      DFSee version 17.0 2022-10-22  (c) 1994-2022: Jan van Wijk
 =========================[ www.dfsee.com ]==========================

_______________________________________________________________________________

C O N T E N T S:
_______________________________________________________________________________

   Command reference    = overview of NTFS specific commands
   Detailed description = description for every command


  Note: All generic commands can be found in DFSCMDS.TXT, for example:

        ALLOC,  CHECK,  CLONE,  RESIZE,  RECOVER,  SAVETO,  SCAN,  WIPE

_______________________________________________________________________________

C O M M A N D   R E F E R E N C E:
_______________________________________________________________________________

NTFS specific commands

Active filesystem : NTFS, specific commands are:

 \[path-spec]    = find and show ROOT or file/directory relative to root
 BOOTINI  [part] = Find the (first) boot.ini file present in the filesystem
 BSCLEAR         = Reset bad-sector/cluster administration to ZERO bad sectors
 CA   [lsn][opt] = Check Allocation integrity for (current) MFT lsn
 DELFIND  [name] = Find deleted files, with MFT containing (partial) name
 DFSNTLDR  [img] = Create compressed imagefile containing the NTLDR sectors
 DIRTY     [n|d] = Set NTFS $Volume 'CHKDSK required' flag to Normal or Dirty
 FILEFIND [name] = Find normal files,  with MFT containing (partial) name
 FINDROOT [n][~] = find the Root directory without using the superblock
                   starting the search at LSN [n]; [~] = use 8.3 names
 FINDMFT   [lsn] = Locate the MFT (for FIXBOOT when no spare-copy available)
 FIXBOOT         = Recover NTFS bootsector from spare-copy, or create new
 FIXNTLDR        = Replace (the first sector of) NTLDR for an NTFS partition
 LABEL   [label] = Display/edit 32-char volume label in the $Volume MFT record
 MFT       [-v-] = Translate and display 'this' LSN as an MFT record nr
 MFT [rec#][-v-] = Calculate LSN for MFT record-nr and perform default display
 MIR [rec#][-v-] = Calculate LSN for MFT-mirror record-nr, do default display
 MFTEXT          = Find all external MFT records (continuation for base-MFT)
 PATH     [n][~] = Show all path-components for MFT, upto root [use 8.3] name


 For an up-to-date list of commands, use the '?' command

 NTFS specific sector types  (see ??? command)

 's' = NTLDR, 1st sector    'f' = MFT regular File     'D' = MFT  regular Dir
 'm' = MFT  2ndary  File    'M' = MFT  2ndary  Dir     'y' = MFT  deleted Dir
 'z' = MFT  deleted File    'd' = DIR filename INDX    'i' = SII security INDX
 'S' = SDH security INDX    'j' = LOG  restart Area    'J' = LOG  record  Page
 'Z' = MFT Ghost record     'Y' = MFT empty record     'c' = Past last cluster

             For an up-to-date list, use the '???" command
_______________________________________________________________________________

D E T A I L E D   D E S C R I P T I O N:
_______________________________________________________________________________

 \path-spec     = find and show file/directory specified by path-spec

 Purpose:       Locate the MFT-record for a known file or directory

 Parameters:    path-spec          full path specification with no intervening
                                   space after the '\' command character

 Output:        Search result list starting at the ROOT directory up to the
                requested file or directory. It is either followed by an error
                message if the path-spec was not found or by the display of
                the corresponding MFT-record information.

 Remarks:       The search algorithm depends on the ROOT MFT being intact.
_______________________________________________________________________________
 BOOTINI  [part] = Find the (first) BOOT.INI file present in the filesystem

 Purpose:       Display, and optionally FIX the Windows BOOT.INI file

 Parameters:    part        optional   partition number to be used for the
                                       current partition in the 'default='
                                       line in the BOOT.INI file.
                                       Specify '*' to use the value as
                                       calculated by DFSee ...

 Options:       -c          Work on the CURRENT sector, do not search the file

                -2          Try to update the 2nd line with same ARC path too.
                            (making the change complete in almost all cases)


 Remarks: When found, some info of the file will be displayed, and the line
          containing the DEFAULT partition to be booted will be displayed
          including the 'partition(W)' partition index. It should look like:

              default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

          Below that line, the partition index calculated by DFSee is shown.
          This is based on the assumption you want to boot to an installed
          Windows-NT/W2K/XP in THIS SAME partition! For booting to other
          partitions with Windows installed, use the value shown in the
          'BI' column that is included in the 'part -s' display.

          Incorrect values for the default partition index will lead to
          boot failures with messages like:

              Windows could not start because the following file
              is missing or corrupt: Windows\system32\Hal.dll

          The specified or calculated value will be substituted for the
          partition index in the default line (and second one with '-2')

          Of course you need to reboot to test if this fix worked ...

          Note: When the '-2' option is not specified, or when updating the
                second line with the same numbers has failed for some reason,
                this is not a full 'REPAIR' of your BOOT.INI, but the minimum
                update to allow booting Windows again! You need to properly
                edit BOOT.INI once Windows is running again, or use the
                'bootcfg /rebuild' command from the recovery console that
                can be started from regular Windows installation CDs.

                When there is damage to the BOOT.INI file beyond an incorrect
                partition index, fixing it this way might not be possible.
_______________________________________________________________________________

 CA   [lsn][opt] = Check Allocation for (current) MFT lsn

 Purpose:       Check allocation integrity for current MFT

 Parameters:    lsn         optional   LSN of the MFT record
                opt         optional   Options:  v   = Verbose, show progress

 Output:                   Start of one file-extent (fragmented file)
                           One cluster, small green dot: allocation OK
                           One cluster, big red dot: allocation error

                Also a summary is given with the number of (failed) sectors

 Remarks:       MFT-entry may be for a regular file (sectors must be ALLOCATED)
                or for a deleted file (sectors must be FREE)
_______________________________________________________________________________

 CHECK   [drive] = Check filesystem integrity for drive-letter (CHKDSK)

 Purpose:       Perform a filesystem check, and report the errors found

 Parameters:    drive     PID or driveletter for partition to check.
                          When not specified, the CURRENT object is checked.

 Options:       -r        Force refresh of the Sector Lookup Table (SLT)
                          even if one exists already


 Output:        Two lines for each sector in error that is found, the first
                lists the sector number, where it is referenced from and a
                short description. The second line is an error description

                For NTFS the reported errors are:

                0x000001  Linked to some structure, but not in allocation-map
                0x000002  Allocated in allocation-map, but no known link
                0x000004  MFT record has invalid contents, bad signature
                0x000008  MFT record has invalid fixup values, damaged
                0x800000  The filesystem is marked DIRTY (open files)
                          this may cause bogus errors to be displayed!


 Remarks:       Some of the errors are generic, but most are filesystem
                specific. The generic ones are also listed with the 'SLT'
                command in dfscmds.txt.
_______________________________________________________________________________

 CL             = Translate and display 'this' LSN as a cluster number

 Purpose:       Find out what cluster number corresponds to current LSN

 Parameters:    none

 Output:        The cluster number, or an error message when invalid
_______________________________________________________________________________

 CL clust [cmd] =Translate specified cluster number to LSN, display with cmd

 Purpose:       Display data using a cluster number instead of an LSN

 Parameters:    clust   mandatory  The cluster number of interest

                cmd     optional   DFS generic command to execute with clust
                                   as its first and only parameter (like 'H')

 Output:        The output for the cmd, when no explicit cmd is specified this
                will be the DFS default for the corresponding LSN, usually a
                display of that sector(s) in an appropriate format.
_______________________________________________________________________________

 DELFIND [name] = Find deleted files, limit to MFT records containing [name]

 Purpose:       Find deleted files, with name starting at current LSN

 Parameters:    name        optional   part of filename wanted, not a true
                                       wildcard, but may start and end in
                                       a '*' character

 Options:       -a          Search ANY/ALL files, deleted and normal
                -D          search directories only, not files+directories
                -c          Start from current sector, not start of volume
                -d-         Search outside Master File Table too   (SLOW!)
                -v          Verbose search, list files while found (SLOW!)

 Output:        Find-result list (as "find -type:z") on screen and in memory

 Remarks:       All deleted files, or the ones where the MFT record contains the
                specified UNICODE string, will be found and added to the list.

                The [name] selection aims at the FILENAME part only. To select
                on part of the full path for the file, use the wildcard select
                parameters on the DELSHOW and RECOVER commands

                The [name] is NOT case-sensitive, and there is a slight chance
                of 'false-hits' when other parts of the MFT contains this string

                List can be manipulated as usual, best viewed with "delshow"

                By default, only the MFT area is searched, which is at least
                a hundred times faster as searching the whole filesystem.
_______________________________________________________________________________

 DFSNTLDR  [img] = Create compressed imagefile containing the NTLDR sectors

 Purpose:       Create an imagefile with the NTLDR sectors, for later fixing.
                This works on the 15 sector first-stage of NTLDR that is part
                of the $Boot system-file on NTFS filesystems, and is located
                directly after the normal bootsector.

 Parameters:    img     optional   Name of imagefile with NTLDR code
                                   (15 sectors) with a default of 'dfsntldr'

 Output:        Progress and error messages
_______________________________________________________________________________

 DIRTY     [n|d] = Set NTFS $Volume 'CHKDSK required' flag to Normal or Dirty

 Purpose:       Set the flag that indicates a CHKDSK is required to 'normal' or
                to 'dirty'. The latter causes a CHKDSK on the next Window boot.

 Parameters:    value       optional   '1', 'd' or 'D' to set to DIRTY
                                       any other value resets it to NORMAL

 Output:        Display $Volume info including flags and $Logfile status-flags

 Remarks:       The 'CHKDSK required' flag is used to force Windows to perform
                an error correcting 'CHKDSK /f' on the next boot.
                This would be good to do after major changes to the filesystem
                like a DFSee 'resize' operation, or manual editing :-)

                Note that this is NOT the same as the filesystem being 'clean'
                or 'dirty' with no changes pending. The latter is kept in the
                $Logfile special file (displayed here as well, but not changed)
_______________________________________________________________________________

 FILEFIND [name] = Find normal files, limit to MFT records containing [name]

 Purpose:       Find normal (not deleted) files. Where the name contains a
                wildcard, the found files can be copied to another disk using
                the RECOVER or SAVEAS commands, just as with deleted files.

 Parameters:    name        optional   part of filename wanted, not a true
                                       wildcard, but may start and end in
                                       a '*' character

 Options:       -a          Search ANY/ALL files, deleted and normal
                -D          search directories only, not files+directories
                -c          Start from current sector, not start of volume
                -d-         Search outside Master File Table too   (SLOW!)
                -v          Verbose search, list files while found (SLOW!)

 Output:        Find-result list (as "find -type:f") on screen and in memory

 Remarks:       All deleted files, or the ones where the MFT record contains the
                specified UNICODE string, will be found and added to the list.

                The [name] selection aims at the FILENAME part only. To select
                on part of the full path for the file, use the wildcard select
                parameters on the DELSHOW and RECOVER commands.

                The [name] is NOT case-sensitive, and there is a slight chance
                of 'false-hits' when other parts of the MFT contains this string

                List can be manipulated as usual, best viewed with "delshow" or
                the equivalent "list -f"

                By default, only the MFT area is searched, which is at least
                a hundred times faster as searching the whole filesystem.
_______________________________________________________________________________

 FINDROOT [n][~] = find the Root directory without using the bootrec info
                   starting the search at LSN [n]; [~] = use 8.3 names

 Purpose:       Find the MFT for the ROOT directory, even if parts of
                the volume, including the boot record, are damaged.

 Parameters:    n           optional   Start LSN for the search

                ~           optional   Use the short 8.3 name when available

 Output:        Search result list starting at the first MFT record encountered
                up to the MFT record for the ROOT directory when found.

 Remarks:       none
_______________________________________________________________________________

 FINDMFT   [lsn] = find the Master File Table (MFT) to prepare for FIXBOOT

 Purpose:       Find the LSN for the start of the main MFT file, without
                using any info from the bootsector (prepare for fixboot)

 Parameters:    lsn         optional   Start LSN for the search


 Output:        Progress while searching for the unique $AttrDef MFT record
                ans default display of the $MFT record when found

 Remarks:       This can be a very time-consuming operation (hours on large disk)
                but may be required if the bootsector is damaged, and no spare
                copy is present at the end of the partition.

                The FIXBOOT command will automatically use the found location
                as its MFT-location parameter 'mftLSN'
_______________________________________________________________________________

 FIXBOOT        = Recover NTFS bootsector from the spare copy (saved by format)

 Purpose:       Fix corrupted bootsector for an NTFS partition

 Parameters:    mftLSN      optional   sectornumber of the $MFT record
                                       (default from bootsector, or FINDMFT)

 Options:       -c[:n]      use current, or specified clustersize (default is 8)
                -s-      do NOT try to copy the existing spare-bootsector first
                -V-      Use Windows NT/XP 'NTLDR', not Vista/W7/8/10 'BOOTMGR'

 Output:        Progress and confirmation info

 Remarks:       This will locate the copy of the bootsector saved by format,
                and when found copy it to the bootsector location (sector 0),
                or create a new one from a template or specified imagefile.

                The partition table info (type and size) must still be valid!

                When creating a new bootsctor from a template/imagefile, the
                required MFT location will be the result of a previous FINDMFT
                command, or a fixed default of 0x60000 (Windows XP, smallish)
_______________________________________________________________________________

 FIXNTLDR       = Replace (the first sector of) NTLDR for an NTFS partition

 Purpose:       Fix a damaged NTLDR so Windows will boot correctly again.
                This works on the 15 sector first-stage of NTLDR that is part
                of the $Boot system-file on NTFS filesystems, and is located
                directly after the normal bootsector.

 Parameters:    -I[:image]   Name of imagefile with NTLDR code (15 sectors)
                             with a default of 'dfsntldr.imz'
                             When not specified at all, only the FIRST sector
                             will be replaced, using a copy builtin to DFSee.

 Options:       -V-          Use Windows NT/XP 'NTLDR', not Vista/W7/8/10 'BOOTMGR'

 Output:        Progress and error messages

 Remarks:       DFSee comes with two NTLDR imagefiles, which are intended for:

                DFSNTLDR.IMZ : Windows-NT, Windows-2000 and Windows-XP
                DFSNTLDR.IM7 : Windows-7 and later versions (perhaps Vista too)
_______________________________________________________________________________

 LABEL    [label] = Display/edit the volume label in the $Volume MFT file

 Purpose:       Set a volume label in the $Volume special file in the MFT

 Parameters:    label   optional   New volume label, maximum length 32
                                   Default value is the current volume label

 Options        -!-                Skip input dialog for a new value

 Output:        Progress information

 Remarks:       On NTFS there is NO label in the bootsector, but it resides
                ONLY in the $Volume special file in the Master-File-Table
                which is updated by DFSee when changing the label value.

                The NTFS label in the $Volume MFT record is 32 characters
_______________________________________________________________________________

 MFT [rec#][-v-] = Calculate LSN for MFT record-nr and perform a default display

 Purpose:       Display a sector, probably an MFT-record, by specifying its
                MFT number. The logical sector number is based on the MFT-0
                pointer in the boot record an a calculated sectors per MFT.

 Parameters:    rec#               The record number for the MFT record
                                   0 is the first MFT, regarding the MFT itself

 Options        -v-                Non-verbose, basic info and NAME attribute only

                -R[:attr-id]       Build and display an allocation runlist
                                   for the non-resident unnamed data-attribute
                                   or another attribute specified by 'Id'
                                   (this option is for testing purposes mainly)


 Output:        Display of the MFT record contents, or an error message
_______________________________________________________________________________

 MIR [rec#][-v-] = Calculate LSN for MFT-mirror record-nr, do default display

 Purpose:       Display a sector by specifying its MFT number as an index
                into the MFT-mirror area. (effect as 'MFT' command)

 Parameters:    rec#               The record number for the MFT record

 Options        -v-                Non-verbose, basic info and NAME attribute only

 Output:        Display of the MFT record contents, or an error message

 Remarks:       The MFT mirror area only contains a subset (usually 4 records)
                The main purpose for the MFT mirror is as a backup for the
                important (system) files like the MFT and root directory.
_______________________________________________________________________________

 MFTEXT         = Find all external MFT records (continuation for base-MFT)

 Purpose:       Quickly find all MFT records that are continuations for others

 Parameters:    none

 Output:        Standard find-progress, and one line per hit

 Remarks:       Continuation MFT records link back to the base-MFT. This link
                will be recorded in the 'up' shortcut. (command 'u')
                From the base MFT-record, the first external continuation MFT
                will be recorded in the 'eXtra' shortcut (command 'x')

                Existence of a continuation record is a sure sign for very
                heavy fragmentation of the file in question.
_______________________________________________________________________________

 PATH    [n][~] = Show all path components for MFT, up to root [use 8.3] name

 Purpose:       Show the directory branch that contains current file/dir

 Parameters:    n           optional   Start LSN for the search

                ~           optional   Use the short 8.3 name when available

 Output:        One line for each found 'parent' directory, up to the root

 Remarks:


 NTFS remarks:

 Date and time information in the NTFS filesystem is stored as a time offset
 in units of 100ns starting on 1st of January 1601. It is  a 64-bit number.
 The date and time is stored as a Universal Coordinated Time (UTC/GMT) and
 displayed as such by DFSee. If you want timestamps to correspond to your
 local timezone, you can set the 'TZDFSEE' environment variable to a signed
 number of minutes, being the offset to GMT.

_______________________________________________________________________________
