NTFS Transaction Logging and Partition Recovery

NTFS (New Technology File System) implements transaction logging to ensure partition recovery in several cases of system crash, such as power failure and other such events. An NTFS-formatted partition undergoes three passes of recovery: the ‘analysis pass’, the ‘redo pass’, and the ‘undo pass’. During the first pass (the ‘analysis pass’), NTFS assesses the corruption in the partition. It also determines which clusters need to be updated, using a transaction log file stored in its MFT (Master File Table).


The MFT is the data structure that lists all the records of the files stored on an NTFS partition. To ensure recoverability, a duplicate of the MFT is also stored as the MFT ‘mirror’. References to these two records are stored in the boot sector, and the boot sector is in turn stored at a safe location on the disk.

NTFS uses a Log File Service that records all the undo and redo data for a transaction whenever the user updates a file. The first pass involves reading the MFT and calling the Log File Service to access the log file. NTFS then reads the restart area (the status area that gives the data from the last checkpoint before the crash to recovery), followed by the data logged since the last checkpoint. The pass ultimately yields the transactions that were active at the time of the crash.

In the second pass, i.e. the ‘redo pass’, NTFS rolls all the transactions forward; the final result is a cache that shows the volume state at the time of the crash. In the final pass, the ‘undo pass’, the corrupted partition is recovered to a consistent state by rolling back all the uncommitted transactions.
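The three passes can be traced on a small model. The following Python sketch is an added example, not NTFS code: the record layout, the sample log and the disk state are constructed for illustration, and it assumes no transaction is open at the checkpoint.

```python
from collections import namedtuple

# Simplified model: this record layout is constructed for illustration and is
# not the on-disk NTFS log format.
Rec = namedtuple("Rec", "lsn txn op cluster redo undo")
LOG = [  # constructed sample log; the crash happens right after LSN 7
    Rec(1, "T1", "update", 10, "A1", "A0"),
    Rec(2, "T1", "commit", None, None, None),
    Rec(3, None, "checkpoint", None, None, None),  # assumed: nothing open here
    Rec(4, "T2", "update", 11, "B1", "B0"),
    Rec(5, "T3", "update", 12, "C1", "C0"),
    Rec(6, "T2", "commit", None, None, None),
    Rec(7, "T3", "update", 10, "A2", "A1"),  # T3 never commits
]
# Constructed on-disk state at the crash: only some cached writes were flushed.
DISK = {10: "A1", 11: "B0", 12: "C1"}


def analysis_pass(log):
    """Read from the last checkpoint; return (tail, live txns, dirty clusters)."""
    start = max((i for i, r in enumerate(log) if r.op == "checkpoint"), default=-1)
    tail = log[start + 1:]
    live, dirty = set(), set()
    for r in tail:
        if r.op == "update":
            live.add(r.txn)        # transaction has work in the log tail
            dirty.add(r.cluster)   # cluster may need updating on disk
        elif r.op == "commit":
            live.discard(r.txn)    # committed, so no longer live
    return tail, live, dirty


def redo_pass(tail, disk):
    """Roll every logged update forward to rebuild the state at the crash."""
    cache = dict(disk)
    for r in tail:
        if r.op == "update":
            cache[r.cluster] = r.redo
    return cache


def undo_pass(tail, live, cache):
    """Roll back updates of uncommitted transactions, newest first."""
    volume = dict(cache)
    for r in reversed(tail):
        if r.op == "update" and r.txn in live:
            volume[r.cluster] = r.undo
    return volume
```

In this constructed log, T2 committed but its write never reached disk, so only the redo pass restores it; T3 did reach disk on cluster 12 but never committed, so only the undo pass removes it.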

If these three passes complete successfully with no errors, you get a stable partition; otherwise, it may remain in a corrupted state, which renders your data inaccessible.

