Friday, July 13, 2012

A couple code examples of doing some low level disk stuff, like reading the MFT, with C# (and some P/Invoke)

MSDN Code Gallery - CCS LABS C#: Accessing the Master File Table


A common question in .Net circles is how do we access the Master File Table? There are plenty of discussions on the topic but very little practical help and as yet we have not found a working example for the .Net language. Thanks to code by StCroixSkipper we have developed a small application which uses his library; and present a fully operational console application which reads the MFT and displays all discovered files.

Building the Sample

This solution was built using Visual Studio 2010 on a Windows Server 2008 R2 machine. It should operate normally on any Window's operating system from Vista up. If you test this on a Windows XP machine then tell us how it performed in the Q&A Section.


There are three projects in this solution. The main console class, the MFT class, and a USNJournal class - the latter two were provided by StCroixSkipper and a discussion can be found here:

The main program which calls the MFT scanning functionality is quite short and relatively easy to understand:


CCS LABS C#: Low Level Disk Access


It is often thought that C# can not access the hard drive at a low level, that is Sectors and Track Level access. This is not true. In this tutorial we will show you how to access the hard drive at such low levels.

Building the Sample

The solution was created in Visual Studio 2010 on Windows Server 2008 R2. It should operate correctly from Vista upwards. It has not been tested on Windows XP. If you try this on Windows XP and it does function correctly then please leave a message in the Q&A section.


This code was taken from another application so not all functionality works. Nevertheless, it does show you how to access the hard drive at its lowest level. To run the application it is necessary to click on the drivelist box in the bottom left corner of the application. If you click the Tracks checkbox then the application will read the number of tracks you specfy in the Track Buffer Size text box. Otherwise it will read the drive sector by sector. Each Track or Sector is hashed as it is processed. The box on the right is non-functional. Run this application under debug only as there is no "stop" functionality - you will need to break the process in Visual Studio.

These are the kinds of code samples I don't see often, so wanted to capture and share them. There's a great of PInvoke here, as you'd expect, doing some stuff you just don't see very often, which is something I find appealing. :)

Note: To run these, VS needs to be run as admin...

Some snaps of the Projects.




No comments: