[Back to Main Page]
Author: Dennis Lang
Version: NTFSfastFind v2.9
Warning - Use at your own risk. No guaranties on reliability and accuracy of NTFSfastFind.
MIT license clause added to all source code files.
Download v2.9 source code: NTFSfastFind-v2.9-src.zip (C++/Visual Studio 8 & 10) Download v2.9 excutable: NTFSfastFind-x64.exe
Download v2.8 excutable: NTFSfastFind-x32.exe
Download v2.3 source code: NTFSfastFind-v2.3-src.zip (C++/Visual Studio 8 & 10) Download v2.3 excutable: NTFSfastFind.exe
NTFSfastFind is similar to the directory list command dir and needs a disk drive and optional file pattern.
NTFSfastFind c: NTFSfastFind d:*.log NTFSfastFind c:Foo*.txt NTFSfastFind c:Events??-Jan-??.txt NTFSfastFind c:\windows\system*\*.log NTFSfastFind -f *.log -s 1000 -t -1.0 c: d: e:
> NTFSfastFind.exe -f \Windows\* c:*.log Path C:\Windows\PFRO.log C:\Windows\WindowsUpdate.log C:\Windows\setupact.log C:\Windows\setuperr.log > NTFSfastFind.exe c:\windows\*.log Path C:\Windows\PFRO.log C:\Windows\WindowsUpdate.log C:\Windows\setupact.log C:\Windows\setuperr.log > NTFSfastFind.exe -ITS -f \Windows\* c:*.log Parent Modified Date Size Path 5012 08/07/2011 12:14 PM 308 C:\Windows\PFRO.log 5012 08/07/2011 1:36 PM 1,440,386 C:\Windows\WindowsUpdate.log 5012 08/07/2011 12:14 PM 56 C:\Windows\setupact.log 5012 08/07/2011 8:25 AM 0 C:\Windows\setuperr.log > NTFSfastFind.exe -ITS# -f \Windows\* c:*.log Parent #Data Modified Date Size #Name Path 5012 1 08/07/2011 12:14 PM 308 1 C:\Windows\PFRO.log 5012 1 08/07/2011 1:36 PM 1,440,386 2 C:\Windows\WindowsUpdate.log 5012 1 08/07/2011 12:14 PM 56 1 C:\Windows\setupact.log 5012 1 08/07/2011 8:25 AM 0 1 C:\Windows\setuperr.log
Pattern Directory Pattern File Pattern foo.dat Any directory Exact match to foo.dat foo.* Any directory Any file starting with foo. \tmp\ Exact match to directory \tmp Any files. \tmp\foo.dat Exact match to directory \tmp Exact match to foo.dat \tmp*\f*.dat Any directory under directory starting with \tmp Any file starting with f and ending with .dat
Here are some examples using combinations of -f and drive argument.
The wildcard engine only support ? and *, but allows the wildcard characters to appear multiple times, in the both the filename and directories.
Command Description NTFSfastFind.exe -f \Windows*\ c: -f Limits output to files which are in or below directories starting with Windows NTFSfastFind.exe -f \Windows\ c: -f Limits output to files which are in directory \Windows NTFSfastFind.exe -f \Windows c: -f Limits output to file Windows NTFSfastFind.exe c:\Windows*\ Limits output to files which are in or below directories starting with Windows. NTFSfastFind.exe c:\Windows\ Limits output to files which are in directory \Windows NTFSfastFind.exe c:\Windows Limits output to file Windows NTFSfastFind.exe -f \Windows*\ c:w*.dll -f Limits output to files which start with w and end in .dll, and are in or below directories starting with Windows. NTFSfastFind.exe -f \Windows\ c:w*.dll -f Limits output to files which start with w and end in .dll, and are in directory \Windows NTFSfastFind.exe -f \Windows c:w*.dll Invalid combination, because -f limits output to files Windows and
c:w*.dll limits output to files starting with w and ending in .dll
Pattern Results * All files ??? File with 3 characters *.txt Files ending with .txt *Jan*.txt Files containing Jan and ending with .txt c:\*\log\*.txt Files ending with .txt in a subdirectory \log one level below the base directory. c:\Windows\System*\*.log Files ending with .log and in subdirectory starting with \Windows\System
NTFSfastFind -f \windows\* -f *.log c:
Note - the following will always fail because they both filter on the file extension, remember to use backslash to define a directory filter.
NTFSfastFind -f *.log -f *.txt c:
Command Description -f <fileFilter> Use -f to define file filters using wildcards.
Identical file filter commands:
NTFSfastFind -f *.log c:
Example with file filter applied to multiple drives.
NTFSfastFind -f *.log c: d:
-s <size> Filter by file size
Show files greater than 1000 bytes on d drive.
NTFSfastFind -s 1000 d:
Show files less than 2000 bytes on c drive.
NTFSfastFind -s -2000 c:
-t <relativeModifyDate> Filter by Modify Time, value is relative days.
Modified less than 2.5 days ago, file ends in .log on c drive.
NTFSfastFind -t -2.5 -f *.log
Modified more than 7 days ago on e drive.
NTFSfastFind -t +7 e:
The switch order does not affect the column order. The column order is fixed at:
Command Description -A Include attributes. R=readonly, H=hidden, S=system, D=directory. -D Disable directory part of file path. -I Include MTF index of parent directory. -S Include size. -T Include modify time. -# Include stream and name counts -Q Special mode, Query and display MFT detailed information.
Column Description Presentation switch MFT parent index -I Number of data streams -# Modified Date & Time -T File size -S Attribute -A Number of file names -# Directory path -D File name
Example output showing ALL columns:> NTFSfastFind.exe -AIST# -f \Windows\* c:*.log Parent #Data Modified Date Size Attribute #Name Path 5012 1 08/07/2011 12:14 PM 308 20 1 C:\Windows\PFRO.log 5012 1 08/07/2011 6:59 PM 1,468,866 20 2 C:\Windows\WindowsUpdate.log 5012 1 08/07/2011 12:14 PM 56 20 1 C:\Windows\setupact.log 5012 1 08/07/2011 8:25 AM 0 20 1 C:\Windows\setuperr.log
NTFS Fast File Find v2.9 - Sep 2, 2013 By: Dennis Lang https://home.comcast.net/~lang.dennis/ Description: NTFSfastFind searches NTFS Master File Table (MFT) rather then iterating across directories. NTFSfastFind does not use or maintain an index database By reading the MFT directly, NTFSfastFind can locate files anywhere on a disk quickly. Note: Standard directory searching is faster if you know the directory to search. If you don't know the directory and need to search the entire disk drive, NTFSfastFind is fast. If you use the -z switch, it will iterate across the directories rather then using MFT. Use: NTFSfastFind [options]
... Filter: -d ; Filter by data stream count -f ; Filter by filename, use * or ? patterns -s ; Filter by file size -t ; Filter by time modified, value is relative days -z ; Force slow style directory search Report: -A[=s|h|r|d|c] ; Include attributes, filter on attributes -D ; Include directory -I ; Include mft index -S ; Include size -T ; Include time -# ; Include stream and name counts -Q ; Query, Display system files (-A=s) and MFT information only Examples: No filtering: c: ; scan c drive, display filenames. -ITSA c: ; scan c drive, display mft index, time, size, attributes, directory. Filter examples (precede 'f' command letter with ! to invert rule): -f *.txt d: ; files ending in .txt on d: drive -!f *.txt d: ; files NOT ending in .txt on d: drive -t 2.5 -f *.log ; modified more than 2.5 days and ending in .log on c drive -t -7 e: ; modified less than 7 days ago on e drive -s 1000 d: ; file size greater than 1000 bytes on d drive -s -1000 d: e: ; file size less than 1000 bytes on d and e drive -f F* c: d: ; limit scan to files starting with F on either C or D -d 1 d: ; files with more than 1 data stream on d: drive -Q c: ; Display special NTFS files -z c:\windows\system32\*.dll ; Force slow directory search.
Note - there are plenty of similar and polished MFT search tools available for free on the net.
Everything Search Engine http://www.voidtools.com NTFS Direct File Find http://ndff.hotbox.ru/en/index.html [link down] Saleen ScanFS http://www.saleensoftware.com/ScanFS.aspx Ultrasearch http://www.jam-software.com/ultrasearch/
I also found a tool to remove large series of null's from a file and convert it to a sparse file. This is completely unrelated to NTFS scanning, but nonetheless a special file type supported by NTFS.
Sparse Checker http://www.opalapps.com/sparse_checker/sparse_checker.html
Inode Filename OS Description 0 $MFT Master File Table - An index of every file 1 $MFTMirr A backup copy of the first 4 records of the MFT 2 $LogFile Transactional logging file 3 $Volume Serial number, creation time, dirty flag 4 $AttrDef Attribute definitions 5 . (dot) Root directory of the disk 6 $Bitmap Contains volume's cluster map (in-use vs. free) 7 $Boot Boot record of the volume 8 $BadClus Lists bad clusters on the volume 9 $Quota NT Quota information 9 $Secure 2K Security descriptors used by the volume 10 $UpCase Table of uppercase characters used for collating 11 $Extend 2K A directory: $ObjId, $Quota, $Reparse, $UsnJrnl 12-15 <Unused> Marked as in use but empty 16-23 <Unused> Marked as unused Any $ObjId 2K Unique Ids given to every file Any $Quota 2K Quota information Any $Reparse 2K Reparse point information Any $UsnJrnl 2K Journalling of Encryption > 24 A_File An ordinary file > 24 A_Dir An ordinary directory ... ... ...