Originally published in INSIGHT on Windows NT/2000 eLetter the Diskeeper
newsletter.
Which version of NTFS am I running?
by John Joseph
Diskeeper Development Section
Recently, one of our Tech Support representatives came to me with an
interesting problem. A user who had recently installed Diskeeper called in to
Tech Support claiming that Diskeeper had done something to his Windows NT4
system that rendered CHKDSK unusable on his NTFS drives.
The rep had reviewed with this user that installing Windows 2000 would have
just this effect: Windows 2000 does a “conversion” of NT4-type NTFS volumes to
Windows 2000-type NTFS volumes.
The user remained unconvinced, however. He’d never installed Windows 2000 on
this machine, or even brought Windows 2000 near the machine. He was insistent on
this and basically refused to believe the rep. Now baffled, the rep wanted a way
to find out what version of NTFS was running on this system, and came to me for
help.
So I dragged out the Windows NT4 Resource Kit, and found the tool DSKPROBE.
Here’s the procedure we came up with to examine a volume’s NTFS version:
- Drag out your Resource Kit and put DSKPROBE somewhere you can run it. A
diskette is fine if it’ll fit. There’s no “installation procedure”. All you need
is the .exe.
- Make sure you’re logged on as an Administrator and that the drive you want
to examine is local (not networked).
- Make sure you know what volume you’re going to examine. (X:)
- Run DSKPROBE.EXE.
- Select DRIVE->LOGICAL VOLUME
- Double-click on the volume you’re examining. This will open handle zero to
that drive.
- Click on SET ACTIVE in the HANDLE 0 area. LEAVE THE READ-ONLY BOX CHECKED.
- Click “OK”.
- Select SECTORS->READ and read in sector 0 for length 1.
- Select VIEW->NTFS BOOT SECTOR
- Click the “GO” button next to “Clusters to MFT”
- Select VIEW->BYTES.
- Select SECTORS->READ
- Leave the “STARTING SECTOR” value alone.
- Make “Number of Sectors” be 8, and click on READ.
- You have just read in the first 4 MFT records. We’re looking for MFT record
number 3, so we must click on the right arrow in the tool bar six times.
- You will end up looking at the first half of MFT record 3, the MFT record
for $Volume. You will see the text “$Volume” in the display.
- There are 16 columns of hex digits. Looking down column 0 or 8, you will
find a hex “70”. Here’s where I found it on my machine:1B0 70 00 00 00 28 00 00 00 00 00 18 00 00 00 05 00
1C0 0C 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00
1D0 03 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00(You may have to go to the next sector to see the “70”.)
- At the line starting with 1D0 is a “03 00”. This value is 32 bytes past the
“70”. “03 00” means this volume is running NTFS version 3.0.
- If you’re running NT4 you’ll usually see “01 02”. This is NTFS version 1.2.
- If, perchance, you’re running an XP beta, you’ll most likely see the value
“03 01”, meaning this volume is running NTFS version 3.1.
turned out when we gave the user the procedure, the value he saw was “03 00”.
Somehow, Windows 2000 *had* seen the machine, but we had no explanation for how
it got that way. Neither did the user, but he swore he’d get to the bottom of
it.
A few days later, the user called back in and, embarrassed, told us that his
kid had tried to install Windows 2000 on the machine one Saturday morning when
he was in bed fast asleep. The kid apparently didn’t finish the installation but
did leave the evidence behind….
Sorry, kid. You’ve been busted
(C) 2001 Executive Software International, Inc. All Rights
Reserved. Executive Software and Diskeeper are trademarks owned by Executive
Software International, Inc.
