NTFS File System Tunneling (…is stupid …and wrong)

I will keep this short… I’ve already spent far too much time on this easy to work around peculiarity of NTFS and how it associates file meta information under the hood…

Consider this console app: http://pastebin.com/66QABWS3

If you were to actually read this (don’t feel too bad if you didn’t – the last link will explain it all) and didn’t have knowledge of the magic going on behind the scenes, you may be fooled into thinking that this application would write out “42” at some point in it’s lifetime…

Unfortunately, reasoning such as that would be based in reality – where up is up, down is down and true doesn’t equal false.  I say ‘unfortunately, due to the fact that this is not the reality that your NTFS file system (if you have one) is operating in…

It is actually operating in a place where when one thing dies, another assumes its identity and carries on its life as if it is the original thing – clearly it isn’t, but your NTFS file system assures you that it is…

NTFS is telling you: “This file that you create and then delete every 10 seconds, as you have for the last month and a half… Well, it wasn’t just created 9.9 seconds ago.. No.. It was created a month and half ago… Really it was… I don’t care that you just deleted it and then recreated a COMPLETELY NEW file in it’s place – THIS IS THE FILE CREATED ONE AND A HALF MONTHS AGO. FER-REAL-ZIES!”

Welcome to the nonsensical world of NT File System Tunneling …

-Matt

Leave a Reply