Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
No Starch Press

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents

· Introduction to Operating Systems
· Linux Basics
· Working with the System
· Shells and Utilities
· Editing Files
· Basic Administration
· The Operating System
· The X Windowing System
· The Computer Itself
· Networking
· System Monitoring
· Solving Problems
· Security
· Installing and Upgrading
· Linux and Windows

Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
Copyright Info
Terms of Use
Privacy Info
Masthead / Impressum
Your Account

Private Messages

News Archive
Submit News
User Articles
Web Links


The Web

Who's Online
There are currently, 70 guest(s) and 0 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here




       ntfsundelete [ options ] device


       ntfsundelete has three modes of operation: scan,  undelete
       and copy.

       The  default  mode,  scan  simply reads an NTFS Volume and
       looks for files that have  been  deleted.   Then  it  will
       print a list giving the inode number, name and size.

       The  undelete mode takes the inode and recovers as much of
       the data as possible.  It  saves  the  result  to  another
       location.   Partly  for  safety,  but  mostly because NTFS
       write support isn't finished.

       This is a wizard's option.  It will save a portion of  the
       MFT  to  a file.  This probably only be useful when debug­
       ging ntfsundelete

       ntfsundelete only ever reads from the NTFS  Volume.   ntf­
       sundelete will never change the volume.


       ntfsundelete cannot perform the impossible.

       When  a file is deleted the MFT Record is marked as not in
       use and the bitmap representing the disk usage is updated.
       If the power isn't turned off immediately, the free space,
       where the file  used  to  live,  may  become  overwritten.
       Worse,  the MFT Record may be reused for another file.  If
       this happens it is impossible to tell where the  file  was
       on disk.

       Even  if  all the clusters of a file are not in use, there
       is no guarantee that they haven't been overwritten by some
       short-lived file.

       In  NTFS  all  the  filenames are stored as Unicode.  They
       will be converted into the current locale for  display  by
       ntfsundelete.  The utility has successfully displayed some
       Chinese pictogram filenames and then  correctly  recovered

   Extended MFT Records
       In  rare  circumstances,  a  single MFT Record will not be
       metadata.  Unfortunately, this isn't always intact.   When
       a  file  is deleted, the metadata can be left in an incon­
       sistant state. e.g.  the file size may be zero; the  dates
       of the file may be set to the time it was deleted, or ran­
       To be safe ntfsundelete will pick the largest file size it
       finds  and  write  that to disk.  It will also try and set
       the file's date to the last modified date.  This date  may
       be  the  correct  last  modified  date, or something unex­


       Below is a summary of all the  options  that  ntfsundelete
       accepts.   All  options  have  two  equivalent names.  The
       short name is preceded by - and the long name is  preceded
       by  --.   Any  single  letter  options, that don't take an
       argument, can be combined into a single command, e.g.  -fv
       is  equivalent to -f -v.  Long named options can be abbre­
       viated to any unique prefix of their name.

       -b num
       --byte num
              If any clusters of the file  cannot  be  recovered,
              the  missing  parts  will be filled with this byte.
              The default is zeros.

       --case When scanning an NTFS volume, any filename matching
              (using  the  --match  option)  is case-insensitive.
              This option makes the maching case-sensitive.

       -c range
       --copy range
              This wizard's option will write a block of MFT FILE
              records  to  a file.  The default file is mft which
              will be created in  the  current  directory.   This
              option can be combined with the --output and --des­
              tination options.

       -d dir
       --destination dir
              This option controls where to put the  output  file
              of the --undelete and --copy options.

              This  will override some sensible defaults, such as
              not overwriting an existing file.  Use this  option
              with caution.

       --help Show  a list of options with a brief description of
              Use this option to set name  of  output  file  that
              --undelete or --copy will create.

       -p num
       --percentage num
              Filter  the  output  of  the --scan option, by only
              matching files with a certain amount of recoverable
              content.   Please read the caveats section for more

              Reduce the amount of output to  a  minimum.   Natu­
              rally, it doesn't make sense to combine this option
              with --scan.

       --scan Search through an NTFS volume and print a  list  of
              files that could be recovered.  This is the default
              action of ntfsundelete.  This list can be  filtered
              by  filename,  size, percentage recoverable or last
              modification  time,  using  the  --match,   --size,
              --percent and --time options, respectively.

              The output of scan will be:

              Inode  Flags  %age     Date      Size  Filename
               6038  FN..    93%  2002-07-17  26629  thesis.doc
              Flag   Description
              F/D    File/Directory
              N/R    (Non-)Resident data stream
              C/E    Compressed/Encrypted data stream
              !      Missing attributes

              The percentage field shows how much of the file can
              potentially be recovered.

       -S range
       --size range
              Filter the output of the --scan option, by  looking
              for  a  particular  range of file sizes.  The range
              may be specified as two numbers separated by a '-'.
              The  sizes may be abbreviated using the suffixes k,
              m, g, t, for kilobytes,  megabytes,  gigabytes  and
              terabytes respectively.

       -t since
       --time since
              Filter the output of the --scan option.  Only match
              files that have been altered since this time.   The
              time  must  be given as number using a suffix of d,
              w, m, y for days, weeks, months or years ago.
              Show the version number, copyright and license ntf­


       Look for deleted files on /dev/hda1.

              ntfsundelete /dev/hda1

       Look for deleted documents on /dev/hda1.

              ntfsundelete /dev/hda1 -s -m '*.doc'

       Look for deleted files between  5000  and  6000000  bytes,
       with at least 90% of the data recoverable, on /dev/hda1.

              ntfsundelete /dev/hda1 -S 5k-6m -p 90

       Look for deleted files altered in the last two days

              ntfsundelete /dev/hda1 -t 2d

       Undelete  inode  number 3689, call the file 'work.doc' and
       put it in the user's home directory.

              ntfsundelete /dev/hda1 -u 3689 -o work.doc -d ~

       Save MFT Records 3689 to 3690 to a file 'debug'

              ntfsundelete /dev/hda1 -c 3689-3690 -o debug


       There are some small limitations to this program, but cur­
       rently  no  known  bugs.   If you find one, please send an
       email to <linux-ntfs-dev@lists.sf.net>


       ntfsundelete  was  written  by  Richard  Russon  (FlatCap)
       If  you find this tool useful, make FlatCap happy and send
       him an email.


       ntfsundelete is part of  the  linux-ntfs  package  and  is
       available from


       ntfsinfo(8), ntfsprogs(8)


There are several different ways to navigate the tutorial.



Security Code
Security Code
Type Security Code

Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!

Amazon Wish List

Did You Know?
The Linux Tutorial can use your help.


Tell a Friend About Us

Bookmark and Share

Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.09 Seconds