Failure to modify File Records in Master File Table (MFT) of NTFS

I am writing a program to remove a file and all related attributes (including the 0x30 $FILE_NAME, 0x80 $DATA, 0x90 $INDEX_ROOT, 0xA0 $INDEX_ALLOCATION, etc.) in an NTFS volume in Windows.

I can now find the position of the File Record for any file. I overwrite the File Record several times to prevent recovery, and then I put back the basic information that a File Record would have (that is, the Standard Attribute Header of the first attribute, "0x10 $STANDARD_INFORMATION").

I used WriteFile() to write the File Record, and the returned value indicates the function succeeded. After that, when I open the disk to view the raw data with WinHex, I can see the File Record actually IS modified.

But the problem is, after I deleted another two or three files, the previous file's File Record reappeared as if I had never done anything to it.

I think this could be some recovery mechanism of Windows file management. I wonder if there is any method to modify the File Record successfully without Windows recovering it.

P.S. I used DeleteFile() to take care of the B+ tree and other stuff before I modify the File Record manually.


Are you sure the MFT record got deleted? Because if it was, then the file won't reappear.

Check your MFT record position calculations (from VCN to actual CN and sector number). Also, there's a $MFTMirror; you should check if a duplicate copy of the MFT record (for the file in question) exists in $MFTMirror... If yes, then you should be erasing even that record.

If you could share your code for the MFT record locator (most probably that's where the problem is) for the file... I could help you more.
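
The VCN-to-LCN calculation the answer asks to check, as an added example that is not part of the original question or answer: it decodes the data-run list of $MFT's unnamed $DATA attribute and returns the volume byte offset of a given record. The run bytes, the 1024-byte record size and the 4096-byte cluster size are constructed sample values (real ones come from the volume's boot sector and $MFT record), and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: 16 clusters at LCN 256, then 8 clusters at delta -32 (LCN 224). */
static const uint8_t SAMPLE_RUNS[] = {0x21, 0x10, 0x00, 0x01, 0x11, 0x08, 0xE0, 0x00};

/* Read an n-byte little-endian field, sign-extending when is_signed is set. */
static int64_t le_field(const uint8_t *p, unsigned n, int is_signed) {
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    if (is_signed && n > 0 && n < 8 && (p[n - 1] & 0x80))
        v |= ~(uint64_t)0 << (8 * n);
    return (int64_t)v;
}

/* Map a VCN to an LCN by walking the run list. Returns -1 when the VCN is
   not mapped, falls in a sparse run, or the list is malformed. */
int64_t vcn_to_lcn(const uint8_t *runs, size_t len, uint64_t vcn) {
    int64_t lcn = 0;     /* each run's offset is a signed delta from the previous run */
    uint64_t first = 0;  /* first VCN covered by the current run */
    size_t i = 0;
    while (i < len && runs[i] != 0) {          /* 0x00 terminates the list */
        unsigned len_sz = runs[i] & 0x0F, off_sz = runs[i] >> 4;
        if (len_sz == 0 || len_sz > 8 || off_sz > 8 ||
            i + 1 + len_sz + off_sz > len) return -1;
        uint64_t count = (uint64_t)le_field(runs + i + 1, len_sz, 0);
        if (off_sz) lcn += le_field(runs + i + 1 + len_sz, off_sz, 1);
        if (vcn < first + count)
            return off_sz ? lcn + (int64_t)(vcn - first) : -1;
        first += count;
        i += 1 + len_sz + off_sz;
    }
    return -1;
}

/* Byte offset on the volume of MFT record recno, or -1 on failure. */
int64_t mft_record_offset(const uint8_t *runs, size_t len, uint64_t recno,
                          uint32_t record_size, uint32_t cluster_size) {
    if (cluster_size == 0) return -1;
    uint64_t pos = recno * record_size;        /* byte position inside $MFT */
    int64_t lcn = vcn_to_lcn(runs, len, pos / cluster_size);
    return lcn < 0 ? -1 : lcn * (int64_t)cluster_size + (int64_t)(pos % cluster_size);
}

int main(void) {
    /* Record 70 lies in the second, fragmented run of the sample list. */
    printf("%lld\n", (long long)mft_record_offset(SAMPLE_RUNS, sizeof SAMPLE_RUNS, 70, 1024, 4096));
    return 0;
}
```

A locator that assumes $MFT is contiguous, or treats run offsets as unsigned or absolute, resolves the wrong cluster as soon as the MFT is fragmented.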
