
I have many files on my NTFS partition whose sizes are larger than the corresponding size on disk.

file size properties

  • In hex view the file's end (often more than half of the file) is filled up with 0x00.
  • When I copy the file, the copied one's size on disk is larger than its size. However the file is still largely filled with unnecessary 0x00.
  • chkdsk found no errors.
  • NTFS compression is turned off.

How can I fix these files?

phuclv
Mart

1 Answer

> However the file is still largely filled with unnecessary 0x00.

How do you know that it's unnecessary? An image likely doesn't have zero data at the end like that, but many files like disk images or pre-allocated formats do have big sections of zeros. Are your images still displayed properly?

A filesystem doesn't store random or blank data into your files. So unless the disk was corrupted, the data were definitely written by some human or application. You don't fix the filesystem since there's no problem with it. You also don't fix the files if those are their real data. Rather you need to check if there are some malicious programs on your PC.

Back to the main "problem", size on disk can be smaller in various situations like resident files or symlinks. However such a large file obviously doesn't fit in an MFT entry, thus in your case it's highly likely a sparse file where the file system just stores the meaningful data, saving space by leaving out the empty parts.

However by default a file won't be created sparse, therefore some programs have set the sparse flag on your files. It can also be enabled manually with fsutil sparse.

PS D:\> fsutil file createnew zeros 0x100000      # create a blank file 0x100000 bytes long
File D:\zeros is created
PS D:\> fsutil sparse setflag .\zeros
PS D:\> fsutil sparse setrange .\zeros 0 0x100000 # set the range of zero bytes
PS D:\> fsutil file layout .\zeros

********* File 0x0015000000000e3d *********
File reference number   : 0x0015000000000e3d
File attributes         : 0x00000220: Archive | Sparse
File entry flags        : 0x00000000
Link (ParentID: Name)   : 0x0005000000000005: HLINK Name : \zeros
Creation Time           : 13-12-2018 17:44:25
Last Access Time        : 13-12-2018 17:45:48
Last Write Time         : 13-12-2018 17:45:48
Change Time             : 13-12-2018 17:45:48

... irrelevant data

Stream                  : 0x080 ::$DATA
    Attributes          : 0x00000200: Sparse
    Flags               : 0x00000008: No clusters allocated
    Size                : 1,048,576
    Allocated Size      : 0
    Extents             : 1 Extents
                        : 1: VCN: 0 Clusters: 256 LCN: -1

As you can see above, after setting the zero range, the allocated size in the stream ::$DATA becomes zero.

Sparse file

To remove the sparse flag you just need to copy the file to a new one, because as said above it's not ON by default.


phuclv
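To see which files under a folder carry the sparse flag discussed in the answer above, and how much of each is really allocated, the following added example (not part of the original answer) lists them with logical size next to allocated size. The folder in `$Root`, the `Win32.DiskSize` type name and the `Get-AllocatedSize` helper are assumptions made for this example; the only Win32 call used is `GetCompressedFileSizeW`.

```powershell
# Added example, not from the original answer.
# Assumption: $Root is the folder you want to inspect.
$Root = 'D:\'

# GetCompressedFileSizeW reports the bytes actually allocated for a file;
# for a sparse file that excludes the unallocated (zero) ranges.
Add-Type -Namespace Win32 -Name DiskSize -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetCompressedFileSizeW(string lpFileName, out uint lpFileSizeHigh);
'@

function Get-AllocatedSize {
    param([Parameter(Mandatory)][string]$Path)
    $high = [uint32]0
    $low  = [Win32.DiskSize]::GetCompressedFileSizeW($Path, [ref]$high)
    $err  = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    # 0xFFFFFFFF in the low dword is an error only if the last error is non-zero
    if ($low -eq [uint32]::MaxValue -and $err -ne 0) {
        throw "GetCompressedFileSizeW failed for '$Path' (Win32 error $err)"
    }
    # Combine the two 32-bit halves into one 64-bit byte count
    ([uint64]$high * [uint64]4294967296) + [uint64]$low
}

Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::SparseFile } |
    ForEach-Object {
        $allocated = Get-AllocatedSize -Path $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            Size          = $_.Length        # logical size, zeros included
            Allocated     = $allocated       # bytes that occupy clusters
            Unallocated   = [uint64]$_.Length - [Math]::Min([uint64]$_.Length, $allocated)
        }
    } |
    Sort-Object Unallocated -Descending |
    Format-Table -AutoSize
```

Files at the top of the list are the ones where most of the logical size is unallocated zero range; `LastWriteTime` helps correlate them with whatever program last touched them.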