| Author | Message | ||
     U. Jaenicke-Rößler Username: ujr Registered: 3-2005 |
Hi, I have two question regarding editing files on NTFS. 1) From the directory browser I cannot open a file for editing (double click gives read only mode that cannot be changed, because the menu is disabled) - the file can be edited however, if it is opened by Winhex without the directory browser from Winhex's main menu. Have I overlooked some option? 2) When I edit the file on HD directly it appears changed in Winhex, but it is not if I open it later on in Notepad, for example. Is this related to some NTFS file cache? Or what's wrong? Thanks! | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
1) No, you haven't. File | Open opens the file via the operating system. That means at least the last access date of the file is altered. Allows you to edit the file, depending on the edit mode. The directory browser on the other hand allows to open files in a forensically sound way, circumventing the operating system, without altering any timestamp, in read-only mode only. 2) I assume by "editing a file on HD directly" you mean you edit the contents of some sectors on a disk that belong to a cluster that is allocated to a particular file. Multiple factors could lead to what you observe. E.g. you could have mistakenly edited the wrong sector, where a previous copy of that file was stored. To exclude the effects of buffers and caches and find an answer you could restart your computer and then look at the file again in Notepad and at the disk sectors in WinHex. | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
1) That these are totally different operations is obvious when you consider that File | Open can only be applied to partitions on hard disks that are mounted as drive letters in Windows and whose file system is supported by Windows, whereas the directory browser is available even for partitions that are not mounted as drive letters, that reside on hard disks or on interpreted image files (optionally compressed, segmented, or encrypted), whose file system is from the Linux, MacOS, or Unix world, depending on the license type in use. WinHex is not meant to offer file editing capabilities for all these file systems, as that would involve having to adjust file system data structures. That task is left to the operating system. If you wish to bypass the operating system, then you would have to edit sectors, not files, which I think is what you describe in your second question. | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
1) Where applicable, you can open files for editing even via the directory browser if Options | Security | "[x] Open files thru operating system" is checked. | ||
| U. Jaenicke-Rößler Username: ujr Registered: 3-2005 |
Hi, thank you very much for your detailed answers - very helpful! Especially the second question bothered me a lot for some time. I think I can exlude, that I edited the wrong sector (because Winhex lead me to the right one, I didn't search for it). So it is most probably a caching issue - but normally only academic anyway. Thanks! |