a wee question please


newbie12345

Whilst running the excellent Recuva program I noticed that certain files could not be overwritten as they were resident in the master file table. Now some of these files were innocuous, i.e. they were from surfing, e.g. eBay, Amazon, BBC, so the question I'd like to ask you experts is....

 

What are the criteria that Windows 7 uses to decide to make any file resident in the master file table?

 

 

thanks.


  • Moderators

Each record in the MFT is 1k, so NTFS can fit small file data, say 6-700 bytes or fewer, entirely into the record. Larger files have file data held elsewhere, and the MFT record points to the data clusters.

 

Recuva can't change the contents of the MFT, so it can't overwrite files held entirely in the MFT. This is also why Recuva doesn't remove file names.

 

CC can with its Wipe Free Space, as it allocates enough new files to overwrite all the deleted records in the MFT, then deletes them.


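Added example (not part of any post in this thread, and not Piriform's code): a Python sketch of how a forensic check reads file content that is resident in an MFT record, including a record whose in-use flag is clear because the file was deleted. The record is a constructed sample containing only an unnamed `$DATA` attribute (real records also carry `$STANDARD_INFORMATION` and `$FILE_NAME`, which leaves less room for data); 512-byte sectors and the helper names `build_record` and `resident_data` are assumptions.

```python
import struct

RECORD_SIZE, SECTOR = 1024, 512   # 1 KB record as stated in the thread; sector size assumed
ATTR_DATA, ATTR_END, IN_USE = 0x80, 0xFFFFFFFF, 0x0001

def build_record(data, in_use):
    """Constructed sample: FILE record with one resident, unnamed $DATA attribute."""
    attr_len = (0x18 + len(data) + 7) & ~7            # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", ATTR_DATA, attr_len, 0, 0, 0, 0, 0,
                       len(data), 0x18, 0, 0) + data
    hdr = struct.pack("<4sHHQHHHHIIQH", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      IN_USE if in_use else 0, 0x38 + attr_len + 8, RECORD_SIZE, 0, 1)
    rec = bytearray((hdr.ljust(0x38, b"\0") + attr.ljust(attr_len, b"\0")
                     + struct.pack("<II", ATTR_END, 0)).ljust(RECORD_SIZE, b"\0"))
    usn = b"\x07\x00"                                 # arbitrary update sequence number
    rec[0x30:0x32] = usn
    for i in (1, 2):                                  # on disk, each sector ends with the USN
        end = i * SECTOR
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)

def resident_data(record):
    """Return (in_use, data); data is None when $DATA is non-resident or absent."""
    if len(record) < RECORD_SIZE or record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = bytearray(record)
    usa_off, usa_n = struct.unpack_from("<HH", rec, 4)
    for i in range(1, min(usa_n, RECORD_SIZE // SECTOR + 1)):   # undo fixups (USN not verified)
        rec[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    pos, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute offset, record flags
    in_use = bool(flags & IN_USE)
    while pos + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        non_resident, name_len = struct.unpack_from("<BB", rec, pos + 8)
        if atype == ATTR_DATA and name_len == 0:      # unnamed stream = main file content
            if non_resident:
                return in_use, None                   # content lives in clusters elsewhere
            size, off = struct.unpack_from("<IH", rec, pos + 0x10)
            return in_use, bytes(rec[pos + off:pos + off + size])
        pos += alen
    return in_use, None

if __name__ == "__main__":
    in_use, data = resident_data(build_record(b"x" * 500, in_use=False))
    print(f"in use: {in_use}, resident bytes still in record: {len(data)}")
```
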
Cool. In that case, wonder why Recuva wiper isn't updated to match CCleaner's capabilities?


  • Moderators

Because the process CC uses is not part of Recuva's armoury. Recuva, and CC, only use legitimate Windows APIs, to ensure the integrity of the operating system. There isn't an API for zapping the MFT.

 

CC's WFS is as described above, a legitimate process that anyone can emulate. It would, in my opinion, not be suitable to add WFS to Recuva, which is a recovery application: if you want to WFS just use CC.

 

You can of course download a free hex editor and run it against the MFT. Good luck. But this isn't really what the OP was talking about.


I would think that CC process is not part of Recuva, which is why I was wondering about the difference.

 

I would imagine that both do use legitimate Windows API processes. Although I realize Recuva is a recovery program, why would they include a partially crippled file wiper mechanism? I would not imagine that CC process is very dangerous, as I have not had any problems on test computers I have used yet.

 

As you have stated above, there may not be a Windows API for zapping MFT, but rather a legitimate CC process that anyone can emulate. Since anyone can emulate, & it is a safe legitimate process, it would seem logical to add it to Recuva...

 

Or is my thinking off a bit here? Bear with me, I am trying to gain understanding of this complexity. LOL!


  • Moderators

It doesn't seem logical to have the same function, WFS, in both programs. Recuva's secure delete wipes individual deleted files. CC's secure delete wipes individual live files, and WFS does WFS.

 

CC's secure delete and WFS both work by editing or manipulating live files. Recuva works on deleted files. They're just different approaches to not quite the same problem.


If a 500 Byte file is held in a 1 kByte record in the MFT and has been deleted,

is there a "legitimate Windows API's",

or even a "Piriform Workaround",

that could specifically IDENTIFY and wipe that specific 1 kByte record,

or is the only way to obliterate that 500 Byte deleted file as part of the process of wiping the entire multi-GByte Free Space of a TByte HDD ?

 

Would I be correct in assuming that even if a "Piriform Workaround" could identify a specific 1 kByte MFT record,

without a legal API any erase of that record could happen just after a new and vital record has been written to that location?


  • Moderators

Hi Newbie, I hope you've found your answer in all this, the criterion is purely file size.

 

Alan, I know of no way to clear these MFT entries apart from flooding the MFT with 'dummy' files. This seems to be the way that most non-destructive disk cleaners work. I guess that this is because the MFT is the cornerstone of NTFS, and no responsible application would use a non-Windows way of amending it. So creating and deleting files is done by NTFS on request of the application, and NTFS ensures the integrity of the MFT.

 

Some CC users apparently run a WFS (not Drive Wiper) with Wipe MFT checked, and then cancel the WFS after the MFT has been wiped. This seems effective if clumsy. It would be nice if CC could offer Wipe MFT as a separate function.

 

Alternatively just stop cleaning for a while, and keep an eye on the MFT with Recuva normal scans. Eventually the free records in the MFT will reduce to a few, when a CC clean should be run.

 

I'm not sure what your last sentence means. I think you're saying that if you try to zap (using a hex editor for instance) an MFT record then you could be zapping the details of a live file just that minute created. Yes, I guess so, although the problems with cache etc. make this exercise suicidal.


Yes, exactly.

Statistically on average no live file will be created and use that record whilst I am zapping it,

but in practice Windows displays an evil intelligence that knows exactly how and when it will do the unexpected to achieve maximum distress :wacko:

 

Regards

Alan

