ChangeJournal Publisher's description
from Jason Q Zhang
Allows you to operate NTFS's Change Journal
The ChangeJournal application was developed to be a small tool that will allow you to operate NTFS's Change Journal.
The Change Journal is a log of every change made to the files or directories on an NTFS 5.0 volume: each change appends one record to the journal, so it is a database in the sense of a log file.
A Change Journal record contains, among other fields, a USN, a Reason, a Filename, a ParentFileReferenceNumber and a TimeStamp:
- USN is the record's ID (the Update Sequence Number, a 64-bit value that orders the records)
- Reason is a set of flags saying why the record was written, for example 'create'
- Filename is the file's name only, without its path
- ParentFileReferenceNumber identifies the file's parent directory; it is the foreign key towards the file's path
- TimeStamp is the time at which the event happened
With this information we can know what happened to a file; the only problem is where to find the path of the file. There is no simple or easy way to get there as far as I know. Let's face it, NTFS is not an RDBMS, so we can't use one 'select' statement over the relevant tables to get all we need.
Although, in concept, ParentFileReferenceNumber is a foreign key, what Windows 2000 gives us to obtain a FileReferenceNumber is the GetFileInformationByHandle API, which needs an opened handle to the file. So we have to search the whole directory tree to find what we want! That's why I feel sorry for the hard drive every time I push the 'Path detail' button.
The other thing we should know is that the Change Journal is not available automatically. Somebody has to create and activate it (the FSCTL_CREATE_USN_JOURNAL control code does that) before it can be read; until then, querying it fails.
To operate on the Change Journal, the key API is DeviceIoControl. The basic steps to retrieve Change Journal records are:
- Open a handle to the volume that holds the journal (for example \\.\C:) with the CreateFile API
- Call DeviceIoControl with FSCTL_QUERY_USN_JOURNAL as the second parameter; the USN_JOURNAL_DATA it returns carries the journal's ID and its first valid USN
- Call DeviceIoControl with FSCTL_READ_USN_JOURNAL as the second parameter, passing that journal ID and a start USN in a READ_USN_JOURNAL_DATA structure; the output buffer starts with the next USN to read from, followed by the packed USN_RECORD structures
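The following program is an added example written for this page; it is not the ChangeJournal tool's own code. It parses records in the USN_RECORD_V2 layout from winioctl.h (USN, Reason, ParentFileReferenceNumber, TimeStamp, FileName), and resolves a record's path by following ParentFileReferenceNumber through a FileReferenceNumber-to-(name, parent) table, which is the "foreign key" join the description talks about. Because it has to run without an NTFS volume, it builds a constructed sample buffer in the shape FSCTL_READ_USN_JOURNAL returns: the file reference numbers, the names "Projects" and "notes.txt", the USN values and the FILETIME are all made up. The three DeviceIoControl steps from the list above are in read_live_journal(), compiled only on Windows, which must run elevated. The root directory's reference number (MFT record 5) and a little-endian host are assumed.

```c
/* Added example, not the ChangeJournal tool's code: parse Change Journal records in
 * the USN_RECORD_V2 layout (winioctl.h) and resolve a record's path by following
 * ParentFileReferenceNumber. Assumes a little-endian host, as on x86 Windows. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USN_REASON_DATA_EXTEND 0x00000002u   /* winioctl.h values */
#define USN_REASON_FILE_CREATE 0x00000100u
#define USN_REASON_CLOSE       0x80000000u
#define ROOT_FRN 0x0005000000000005ULL       /* root directory: MFT record 5, sequence 5 */

typedef struct {          /* USN_RECORD_V2 fields used here; byte offset in the record */
    uint64_t frn;         /* 8:  FileReferenceNumber (MFT index + sequence number) */
    uint64_t parent_frn;  /* 16: ParentFileReferenceNumber, the "foreign key" */
    int64_t  usn;         /* 24: USN, the record's ID */
    int64_t  timestamp;   /* 32: FILETIME, 100 ns ticks since 1601-01-01 */
    uint32_t reason;      /* 40: USN_REASON_* flags */
    char     name[256];   /* 60+: FileName, UTF-16LE on disk, narrowed to ASCII here */
} usn_rec;
typedef struct { uint64_t frn, parent; char name[256]; } dir_ent;  /* FRN -> (name, parent) */

static size_t find_ent(const dir_ent *t, size_t n, uint64_t frn) {  /* index of frn, or n */
    size_t i; for (i = 0; i < n && t[i].frn != frn; i++) {} return i;
}

/* Parse one record at buf[0..len). Returns bytes consumed (RecordLength), 0 if malformed. */
size_t usn_parse(const uint8_t *buf, size_t len, usn_rec *r) {
    uint32_t rl; uint16_t nlen, noff; size_t i, n = 0;
    if (len < 60) return 0;
    memcpy(&rl, buf, 4); memcpy(&nlen, buf + 56, 2); memcpy(&noff, buf + 58, 2);
    if (rl < 60 || rl > len || (size_t)noff + nlen > rl) return 0;   /* never trust the lengths */
    memcpy(&r->frn, buf + 8, 8);  memcpy(&r->parent_frn, buf + 16, 8);
    memcpy(&r->usn, buf + 24, 8); memcpy(&r->timestamp, buf + 32, 8);
    memcpy(&r->reason, buf + 40, 4);
    for (i = 0; i + 1 < nlen && n < sizeof r->name - 1; i += 2) {      /* nlen is in bytes */
        uint16_t wc = (uint16_t)(buf[noff + i] | (buf[noff + i + 1] << 8));
        r->name[n++] = wc < 0x80 ? (char)wc : '?';
    }
    r->name[n] = '\0';
    return rl;
}

/* Walk an FSCTL_READ_USN_JOURNAL output buffer (8-byte next USN, then packed records),
 * learning FRN -> (name, parent) from FILE_CREATE records. Returns the record count. */
size_t usn_walk(const uint8_t *buf, size_t len, dir_ent *t, size_t *nt, size_t tcap, usn_rec *last) {
    size_t off = 8, count = 0, used;
    while (off < len && (used = usn_parse(buf + off, len - off, last)) != 0) {
        if ((last->reason & USN_REASON_FILE_CREATE) && *nt < tcap && find_ent(t, *nt, last->frn) == *nt) {
            t[*nt].frn = last->frn; t[*nt].parent = last->parent_frn;
            strcpy(t[(*nt)++].name, last->name);
        }
        off += used; count++;
    }
    return count;
}

/* Directory path of frn: "" for the root, else "\dir\sub". Returns 0 on an unknown parent.
 * On a live volume the table has to be seeded from the MFT (FSCTL_ENUM_USN_DATA), since a
 * directory's own create record usually predates the journal. */
int usn_path(const dir_ent *t, size_t n, uint64_t frn, char *out, size_t outsz) {
    char tmp[1024] = "", next[1024]; int depth = 0;
    while (frn != ROOT_FRN) {
        size_t i = find_ent(t, n, frn);
        if (i == n || ++depth > 64) return 0;           /* unknown parent, or a cycle */
        snprintf(next, sizeof next, "\\%s%s", t[i].name, tmp);
        snprintf(tmp, sizeof tmp, "%s", next);
        frn = t[i].parent;
    }
    snprintf(out, outsz, "%s", tmp);
    return 1;
}

/* Emit one V2 record: constructed test data, not read from any volume. */
static void put_record(uint8_t *buf, size_t *off, uint64_t frn, uint64_t parent,
                       int64_t usn, uint32_t reason, const char *name) {
    uint8_t *p = buf + *off; size_t i;
    uint16_t ver = 2, nlen = (uint16_t)(strlen(name) * 2), noff = 60;
    uint32_t rl = (60u + nlen + 7u) & ~7u;              /* records are 8-byte aligned */
    int64_t ts = 0x01D5000000000000LL;                   /* arbitrary FILETIME */
    memset(p, 0, rl); memcpy(p, &rl, 4); memcpy(p + 4, &ver, 2); memcpy(p + 8, &frn, 8);
    memcpy(p + 16, &parent, 8); memcpy(p + 24, &usn, 8); memcpy(p + 32, &ts, 8);
    memcpy(p + 40, &reason, 4); memcpy(p + 56, &nlen, 2); memcpy(p + 58, &noff, 2);
    for (i = 0; name[i]; i++) p[60 + 2 * i] = (uint8_t)name[i];      /* ASCII as UTF-16LE */
    *off += rl;
}

/* Constructed sample: a directory created under the root, then a file created and
 * extended inside it. Returns the record count; fills *last and its full path. */
size_t run_sample(usn_rec *last, char *path, size_t pathsz) {
    static uint8_t buf[4096]; static dir_ent table[16]; char dirp[1024];
    size_t nt = 0, off = 8, n; int64_t next = 400;
    uint64_t dir = 0x0001000000000040ULL, file = 0x0001000000000041ULL;
    memcpy(buf, &next, 8);                                /* leading "next USN" value */
    put_record(buf, &off, dir, ROOT_FRN, 100, USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "Projects");
    put_record(buf, &off, file, dir, 200, USN_REASON_FILE_CREATE, "notes.txt");
    put_record(buf, &off, file, dir, 300, USN_REASON_FILE_CREATE | USN_REASON_DATA_EXTEND | USN_REASON_CLOSE, "notes.txt");
    n = usn_walk(buf, off, table, &nt, 16, last);
    if (!usn_path(table, nt, last->parent_frn, dirp, sizeof dirp)) return 0;
    snprintf(path, pathsz, "%s\\%s", dirp, last->name);
    return n;
}

#ifdef _WIN32
#include <windows.h>
#include <winioctl.h>
/* The description's three steps on a live volume, e.g. L"\\\\.\\C:" (run elevated; the
 * query fails with ERROR_JOURNAL_NOT_ACTIVE if no journal has been created yet). */
int read_live_journal(const wchar_t *vol, uint8_t *buf, DWORD cap, DWORD *got) {
    USN_JOURNAL_DATA jd; READ_USN_JOURNAL_DATA rd = {0}; DWORD br; int ok = 0;
    HANDLE h = CreateFileW(vol, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    if (DeviceIoControl(h, FSCTL_QUERY_USN_JOURNAL, NULL, 0, &jd, sizeof jd, &br, NULL)) {
        rd.StartUsn = jd.FirstUsn; rd.ReasonMask = 0xFFFFFFFF; rd.UsnJournalID = jd.UsnJournalID;
        ok = DeviceIoControl(h, FSCTL_READ_USN_JOURNAL, &rd, sizeof rd, buf, cap, got, NULL);
    }
    CloseHandle(h); return ok;
}
#endif

int main(void) {
    usn_rec last; char path[1400]; size_t n = run_sample(&last, path, sizeof path);
    printf("%zu sample records; last: usn=%lld reason=0x%08x %s\n",
           n, (long long)last.usn, (unsigned)last.reason, path);
#ifdef _WIN32
    { static uint8_t buf[65536]; static dir_ent t[4096]; size_t nt = 0; DWORD got = 0;
      if (read_live_journal(L"\\\\.\\C:", buf, sizeof buf, &got))
          printf("%zu live records on C:\n", usn_walk(buf, got, t, &nt, 4096, &last)); }
#endif
    return 0;
}
```

The parser copies every field with memcpy and checks RecordLength, FileNameOffset and FileNameLength against the buffer before touching the name, because a journal buffer is untrusted input as far as the reader is concerned. The path lookup only succeeds when every ancestor is in the table; on a real volume that table is built by enumerating the MFT with FSCTL_ENUM_USN_DATA rather than by walking the directory tree with open handles, which is the cheap alternative to the 'Path detail' search described above.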
System Requirements: No special requirements.
Program Release Status: Minor Update
Program Install Support: Install and Uninstall