<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=unicode" /> <meta http-equiv="Content-Language" content="en-us" /> <style> <!-- p.MsoNormal, li.MsoNormal {margin-top:0mm; margin-right:0mm; margin-bottom:10.0pt; margin-left:0mm; line-height:115%; font-size:11.0pt; font-family:"Calibri","sans-serif";} a:link {color:blue; text-decoration:underline;} a:visited {color:purple; text-decoration:underline;} p {margin-right:0mm; margin-left:0mm; font-size:12.0pt; font-family:"Times New Roman","serif";} ol {margin-bottom:0mm;} --> </style> <title>Deleting the files from the Windows Master File Table (MFT) C/C++ program example</title> <meta name="keywords" content="Windows MFT, Master File Table, C codes, C++ program examples, programming, tutorials, system, storage, hard disk, volume, directory" /> <meta name="description" content="Viewing the Windows deleted files which extracted from the Windows Master File Tables (MFT)" /> </head> <body lang="EN-US" link="#0000FF" vlink="#800080" topmargin="20" leftmargin="20" rightmargin="20" bottommargin="20"> <div class="Section1"> <h1 align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center"><font size="5" face="Times New Roman"> <span style="line-height:115%;font-family:&quot;Arial&quot;; font-weight:400"> Win32 Windows Volume Program and Code Example 26</span></font></h1> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt" align="center"> <script type="text/javascript"><!-- google_ad_client = "pub-8089415323104206"; google_ad_slot = "0761177910"; google_ad_width = 728; google_ad_height = 90; //--> </script> &nbsp;<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Next, open the <b>DeletedFile.txt</b>.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal">&nbsp;</p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="564" height="277" src="windowsvolumeapis1_files/win32volume093.png" alt="Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - a list of deleted files should be stored in the DeletedFile.txt" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Then let try to recover a file.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="413" height="460" src="windowsvolumeapis1_files/win32volume094.png" alt="Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - a list of deleted file names, file size and the reference indices" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">From the DeletedFile.txt, we choose one file. In this case, <b>TECHNOTE.TXT</b> (with index <b>416394</b>). Then we re-run the program with the index and file name as the arguments.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="629" height="367" src="windowsvolumeapis1_files/win32volume095.png" alt="Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - running the program to recover a deleted text file" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">The recovered file should be stored under the project&#39;s Debug folder.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="521" height="582" src="windowsvolumeapis1_files/win32volume096.png" alt="Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - the recovered file content" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">The next task is to delete the file reference in MFT. By using the index we re-run the program with the index as an argument. </span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="629" height="499" src="windowsvolumeapis1_files/win32volume097.png" alt="Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - removing the deleted file reference in MFT" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Then, let verify the previous task. Re-run the program to recover the same file as done previously.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="629" height="367" src="windowsvolumeapis1_files/win32volume098.png" alt="Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - retry to recover the previously deleted file reference in MFT" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">Re-open the recovered file. As shown in the following Figure, the files content is filled with 0. Just zeroing out the &#39;content&#39; huh?</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" align="center" style="margin-bottom:0mm;margin-bottom:.0001pt; text-align:center;line-height:normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <img border="0" width="519" height="579" src="windowsvolumeapis1_files/win32volume099.png" alt="Another Day, Another MFT Program Example: List, Recover and Delete the Deleted Files from Master File Table - the deleted file in MFT shows the file content with zeros" /></span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">More information for Windows MFT can be found in the following links:</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-top:0mm;margin-right:0mm;margin-bottom:0mm; margin-left:18.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;line-height:normal"> <font size="3" face="Arial"><span style="font-size:12.0pt;">1.</span></font><font size="3" face="Times New Roman"><span style="font-family:&quot;Times New Roman&quot;,&quot;serif&quot;"><font face="Times New Roman"><span style="font-style:normal; font-variant:normal; font-weight:normal; font-family:Arial">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></span> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <a href="http://www.alex-ionescu.com/NTFS.pdf" title="1. NTFS On-Disk Structures - Visual Basic NTFS Programmer s Guide by Alex Ionescu (pdf)"> NTFS On-Disk Structures</a> - Visual Basic NTFS Programmer s Guide by Alex Ionescu (pdf) </span></font></p> <p class="MsoNormal" style="margin-top:0mm;margin-right:0mm;margin-bottom:0mm; margin-left:18.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;line-height:normal"> <font size="3" face="Arial"><span style="font-size:12.0pt;">2.</span></font><font size="3" face="Times New Roman"><span style="font-family:&quot;Times New Roman&quot;,&quot;serif&quot;"><font face="Times New Roman"><span style="font-style:normal; font-variant:normal; font-weight:normal; font-family:Arial">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></span> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <a href="http://data.linux-ntfs.org/ntfsdoc.pdf" title="NTFS Documentation - the Linux NTFS driver by Richard Russon and Yuval Fledel (pdf)"> NTFS Documentation</a> - the Linux NTFS driver by Richard Russon and Yuval Fledel (pdf)</span></font></p> <p class="MsoNormal" style="margin-top:0mm;margin-right:0mm;margin-bottom:0mm; margin-left:18.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;line-height:normal"> <font size="3" face="Arial"><span style="font-size:12.0pt;">3.</span></font><font size="3" face="Times New Roman"><span style="font-family:&quot;Times New Roman&quot;,&quot;serif&quot;"><font face="Times New Roman"><span style="font-style:normal; font-variant:normal; font-weight:normal; font-family:Arial">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></span> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <a href="http://doxygen.reactos.org/dir_c19e5fd4265d3da94959c77699bcfd0a.html" target="_blank" title="The ReactOS: Windows OS clon in the making"> ReactOS</a>  The Windows clone project.</span></font></p> <p class="MsoNormal" style="margin-top:0mm;margin-right:0mm;margin-bottom:0mm; margin-left:18.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;line-height:normal"> <font size="3" face="Arial"><span style="font-size:12.0pt;">4.</span></font><font size="3" face="Times New Roman"><span style="font-family:&quot;Times New Roman&quot;,&quot;serif&quot;"><font face="Times New Roman"><span style="font-style:normal; font-variant:normal; font-weight:normal; font-family:Arial">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></span> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> <a href="http://my.safaribooksonline.com/9780735625303" target="_blank" title="The Windows Internals, Fifth Edition"> Windows Internals, Fifth Edition</a></span></font></p> <p class="MsoNormal" style="margin-top:0mm;margin-right:0mm;margin-bottom:0mm; margin-left:18.0pt;margin-bottom:.0001pt;text-indent:-18.0pt;line-height:normal"> <font size="3" face="Arial"><span style="font-size:12.0pt;">5.</span></font><font size="3" face="Times New Roman"><span style="font-family:&quot;Times New Roman&quot;,&quot;serif&quot;"><font face="Times New Roman"><span style="font-style:normal; font-variant:normal; font-weight:normal; font-family:Arial">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span></font></span></font> <font size="3" color="red" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;;color:red"> <a target="_blank" title="The NTFS On-Disk Structures  C code and older version" href="1996%20AppE_apnilife.pdf"> NTFS On-Disk Structures</a> </span></font> <font size="3" face="Times New Roman"> <span style="font-size:12.0pt;font-family:&quot;Arial&quot;"> C code and older version compared to no. 1 (pdf).</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><b><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;;font-weight:bold">Windows Master Boot Record (MBR)</span></font></b></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">There is &#39;no&#39; information to extract or manipulate the Windows MBR data in MSDN. Many people use Hex editor to view the MBR. Most of the headers dealing with MBR are available in Windows Driver Kit (WDK). However, there are many headers and libraries created by third party and individual for Windows MBR. For Windows 7 and Server 2008 R2, FSCTL_GET_BOOT_AREA_INFO control code can be used together with BOOT_AREA_INFO structure to retrieve the locations of boot sectors for a volume. Hopefully, the libraries will be expanded for more features in the future. The following list redirects you for more information on Windows MBR.</span></font></p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;">&nbsp;</span></font></p> <ol style="margin-top:0mm" start="1" type="1"> <li class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;"> <a href="http://www.codeproject.com/KB/tips/boot-loader.aspx" target="_blank" title="The CodeProject: How to develop your own Boot Loader"> CodeProject: How to develop your own Boot Loader</a></span></font></li> <li class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;"> <a href="http://www.microsoft.com/whdc/devtools/wdk/default.mspx" target="_blank" title="The Official WDK and Developer Tools Home"> Official WDK and Developer Tools Home</a></span></font></li> <li class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;"> <a href="http://blogs.msdn.com/wdkdocs/" target="_blank" title="The Windows Driver Kit (WDK) Documentation Blog"> Windows Driver Kit (WDK) Documentation Blog</a></span></font></li> <li class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal"><font size="3" face="Times New Roman"> <span style="font-size:12.0pt; font-family:&quot;Arial&quot;"> <a href="http://www.cgsecurity.org/wiki/TestDisk_Compilation" target="_blank" title="The TestDisk tool: A very nice multi OS data recovery"> TestDisk: A very nice multi OS data recovery</a>  for MBR and MFT.</span></font></li> </ol> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt;line-height: normal">&nbsp;</p> <p class="MsoNormal" style="margin-bottom:0mm;margin-bottom:.0001pt" align="center"> <script type="text/javascript"><!-- google_ad_client = "pub-8089415323104206"; google_ad_slot = "2156170134"; google_ad_width = 728; google_ad_height = 15; //--> </script> &nbsp;<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script></p> <h3 align="center" style="margin-top: 0; margin-bottom: 0"> <font face="Byington"><span style="font-weight: 400">&nbsp; &lt; <a title="Adding the ntfs.h header file to the Master File Table (MFT) visual studio project" href="windowsvolumeapis1_24.html"> Windows Volume 25</a> | <a title="The Win32 programming tutorial using Visual Studio, C and C++ languages" href="index.html"> Win32 Programming Index</a> | <a title="Windows storage/volume programming tutorials" href="windowsvolumeapis1index.html"> Windows Volume Index</a> | <a title="The Windows volume APIs: Functions, Control Codes and structures" href="windowsvolumeapis1_26.html"> Windows Volume 27</a> &gt;</span></font></h3> <div align="center"> <script src="http://tag.contextweb.com/TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=527221&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=82741"></script> </div> </div> </body> </html>