NTFS is the primary file system for Windows, replacing the outdated FAT. It can store files of any size, keep an operation journal to protect against crashes, and assign access rights to each user. This is the foundation on which all disk operations are built in modern versions of Windows.
NTFS is used on all system drives of personal computers and servers running Windows. It is installed on internal hard drives and solid-state drives, as well as on large-capacity external USB drives. The system is in demand in corporate storage where detailed rights differentiation is required. For small removable flash drives, exFAT is still often used, but NTFS is indispensable wherever security, stability, and support for files over 4 gigabytes are needed.
Typical problems
The main problem is file fragmentation on hard drives, slowing down reading. File system errors often occur after a sudden power loss, requiring a disk check utility to be run. Strict access rights create difficulties when moving a drive to another computer: the file owner may not match, causing an access denial. Additionally, journaling creates extra load on SSD memory cells, and in macOS and Linux, native write support for NTFS remains limited without additional software.
How NTFS works
At the core of NTFS lies the Master File Table, where absolutely everything, including directories and the system metadata itself, is represented as files. The first record in the MFT is the MFT file itself, which elegantly loops the structure. During formatting, the disk is divided into clusters, blocks of a fixed size, and each file occupies a whole number of such clusters. Cluster addresses are stored in MFT records as segments of continuous areas called extents. If a file is very small, its content can be embedded directly into the MFT record as a resident attribute, drastically speeding up access.
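The extents mentioned above are stored in a non-resident attribute as a compact "data run" list. The following decoder is an added example, not code from the original page; the sample bytes are constructed and the 4096-byte cluster size is an assumption.

```python
"""Decode an NTFS data-run list (the extents of a non-resident attribute)."""


def decode_data_runs(buf: bytes):
    """Return [(start_vcn, cluster_count, start_lcn or None)] for each run.

    start_lcn is None for a sparse run (no clusters allocated on disk).
    """
    runs, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(buf) and buf[pos] != 0x00:      # 0x00 terminates the list
        len_size = buf[pos] & 0x0F                   # low nibble: bytes in length field
        off_size = buf[pos] >> 4                     # high nibble: bytes in offset field
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(buf):
            raise ValueError("truncated or malformed data run")
        count = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            start = None                             # sparse: nothing stored on disk
        else:
            # The offset is signed and relative to the previous run's LCN.
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            if lcn < 0:
                raise ValueError("run points before the start of the volume")
            start = lcn
            pos += off_size
        runs.append((vcn, count, start))
        vcn += count
    return runs


def byte_ranges(runs, cluster_size=4096):
    """Map allocated runs to (volume_offset, length) pairs in bytes."""
    return [(lcn * cluster_size, n * cluster_size)
            for _, n, lcn in runs if lcn is not None]


# Constructed sample: 24 clusters at LCN 0x5634, a 16-cluster sparse hole,
# then 8 clusters located 16 clusters before the first run (negative delta).
SAMPLE_RUNS = bytes.fromhex("21183456" "0110" "1108f0" "00")

if __name__ == "__main__":
    for run in decode_data_runs(SAMPLE_RUNS):
        print(run)
```

The negative delta in the last run is the case that naive decoders get wrong: treating the offset as unsigned sends a recovery tool to the wrong clusters.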
Reliability is ensured by journaling. Before any metadata change, such as moving or deleting a file, NTFS first writes the intention to a special log file. Only after the transaction is committed in the journal is the actual structure change performed on the disk. If power fails in the middle of an operation, on the next boot the system reads the log, rolls back incomplete actions, and returns the disk to a consistent state, eliminating data loss due to an interrupted operation.
The security system is built on access descriptors stored for each object in the form of ACL lists. Each user or group receives a set of permissions for reading, writing, executing, or deleting, and the inheritance mechanism allows flexible distribution of rights down the folder tree. In addition, NTFS supports real-time compression without an archiver, EFS encryption to protect confidential files using operating system tools, and hard and symbolic links for creating references. Shadow copies and restore points are also built on top of the NTFS driver, allowing files or the entire system to be rolled back. The flexible structure of MFT records and the rich set of attributes make this file system not just a storage container, but a powerful data management mechanism, extensible without changing the architecture.
NTFS functionality
- USN change journal. The file system keeps a strictly sequential record of all metadata and content changes through the Update Sequence Number Journal. Each entry records the operation type, file identifier, and parent directory, allowing antivirus software and indexers to instantly detect modified objects without a full volume scan.
- Master File Table. The central element of the volume is the MFT, where every file and directory is represented by at least one fixed-size record. The record stores a set of attributes: standard information, name, data, or references to external clusters. Resident data fitting into the MFT record is read without additional input-output operations.
- Data streams. The file entity is not limited to a single unnamed stream. NTFS allows attaching multiple named streams to an object, isolating heterogeneous data. This mechanism is actively used by the Windows subsystem to store information about the Internet download zone in the Zone.Identifier stream.
- Volume-level compression. The LZNT1 transparent compression function reduces occupied space without creating containers. The driver processes compression units of 16 clusters in size. If a data fragment does not compress efficiently enough, the system leaves it in its original form, preventing record fragmentation and performance degradation during random access.
- Sparse files. When a file is marked as sparse, the system does not allocate physical clusters for zero ranges. Applications reserve gigabytes of virtual space, while the actual volume on disk grows only as non-zero data is written, which is critically important for virtual machine images and streaming writes.
- Disk space quotas. The administrator imposes limits on file owners based on security identifiers. The driver tracks the total volume of occupied objects for each user and, upon attempting to exceed the hard threshold, returns a write error, preventing volume monopolization by a single subject.
- Access control lists. Each NTFS object contains a security descriptor. Discretionary lists define the owner and permission mask for subjects, while system lists set audit operations. Rights checking occurs when opening a descriptor; entry inheritance automatically propagates permissions from a parent to child objects.
- Reparse points. This is a mechanism for extending file system logic through filter drivers. A specialized tag and data block are stored in a file or directory. When the input-output manager detects such a point, it redirects the request to the corresponding mini-filter, implementing symbolic links or volume mount points.
- Hard links. NTFS allows multiple paths to refer to one physical file through the hard link mechanism. All names are equal and point to one MFT record. The file is not released until all links are deleted and the link counter in the standard information attribute reaches zero.
- File-level encryption. Implemented through the Encrypting File System, where the driver interacts with cryptographic providers. The symmetric file key is encrypted with the user’s public certificate and stored in an alternate stream. Read and write operations transparently decrypt and encrypt sectors on the fly.
- Self-healing data. The concept of a transactional model guarantees metadata integrity. Journaled operations are written to the log before being applied to volume structures. In case of a sudden power loss, the log dispatcher rolls back incomplete transactions, eliminating the appearance of broken links or cluster loss.
- Fragmentation planning. The driver uses a strategy of delayed allocation and searching for continuous areas through the bitmap. The system reserves blocks for the data attribute in advance, especially during sequential writing, minimizing external fragmentation without the need for manual defragmentation.
- Block-level shadow copies. The Volume Snapshot Service interacts with NTFS through a copy-on-write mechanism. When a sector of the original volume is changed, its original content is moved to the differential data storage area, capturing the file system state at a specific point in time.
- Symbolic links. Starting from a certain kernel version, NTFS supports symlinks operating at the file system object level. Unlike junction points, they can point to arbitrary relative or absolute paths, including non-existent files, which is critically important for application compatibility.
- Volume-level disk quotas. Differing from owner quotas, this function allows setting limits for specific directory trees. The quota tracker calculates usage for any branch of the file system without requiring binding to the security context of a specific user-owner.
- Transaction log segments. The $LogFile metadata file is divided into cyclic segments. During recovery, redo and undo areas are analyzed. Records that fall into the active tail zone of the log are reapplied to the volume, and data of incomplete operations is purged to maintain strict metadata integrity.
- Distributed link tracking. NTFS provides unique object identifiers for tracking moved files on a volume. Even if the target file is renamed or moved to another directory, shell shortcuts using the Distributed Link Tracking service can find it by the saved identifier within the volume.
- File ID management. Each object receives a unique 64-bit index that does not change when renamed. The OpenFileById function allows programs to open a file directly by its internal MFT segment number and generation sequence number, bypassing long path limitations and name locks.
- Extended attributes and indexing. NTFS directories store names in binary trees, making searching in folders with millions of files logarithmic in complexity. Attribute indices, such as file name, are ordered according to lexicographic rules to speed up open-by-exact-match operations.
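The USN change journal and File ID items above meet in the journal's record format: each USN_RECORD_V2 carries the 64-bit file reference, which splits into a 48-bit MFT segment number and a 16-bit sequence number. The parser below is an added example, not code from the original page; the two records in SAMPLE are constructed, and make_record is a hypothetical helper used only to build them.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<IHHQQQQIIIIHH")   # fixed 60-byte part of USN_RECORD_V2
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x20: "NAMED_DATA_EXTEND",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x800: "SECURITY_CHANGE",
           0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME",
           0x200000: "STREAM_CHANGE", 0x80000000: "CLOSE"}   # subset of USN_REASON_*


def split_ref(ref):
    """64-bit file reference -> (MFT segment number, sequence number)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_usn_v2(buf):
    """Return a list of dicts, one per USN_RECORD_V2 in buf."""
    out, pos = [], 0
    while pos + HEADER.size <= len(buf):
        (length, major, _, ref, parent, usn, ftime, reason,
         _, _, _, name_len, name_off) = HEADER.unpack_from(buf, pos)
        if length == 0:                       # zero fill at the end of a buffer
            break
        if (major != 2 or length < HEADER.size or pos + length > len(buf)
                or name_off + name_len > length):
            raise ValueError(f"malformed USN record at offset {pos}")
        name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        out.append({
            "usn": usn, "name": name,
            "file": split_ref(ref), "parent": split_ref(parent),
            "time": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ftime // 10),
            "reasons": [n for bit, n in REASONS.items() if reason & bit],
        })
        pos += length                         # RecordLength includes alignment padding
    return out


def make_record(usn, ref, parent, ftime, reason, name):
    """Build a constructed USN_RECORD_V2 for the demo (not captured data)."""
    raw = name.encode("utf-16-le")
    length = (HEADER.size + len(raw) + 7) & ~7          # records are 8-byte aligned
    head = HEADER.pack(length, 2, 0, ref, parent, usn, ftime, reason, 0, 0, 0x20, len(raw), HEADER.size)
    return (head + raw).ljust(length, b"\0")


# Constructed sample: a file in MFT segment 41 is deleted, then the segment is
# reused for a new file; only the sequence number tells the two apart.
SAMPLE = (make_record(4096, (3 << 48) | 41, (5 << 48) | 5, 133_500_000_000_000_000, 0x80000200, "report.docx")
          + make_record(4184, (4 << 48) | 41, (5 << 48) | 5, 133_500_000_600_000_000, 0x80000100, "notes.txt"))
```

When correlating journal entries with MFT records during an investigation, match on both halves of the reference; the segment number alone can point at a later, unrelated file.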
Comparisons
- NTFS change journal vs XFS journal. NTFS journals only metadata to guarantee directory structure integrity, whereas XFS uses write-ahead metadata journaling with asynchronous data writing, which reduces fragmentation and speeds up mounting, but creates a risk of losing file contents during a power failure without using write barriers.
- NTFS compression vs Btrfs compression. NTFS applies transparent compression at the level of individual files and folders using the LZNT1 algorithm without creating special partitions, which is convenient but fragments the stream. Btrfs uses zoned compression (ZSTD) at the extent level with ratio control and the ability to force activation for the entire subvolume, noticeably winning in utilization ratio.
- EFS encryption vs ext4/fscrypt encryption. Encrypting File System in NTFS works at the level of individual files tied to a user certificate, providing granular control, but is vulnerable to leakage through temporary files. Native ext4 encryption via fscrypt operates at the directory and kernel key level, isolating metadata and excluding file name compromise in auxiliary FS structures.
- NTFS symbolic links vs ReFS hard links. NTFS symlinks correctly handle relative and absolute paths with intermediate parse rail buffering, working with mounted volumes. ReFS deliberately abandoned hard links, replacing them with block cloning of metadata, which eliminates loss of block uniqueness during deduplication and ensures atomicity of copy operations within a volume.
- Shadow copies (VSS) vs ZFS snapshots. VSS creates block-level recovery coordinate points through a write coordinator inside the NTFS volume, intercepting changes before commit. ZFS snapshots are based on a COW-tree and block cloning without space reservation, creating an instant consistent copy of an entire file system without the overhead of a write prologue inside the guest file system.
OS and driver support
NTFS is the native file system of the Windows NT line, where full read and write support is implemented through the NTFS.SYS kernel driver. In macOS the driver operates in read-only mode due to the lack of licensed write code. In Linux, reliable writing is achieved through the FUSE driver ntfs-3g in user space or through the NTFS3 kernel module from Paragon that appeared in kernel 5.15, which provides native-code-level performance.
Security
NTFS security is built on security descriptors stored in the $Secure metafile. Each file and folder is assigned a 32-bit identifier referencing discretionary access control lists (DACL), which define permissions for users and groups, and system access control lists (SACL), which are responsible for auditing. The mechanism of inheriting permissions from parent objects allows administrators to automatically propagate settings down the directory hierarchy, eliminating the need for manual configuration of each content unit.
Logging
NTFS fault tolerance is implemented through metadata journaling in the $LogFile. Before any change to the directory structure, file creation, or cluster allocation, NTFS writes a redo operation and an undo operation to a circular buffer. In case of a system failure, the chkdsk utility or the native recovery engine is launched during reboot and either completes unfinished operations or rolls back interrupted transactions. This guarantees metadata consistency but not file content.
Limitations
The fundamental limitations of NTFS include a maximum single file size of 16 exabytes on disk (theoretically, with a 64 KB cluster size, although current Windows implementations strictly limit the volume to 256 terabytes), the inability to store names containing forbidden characters (?, <, >, *), and a maximum path length of 260 characters without enabling the long paths policy. Besides this, high fragmentation of the $MFT metafile on old disks without timely defragmentation leads to performance degradation, and native data deduplication is only available in Windows Server editions.
History and development
Developed in 1993 under the leadership of Helen Custer to replace the outdated FAT in Windows NT 3.1, NTFS went through several major revisions. Version 1.2 appeared in NT 3.51; version 3.0 in Windows 2000 brought quotas, reparse points, and EFS encryption; and version 3.1 in Windows XP added sparse file support and extended attributes. Backward compatibility is maintained because the driver of a newer OS is always capable of mounting a volume of an older version without structure conversion.