Learn How to Use Sysinternals Ntfsinfo Cmd in PowerShell


Summary: Learn how to use Sysinternals ntfsinfo command in Windows PowerShell.

 

Weekend Scripter: Windows PowerShell and the Legacy--Hero Worship

Microsoft Scripting Guy Ed Wilson here. Sean Kearney writes today more about legacy and Windows PowerShell. See his first blog posts on the topic, as well as yesterday’s blog post.

 

The door to the Scripting Room opens to an unusual sight. The student is bowing and paying homage to a square blue object. “I am not worthy! I am not worthy! Please be kind upon thy little servant! Oh, mighty digital one! Oh, King of Security! I am not worthy! I am not worthy! I am not…”

The Scripting Guy quietly peers about to find his student kneeling and bowing before a copy of Zero Day by Mark Russinovich. “Good choice,” he thinks to himself, “but we need to break this hero worship. If he ever sees Mark, he’ll fall down the stairs running away.” He taps the student on the shoulder, which causes arms flailing in the air. “Aihaihgiahgihaighiaghghighaghih!!”

The Scripting Guy shakes his head in wonder. “You do know that no program is perfect, don’t you? Even things written by the Great One can be improved.” Again, the clunking of the jaw against the ground in disbelief is heard and a shaking of the head is witnessed.

“You know of a great utility called NTFSINFO.EXE that Sysinternals wrote to display details about NTFS volumes, don’t you?” The student nods vigorously and is about to begin bowing to his newly acquired copy of Zero Day when the Scripting Guy gently moves the book away with one phrase. “We can improve NTFSINFO.EXE with Windows PowerShell, you know.” Knowing The Scripting Guy would never lie, the young one sits down for this lesson. “Oooooooo” is all that can be heard from his lips.

“We know that if you run NTFSINFO.EXE with a drive letter like this…”

NTFSINFO.EXE C:\

“…it will return details like this.”

NTFS Information Dump V1.01
Copyright (C) 1997 Mark Russinovich
http://www.sysinternals.com

Volume Size
-----------
Volume size : 304931 MB
Total sectors : 624500735
Total clusters : 78062591
Free clusters : 6429565
Free space : 25115 MB (8% of drive)

Allocation Size
----------------
Bytes per sector : 512
Bytes per cluster : 4096
Bytes per MFT record : 1024
Clusters per MFT record: 0

MFT Information
---------------
MFT size : 327 MB (0% of drive)
MFT start cluster : 786432
MFT zone clusters : 16593056 - 16593088
MFT zone size : 0 MB (0% of drive)
MFT mirror start : 2

Meta-Data files
---------------

“So! Let’s just say we would like to have all of this data broken out so that we could access it in an easier-to-use fashion, or perhaps bring it to something like Out-Gridview. This program won’t do that.”

The student nods. “It is just text on the screen.”

“No, remember. It’s an object. So we just need to figure out how to manipulate it. So looking at this object it appears there is a pattern in the output. Each line we want has a blank space, a colon, and another blank space following. So our first task is to search out the data with a SELECT-STRING statement and store it away”:

$RESULTS=(NTFSINFO.EXE C:\) | SELECT-STRING " : "

If we examine $RESULTS, we will find we have nothing but lines with the needed data. We can now step through the list and grab the header and data from each line with a quick FOREACH and a bit of splitting and trimming. But we need to switch the output to a string first. If we run a GET-MEMBER, we’ll note that the output of SELECT-STRING isn’t actually a string but a MatchInfo object. But we have a tostring() method available with this object, so we can leverage that.

So we’ll build a small advanced function to parse the data with New-Object. This way we can leverage the power of the pipeline and send the data to other Windows PowerShell cmdlets, such as OUT-GRIDVIEW:

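function global:Split-Result()
{
    param
    (
        [parameter(ValueFromPipeline=$true,
        Mandatory=$true)]
        [Array]$MATCHRESULT
    )

    process
    {
        # Start with an empty object holding the two properties we will fill in
        $ReturnData=NEW-OBJECT PSOBJECT -property @{Title='';Value=''}
        # Turn the MatchInfo object into a string and split at the first colon only,
        # so a value that itself contains a colon is not cut short
        $DATA=$Matchresult[0].tostring().split(":",2)
        $ReturnData.Title=$Data[0].trim()
        $ReturnData.Value=$Data[1].trim()
        Return $ReturnData
    }
}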

Now that we can work through the data results in the pipeline, we can do something fun like this:

$Results | Split-Result | Out-Gridview

“This will output the results from Mr. Russinovich’s program into a GUI. So what do you think of that?”

His only answer was to quickly replace his copy of Zero Day with Windows PowerShell Step by Step and begin prostrating anew.

“I am not worthy! Please be kind to this meek one! Oh, mighty scripter! Oh, King of the Shell! I am humbled! I am your servant. I am….”

The Scripting Guy walked out of the room quietly shaking his head with a smile. “Hero worship, I remember it well.”
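The parsing idea from the lesson above, as an added example that is not part of the original post: it keeps the section heading for each value and also catches the `Clusters per MFT record: 0` line, which has no space before the colon. The function name `ConvertFrom-NtfsInfo` is hypothetical, and `$sample` is constructed from the output shown earlier so the block runs without NTFSINFO.EXE.

```powershell
# Added example: parse ntfsinfo-style text into one object per "Name : Value" line.
# $sample is constructed from the output shown in the article so this runs offline;
# on a live system replace it with:  $sample = NTFSINFO.EXE C:\
$sample = @'
Volume Size
-----------
Volume size : 304931 MB
Free space : 25115 MB (8% of drive)

Allocation Size
----------------
Bytes per cluster : 4096
Clusters per MFT record: 0

MFT Information
---------------
MFT start cluster : 786432
MFT zone clusters : 16593056 - 16593088
'@ -split "`r?`n"

function ConvertFrom-NtfsInfo {   # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline = $true)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin { $section = ''; $previous = '' }
    process {
        if ($Line -match '^-{3,}\s*$') {
            # A dashed underline means the previous line was a section heading
            $section = $previous.Trim()
        }
        elseif ($Line -match '^\s*(?<Title>[^:]+?)\s*:\s+(?<Value>.+?)\s*$') {
            # Split on the first colon only; whitespace before it is optional
            [pscustomobject]@{
                Section = $section
                Title   = $Matches['Title']
                Value   = $Matches['Value']
            }
        }
        $previous = $Line
    }
}

$parsed = $sample | ConvertFrom-NtfsInfo
$parsed | Format-Table -AutoSize
```

Pipe `$parsed` to Out-GridView instead of Format-Table to get the same GUI view as in the lesson, or filter it with Where-Object on the Section property.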

 

Thanks again, Sean!

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy

 

 

  • Hello,

    on my laptop, select-string " : " makes one line disappear:

    Clusters per MFT record: 0

    no space before the ":"

    select-string ": " is ok

  • Thank you Sean, an excellent post.

    As another variant: =)

    (NTFSINFO.EXE C:\) -match " :" -replace ":","="| ConvertFrom-StringData

  • Kazun - great call.  That is how to leverage PowerShell.  Use a declarative approach and co-opt syntax operators to coax PowerShell into doing all of the work for you.  

    You eyeballed that one in a very impressive way.

    Thanks to both of you Sean and Kazun (Ed too)

  • Hello Sean,

    nice to read through your article.

    If we want objects in PS ... we can have them ... somehow!

    The function does obviously what it is supposed to do.

    But I really love Kazun's solution!

    I haven't thought of the ConvertFrom-StringData Cmdlet much ... up to now ...

    But this is really an excellent example of how to use it!!! Thanks for sharing it!

    Klaus

  • Klaus and Kazun

    LOVE the Alternate solution!  This is one of the things I love about posting a solution to Scripting Guys.  It's not that it's the RIGHT or the BEST solution but that it gets people thinking "Hey, cool but if I do it this way..."

    Beautiful job Kazun!

    Keep on Scripting!

    Sean

    "The Energized Tech"

  • I am getting an access is denied problem.