{"id":13291,"date":"2011-07-17T00:01:00","date_gmt":"2011-07-17T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2011\/07\/17\/learn-how-to-use-sysinternals-ntfsinfo-cmd-in-powershell\/"},"modified":"2011-07-17T00:01:00","modified_gmt":"2011-07-17T00:01:00","slug":"learn-how-to-use-sysinternals-ntfsinfo-cmd-in-powershell","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/learn-how-to-use-sysinternals-ntfsinfo-cmd-in-powershell\/","title":{"rendered":"Learn How to Use Sysinternals Ntfsinfo Cmd in PowerShell"},"content":{"rendered":"

Summary<\/strong>: Learn how to use Sysinternals ntfsinfo command in Windows PowerShell.\n \nWeekend Scripter: Windows PowerShell and the Legacy–Hero Worship<\/strong><\/span>\nMicrosoft Scripting Guy Ed Wilson here. Sean Kearney writes today more about legacy and Windows PowerShell. See his first blog posts on the topic<\/a>, as well as yesterday’s blog post<\/a>.\n<\/span><\/b> \nThe door to the Scripting Room opens to an unusual sight. The student is bowing and paying homage to a square blue object. “I am not worthy! I am not worthy! Please be kind upon thy little servant! Oh, mighty digital one! Oh, King of Security! I am not worthy! I am not worthy! I am not…”\nThe Scripting Guy quietly peers about to find his student kneeling and bowing before a copy of Zero Day<\/i> by Mark Russinovich. “Good choice,” he thinks to himself “but we need to break this hero worship. If he ever sees Mark, he’ll fall down the stairs running away.” He taps the student on the shoulder, which causes arms flailing in the air. “Aihaihgiahgihaighiaghghighaghih!!”\nThe Scripting Guy shakes his head in wonder. “You do know that no program is perfect, don’t you? Even things written by the Great One can be improved.” Again, the clunking of the jaw against the ground in disbelief is heard and a shaking of the head is witnessed.\n“You know of a great utility called NTFSINFO.EXE that Sysinternals<\/a> wrote to display details about NTFS volumes, don’t you?” The student nods vigorously and is about to begin bowing to his newly acquired copy of Zero Day<\/i> when the Scripting Guy gently moves the book away with one phrase. “We can improve NTFSINFO.EXE with Windows PowerShell, you know.” Knowing The Scripting Guy would never lie, the young one sits down for this lesson. “Oooooooo” is all that can be heard from his lips.\n“We know that if you run NTFSINFO.EXE with a drive letter like this…”<\/p>\n

NTFSINFO.EXE C:<\/i>\n“…it will return details like this.”<\/p>\n

NTFS Information Dump V1.01
Copyright (C) 1997 Mark Russinovich
http:\/\/www.sysinternals.com<\/p>\n

Volume Size
———–
Volume size : 304931 MB
Total sectors : 624500735
Total clusters : 78062591
Free clusters : 6429565
Free space : 25115 MB (8% of drive)<\/p>\n

Allocation Size
—————-
Bytes per sector : 512
Bytes per cluster : 4096
Bytes per MFT record : 1024
Clusters per MFT record: 0<\/p>\n

MFT Information
—————
MFT size : 327 MB (0% of drive)
MFT start cluster : 786432
MFT zone clusters : 16593056 – 16593088
MFT zone size : 0 MB (0% of drive)
MFT mirror start : 2<\/p>\n

Meta-Data files
—————<\/i>\n“So! Let’s just say we would like to have all of this data broken out so that we could access it in an easier-to-use fashion, or perhaps bring it to something like Out-Gridview. This program won’t do that.”\nThe student nods. “It is just text on the screen.”\n“No, remember. It’s an object. So we just need to figure out how to manipulate it. So looking at this object it appears there is a pattern in the output. Each line we want has a blank space, a colon, and another blank space following. So our first task is to search out the data with a SELECT-STRING statement and store it away”:<\/p>\n

$RESULTS=(NTFSINFO.EXE C:) | SELECT-STRING “ : “<\/i>\nIf we examine $RESULTS, we will find we have nothing but lines with the needed data. We can now step through the list and grab the header and data from each line with a quick FOREACH and a bit of splitting and trimming. But we need to switch the output to a string first. If we run a GET-MEMBER, we’ll note that the output of SELECT-STRING isn’t actually a string but a MatchInfo<\/b> object. But we have a tostring()<\/b> method available with this object, so we can leverage that\nSo we’ll build a small advanced function to parse the data with New-Object. This way we can leverage the power of the pipeline and send the data to other Windows PowerShell cmdlets, such as OUT-GRIDVIEW:<\/p>\n

function global:Split-Result()
{
param
(
[parameter(ValueFromPipeline=$true,
Mandatory=$true)]
[Array]$MATCHRESULT
)<\/p>\n

process
{
$ReturnData=NEW-OBJECT PSOBJECT –property @{Title=’’;Value=’’}
$DATA=$Matchresult[0].tostring().split(“:”)
$ReturnData.Title=$Data[0].trim()
$ReturnData.Value=$Data[1].trim()
Return $ReturnData
}
}<\/p>\n

Now that we can work through the data results in the pipeline, we can do something fun like this:<\/p>\n

$Results | Split-Result | Out-Gridview<\/i>\n“This will output the results from Mr. Russinovich’s program into a GUI. So what do you think of that?”\nHis only answer was to quickly replace his copy of Zero Day<\/i> with Windows<\/i> PowerShell Step by Step<\/i> and began prostrating anew.\n“I am not worthy! Please be kind to this meek one! Oh, mighty scripter! Oh, King of the Shell! I am humbled! I am your servant. I am….”\nThe Scripting Guy walked out of the room quietly shaking his head with a smile. “Hero worship, I remember it well.”<\/b><\/em>\n \nThanks again, Sean!\nI invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.\nEd Wilson, Microsoft Scripting Guy<\/b>\n \n <\/p>\n","protected":false},"excerpt":{"rendered":"

Summary: Learn how to use Sysinternals ntfsinfo command in Windows PowerShell.   Weekend Scripter: Windows PowerShell and the Legacy–Hero Worship Microsoft Scripting Guy Ed Wilson here. Sean Kearney writes today more about legacy and Windows PowerShell. See his first blog posts on the topic, as well as yesterday’s blog post.   The door to the […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[51,56,2,3,4,154,45],"class_list":["post-13291","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-getting-started","tag-guest-blogger","tag-running","tag-scripting-guy","tag-scripting-techniques","tag-sean-kearney","tag-windows-powershell"],"acf":[],"blog_post_summary":"

Summary: Learn how to use Sysinternals ntfsinfo command in Windows PowerShell.   Weekend Scripter: Windows PowerShell and the Legacy–Hero Worship Microsoft Scripting Guy Ed Wilson here. Sean Kearney writes today more about legacy and Windows PowerShell. See his first blog posts on the topic, as well as yesterday’s blog post.   The door to the […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/13291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=13291"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/13291\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=13291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=13291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=13291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}