On Sun, Dec 18, 2005 at 11:57:13AM +0000, Wayne Stallwood wrote:
> Do remember though that as far as I know NTFS writing is still experimental, as should any reverse engineered writing operations be to an undocumented file system. If the data on those drives is at all valuable then I would consider other methods (NTFSDOS Professional perhaps, but that has its own limitations)
I think the method used by the Offline password and registry editor doesn't actually allow access to the filesystem. From what I read they use read-only support to locate the SAM database and then work out where the offset in that file is for the password and just overwrite those few bytes. You can't add, remove or change the size of files already on the filesystem, but you can change a few bytes if you know where they are.
This is in contrast to the system Insert recovery CD uses, which is the so-called "captive ntfs" driver, which allows full read/write etc. to the filesystem because it (AIUI) uses the actual files ntkrnl.exe and ntfs.sys from a copy of Windows XP and then accesses them in the same way that they are used in Windows (through magick and hackery). Read more at http://www.jankratochvil.net/project/captive/
Thanks
Adam