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.BootSignature = %u\n&quot;</span></font>, bootb.BootSignature);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.BytesPerSector = %u\n&quot;</span></font>, bootb.BytesPerSector);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.ClustersPerFileRecord = %u\n&quot;</span></font>, bootb.ClustersPerFileRecord);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.ClustersPerIndexBlock = %u\n&quot;</span></font>, bootb.ClustersPerIndexBlock);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.Code = %u\n&quot;</span></font>, bootb.Code);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.Format = %u\n&quot;</span></font>, bootb.Format);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.Jump = %u\n&quot;</span></font>, bootb.Jump);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.Mbz1 = %u\n&quot;</span></font>, bootb.Mbz1);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.Mbz2 = %u\n&quot;</span></font>, bootb.Mbz2);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.Mbz3 = %u\n&quot;</span></font>, bootb.Mbz3);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.MediaType = 0X%X\n&quot;</span></font>, bootb.MediaType);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.Mft2StartLcn = 0X%.8X\n&quot;</span></font>, bootb.Mft2StartLcn);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.MftStartLcn = 0X%.8X\n&quot;</span></font>, bootb.MftStartLcn);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.NumberOfHeads = %u\n&quot;</span></font>, bootb.NumberOfHeads);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.PartitionOffset = %lu\n&quot;</span></font>, bootb.PartitionOffset);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.SectorsPerCluster = %u\n&quot;</span></font>, bootb.SectorsPerCluster);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.SectorsPerTrack = %u\n&quot;</span></font>, bootb.SectorsPerTrack);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.TotalSectors = %lu\n&quot;</span></font>, bootb.TotalSectors);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;bootb.VolumeSerialNumber = 0X%.8X%.8X\n\n&quot;</span></font>, bootb.VolumeSerialNumber.HighPart, bootb.VolumeSerialNumber.HighPart);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; MFT = PFILE_RECORD_HEADER(<font color="blue"><span style="color:blue">new</span></font> UCHAR[BytesPerFileRecord]);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadSector((bootb.MftStartLcn)*(bootb.SectorsPerCluster), (BytesPerFileRecord)/(bootb.BytesPerSector), MFT);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FixupUpdateSequenceArray(MFT);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">BOOL bitset(PUCHAR bitmap, ULONG i)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> (bitmap[i &gt;&gt; 3] &amp; (1 &lt;&lt; (i &amp; 7))) != 0;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">VOID FindDeleted()</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PATTRIBUTE attr = FindAttribute(MFT, AttributeBitmap, 0);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PUCHAR bitmap = <font color="blue"><span style="color:blue">new</span></font> UCHAR[AttributeLengthAllocated(attr)];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadAttribute(attr, bitmap);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG n = AttributeLength(FindAttribute(MFT, AttributeData, 0))/BytesPerFileRecord;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;FindDeleted() - Finding the deleted files...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PFILE_RECORD_HEADER file = PFILE_RECORD_HEADER(<font color="blue"><span style="color:blue">new</span></font> UCHAR[BytesPerFileRecord]);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">for</span></font>(ULONG i = 0; i &lt; n; i++)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (bitset(bitmap, i))</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">continue</span></font>;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadFileRecord(i, file);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (file-&gt;Ntfs.Type == <font color="#a31515"><span style="color:#A31515">&#39;ELIF&#39;</span></font> &amp;&amp; (file-&gt;Flags &amp; 1) == 0)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; attr = FindAttribute(file, AttributeFileName, 0);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (attr == 0)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">continue</span></font>;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PFILENAME_ATTRIBUTE name = PFILENAME_ATTRIBUTE(Padd(attr,PRESIDENT_ATTRIBUTE(attr)-&gt;ValueOffset));</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// * means the width/precision was supplied in the argument list</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// ws ~ wide character string</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;\n%10u %u %.*s\n\n&quot;</span></font>, i, <font color="blue"><span style="color:blue">int</span></font>(name-&gt;NameLength), <font color="blue"><span style="color:blue">int</span></font>(name-&gt;NameLength), name-&gt;Name);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// To see the very long output short, uncomment the following line</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// _getwch();</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">VOID DumpData(ULONG index, WCHAR* filename)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PATTRIBUTE attr = NULL;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; HANDLE hFile = NULL;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PFILE_RECORD_HEADER file = PFILE_RECORD_HEADER(<font color="blue"><span style="color:blue">new</span></font> UCHAR[BytesPerFileRecord]);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG n;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadFileRecord(index, file);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;Dumping the data...\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (file-&gt;Ntfs.Type != <font color="#a31515"><span style="color:#A31515">&#39;ELIF&#39;</span></font>)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font>;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; attr = FindAttribute(file, AttributeData, 0);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (attr == 0)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font>;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PUCHAR buf = <font color="blue"><span style="color:blue">new</span></font> UCHAR[AttributeLengthAllocated(attr)];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ReadAttribute(attr, buf);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hFile = CreateFile((LPCWSTR)filename, GENERIC_WRITE, 0, 0,CREATE_ALWAYS, 0, 0);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font>(hFile == INVALID_HANDLE_VALUE)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;CreateFile() failed, error %u\n&quot;</span></font>, GetLastError());</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font>;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font>(WriteFile(hFile, buf, AttributeLength(attr), &amp;n, 0) == 0)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;WriteFile() failed, error %u\n&quot;</span></font>, GetLastError());</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font>;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CloseHandle(hFile);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">delete</span></font> [] buf;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">int</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> wmain(<font color="blue"><span style="color:blue">int</span></font> argc, WCHAR **argv)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">{</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// Default primary partition</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WCHAR drive[] = L<font color="#a31515"><span style="color:#A31515">&quot;\\\\.\\C:&quot;</span></font>;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG n;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// No argument supplied</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (argc &lt; 2)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;Usage:\n&quot;</span></font>);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;Find deleted files: %s &lt;primary_partition&gt;\n&quot;</span></font>, argv[0]);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;Read the file records: %s &lt;primary_partition&gt; &lt;index&gt; &lt;file_name&gt;\n&quot;</span></font>, argv[0]);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// Just exit</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; exit(1);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// More code to stop the user from entering the non-primary partition</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// Read the user input</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; drive[4] = *argv[1];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// Get the handle to the primary partition/volume/physical disk</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hVolume = CreateFile(</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; drive,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; GENERIC_READ,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FILE_SHARE_READ | FILE_SHARE_WRITE,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OPEN_EXISTING,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font>(hVolume == INVALID_HANDLE_VALUE)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;CreateFile() failed, error %u\n&quot;</span></font>, GetLastError());</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; exit(1);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// Reads data from the specified input/output (I/O) device - volume/physical disk</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font>(ReadFile(hVolume, &amp;bootb, <font color="blue"><span style="color:blue">sizeof</span></font> bootb, &amp;n, 0) == 0)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; wprintf(L<font color="#a31515"><span style="color:#A31515">&quot;ReadFile() failed, error %u\n&quot;</span></font>, GetLastError());</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; exit(1);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LoadMFT();</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// The primary partition supplied else</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// default C:\ will be used</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (argc == 2)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FindDeleted();</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// Need to convert the recovered filename to long file name</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// Not implemented here. It is 8.3 file name format</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// The primary partition, index and file name to be recovered</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// are supplied</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">if</span></font> (argc == 4)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DumpData(wcstoul(argv[2], 0, 0), argv[3]);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CloseHandle(hVolume);</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">return</span></font> 0;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">}</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Add the ntfs.h header file.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="540" height="330" src="windowsvolumeapis1_files/win32volume077.png" alt="Listing the Deleted Files from Master File Table (MFT) - adding ntfs.h header file to the existing project" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Add the following source code.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">///ntfs.h</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">// These types are not available in MSDN documentation</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">// It is taken from Internet and Linux documentation</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">// and not the whole code...</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">// Copyrights and trademarks must go to the original</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="green" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:green">// authors and/or publishers</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG Type;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT UsaOffset;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT UsaCount;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USN Usn;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} NTFS_RECORD_HEADER, *PNTFS_RECORD_HEADER;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTFS_RECORD_HEADER Ntfs;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT SequenceNumber;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT LinkCount;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT AttributesOffset;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT Flags; <font color="green"><span style="color:green">// 0x0001 = InUse, 0x0002= Directory</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG BytesInUse;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG BytesAllocated;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG BaseFileRecord;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT NextAttributeNumber;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} FILE_RECORD_HEADER, *PFILE_RECORD_HEADER;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">enum</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeStandardInformation = 0x10,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeAttributeList = 0x20,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeFileName = 0x30,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeObjectId = 0x40,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeSecurityDescriptor = 0x50,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeVolumeName = 0x60,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeVolumeInformation = 0x70,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeData = 0x80,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeIndexRoot = 0x90,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeIndexAllocation = 0xA0,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeBitmap = 0xB0,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeReparsePoint = 0xC0,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeEAInformation = 0xD0,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeEA = 0xE0,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributePropertySet = 0xF0,</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeLoggedUtilityStream = 0x100</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} ATTRIBUTE_TYPE, *PATTRIBUTE_TYPE;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ATTRIBUTE_TYPE AttributeType;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG Length;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; BOOLEAN Nonresident;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR NameLength;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT NameOffset;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT Flags; <font color="green"><span style="color:green">// 0x0001 = Compressed</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT AttributeNumber;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} ATTRIBUTE, *PATTRIBUTE;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ATTRIBUTE Attribute;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG ValueLength;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT ValueOffset;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT Flags; <font color="green"><span style="color:green">// 0x0001 = Indexed</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} RESIDENT_ATTRIBUTE, *PRESIDENT_ATTRIBUTE;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ATTRIBUTE Attribute;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG LowVcn;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG HighVcn;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT RunArrayOffset;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR CompressionUnit;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR AlignmentOrReserved[5];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG AllocatedSize;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG DataSize;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG InitializedSize;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG CompressedSize; <font color="green"><span style="color:green">// Only when compressed</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} NONRESIDENT_ATTRIBUTE, *PNONRESIDENT_ATTRIBUTE;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG CreationTime;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG ChangeTime;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG LastWriteTime;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG LastAccessTime;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG FileAttributes;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG AlignmentOrReservedOrUnknown[3];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG QuotaId;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// NTFS 3.0</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG SecurityId;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"> <span style="color:green">// NTFS 3.0</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG QuotaCharge;&nbsp; <font color="green"><span style="color:green">// NTFS 3.0</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USN Usn;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// NTFS 3.0</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} STANDARD_INFORMATION, *PSTANDARD_INFORMATION;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ATTRIBUTE_TYPE AttributeType;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT Length;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR NameLength;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR NameOffset;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG LowVcn;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG FileReferenceNumber;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT AttributeNumber;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT AlignmentOrReserved[3];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} ATTRIBUTE_LIST, *PATTRIBUTE_LIST;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG DirectoryFileReferenceNumber;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color: green">//</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG CreationTime;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"> <span style="color:green">// Saved when filename last changed</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG ChangeTime;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// </span></font></span> </font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG LastWriteTime;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"> <span style="color:green">// </span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG LastAccessTime;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"> <span style="color:green">// </span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG AllocatedSize;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"> <span style="color:green">// </span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG DataSize;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// </span></font></span> </font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG FileAttributes;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// </span></font></span> </font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG AlignmentOrReserved;&nbsp;&nbsp;&nbsp; <font color="green"> <span style="color:green">//</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR NameLength;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">//</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR NameType;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// 0x01 = Long, 0x02 = Short</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WCHAR Name[1];&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">//</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} FILENAME_ATTRIBUTE, *PFILENAME_ATTRIBUTE;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; GUID ObjectId;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">union</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; GUID BirthVolumeId;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; GUID BirthObjectId;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; GUID DomainId;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; };</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR ExtendedInfo[48];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; };</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} OBJECTID_ATTRIBUTE, *POBJECTID_ATTRIBUTE;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG Unknown[2];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR MajorVersion;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR MinorVersion;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT Flags;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} VOLUME_INFORMATION, *PVOLUME_INFORMATION;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG EntriesOffset;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG IndexBlockLength;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG AllocatedSize;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG Flags; <font color="green"><span style="color:green">// 0x00 = Small directory, 0x01 = Large directory</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} DIRECTORY_INDEX, *PDIRECTORY_INDEX;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG FileReferenceNumber;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT Length;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT AttributeLength;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG Flags; <font color="green"><span style="color:green">// 0x01 = Has trailing VCN, 0x02 = Last entry</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// FILENAME_ATTRIBUTE Name;</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// ULONGLONG Vcn; // VCN in IndexAllocation of earlier entries</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} DIRECTORY_ENTRY, *PDIRECTORY_ENTRY;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ATTRIBUTE_TYPE Type;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG CollationRule;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG BytesPerIndexBlock;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG ClustersPerIndexBlock;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DIRECTORY_INDEX DirectoryIndex;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} INDEX_ROOT, *PINDEX_ROOT;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NTFS_RECORD_HEADER Ntfs;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG IndexBlockVcn;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DIRECTORY_INDEX DirectoryIndex;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} INDEX_BLOCK_HEADER, *PINDEX_BLOCK_HEADER;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG ReparseTag;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT ReparseDataLength;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT Reserved;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR ReparseData[1];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} REPARSE_POINT, *PREPARSE_POINT;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG EaLength;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG EaQueryLength;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} EA_INFORMATION, *PEA_INFORMATION;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG NextEntryOffset;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR Flags;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR EaNameLength;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT EaValueLength;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CHAR EaName[1];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <font color="green"><span style="color:green">// UCHAR EaData[];</span></font></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} EA_ATTRIBUTE, *PEA_ATTRIBUTE;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; WCHAR AttributeName[64];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG AttributeNumber;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG Unknown[2];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG Flags;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG MinimumSize;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG MaximumSize;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} ATTRIBUTE_DEFINITION, *PATTRIBUTE_DEFINITION;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">#pragma</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">pack</span></font>(<font color="blue"><span style="color:blue">push</span></font>, 1)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">typedef</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">struct</span></font> {</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR Jump[3];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR Format[8];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT BytesPerSector;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR SectorsPerCluster;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT BootSectors;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR Mbz1;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT Mbz2;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT Reserved1;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR MediaType;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT Mbz3;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT SectorsPerTrack;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT NumberOfHeads;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG PartitionOffset;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG Reserved2[2];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG TotalSectors;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG MftStartLcn;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONGLONG Mft2StartLcn;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG ClustersPerFileRecord;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ULONG ClustersPerIndexBlock;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LARGE_INTEGER VolumeSerialNumber;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UCHAR Code[0x1AE];</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; USHORT BootSignature;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">} BOOT_BLOCK, *PBOOT_BLOCK;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal;text-autospace:none"><font size="3" face="Courier New"> <span style="font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" color="blue" face="Courier New"> <span style="font-family:&quot;Arial&quot;;color:blue">#pragma</span></font><font size="3" face="Courier New"><span style="font-family:&quot;Arial&quot;"> <font color="blue"><span style="color:blue">pack</span></font>(<font color="blue"><span style="color:blue">pop</span></font>)</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Build and run the project. The following screenshot is an output sample.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="597" height="151" src="windowsvolumeapis1_files/win32volume078.png" alt="Listing the Deleted Files from Master File Table (MFT) - sample output without any argument supplied" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">The following sample outputs run with the primary partition supplied as an argument.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="605" height="151" src="windowsvolumeapis1_files/win32volume079.png" alt="Listing the Deleted Files from Master File Table (MFT) - sample output with primary partition as the argument" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="549" height="475" src="windowsvolumeapis1_files/win32volume080.png" alt="Listing the Deleted Files from Master File Table (MFT) - sample output showing the deleted files found in MFT" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">To save all the deleted file names you may want to redirect the output into a text file as shown below.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="445" height="91" src="windowsvolumeapis1_files/win32volume081.png" alt="Listing the Deleted Files from Master File Table (MFT) - redirecting output into a text file" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Then open the text file using any unformatted text editor such as WordPad.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="640" height="283" src="windowsvolumeapis1_files/win32volume082.png" alt="Listing the Deleted Files from Master File Table (MFT) - text file that contains the console application output" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="537" height="617" src="windowsvolumeapis1_files/win32volume083.png" alt="Listing the Deleted Files from Master File Table (MFT) - sample output with MFT information and list of deleted files" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Next we will try to recover a file. We got the file name and index from the previous output.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="469" height="91" src="windowsvolumeapis1_files/win32volume084.png" alt="Listing the Deleted Files from Master File Table (MFT) - sample program running to recover a text file" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">The following is a sample output.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="541" height="835" src="windowsvolumeapis1_files/win32volume085.png" alt="Listing the Deleted Files from Master File Table (MFT) - the text file should be recovered" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Next, the recovered file should be stored in the project s Debug folder.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="640" height="283" src="windowsvolumeapis1_files/win32volume086.png" alt="Listing the Deleted Files from Master File Table (MFT) - the recovered file stored under the project's Debug folder" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="474" height="119" src="windowsvolumeapis1_files/win32volume087.png" alt="Listing the Deleted Files from Master File Table (MFT) - the content of the recovered text file" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt" align="center"> <script type="text/javascript"><!-- google_ad_client = "pub-8089415323104206"; google_ad_slot = "2156170134"; google_ad_width = 728; google_ad_height = 15; //--> </script> &nbsp;<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script></p> <h3 align="center" style="margin-top: 0; margin-bottom: 0"> <font face="Byington"><span style="font-weight: 400">&nbsp; &lt; <a title="Master File Table Program Example 3: Using Non-Windows Types (undocumented)" href="windowsvolumeapis1_21.html"> Windows Volume 22</a> | <a title="The Win32 programming tutorial using Visual Studio, C and C++ languages" href="index.html"> Win32 Programming Index</a> | <a title="Windows storage/volume programming tutorials" href="windowsvolumeapis1index.html"> Windows Volume Index</a> | <a title="Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table" href="windowsvolumeapis1_23.html"> Windows Volume 24</a> &gt;</span></font></h3> <div align="center"> <script src="http://tag.contextweb.com/TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=527221&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=82741"></script> </div> </div> </body> </html>