Enum USN Journal Data RRS feed

  • Question

  • I was looking for a way to keep a relationship of files on an NTFS volume to entries in a database using the USN Journal. FileReferenceNumber was not reliable, understandably, but setting and ObjectId on a file is not either. It is for most files, but in looking at the change journal, some applications, like Microsoft Word/Excel, do multiple file creates, extends, delete original files, rename an existing working file to the old name. When this happens, I would have to track many things in memory at once to correlate which events went to which original file. Is there a better way to correlate USN journal entries and keep file references intact?

    This may be the wrong forum to ask this, but what I am doing is closer to the WDK than it is to desktop or server development so I thought I would give it a shot. The minfilter driver works for this, but it becomes quite complex to, USN journal APIs for NTFS are fast and a bit simpler, even if I have to do a lot of context tracking and correlation of entries to original files.

    If you know of a guide for tracking and correlating journal entries, passing that along is welcome as well.


    Thursday, July 10, 2014 2:45 AM