c windows winapi ntfs

Opening $MFT file causes Access denied even if run as administrator


I am trying to delete a file record from the MFT, which I can do successfully if I open the raw partition and reach the required file record by parsing the MFT file. The problem with this approach is that I have to lock the volume first so that I can write zeros over any MFT file record, and if some other process is holding the volume lock (which is very, very probable), the write to the raw volume fails due to Windows OS restrictions.

The other approach that I can think of is opening "$MFT" as a file and then reading and writing to it. This way I THINK I won't have to lock the volume. But when I try to open the $MFT file through the CreateFile WinAPI function, an "Access denied" error is raised even if I run my program as an Administrator.

My question is: how can I open the $MFT system file to read and write? Does the Windows OS allow system files to be read and written in the normal way? If not, what else can I do?

Any help would be appreciated.


Solution

  • $MFT isn't accessible from user-mode programs. (Thank god.) It's maintained by the NTFS driver, and the NTFS driver alone knows how to keep it up to date.

    For your planned implementation, I'd suggest either using the file system directly, or implementing a file system filter driver. There's a tutorial on writing a file system filter driver, and some pointers on detecting deletions. (As always, there are some tricky bits...)