$Quota File
The \$Extend\$Quota file is used by the user quota NTFS file system feature. It is not located in a reserved MFT entry. It contains two indexes that both use the standard $INDEX_ROOT and $INDEX_ALLOCATION attributes to store their index entries. The $O index correlates a SID to an owner ID, and the $Q index correlates an owner ID to quota information. The index entry for the $O index has the fields given in table.
The flag values for this index entry are the same as we saw for file names. 0x01 is set when there is a child node, and 0x02 is set when it is the last entry in the list. If a child exists, the last 8 bytes will be used for the VCN of the child. The $Q index maps an owner ID to the owner's quota information. Its index entry has the values shown in table.
The index entry flags are the standard flags of 0x01, if there is a child node and 0x02 if this is the last entry in the list. The quota flags have the values shown in table.
Data structure for the $O index entries in $Quota
| Byte Range | Description | Essential |
| 0-1 | Offset to owner ID (OFF) | Yes |
| 2-3 | Length of owner ID | Yes |
| 4-7 | Unused | No |
| 8-9 | Size of index entry | Yes |
| 10-11 | Size of SID (L) | Yes |
| 12-15 | Flags | Yes |
| 16-(16+L-1) | SID | Yes |
| OFF+ | Owner ID | Yes |
The flag values for this index entry are the same as we saw for file names. 0x01 is set when there is a child node, and 0x02 is set when it is the last entry in the list. If a child exists, the last 8 bytes will be used for the VCN of the child. The $Q index maps an owner ID to the owner's quota information. Its index entry has the values shown in table.
Data structure for the $Q index entries in $Quota
| Byte Range | Description | Essential |
| 0-1 | Offset to quota information | Yes |
| 2-3 | Size of quota information | Yes |
| 4-7 | Unused | No |
| 8-9 | Size of index entry | Yes |
| 10-11 | Size of owner ID (4 bytes) | Yes |
| 12-15 | Flags | Yes |
| 16-19 | Owner ID | Yes |
| 20-23 | Version | No |
| 24-27 | Quota flags | Yes |
| 28-35 | Bytes charged to user | Yes |
| 36-43 | Time of last charge | No |
| 44-51 | Threshold value (a soft limit) | Yes |
| 52-59 | Hard limit value | Yes |
| 60-67 | Exceeded time | Yes |
| 68-79 | SID | Yes |
The index entry flags are the standard flags of 0x01, if there is a child node and 0x02 if this is the last entry in the list. The quota flags have the values shown in table.
Flag values for the $Q index entry flags field
| Flag | Description |
| 0x00000001 | Default limits being used |
| 0x00000002 | Limit reached |
| 0x00000004 | ID deleted |
| 0x00000010 | Tracking data usage |
| 0x00000020 | Enforcing data usage |
| 0x00000040 | Usage tracking requested |
| 0x00000080 | Create log when threshold is met |
| 0x00000100 | Create log when limit is met |
| 0x00000200 | Out of date |
| 0x00000400 | Corrupted data |
| 0x00000800 | Pending deletes |
Data recovery content
Articles
Data recovery software for anyone
Recovering digital photos and raw files
The easy way of recovering digital photos
Photo recovery made easy: now with raw support
The importance of photo recovery software
How to recover digital pictures and raw photos: an easy way
Digital photo recovery revisited: when the impossible becomes a reality
A truly universal data recovery tool
Undelete software made simple
Truly universal data recovery
Data recovery made easy with Hetman Uneraser
Hetman Uneraser restore every single bit you lost
Recovering digital photos and raw files
The easy way of recovering digital photos
Photo recovery made easy: now with raw support
The importance of photo recovery software
How to recover digital pictures and raw photos: an easy way
Digital photo recovery revisited: when the impossible becomes a reality
A truly universal data recovery tool
Undelete software made simple
Truly universal data recovery
Data recovery made easy with Hetman Uneraser
Hetman Uneraser restore every single bit you lost