Channel: Active questions tagged python - Stack Overflow
How to open $MFT in Python?


I need to open "//?/D:/$MFT" in binary read mode to parse its contents. I need the raw binary data from the Master File Table to resolve File Record Segments from "D:/System Volume Information/Chkdsk/Chkdsk%y%m%d%H%M%S.log".

Long story short, there was a power outage that caused filesystem corruption. I ran chkdsk /f D: right away, and I think some files may be corrupted because of said command. It said 107855 data files were processed. I want to know which files were affected, check whether they are corrupt, and delete them if they are.

I am extremely well versed in computers and programming if my reputation points don't tell you that.

Trying to open it using the usual syntax will result in... You guessed it:

    In [142]: mft = open("//?/D:/$MFT", 'rb')
    ---------------------------------------------------------------------------
    PermissionError                           Traceback (most recent call last)
    Cell In[142], line 1
    ----> 1 mft = open("//?/D:/$MFT", 'rb')

    File C:\Python310\lib\site-packages\IPython\core\interactiveshell.py:284, in _modified_open(file, *args, **kwargs)
        277 if file in {0, 1, 2}:
        278     raise ValueError(
        279         f"IPython won't let you open fd={file} by default "
        280         "as it is likely to crash IPython. If you know what you are doing, "
        281         "you can use builtins' open."
        282     )
    --> 284 return io_open(file, *args, **kwargs)

    PermissionError: [Errno 13] Permission denied: '//?/D:/$MFT'

Before you ask, of course I ran with Administrator privileges, in fact I have disabled LUAC via registry hack. I still get PermissionDenied. I know exactly what I am doing.

Googling "python open mft" gives me only a handful of relevant results, like "Trying to get MFT table from Python 3" and "Get hex-values / raw data from $MFT on NTFS Filesystem"; none are useful.

Libraries like analyzeMFT are ancient and written for Python 2. I have looked at the source code and found it to be very poorly written. I already know the raw binary structure of the 1024B records and have done enough research to write a good parser, but I just can't get access to the file.

analyzeMFT, when installed via PyPI (pip install analyzeMFT), installs the Python 2 version, which cannot even be imported in Python 3:

    In [144]: import analyzemft
    ---------------------------------------------------------------------------
    ModuleNotFoundError                       Traceback (most recent call last)
    Cell In[144], line 1
    ----> 1 import analyzemft

    File C:\Python310\lib\site-packages\analyzemft\__init__.py:2
          1 __all__ = ["mftutils", "mft", "mftsession", "bitparse"]
    ----> 2 import bitparse
          3 import mft
          4 import mftsession

    ModuleNotFoundError: No module named 'bitparse'

I know it should be from . import bitparse, but the script files in GitHub are already patched to Python 3 and so I have copy-pasted all script files to "%pythondir%/Lib/site-packages/analyzeMFT".

And nope, it doesn't work; utilities like it only work on a dumped copy of the Master File Table and not the "hot" one:

    PS C:\Users\Xeni> analyzeMFT -f '//?/D:/$MFT'
    Unable to open file: //?/D:/$MFT

And they only generate human-readable text serializations; I need the raw data in memory, which they don't expose.

How can I open "//?/D:/$MFT" "hot"?
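
Once the table's bytes are in memory, resolving a File Record Segment number from the chkdsk log means indexing 1024-byte records and verifying each record's update sequence array. The sketch below is an added example, not part of the original question: it assumes a dumped copy of $MFT (segment N at byte offset N × 1024) and a 512-byte fixup stride, and the helper names and sample record are constructed for illustration.

```python
import struct

RECORD_SIZE = 1024  # record size stated in the question
SECTOR_SIZE = 512   # assumption: fixup stride of 512 bytes


def apply_fixups(raw: bytes) -> bytes:
    """Verify and undo the update sequence array of one FILE record."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    if usa_count != RECORD_SIZE // SECTOR_SIZE + 1 or usa_off + 2 * usa_count > SECTOR_SIZE - 2:
        raise ValueError("implausible update sequence array")
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if bytes(rec[end - 2:end]) != usn:  # sector tail must carry the USN
            raise ValueError(f"sector {i} fails the update sequence check")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def read_segment(mft: bytes, segment: int) -> dict:
    """Parse the header of file record segment `segment` from a dumped $MFT."""
    raw = mft[segment * RECORD_SIZE:(segment + 1) * RECORD_SIZE]
    if len(raw) != RECORD_SIZE:
        raise IndexError(f"segment {segment} is beyond the end of the dump")
    if raw[:4] != b"FILE":
        raise ValueError(f"segment {segment}: signature {raw[:4]!r}, not b'FILE'")
    rec = apply_fixups(raw)
    seq, links, attr_off, flags, used, _alloc = struct.unpack_from("<HHHHII", rec, 16)
    return {"segment": segment, "sequence": seq, "hard_links": links,
            "in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02),
            "first_attr_offset": attr_off, "used_size": used, "record": rec}


def build_sample_record(flags: int = 0x01, usn: int = 5) -> bytes:
    """Constructed record for the demo (not real disk data)."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 48, 3)  # USA at offset 48: USN + 2 entries
    struct.pack_into("<HHHHII", rec, 16, 7, 1, 56, flags, 64, RECORD_SIZE)
    rec[510:512], rec[1022:1024] = b"\xaa\xbb", b"\xcc\xdd"  # true sector tails
    struct.pack_into("<H", rec, 48, usn)
    for i in (1, 2):  # stash the true tails in the USA, stamp the USN on disk
        end = i * SECTOR_SIZE
        rec[48 + 2 * i:50 + 2 * i] = rec[end - 2:end]
        struct.pack_into("<H", rec, end - 2, usn)
    return bytes(rec)
```

A record that fails the update sequence check was only partly written to disk, which is the kind of damage an abrupt power loss can leave in a file record.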

