Structure of $Secure File

The table below describes the MFT record structure of the file named $Secure.

$Secure file MFT record structure

| Attribute Type | Name | Description |
|---|---|---|
| $FILE_NAME | $Secure | |
| $DATA | $SDS | Security Descriptor Stream. Named data stream that contains a list of all the Security Descriptors on the volume. |
| $INDEX_ROOT | $SDH | Security Descriptor Hash index root |
| $INDEX_ROOT | $SII | Security ID index root |
| $INDEX_ALLOCATION | $SDH | Security Descriptor Hash index storage allocation table |
| $INDEX_ALLOCATION | $SII | Security ID Index storage allocation table |
| $BITMAP | $SDH | Security Descriptor Hash index bitmap |
| $BITMAP | $SII | Security ID Index bitmap |

The figure below shows the $SDS and two indexes that provide access to the data stream: $SDH (Security Descriptor Hash) and $SII (Security ID Index).

$SDS Data Stream

The picture illustrates that each entry in the file is accompanied by two indexes:

  • a Security Descriptor Hash for indexing purposes
  • a Security ID, related to the MFT file record; this ID is unique for the NTFS volume and is used as a reference to the $SII index

The $SII index is sorted in ascending order by Security ID and maps each Security ID to the security descriptor's storage location in the $SDS data attribute.
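
The lookup path described above, from a Security ID through the sorted $SII index to the entry in $SDS, as an added example that is not part of the original page. It assumes the commonly documented 20-byte $SDS entry header (hash, Security ID, offset, length), 16-byte entry alignment and the rotate-and-add hash, none of which this page states. $SII rows are reduced to hypothetical `(security_id, offset, length)` tuples, and the descriptors are constructed placeholder bytes.

```python
import struct
from bisect import bisect_left

# Assumed $SDS entry header (from public NTFS documentation, not from this page):
# hash (u32), Security ID (u32), offset of entry in $SDS (u64), entry length (u32)
SDS_HEADER = struct.Struct("<IIQI")

def sd_hash(sd: bytes) -> int:
    """Rotate-left-3-and-add over little-endian 32-bit words (assumed algorithm)."""
    h = 0
    for (word,) in struct.iter_unpack("<I", sd[: len(sd) & ~3]):
        h = (word + ((h << 3) | (h >> 29))) & 0xFFFFFFFF
    return h

def build_sds(descriptors):
    """Construct a sample $SDS stream and matching simplified $SII rows."""
    stream, sii = bytearray(), []
    for sec_id, sd in descriptors:
        offset, length = len(stream), SDS_HEADER.size + len(sd)
        stream += SDS_HEADER.pack(sd_hash(sd), sec_id, offset, length) + sd
        stream += b"\x00" * (-len(stream) % 16)  # assumed 16-byte alignment
        sii.append((sec_id, offset, length))
    return bytes(stream), sorted(sii)  # $SII is sorted ascending by Security ID

def lookup(sds: bytes, sii, sec_id: int) -> bytes:
    """Resolve a Security ID through $SII and validate the $SDS entry it points at."""
    i = bisect_left(sii, (sec_id,))
    if i == len(sii) or sii[i][0] != sec_id:
        raise KeyError(f"Security ID {sec_id:#x} not present in $SII")
    _, offset, length = sii[i]
    if length < SDS_HEADER.size or offset + length > len(sds):
        raise ValueError("$SII entry points outside $SDS")
    h, hdr_id, hdr_off, hdr_len = SDS_HEADER.unpack_from(sds, offset)
    sd = sds[offset + SDS_HEADER.size : offset + length]
    # The header repeats the index data, so a mismatch signals corruption or tampering.
    if (hdr_id, hdr_off, hdr_len) != (sec_id, offset, length):
        raise ValueError("$SDS header disagrees with $SII entry")
    if h != sd_hash(sd):
        raise ValueError("stored hash does not match descriptor bytes")
    return sd

# Constructed sample data: placeholder bytes stand in for real security descriptors.
SAMPLE = [(0x101, b"descriptor-B".ljust(16, b"\x00")),
          (0x100, b"descriptor-A".ljust(16, b"\x00"))]
SDS, SII = build_sds(SAMPLE)
```
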