NTFS Change Journals

Hi,

I am new to Windows-related code in C++.

Currently, I wish to monitor my system for modified files using NTFS Change Journals. I tried to query the journal data (using DeviceIoControl) and get the modified file details. I need some clarification on the following points.

1. Is there a way to search for notifications for a particular folder (say only My Documents and My Pictures) or particular file types (say jpg, doc, etc.)?
2. Is there a way to search only recent modifications (say for the past 1 day or 5 hrs, etc.)?
3. If my application creates a journal for a volume and is then stopped, can I, when it is restarted, monitor the changes made during the period when my application was not running? (I tried it; it seems I can't do it.)
4. If I modify a file present under 'D:/Testing/Test.txt', it seems the usn_record 'ParentFileReferenceNumber' is for D: and the 'FileReferenceNumber' is for the particular file 'Test.txt'. But I think the 'ParentFileReferenceNumber' should be for 'D:/Testing' and the 'FileReferenceNumber' should be for 'Test.txt'. For this, I have called CreateFile() for the '\\.\D:' location. Am I doing anything wrong?
5. Shall I use fsutil for my purpose?

Could anyone please clarify my queries and point me in the right direction? Also, if possible, please point me to a relevant help document or URL so I can proceed further.

Thanks in Advance.

Regards,
Rahul.

I think you can find something useful in directory management functions like:
FindFirstChangeNotification


it has notifications like:
FILE_NOTIFY_CHANGE_FILE_NAME
FILE_NOTIFY_CHANGE_ATTRIBUTES
FILE_NOTIFY_CHANGE_SIZE


And some more. Have a look.

Hi,

Thanks for your reply.

I believe FindFirstChangeNotification will send notifications immediately once a file is added/modified. If a lot of files are modified continuously, our code will also run continuously to note down the modifications.

When considering NTFS Change Journals, we don't need to monitor continuously. Say we can read the journal at an interval of 5 minutes and get the modifications made during those 5 minutes.

I hope that for reading NTFS Change Journals, we don't need the FindFirstChangeNotification function.

Please correct me, if I am wrong.

Using FSCTL_READ_USN_JOURNAL I have got all the modified journal details for a volume. But I need to use the same for particular directories.


Appreciate your replies.

Thanks. Any comments on this?

Regards,
Rahul.

I have not used these functions, but I knew there is something like that.
I think when you get the handle for the device, is it possible that you get a handle for the directory you are trying to get the journal details for?

The process is this:
call CreateFile(); // here, can we get the handle of the directory instead of the device/drive?
call DeviceIoControl
keep getting details.


These are just my ideas and I have never tried these.

Thanks for your reply.

I can only create a handle for the volume and I could not create a handle for the particular folder. Anyway, I will try some other directory monitoring techniques.

Regards,
Rahul.
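Filtering the volume-wide journal down to one directory, as an added example that is not from this thread: the volume handle stays as it is, and each USN_RECORD_V2's ParentFileReferenceNumber is compared against the target directory's own file reference number (GetFileInformationByHandle on a directory handle opened with FILE_FLAG_BACKUP_SEMANTICS returns it in nFileIndexHigh/nFileIndexLow), with a FILETIME cutoff for the "recent modifications only" case. The Windows struct is redeclared locally so the parsing compiles and runs off Windows; the buffer, file reference numbers and timestamps are constructed, and the Change struct and function names are the example's own.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
struct UsnRecordV2 {   // same field order/sizes as USN_RECORD_V2 in <winioctl.h>: 60-byte header
    uint32_t RecordLength; uint16_t MajorVersion, MinorVersion;
    uint64_t FileReferenceNumber, ParentFileReferenceNumber; int64_t Usn, TimeStamp; // FILETIME ticks
    uint32_t Reason, SourceInfo, SecurityId, FileAttributes; uint16_t FileNameLength, FileNameOffset;
};
struct Change { uint64_t frn; int64_t usn, time; uint32_t reason; std::u16string name; };

// Walk a buffer as DeviceIoControl(FSCTL_READ_USN_JOURNAL) fills it: 8-byte "next USN"
// header, then 8-byte-aligned variable-length records. Keep records whose parent is the
// directory with file reference number dirFrn and whose TimeStamp >= notBefore. Persist
// nextUsn and pass it as StartUsn next time to pick up changes made while not running.
std::vector<Change> filterUsnBuffer(const uint8_t* buf, size_t len, uint64_t dirFrn,
                                    int64_t notBefore, int64_t* nextUsn) {
    std::vector<Change> out;
    if (len < 8) return out;
    std::memcpy(nextUsn, buf, 8);
    for (size_t off = 8; off + 60 <= len;) {
        UsnRecordV2 r; std::memcpy(&r, buf + off, 60);                 // no alignment assumptions
        if (r.RecordLength < 60 || off + r.RecordLength > len) break;  // truncated/corrupt record
        if (r.ParentFileReferenceNumber == dirFrn && r.TimeStamp >= notBefore &&
            r.FileNameOffset + r.FileNameLength <= r.RecordLength) {   // name must stay in-record
            std::u16string name(r.FileNameLength / 2, u'\0');
            std::memcpy(&name[0], buf + off + r.FileNameOffset, r.FileNameLength);
            out.push_back({r.FileReferenceNumber, r.Usn, r.TimeStamp, r.Reason, name});
        }
        off += r.RecordLength;
    }
    return out;
}
// Constructed sample buffer (not captured journal output) laid out as the kernel would:
// three records, two under directory FRN 0x20, one of those with an old timestamp.
static void appendRecord(std::vector<uint8_t>& b, uint64_t frn, uint64_t parent, int64_t usn,
                         int64_t time, uint32_t reason, const std::u16string& n) {
    UsnRecordV2 r{}; r.MajorVersion = 2; r.FileReferenceNumber = frn; r.Usn = usn;
    r.ParentFileReferenceNumber = parent; r.TimeStamp = time; r.Reason = reason;
    r.FileNameLength = (uint16_t)(n.size() * 2); r.FileNameOffset = 60;
    r.RecordLength = ((uint32_t)(60 + r.FileNameLength) + 7u) & ~7u;  // pad to 8 bytes
    size_t start = b.size(); b.resize(start + r.RecordLength, 0);
    std::memcpy(&b[start], &r, 60); std::memcpy(&b[start + 60], n.data(), r.FileNameLength);
}
std::vector<uint8_t> sampleBuffer() {
    std::vector<uint8_t> b(8, 0); int64_t next = 5000; std::memcpy(&b[0], &next, 8);
    appendRecord(b, 0x1001, 0x20, 4000, 132000000000000000LL, 0x2 /*DATA_EXTEND*/, u"Test.txt");
    appendRecord(b, 0x1002, 0x30, 4100, 132000000000000000LL, 0x2, u"other.log");
    appendRecord(b, 0x1003, 0x20, 4200, 131000000000000000LL, 0x80000000 /*CLOSE*/, u"old.jpg");
    return b;
}
```

On a real volume, the same walk runs over the buffer DeviceIoControl returns, and a per-extension filter is just a suffix check on each Change's name.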