Understanding the Windows Filesystem

Microsoft’s Windows OS dominates home computing. Most people come into contact with the Windows filesystem drive, i.e. the C drive, but few know much about it. This article explains the Windows filesystem in more detail.

What is a File System?

In the field of computing, a file system is a method by which data is stored on and retrieved from the system. This data is stored in the form of files having various file extensions.

 


What is a File and File Extension?

A file is a digital object in a file system that stores information about a particular thing (photos, videos, music, etc.) as a sequence of bits, bytes, lines or records, with its meaning being defined by the user.


The Windows Filesystem:

Microsoft’s Windows uses two types of filesystems that the user comes in contact with, viz. NTFS and FAT32. Although Windows itself boots from an NTFS filesystem, it gives the user the freedom to store files on a FAT32-formatted drive as well.

 

Note: The term “file system” is often used to mean either of the following:

  • The part of the entire hierarchy of directories, or of the directory tree, that is located on a single partition or disk. (A partition is a section of a hard disk that contains only a single type of file system.)
  • The type of file system actually used to format the storage device in order to store the data, i.e. FAT32, NTFS, HFS+, EXT4, etc.

Windows traditionally assigns the letter “C” to the boot drive. This is a tradition carried forward from the MS-DOS era, where the letters “A” and “B” were assigned to two floppy disks respectively.


Windows Filesystem Directory Structure:

The Windows Filesystem drive / C-Drive typically consists of a list of directories as evident from the picture below:

Note: A few extra folders are visible since we have installed additional software on our workstation. Additional software sometimes installs itself directly in the root area of the C: Drive.

Usually, the Windows C: Drive consists of the following directories:

  • Logs: This directory contains all the event logs related to the different aspects of the user’s system as a whole. For example, logs related to system malware diagnostics can be used for security purposes.
  • Perflogs: This directory contains the logs related to system performance only. Usually this directory is empty, but if deleted it will be created again by Windows if and when needed.
  • Program Files: This is the default installation directory of 64-bit Windows software and contains all the files related to it. Also, this directory is not present if the user is using a 32-bit version of Windows OS.
  • Program Files (x86): This is the default installation directory of 32-bit Windows software and contains all the files related to it. The x86 part should not cause confusion, since it is the computing term for the 32-bit architecture as a whole.
  • Users: This directory houses each user of the computer system and stores the files and directories related to that user. It also contains the Public folder, whose sub-directories have general read/write access for everyone.
  • Windows: This directory contains all the files and directories critical for the working of Windows OS as a whole. This is perhaps the most important directory which is not to be tampered with under any circumstances.

 

 

The Windows NTFS Filesystem:

The NTFS Filesystem was introduced with Windows NT. Microsoft added many new features in this file system, such as support for many file properties, access permissions, and encryption, compared to FAT32 in the earlier Windows versions.


The NTFS Filesystem stores each file as a file descriptor in a Master File Table. The Master File Table contains all the details regarding the file. This is achieved with the help of B+ tree indexes.

 

The first and the last sectors of the NTFS File System contain the file system settings (boot record/superblock). This file system uses 48-bit and 64-bit values to reference files. This enables the NTFS File System to support high-capacity disk storage.

NTFS Filesystem Features:

  • Scalable Volume Size: NTFS supports both 4 KB and 64 KB cluster sizes and hence can support drive capacities of up to 256 TB and 16 TB respectively.
  • Journaling: NTFS contains the USN (Update Sequence Number) Journal which is used to keep track of all the changes happening to the File System over a period of time. This helps to correct any errors during the remounting of the specific volume/drive.
  • Alternate Data Streams: This is a feature, present from Windows NT to the current Windows 10, that stores multiple levels of information about a file. This is helpful when searching for a particular file either by its time, author, name, etc.
  • File Compression: NTFS can compress files using the LZNT1 algorithm, a variant of LZ77 algorithm to save essential disk space.
  • Sparse Files: These are files that contain empty bit spaces in their file structure. One benefit is that this information is stored in the file metadata and helps during file compression.
  • Volume Shadow Copy Service: This NTFS service keeps the historical and current versions of files and folders by copying them into a shadow copy area using the copy-on-write technique.
  • Transactions: NTFS uses a transaction service, similar to databases, to group all the changes that occur to files together as a single transaction. This ensures that the file is in a consistent state and that other files or services don’t unnecessarily interfere with it during some important process.
  • Security: NTFS uses ACLs (Access Control Lists) to provide security to individual files and folders; the ACL is basically a security descriptor. It further consists of two other ACLs, viz. the DACL (Discretionary Access Control List), which keeps note of what types of interactions are allowed for a file/folder, and the SACL (System Access Control List), which defines what interactions with the file/folder need to be audited.
  • Encryption: NTFS supports file encryption with the EFS (Encrypting File System) service along with Microsoft’s own Crypto API and EFS Runtime Library. This is done with the help of a symmetric key, which is in turn encrypted with a public key and provided to the user. However, this service is available only in the expensive Windows editions.
  • Disk Quotas: These were introduced with the release version of NTFS 3.0 and help System Administrators to monitor and limit the amount of disk storage available to each and every user.
  • Reparse Point: Reparse points are objects within the NTFS file system. They provide a way to extend the Windows Filesystem. Each contains a reparse tag and associated data that is interpreted by the filesystem filter to identify it.
  • Resizing: Starting from Windows Vista, NTFS supports the resizing of File Systems to increase/decrease file system space allocation. However, this does not move the existing large file chunks from their initial location.
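For the Security item above, the split between DACL and SACL is easiest to see in SDDL, the standard text form of a Windows security descriptor (SDDL is not mentioned in the original article). The following added example, not from the original page, parses a constructed SDDL string, reports DACL allow entries that give broad groups write access, and lists what the SACL audits. The rights table covers only the codes used in the sample.

```python
import re

# Access-mask values for the SDDL rights codes used here (Windows SDK constants).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GW": 0x40000000, "SD": 0x10000,
          "WD": 0x40000, "WO": 0x80000}
# Bits that allow changing data, deleting, or rewriting the ACL or owner.
WRITE_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
BROAD = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users"}


def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string into owner, group, DACL ACEs and SACL ACEs."""
    parts = re.split(r"([OGDS]):", sddl)
    sections = dict(zip(parts[1::2], parts[2::2]))
    out = {"owner": sections.get("O"), "group": sections.get("G")}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        aces = re.findall(r"\(([^)]*)\)", sections.get(key, ""))
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        out[name] = [dict(zip(("type", "flags", "rights", "obj", "iobj", "sid"),
                              ace.split(";"))) for ace in aces]
    return out


def mask_of(rights: str) -> int:
    """Turn 'FRFW' or '0x1200a9' into a numeric access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]
    return mask


def review(sddl: str) -> dict:
    """Report broad write grants in the DACL and the audit entries in the SACL."""
    sd = parse_sddl(sddl)
    risky = [BROAD[a["sid"]] for a in sd["dacl"]
             if a["type"] == "A" and a["sid"] in BROAD
             and mask_of(a["rights"]) & WRITE_BITS]
    audited = [(a["sid"], a["flags"]) for a in sd["sacl"] if a["type"] == "AU"]
    return {"risky_trustees": risky, "audited": audited}


# Constructed sample descriptor, not taken from a real system.
SAMPLE = ("O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
          "(A;OICI;0x1200a9;;;BU)(A;OICI;FRFW;;;WD)S:AI(AU;OICISAFA;FA;;;WD)")
```

In the sample, the `SAFA` flags on the SACL entry request auditing of both successful and failed access by Everyone, while the `FRFW` grant to `WD` is the DACL entry a reviewer would question.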
