4

I'm currently experimenting with my own backup software, and just wondered where the NTFS volume GUID (i.e. the one that appears as \\?\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}) is actually stored, offset wise, on the partition? Is it always at a calculable offset, or is it part of the $MFT or $Volume record or something like that?

squillman
  • 38,163

2 Answers

4

I spent some time trying to answer that.

Eventually I found this for MBR disks:

Step 1
GUID is formed as {UUUUUUUU-0000-0000-PPPP-PPPPPPPPPPPP}, where

  • UUUUUUUU is disk's UNIQUEID (can be seen/changed in diskpart's uniqueid disk command)
  • 0000-0000 are always zeroes
  • PPPP-PPPPPPPPPPPP is partition's byte offset (can be seen in diskpart's detail partition command), hex-encoded with inverse byte order.

Step 2

  • If driver supports IOCTL_MOUNTDEV_QUERY_STABLE_GUID, then whatever GUID is returned will be used as volume GUID. Otherwise, ExUuidCreate() is used to create a new GUID.
  • Before Win10, IOCTL_MOUNTDEV_QUERY_STABLE_GUID is not supported for MBR disks.
  • Starting with Win10, for MBR disks, if it's not removable + some other unknown conditions, GUID from step 1 is used as volume GUID. As a result, it will have a lot of zeroes.

Step 3
The resulting GUID is stored in HKLM\SYSTEM\MountedDevices. It maps Volume GUID (value name) to volume's identifier (returned by IOCTL_MOUNTDEV_QUERY_UNIQUE_ID). For MBR disks, identifier matches GUID from step 1.

If disk's UNIQUEID is changed, Windows will fail to boot (because it can no longer find boot volume). If boot configuration is fixed by running bootrec /rebuildbcd from recovery, Windows boots and volume will have a new GUID, where only the first 4 bytes will change to match the new disk's UNIQUEID.

Some relevant locations in Windows code:

  • mountmgr!CreateNewVolumeName
  • mountmgr!QueryDeviceInformation
  • volmgr!VmpQueryStableGuid

Codeguard
  • 141

4
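To make Step 1 concrete, here is an added Python example (not from the answer above and not Windows code) that builds the MBR-disk volume GUID from the disk signature and the partition byte offset, parses such a GUID back into its two components, and converts to and from the 12-byte identifier (4-byte disk signature followed by the 8-byte partition offset, both little-endian) that MountedDevices holds for an MBR volume. The disk signature 0x12345678 and the partition offsets used are constructed sample values; a GUID that is not of the Step 1 shape (for example one created by ExUuidCreate on older Windows) is reported as such rather than misparsed.

```python
import re
import struct

# Volume GUID for an MBR-disk volume, as described in Step 1:
#   {UUUUUUUU-0000-0000-PPPP-PPPPPPPPPPPP}
#   UUUUUUUU          32-bit MBR disk signature (diskpart "uniqueid disk")
#   0000-0000         always zero
#   PPPP-PPPPPPPPPPPP 64-bit partition byte offset, its little-endian bytes written as hex


def mbr_volume_guid(disk_signature: int, partition_offset: int) -> str:
    """Build the volume GUID string, e.g. '{12345678-0000-0000-0000-100000000000}'."""
    if not 0 <= disk_signature <= 0xFFFFFFFF:
        raise ValueError("disk signature must fit in 32 bits")
    if not 0 <= partition_offset <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("partition offset must fit in 64 bits")
    off_hex = struct.pack("<Q", partition_offset).hex()  # 16 hex chars, byte order inverted
    return "{%08x-0000-0000-%s-%s}" % (disk_signature, off_hex[:4], off_hex[4:])


_STEP1_GUID = re.compile(
    r"^\{?([0-9a-f]{8})-0000-0000-([0-9a-f]{4})-([0-9a-f]{12})\}?$", re.IGNORECASE
)


def parse_mbr_volume_guid(guid: str):
    """Recover (disk_signature, partition_offset) from a Step 1 GUID.

    Returns None when the GUID does not have the Step 1 shape, i.e. it was
    generated some other way (ExUuidCreate, GPT partition GUID, ...).
    """
    m = _STEP1_GUID.match(guid.strip())
    if not m:
        return None
    disk_signature = int(m.group(1), 16)
    (partition_offset,) = struct.unpack("<Q", bytes.fromhex(m.group(2) + m.group(3)))
    return disk_signature, partition_offset


def mountdev_id_from_mbr(disk_signature: int, partition_offset: int) -> bytes:
    """12-byte MountedDevices value data for an MBR volume:
    little-endian DWORD disk signature + little-endian QWORD partition offset."""
    return struct.pack("<IQ", disk_signature, partition_offset)


def guid_from_mountdev_id(data: bytes):
    """Turn a 12-byte MBR MountedDevices identifier back into the Step 1 GUID,
    or None if the blob has a different length (GPT and other bus identifiers
    use other layouts)."""
    if len(data) != 12:
        return None
    disk_signature, partition_offset = struct.unpack("<IQ", data)
    return mbr_volume_guid(disk_signature, partition_offset)


if __name__ == "__main__":
    # Constructed sample: disk signature 0x12345678, first partition at 1 MiB.
    sig, off = 0x12345678, 0x100000
    guid = mbr_volume_guid(sig, off)
    print(guid)                                 # {12345678-0000-0000-0000-100000000000}
    print(parse_mbr_volume_guid(guid))          # (305419896, 1048576)
    blob = mountdev_id_from_mbr(sig, off)
    print(blob.hex(), guid_from_mountdev_id(blob))
    # Changing the disk signature (as "uniqueid disk id=..." would) changes only
    # the first group of the GUID, matching the bootrec /rebuildbcd observation above.
    print(mbr_volume_guid(0xCAFEBABE, off))     # {cafebabe-0000-0000-0000-100000000000}
```

The offset grouping is the reason so many Windows 10 MBR volume GUIDs end in 100000000000: a first partition aligned at 1 MiB (0x100000) packs to the bytes 00 00 10 00 00 00 00 00, which read as hex are 0000-100000000000.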

I spent hours in front of a partition with my hex editor and discovered that the $VOLUME_NAME attribute of the $Volume metafile is actually just that - the textual volume name seen in 'Computer' and the likes - i.e. "My Disk"

It turns out that the GUID style I asked about above is stored only in the mount manager database within the registry at MountedDevices. What finally led me to this is that the same disk (with the same serial number on its NTFS partition) will get a different GUID if you plug it into a different machine.