Data Integrity and Recoverability with NTFS

Each I/O operation that modifies a file on the NTFS volume is viewed by the file system as a transaction and can be managed as an atomic unit.

Figure 5.7 Interaction Between NTFS and Other Windows NT Components

When a user updates a file, the Log File Service logs all redo and undo information for the transaction. For recoverability, redo is the information that tells NTFS how to repeat the transaction, and undo is the information that tells NTFS how to roll back a transaction that was incomplete or that had an error.

If a transaction completes successfully, the file update is committed. If the transaction is incomplete, NTFS ends or rolls back the transaction by following instructions in the undo information. If NTFS detects an error in the transaction, the transaction is also rolled back.

File system recovery is straightforward with NTFS. If the system crashes, NTFS performs three passes — an analysis pass, a redo pass, and an undo pass. During the analysis pass, NTFS appraises the damage and determines exactly which clusters must now be updated, per the information in the log file. The redo pass performs all transaction steps logged from the last checkpoint. The undo pass backs out any incomplete (uncommitted) transactions.
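The three passes described above can be traced in a small simulation. This is an added example, not code from the original page or from NTFS itself; the record layout, the function names, and the sample log and disk state are assumptions constructed for illustration.

```python
# Toy model of the three recovery passes; record layout and names are
# assumptions for illustration, not the NTFS on-disk log format.
from typing import NamedTuple, Optional

class Rec(NamedTuple):
    kind: str                      # "checkpoint", "update" or "commit"
    txid: Optional[int] = None
    cluster: Optional[int] = None
    redo: Optional[str] = None     # value that repeats the step
    undo: Optional[str] = None     # value that rolls the step back

def analysis_pass(log):
    """Find the last checkpoint, the clusters logged after it, and committed txids."""
    start = max((i for i, r in enumerate(log) if r.kind == "checkpoint"), default=-1) + 1
    dirty = {r.cluster for r in log[start:] if r.kind == "update"}
    committed = {r.txid for r in log if r.kind == "commit"}
    return start, dirty, committed

def redo_pass(disk, log, start):
    """Repeat every step logged since the last checkpoint, in log order."""
    for r in log[start:]:
        if r.kind == "update":
            disk[r.cluster] = r.redo

def undo_pass(disk, log, committed):
    """Back out steps of uncommitted transactions, newest first."""
    for r in reversed(log):
        if r.kind == "update" and r.txid not in committed:
            disk[r.cluster] = r.undo

def recover(disk, log):
    start, dirty, committed = analysis_pass(log)
    redo_pass(disk, log, start)
    undo_pass(disk, log, committed)
    return dirty, committed

# Constructed sample: tx 1 commits, tx 2 is cut off by the crash.
SAMPLE_LOG = [
    Rec("checkpoint"),
    Rec("update", 1, 10, redo="A1", undo="A0"),
    Rec("update", 2, 11, redo="B1", undo="B0"),
    Rec("update", 1, 12, redo="C1", undo="C0"),
    Rec("commit", 1),
    Rec("update", 2, 13, redo="D1", undo="D0"),
]
# Constructed disk state at the crash: only some writes reached the volume.
CRASHED_DISK = {10: "A1", 11: "B1", 12: "C0", 13: "D0"}

if __name__ == "__main__":
    disk = dict(CRASHED_DISK)
    print(recover(disk, SAMPLE_LOG), disk)
```

In the sample, cluster 12 belongs to the committed transaction but never reached the disk, so the redo pass restores it, while cluster 11 was written by the uncommitted transaction and is returned to its old value by the undo pass.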