What is NTFS?
NTFS (New Technology File System) is Microsoft's primary filesystem, introduced with Windows NT in 1993 and still the default for all Windows installations today. Understanding NTFS matters beyond Windows: external drives, dual-boot systems, and cross-platform data sharing all involve NTFS.
The key innovation in NTFS is treating everything as a file record in a database-like structure. This design enables features like journaling, access control lists, and alternate data streams that simpler filesystems lack.
The Core Problem
How do you efficiently organize millions of files on a multi-terabyte drive? Traditional approaches like FAT's File Allocation Table become unwieldy at scale. NTFS solves this with a relational approach: the Master File Table (MFT).
The Master File Table
The MFT is a special file containing one record for every file and directory on the volume. Think of it as a database where each row describes a file through a set of attributes.
MFT Record Structure:
- Fixed size: Typically 1KB per record (configurable at format time)
- Attribute-based: Files aren't raw data - they're collections of typed attributes
- Self-referential: The MFT itself is the first record ($MFT, record #0)
Key attributes stored in each MFT record:
$STANDARD_INFORMATION- timestamps, DOS attributes, security ID$FILE_NAME- the filename and parent directory reference$DATA- the actual file content (or pointers to it)$SECURITY_DESCRIPTOR- access control lists (ACLs)
Resident vs Non-Resident: The Key Insight
NTFS makes a clever optimization based on file size. Toggle below to see how storage differs:
Resident: Small files fit entirely within the MFT record. No separate cluster allocation needed. Single disk read retrieves both metadata and content.
Why this matters:
- Small files (configs, shortcuts, tiny scripts) get single-read performance
- No wasted cluster space for files under ~700 bytes
- Metadata and data retrieved together for resident files
This is why NTFS handles millions of small files more efficiently than you might expect from a Windows filesystem.
System Metadata Files
The first 16 MFT records are reserved for critical system files. The most important:
| Record | Name | Purpose |
|---|---|---|
| 0 | $MFT | The Master File Table itself |
| 1 | $MFTMirr | Backup of first 4 MFT records |
| 2 | $LogFile | Transaction journal for crash recovery |
| 5 | . (root) | Root directory of the filesystem |
| 6 | $Bitmap | Cluster allocation bitmap |
These files are hidden from normal directory listings but essential for filesystem integrity. Corruption here typically means an unrecoverable filesystem.
NTFS Features Enabled by MFT
The attribute-based design enables several advanced features:
Journaling: The $LogFile records all metadata changes before they're applied. After a crash, NTFS replays or rolls back incomplete transactions - no fsck required.
Alternate Data Streams (ADS): A file can have multiple $DATA attributes. The default stream is what you normally see; additional streams are hidden but accessible via filename:streamname syntax.
Compression & Encryption: The $DATA attribute can be transparently compressed (LZNT1) or encrypted (EFS). This happens at the attribute level, not the whole file.
Hard Links: Multiple $FILE_NAME attributes can point to the same MFT record, enabling Unix-style hard links on Windows.
When to Use NTFS
Good for:
- Windows system drives (required for Windows installation)
- External drives shared between Windows machines
- Drives needing permissions, encryption, or compression
- Large files (supports up to 16TB per file)
Consider alternatives for:
- Linux-only systems (ext4 or Btrfs offer better performance)
- Cross-platform removable media (exFAT has fewer compatibility issues)
- Simple USB drives (FAT32 works everywhere for files under 4GB)
Related Concepts
- Filesystem Journaling - How $LogFile enables crash recovery
- FAT Filesystems - The simpler predecessor to NTFS
- ext4 - Linux's native filesystem alternative
- Btrfs - Modern copy-on-write filesystem