Support for IO_REPARSE_TAG_WOF (0x80000017) in NTFS filesystem parsing #41
Description
*Description:*
I encountered an issue when attempting to load a Windows Server 2025 QCOW2 disk that uses NTFS. When reading files from the system32 directory, the reported file sizes are correct, but all the data appears to be zeroed out. Upon further investigation using guestmount and qemu-nbd, I discovered that the files have an unsupported reparse tag: 0x80000017, which corresponds to IO_REPARSE_TAG_WOF.
Background:
IO_REPARSE_TAG_WOF is used by the Windows Overlay Filter (WOF) for system compression, such as WIMBoot or single-file compression. This reparse tag is not natively supported by NTFS but is handled by the wof.sys driver in Windows. Internally, the compressed data is stored in an alternate data stream named WofCompressedData, and the file is marked as sparse with no actual data in the primary stream.
References:
- Microsoft Documentation on Reparse Point Tags
- Microsoft Documentation on Reparse Tags
- Wikipedia on CompactOS and WOF
- WOF Tool by wbenny
Key Characteristics of WOF Compression:
- Files are sparse with no data in the primary stream.
- File size reflects the uncompressed size.
- Compressed data is stored in the
:WofCompressedDataalternate data stream. - The
IO_REPARSE_TAG_WOFreparse point is set. - Decompression is handled transparently by the
wof.sysdriver in Windows.
Issue:
Currently, dissect.ntfs does not appear to handle the IO_REPARSE_TAG_WOF reparse tag or the associated :WofCompressedData alternate data stream. As a result, files compressed using WOF are reported with the correct size but contain only zeroed data.
Request:
Could support for IO_REPARSE_TAG_WOF and WOF-compressed files be added to dissect.ntfs? This would involve:
- Detecting the
IO_REPARSE_TAG_WOFreparse tag. - Locating and parsing the
:WofCompressedDataalternate data stream. - Decompressing the data using the appropriate algorithm (e.g., XPRESS, LZX, or ZLIB, as used by WOF).
This feature would greatly enhance compatibility with modern Windows systems, especially those using CompactOS or WIMBoot.
Additional Context:
The woftool project by wbenny (linked above) provides some insight into how WOF compression works and could serve as a reference for implementing this functionality.
Thank you for your work on this project! Let me know if you need additional details or test cases.