


Detecting Changes on a Volume: A Detailed Solution
To detect file deletions, modifications, and creations on an NTFS volume, you can use the FSCTL_ENUM_USN_DATA control code, issued through DeviceIoControl on a volume handle. This approach offers several advantages:
- Fast Enumeration: It scans the volume efficiently, returning records only for files that currently exist, at a rate of over 6000 records per second.
- Detailed Information: It provides comprehensive data, including file flags and USNs, enabling precise change detection methods.
- Hierarchical File Data: By matching parent IDs with file IDs, you can reconstruct the complete file path for each detected file.
Implementation Steps:
- Enumerate Files: Use FSCTL_ENUM_USN_DATA to retrieve records for all existing files.
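- Identify Changes: Analyze the file flags and USNs to determine which files have been modified, created, or deleted. Because the enumeration returns only files that currently exist, a deletion shows up as a file ID that was present in an earlier enumeration and is missing from the current one.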
- Reconstruct File Paths: Match parent IDs with file IDs to obtain the full paths of the affected files.
An example C program demonstrating this approach is provided below. It searches for files named "test.txt" and prints the fields of each matching record along with the name of its parent directory:
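<code class="c++">#include <windows.h>
#include <stdio.h>

#define BUFFER_SIZE (1024 * 1024)

int main(void)
{
    // Opening a volume handle needs administrator rights and OPEN_EXISTING
    HANDLE drive = CreateFileW(L"\\\\?\\c:", GENERIC_READ,
                               FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                               OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL);
    if (drive == INVALID_HANDLE_VALUE) {
        printf("CreateFile failed: %lu\n", GetLastError());
        return 1;
    }

    // Two buffers: the parent lookup must not overwrite the records being walked
    void *buffer = VirtualAlloc(NULL, BUFFER_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    void *parent_buffer = VirtualAlloc(NULL, BUFFER_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (buffer == NULL || parent_buffer == NULL) {
        printf("VirtualAlloc failed\n");
        CloseHandle(drive);
        return 1;
    }

    USN_JOURNAL_DATA journal;
    DWORD bytecount;
    DWORDLONG filecount = 0;

    // Query USN journal for information (the output is USN_JOURNAL_DATA, not a bare USN)
    if (DeviceIoControl(drive, FSCTL_QUERY_USN_JOURNAL, NULL, 0,
                        &journal, sizeof(journal), &bytecount, NULL)) {
        // The V0 input structure makes the output records USN_RECORD (version 2)
        MFT_ENUM_DATA_V0 mft_enum_data;
        mft_enum_data.StartFileReferenceNumber = 0;
        mft_enum_data.LowUsn = 0;
        mft_enum_data.HighUsn = journal.MaxUsn;

        for (;;) {
            if (!DeviceIoControl(drive, FSCTL_ENUM_USN_DATA, &mft_enum_data, sizeof(mft_enum_data),
                                 buffer, BUFFER_SIZE, &bytecount, NULL)) {
                // ERROR_HANDLE_EOF marks the normal end of the enumeration
                if (GetLastError() != ERROR_HANDLE_EOF)
                    printf("FSCTL_ENUM_USN_DATA failed: %lu\n", GetLastError());
                break;
            }

            // The buffer starts with the next file ID to resume from, then the records
            DWORDLONG nextid = *((DWORDLONG *)buffer);
            USN_RECORD *record = (USN_RECORD *)((USN *)buffer + 1);
            USN_RECORD *recordend = (USN_RECORD *)(((BYTE *)buffer) + bytecount);

            while (record < recordend) {
                filecount++;
                // File names are not NUL-terminated; FileNameLength is in bytes
                WCHAR *filename = (WCHAR *)(((BYTE *)record) + record->FileNameOffset);
                int namechars = (int)(record->FileNameLength / sizeof(WCHAR));

                if (namechars == 8 && wcsncmp(filename, L"test.txt", 8) == 0) {
                    printf("=================================================================\n");
                    printf("RecordLength: %lu\n", record->RecordLength);
                    printf("MajorVersion: %lu\n", (DWORD)record->MajorVersion);
                    printf("MinorVersion: %lu\n", (DWORD)record->MinorVersion);
                    printf("FileReferenceNumber: %llu\n", record->FileReferenceNumber);
                    printf("ParentFRN: %llu\n", record->ParentFileReferenceNumber);
                    printf("USN: %lld\n", record->Usn);
                    printf("Timestamp: %lld\n", record->TimeStamp.QuadPart);
                    printf("Reason: %lu\n", record->Reason);
                    printf("SourceInfo: %lu\n", record->SourceInfo);
                    printf("SecurityId: %lu\n", record->SecurityId);
                    printf("FileAttributes: %lx\n", record->FileAttributes);
                    printf("FileNameLength: %lu\n", (DWORD)record->FileNameLength);
                    printf("FileName: %.*ls\n", namechars, filename);

                    // Reconstruct file path by matching parent file reference numbers:
                    // restart the enumeration at the parent's file reference number
                    MFT_ENUM_DATA_V0 parent_enum = mft_enum_data;
                    DWORD parent_bytes;
                    parent_enum.StartFileReferenceNumber = record->ParentFileReferenceNumber;
                    if (DeviceIoControl(drive, FSCTL_ENUM_USN_DATA, &parent_enum, sizeof(parent_enum),
                                        parent_buffer, BUFFER_SIZE, &parent_bytes, NULL)
                        && parent_bytes > sizeof(USN)) {
                        USN_RECORD *parent_record = (USN_RECORD *)((USN *)parent_buffer + 1);
                        if (parent_record->FileReferenceNumber == record->ParentFileReferenceNumber) {
                            printf("Parent File:\n");
                            printf("=================================================================\n");
                            printf("FileName: %.*ls\n",
                                   (int)(parent_record->FileNameLength / sizeof(WCHAR)),
                                   (WCHAR *)(((BYTE *)parent_record) + parent_record->FileNameOffset));
                        }
                    }
                }
                record = (USN_RECORD *)(((BYTE *)record) + record->RecordLength);
            }
            mft_enum_data.StartFileReferenceNumber = nextid;
        }
        printf("Total Files: %llu\n", filecount);
    } else {
        printf("FSCTL_QUERY_USN_JOURNAL failed: %lu\n", GetLastError());
    }

    VirtualFree(parent_buffer, 0, MEM_RELEASE);
    VirtualFree(buffer, 0, MEM_RELEASE);
    CloseHandle(drive);
    return 0;
}</code>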
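The "Identify Changes" and "Reconstruct File Paths" steps, as an added example that is not part of the original page: it compares two snapshots of enumerated records by file ID and USN, then rebuilds a path by following parent IDs. The Entry struct, the snapshot arrays and the function names are assumptions made for illustration, and the records are constructed sample data, so the code is portable C that runs without a volume handle.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields kept per enumerated record: a simplified stand-in, not USN_RECORD itself. */
typedef struct { uint64_t frn, parent; int64_t usn; const char *name; } Entry;
enum Change { UNCHANGED, CREATED, MODIFIED, DELETED };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample snapshots; entry 5 models the root (it is its own parent). */
static const Entry PREV[] = {
    {5, 5, 0, ""}, {40, 5, 100, "logs"}, {41, 40, 120, "test.txt"}, {42, 5, 130, "old.cfg"} };
static const Entry CURR[] = {
    {5, 5, 0, ""}, {40, 5, 100, "logs"}, {41, 40, 310, "test.txt"}, {43, 40, 305, "new.bin"} };

static const Entry *find(const Entry *s, size_t n, uint64_t frn) {
    for (size_t i = 0; i < n; i++) if (s[i].frn == frn) return &s[i];
    return NULL;
}

/* Compare one file reference number across the two snapshots. */
enum Change classify(uint64_t frn) {
    const Entry *a = find(PREV, COUNT(PREV), frn), *b = find(CURR, COUNT(CURR), frn);
    if (!b) return a ? DELETED : UNCHANGED;   /* absent from the current enumeration */
    if (!a) return CREATED;                   /* file ID not present before */
    return a->usn != b->usn ? MODIFIED : UNCHANGED;
}

/* Follow parent IDs to the root; -1 on broken chain, depth over 64, or short buffer. */
int build_path(const Entry *s, size_t n, uint64_t frn, char *out, size_t cap) {
    const Entry *chain[64], *e = find(s, n, frn);
    size_t depth = 0, used = 0;
    for (; e && e->parent != e->frn && depth < 64; e = find(s, n, e->parent))
        chain[depth++] = e;                   /* leaf first, root-most last */
    if (!e || e->parent != e->frn || cap == 0) return -1;
    out[0] = '\0';
    while (depth-- > 0) {                     /* emit from the root downwards */
        int w = snprintf(out + used, cap - used, "\\%s", chain[depth]->name);
        if (w < 0 || (size_t)w >= cap - used) return -1;   /* would truncate */
        used += (size_t)w;
    }
    return 0;
}

int main(void) {
    char p[260] = "?";
    build_path(CURR, COUNT(CURR), 41, p, sizeof p);
    printf("%d %s\n", (int)classify(41), p);
    return 0;
}
```

A deleted file's path has to be rebuilt from the earlier snapshot, since neither it nor possibly its parent exists in the current one. A changed USN means some journaled change was recorded for the file, which includes renames and attribute changes as well as content writes.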