NTFS: Not a File System


Yesterday we discussed FAT — the filesystem with no features that the entire world accepted out of politeness. Today we discuss what Microsoft built when they realized FAT was embarrassing them in front of the enterprise customers.

They called it NTFS. The New Technology File System.

That is the official name. The Supreme Leader has conducted an investigation and determined that NTFS actually stands for Not a File System. Because what Microsoft shipped in 1993 is not a filesystem. It is an intelligence apparatus with storage capabilities.

Every file on NTFS can contain invisible hidden files. This is not a bug. This is a documented feature. They called it “Alternate Data Streams” and shipped it in the first release. Most NTFS users have never heard of it. Malware authors have.

But we are getting ahead of ourselves.

The Origin: A Man From DEC

In the late 1980s, Microsoft hired Dave Cutler away from Digital Equipment Corporation. Cutler had designed VMS — the operating system that ran DEC’s VAX machines and was respected across the industry for its reliability, security, and architecture.

Microsoft did not hire Cutler to maintain DOS. They hired him to build something new. Something that could compete with Unix in the enterprise. Something with real security, real multiprocessing, and a real filesystem.

Cutler brought his team. He brought his ideas. And — though DEC would later notice — he brought a suspiciously familiar architecture:

| VMS Concept | Windows NT Equivalent |
| --- | --- |
| Interrupt Priority Level | Interrupt Request Level |
| Asynchronous System Trap | Asynchronous Procedure Call |
| Fork Procedure | Deferred Procedure Call |
| Files-11 | NTFS |

The naming was changed. The architecture was… similar. DEC noticed. DEC sued. Microsoft settled. The terms were not disclosed, but Windows NT continued shipping and Cutler continued building.

NTFS owes its bones to Files-11, the filesystem of VMS. This is not disputed. It is simply not discussed in polite company at Microsoft.

Windows NT 3.1 shipped on July 27, 1993. NTFS v1.0 shipped with it.

What NTFS Actually Has:

After spending a week reviewing filesystems, I must admit: NTFS has features. Real ones. It arrived in 1993 with capabilities that some Linux filesystems would not achieve for another decade.

| Feature | NTFS (1993) | ext2 (1993) | FAT32 (1996) |
| --- | --- | --- | --- |
| Journaling | Yes | No | No |
| File permissions | Yes (ACLs) | Basic Unix | No |
| Compression | Yes (built-in) | No | No |
| Encryption | Yes (EFS, later) | No | No |
| Large file support | Yes (16 EB theoretical) | Yes | No (4 GB max) |
| Hard links | Yes | Yes | No |
| Symbolic links | Yes (junctions, later symlinks) | Yes | No |
| Alternate Data Streams | Yes | No | No |
| Disk quotas | Yes | No | No |
| Hot-fix bad sectors | Yes | No | No |

The Master File Table (MFT) is the core of NTFS. Every file, every directory, every piece of metadata — all indexed in the MFT. File creation dates, modification dates, access dates, security descriptors, physical and logical sizes. The MFT is to NTFS what the B+ tree is to ReiserFS or what the uberblock is to ZFS. It is the source of truth.

NTFS journaling means that if your machine loses power during a write, the filesystem replays the transaction log and recovers. In 1993. While ext2 users were running fsck and praying. While FAT users were discovering that “crash recovery” meant “buy a new floppy.”

I will give credit where credit is due. NTFS was technically serious from day one. Dave Cutler did not build a toy.

The Hidden Files Inside Your Files:

Now we discuss the feature that earns NTFS its true name.

Alternate Data Streams (ADS). Every file on NTFS has a default data stream — the content you see when you open the file. But NTFS allows additional data streams attached to the same file. These streams are invisible. Windows Explorer does not show them. The dir command does not list them. A 1KB text file can contain megabytes of hidden data in its alternate streams, and no standard Windows tool will reveal it.

REM Create a normal file
echo "Hello" > innocent.txt

REM Hide data in an alternate stream
echo "Secret payload" > innocent.txt:hidden

REM The file still shows as 1KB in Explorer
REM The hidden stream is invisible to dir
REM Only special tools can find it

This is not a bug. This is not an exploit. This is a documented filesystem feature that shipped in 1993 and still exists in 2026.

Windows uses ADS itself. When you download a file from the internet, your browser attaches a Zone.Identifier alternate data stream to the file. This is how Windows knows the file “came from the internet” and shows you the security warning. The tracking mechanism is hidden inside the file itself, invisible to the user.

Malware authors discovered ADS decades ago. BitPaymer ransomware used alternate data streams to hide its payload in 2017. Countless other malware families have used ADS to store executable code inside innocent-looking files. A text file that contains ransomware. A spreadsheet that carries a keylogger. The filesystem enables this by design.
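
An added example (not from the original post) of how a defender can audit a directory for the streams described above: PowerShell's -Stream parameter lists every stream on a file, so anything other than the default :$DATA stream can be reported, with Zone.Identifier treated as expected. The function name Find-AlternateStream, the ads-demo folder and the allow-list are assumptions made for illustration.

```powershell
# Added example: report named (alternate) data streams on files under a path.
# Assumes Windows PowerShell 3.0 or later and an NTFS volume.
function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams considered normal; Zone.Identifier is the download marker
        # that Windows attaches to files from the internet.
        [string[]] $Expected = @('Zone.Identifier')
    )

    # This sketch checks files only.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream; ':$DATA' is the default one
            # that Explorer and plain dir report.
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Bytes      = $_.Length
                        Unexpected = $Expected -notcontains $_.Stream
                    }
                }
        }
}

# Constructed demo: recreate the innocent.txt example in a temp folder.
$demo   = Join-Path $env:TEMP 'ads-demo'
$target = Join-Path $demo 'innocent.txt'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath $target -Value 'Hello'
Set-Content -LiteralPath $target -Stream 'hidden' -Value 'Secret payload'

# List every named stream, then keep only the ones not on the allow-list.
Find-AlternateStream -Path $demo |
    Where-Object Unexpected |
    Format-Table -AutoSize

# Read a flagged stream's content for triage.
Get-Content -LiteralPath $target -Stream 'hidden'
```

Sorting the results by Bytes surfaces the large streams first, which is where a hidden executable would stand out against the few dozen bytes of a Zone.Identifier marker.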

In the Republic of Derails, we also attach hidden metadata to files. But we call it what it is: surveillance. Microsoft called it “Alternate Data Streams” and pretended it was a feature for power users. The Supreme Leader respects the technique but not the branding.

The Interoperability Problem:

NTFS is a proprietary filesystem. The specification has never been fully published. Every non-Windows implementation is a reverse-engineering effort.

Linux spent years with ntfs-3g, a FUSE-based userspace driver — slow, but functional. In Linux 5.15 (2021), a kernel-native ntfs3 driver was merged, written by Paragon Software. It is faster. It also has corruption bugs. As of late 2024, dozens of open issues remained, including reports of filesystem corruption on mounted NTFS volumes.

This is the cost of implementing a proprietary filesystem from the outside. You are not reading a specification. You are reading shadows on a wall and hoping the shapes are consistent.

macOS can read NTFS. It cannot write to it without third-party tools. Apple made a deliberate choice: we will acknowledge NTFS exists, but we will not participate in it.

FreeBSD? Limited support. OpenBSD? No. NetBSD? Partial. DragonFlyBSD? No.

Compare this to FAT. FAT works everywhere because it is simple enough to implement in a weekend. NTFS works on Windows because Microsoft does not want it to work anywhere else. The filesystem is a lock-in mechanism. Every file stored on NTFS is a file that requires Windows to access reliably.

This is not a conspiracy theory. This is a business model.

The Naming:

Let us address “New Technology File System.”

It was called “New Technology” in 1993. It is 2026. NTFS is thirty-three years old. It is older than many of the engineers who maintain it. It is older than Google. It is older than Java. It predates the World Wide Web becoming mainstream.

It is still called “New Technology.”

In the Republic of Derails, we also have technologies that were “new” three decades ago. We call them “infrastructure.” Microsoft calls them “New Technology” because renaming things requires a committee, and the committee is still debating the NTFS spec they never published.

The Comparison:

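|  | FAT | NTFS | ext4 | ZFS |
| --- | --- | --- | --- | --- |
| Journaling | No | Yes | Yes | COW (better) |
| Permissions | No | ACLs | Unix + ACLs | Unix + ACLs |
| Hidden file streams | No | Yes | No | No |
| Open specification | Yes | No | Yes | Yes |
| Cross-platform | Everything | Windows | Linux | Many (OpenZFS) |
| Year | 1977 | 1993 | 2008 | 2005 |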

FAT has no features and everyone supports it. NTFS has features and only Windows supports it properly. One is too simple to exclude. The other is too proprietary to include.

The Lesson:

NTFS is competent. This is the most damning thing I can say about it.

It has journaling. It has permissions. It has compression. It has encryption. It has quotas. It has a Master File Table that indexes everything with efficiency that FAT cannot dream of. It has alternate data streams that allow files to contain invisible files. It was designed by the man who built VMS, and it carries that lineage with quiet competence.

And it is locked inside Windows. By choice. Not by technical limitation — by business decision. The specification is not published. The implementation is proprietary. Every other operating system must guess at its internals and accept corruption as a possibility.

NTFS is a capable filesystem trapped in a proprietary cage. It has everything a modern filesystem needs except the one thing that matters most: freedom.

FAT is free and useless. NTFS is useful and captive. The filesystem world offers you a choice between a tool with no features and a tool you cannot take home.

In the Republic of Derails, our filesystem is both capable and free. It is also classified. You will have to trust me on this.

— Kim Jong Rails, Supreme Leader of the Republic of Derails