Which version of NTFS am I running?

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Originally published in INSIGHT on Windows NT/2000 eLetter the Diskeeper newsletter.

Which version of NTFS am I running?
by John Joseph
Diskeeper Development Section

Recently, one of our Tech Support representatives came to me with an interesting problem. A user who had recently installed Diskeeper called in to Tech Support claiming that Diskeeper had done something to his Windows NT4 system that rendered CHKDSK unusable on his NTFS drives.

The rep had reviewed with this user that installing Windows 2000 would have just this effect: Windows 2000 does a "conversion" of NT4-type NTFS volumes to Windows 2000-type NTFS volumes.

The user remained unconvinced, however. He'd never installed Windows 2000 on this machine, or even brought Windows 2000 near the machine. He was insistent on this and basically refused to believe the rep. Now baffled, the rep wanted a way to find out what version of NTFS was running on this system, and came to me for help.

So I dragged out the Windows NT4 Resource Kit, and found the tool DSKPROBE. Here's the procedure we came up with to examine a volume's NTFS version:

  1. Drag out your Resource Kit and put DSKPROBE somewhere you can run it. A diskette is fine if it'll fit. There's no "installation procedure". All you need is the .exe.
  2. Make sure you're logged on as an Administrator and that the drive you want to examine is local (not networked).
  3. Make sure you know what volume you're going to examine. (X:)
  4. Run DSKPROBE.EXE.
  5. Select DRIVE->LOGICAL VOLUME
  6. Double-click on the volume you're examining. This will open handle zero to that drive.
  7. Click on SET ACTIVE in the HANDLE 0 area. LEAVE THE READ-ONLY BOX CHECKED.
  8. Click "OK".
  9. Select SECTORS->READ and read in sector 0 for length 1.
  10. Select VIEW->NTFS BOOT SECTOR
  11. Click the "GO" button next to "Clusters to MFT"
  12. Select VIEW->BYTES.
  13. Select SECTORS->READ
  14. Leave the "STARTING SECTOR" value alone.
  15. Make "Number of Sectors" be 8, and click on READ.
  16. You have just read in the first 4 MFT records. We're looking for MFT record number 3, so we must click on the right arrow in the tool bar six times.
  17. You will end up looking at the first half of MFT record 3, the MFT record for $Volume. You will see the text "$Volume" in the display.
  18. There are 16 columns of hex digits. Looking down column 0 or 8, you will find a hex "70". Here's where I found it on my machine:
        1B0 70 00 00 00 28 00 00 00 00 00 18 00 00 00 05 00
        1C0 0C 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00
        1D0 03 00 00 00 00 00 00 00 00 00 00 00 18 00 00 00
    
        (You may have to go to the next sector to see the "70".)
    
  19. At the line starting with 1D0 is a "03 00". This value is 32 bytes past the "70". "03 00" means this volume is running NTFS version 3.0.
  20. If you're running NT4 you'll usually see "01 02". This is NTFS version 1.2.
  21. If, perchance, you're running an XP beta, you'll most likely see the value "03 01", meaning this volume is running NTFS version 3.1.
Anyway, it turned out when we gave the user the procedure, the value he saw was "03 00". Somehow, Windows 2000 *had* seen the machine, but we had no explanation for how it got that way. Neither did the user, but he swore he'd get to the bottom of it.

A few days later, the user called back in and, embarrassed, told us that his kid had tried to install Windows 2000 on the machine one Saturday morning when he was in bed fast asleep. The kid apparently didn't finish the installation but did leave the evidence behind....

Sorry, kid. You've been busted

(C) 2001 Executive Software International, Inc. All Rights Reserved. Executive Software and Diskeeper are trademarks owned by Executive Software International, Inc.

Featured Links