Design a site like this with WordPress.com
Get started

fsutil – a useful tool

Posted on by debbielesterjones

While studying for my GIAC Certified Forensic Examiner (GCFE) certification, I came across a paragraph in my study material that is explaining unallocated vs. allocated diskspace and what can be recovered.  The material says:

“Windows writes file information in sector-sized chunks.  If the file is 1280 bytes in length and the cluster size is 2048, then Windows will write to the first three sectors… Windows will use the null byte \x00 as a filler until the end of the sector, not the cluster.”

After reading this, I thought, how big is a sector on a partition and how can I see the sector size in Windows?  There are a few ways to do this (like PowerShell and System Information), but there is also a tool called fsutil that can show disk, partition, and volume details and much more. 

A few notes about fsutil:  this tool requires administrative elevation and you should have a good understanding of the tool and your filesystem before you use it.  Also, fsutil requires the Windows Subsystem for Linux.

Some things you can do with fsutil

You can view the sector size (which will likely be 512 bytes) with the following command:

fsutil fsinfo sectorinfo <drive letter>:

Want to encrypt your pagefile?  (The default value of 0 does not encrypt your pagefile).  Try this:

fsutil behavior set encryptpagingfile 1

How about disabling the creation of 8dot3 filenames?

fsutil behavior set disable8dot3 1

Seeing too many or two few quota notifications in the event log?  Change how often NTFS quota violations are reported to the event log:

fsutil behavior set quotanotify <number of seconds>(default is 3600)

You can view the current setting for these behaviors with:

fsutil behavior query <encryptpagingfile, disable8dot3, quotanotify>

Here are some other things you can do with fsutil:

  • Manage your NTFS quotas and search for violations in logs
  • Disable/enable encryption and compression
  • Check or set the dirty bit on a file system (causing a chkdsk to run at the next reboot)
  • Optimize metadata
  • List drives along with details like cluster, sector, and partition sizes

For more details along with syntax visit Microsoft’s website:

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: