NTFSInfo Quick Reference: Interpretations for Administrators

Troubleshooting NTFS with NTFSInfo — Step‑by‑Step

Overview

NTFSInfo is a command-line utility (part of Sysinternals) that reports detailed NTFS volume and file metadata — useful for diagnosing allocation, MFT, and metadata corruption or configuration issues on Windows volumes.

1) Prepare and gather context

  • Run as Administrator.
  • Identify target volume (drive letter or mount point).
  • Note symptoms: slow I/O, access errors, unexpected free space, USN/replication problems.

2) Basic NTFSInfo commands

  • Run against a drive (example):

    ntfsinfo C:

  • For specific files or paths:

    ntfsinfo -f C:\path\to\file

3) Key output fields to inspect and what they mean

  • Volume serial number: verifies correct volume.
  • Bytes per sector / cluster: cluster size affects slack and allocation.
  • Total clusters / free clusters: confirms reported free space.
  • MFT start cluster / MFT record size / MFT zone size: MFT size/placement issues can cause fragmentation or allocation failures.
  • MFT mirror location: presence/validity helps recover from MFT corruption.
  • Bitmap start/size: allocation bitmap controls free/used cluster tracking.
  • Dirty bit status: indicates whether chkdsk is needed.
  • File record segment (when using -f): shows resident vs non‑resident attributes, extents, and runs.

4) Common problems and NTFSInfo indicators

  • Discrepancy in free space: bitmap or allocation metadata inconsistency — check bitmap start/size and free cluster counts.
  • MFT fragmentation/oversize: large MFT record size or many MFT zones — consider defragmenting or moving files.
  • Corrupt MFT/MFT mirror mismatch: missing/incorrect MFT mirror location or damaged file record segments — prepare chkdsk and backups.
  • Incorrect cluster size: unexpected cluster size may cause wasted space; verify bytes per cluster.
  • Dirty volume flag set: run chkdsk /f on next reboot.
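
The free-space cross-check from sections 3 and 4, as an added PowerShell example (not part of the original page and not Sysinternals code): it parses `label : value` lines and compares free clusters × bytes per cluster with the figure the OS reports. The sample text is constructed, the field labels and the 256-cluster tolerance are assumptions, and both function names are hypothetical.

```powershell
# Added example. The sample text is constructed; the field labels are assumed
# and should be adjusted to match what your ntfsinfo version prints.
$sample = @'
Total clusters         : 124,999,679
Free clusters          : 31,250,000
Bytes per sector       : 512
Bytes per cluster      : 4096
'@

function ConvertFrom-NtfsInfoText {
    # Turn "label : value" lines into a hashtable of integer fields.
    param([Parameter(Mandatory)][string]$Text)
    $fields = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<val>[\d,]+)\s*$') {
            $fields[$Matches['key']] = [int64]($Matches['val'] -replace ',', '')
        }
    }
    return $fields
}

function Test-FreeSpaceConsistency {
    # Compare free space derived from NTFS metadata with the OS-reported figure.
    param(
        [Parameter(Mandatory)][hashtable]$Fields,
        [Parameter(Mandatory)][int64]$OsFreeBytes,  # e.g. (Get-Volume -DriveLetter C).SizeRemaining
        [int64]$ToleranceClusters = 256             # assumed slack: a live volume changes between readings
    )
    foreach ($name in 'Free clusters', 'Total clusters', 'Bytes per cluster') {
        if (-not $Fields.ContainsKey($name)) { throw "Missing field: $name" }
    }
    $bpc       = $Fields['Bytes per cluster']
    $metaFree  = $Fields['Free clusters'] * $bpc
    $deltaClus = [math]::Ceiling([double][math]::Abs($metaFree - $OsFreeBytes) / $bpc)
    $freeOverTotal = $Fields['Free clusters'] -gt $Fields['Total clusters']
    [pscustomobject]@{
        MetadataFreeBytes = $metaFree
        OsFreeBytes       = $OsFreeBytes
        DeltaClusters     = $deltaClus
        FreeExceedsTotal  = $freeOverTotal
        Suspect           = $freeOverTotal -or ($deltaClus -gt $ToleranceClusters)
    }
}

$parsed = ConvertFrom-NtfsInfoText -Text $sample
# Constructed OS figure: 1,000 clusters fewer than the metadata claims.
Test-FreeSpaceConsistency -Fields $parsed -OsFreeBytes ((31250000L - 1000) * 4096)
```

A `Suspect` result is a reason to run the read-only `chkdsk C: /scan` from section 5, not evidence of corruption on its own.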

5) Remediation steps (safe, ordered)

  1. Back up important data immediately.
  2. Run CHKDSK:
    • Non‑destructive first: chkdsk C: /scan (online scan)
    • If issues found or offline needed: chkdsk C: /f /r (schedule reboot if required)
  3. If MFT issues persist: boot WinPE and run chkdsk there; restore from backup; consider specialized recovery tools.
  4. Repair filesystem metadata only after backups: use Sysinternals and vendor tools cautiously.
  5. Defragment/optimize only after integrity is verified and backups complete.

6) When to escalate

  • Repeated chkdsk failures, hardware SMART errors, or suspected hardware faults — escalate to storage vendor or data recovery specialists.

7) Quick checklist before finishing

  • Backups taken?
  • CHKDSK run and results logged?
  • Hardware SMART/logs checked?
  • MFT and bitmap parameters reviewed?
