Recently, I encountered an unknown problem causing particular folder in NTFS folder to be corrupted in multiple computers. I need to detect if the folder is corrupted and perform actions like relocate the folder or send notifications. However I do not know how to do it yet. The normal APIs, like OpenFile/CreateFile seems to be malfunctioning with the corrupted folder and I can not use them to determine if a Folder is corrupted. So I plan to parse MTF structure and check for problem directly.
Therefore, I began to study the NTFS MFT structure. I found that $Volume has a dirty flag to determine if a drive needs chkdisk. But it is not directly related to file corruption and will be set if Windows is shutdown unexpectedly. DI failed to find a particular flag or anything to determine if an INDEX or FILE is corrupted in MFT structure.
Could I know if there is a way to determine a corrupted NTFS Folder?
Any help is appreciated!
I found 3 things that are related with NTFS disk corruption issues. It is incomplete; however, without updated NTFS source code, it is very hard to find out what Microsoft was really doing in chkdisk. I will just post what I found it in case if anyone needs to know it.
1 Dirty Flag in $BadClus of "File Records" section
If the flag in $BadClus is set to ON, then the operating system will perform a disk scan at boot-up. I believe NTFS module would set the flag to ON if encounter disk operation.
2 "BAAD" in identification field of a file record
If there is something wrong with file record, for example USA/USN unmatched, then MFT may replace "FILE" with "BAAD" in identification field of a file record structure. It can be used to identify corrupted file/directory quickly.
3 Compare USA/USN in every FILE/INDX record
Both FILE/INDX structure contains USA/USN for corruption check. Scan through the system and compare USA and USN could help you discover corruption issue.