Question

I am trying to delete a file record from the MFT, which I can do successfully if I open the raw partition and reach the required file record by parsing the MFT file. The problem with this approach is that I have to lock the volume first so that I can write zeros to any MFT file record, and if some other process is holding the volume lock (which is very, very probable), the write to the raw volume fails due to Windows OS restrictions.

The other approach that I can think of is opening "$MFT" as a file and then reading and writing to it. This way I THINK I won't have to lock the volume. But when I try to open the $MFT file through the CreateFile WinAPI function, an "Access denied" error is raised even if I run my program as an Administrator.

My question is: how can I open the $MFT system file to write and read? Does the Windows OS allow system files to be read and written in the normal way? If not, what else can I do?

Any help would be appreciated.


Solution 2

$MFT isn't accessible from user-mode programs. (Thank god.) It's maintained by the NTFS driver, and the NTFS driver alone knows how to keep it up to date.

For your planned implementation, I'd suggest either using the file system directly, or implementing a file system filter driver. There's a tutorial on writing a file system filter driver, and some pointers on detecting deletions. (As always, there are some tricky bits...)

Other tips

Just in case someone comes here looking to open $MFT for the one legitimate purpose, the FSCTL_MOVE_FILE and FSCTL_GET_RETRIEVAL_POINTERS DeviceIoControl, you need to specify FILE_READ_ATTRIBUTES in the second parameter to CreateFile when opening special streams like C:\$MFT::$DATA.

Opening $MFT only lets you refer to the special file when performing DeviceIoControl requests; it does not open it for reading and writing like a normal file.

If you really want to read the MFT contents, when you need to get a list of every file on a volume very quickly, see FSCTL_ENUM_USN_DATA; it returns structures like USN_RECORD_V2, which are essentially MFT records.
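
An added example, not part of the answer above: a parser for the output buffer of FSCTL_ENUM_USN_DATA (a leading DWORDLONG holding the next start reference, followed by USN_RECORD_V2 structures), with length checks so a malformed record cannot overrun the buffer. The sample buffer and the helper `build_record` are constructed for illustration; on Windows the bytes would come from DeviceIoControl.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed part of USN_RECORD_V2 (60 bytes), little-endian, as laid out in winioctl.h.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
FILE_ATTRIBUTE_DIRECTORY = 0x10

def parse_enum_usn_buffer(buf):
    """Return (next_start_frn, records) for one FSCTL_ENUM_USN_DATA output buffer."""
    if len(buf) < 8:
        raise ValueError("buffer too short for the leading DWORDLONG")
    (next_frn,) = struct.unpack_from("<Q", buf, 0)
    records, off = [], 8
    while off + _HDR.size <= len(buf):
        (rec_len, major, _minor, frn, parent, usn, ts, _reason, _src, _sid,
         attrs, name_len, name_off) = _HDR.unpack_from(buf, off)
        # Validate lengths before slicing: a corrupt length must not loop or overrun.
        if rec_len < _HDR.size or rec_len % 8 or off + rec_len > len(buf):
            raise ValueError(f"bad RecordLength {rec_len} at offset {off}")
        if major != 2:
            off += rec_len  # V3/V4 records use a different layout; skip them
            continue
        if name_off < _HDR.size or name_off + name_len > rec_len:
            raise ValueError(f"file name outside record at offset {off}")
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({
            "mft_index": frn & 0xFFFFFFFFFFFF,   # low 48 bits: MFT record number
            "sequence": frn >> 48,               # high 16 bits: sequence number
            "parent_mft_index": parent & 0xFFFFFFFFFFFF,
            "usn": usn,
            "timestamp": datetime(1601, 1, 1, tzinfo=timezone.utc)
                         + timedelta(microseconds=ts // 10),  # FILETIME, 100 ns units
            "is_dir": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
            "name": name,
        })
        off += rec_len
    return next_frn, records

def build_record(frn, parent, name, attrs=0x20, usn=0, ts=0):
    """Build one constructed USN_RECORD_V2 (sample data, not a capture)."""
    raw = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(raw) + 7) & ~7    # records are 8-byte aligned
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent, usn, ts, 0, 0, 0, attrs, len(raw), _HDR.size)
    return (hdr + raw).ljust(rec_len, b"\0")

# Constructed sample: next start reference 42, one file and one directory.
SAMPLE = (struct.pack("<Q", 42)
          + build_record((3 << 48) | 40, (5 << 48) | 5, "notes.txt")
          + build_record((1 << 48) | 41, (5 << 48) | 5, "logs", attrs=0x10))
```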

License: CC-BY-SA with attribution
Not affiliated with StackOverflow