How to Efficiently Detect File Changes on NTFS Volumes with FSCTL_ENUM_USN_DATA?

Detecting File Changes on NTFS Volumes

Q: How can I efficiently detect only the deleted, changed, and created files on an NTFS volume?

A: You can use the FSCTL_ENUM_USN_DATA function to enumerate all files on a volume. This function provides a list of file records that includes the file's flags and USNs, allowing you to quickly identify changes.

Implementation Details:

The code sample provided utilizes FSCTL_ENUM_USN_DATA to retrieve the file records, filtering for changes and displaying relevant information.

<code class="c++">#include <Windows.h>
#include <stdio.h>

// ...

void check_record(USN_RECORD *record)
{
    // Check for specific file name or criteria
    // ...

    show_record(record);
}

int main(int argc, char ** argv)
{
    // Initialize variables
    // ...

    for (;;)
    {
        // Call FSCTL_ENUM_USN_DATA to get file records
        // ...

        record = (USN_RECORD *)((USN *)buffer + 1);
        recordend = (USN_RECORD *)(((BYTE *)buffer) + bytecount);

        while (record < recordend)
        {
            filecount++;

            check_record(record);

            record = (USN_RECORD *)(((BYTE *)record) + record->RecordLength);
        }

        mft_enum_data.StartFileReferenceNumber = nextid;
    }

    // ...
}</code>

Additional Notes:

• FSCTL_ENUM_USN_DATA is a fast method that only returns information about existing files.
• To obtain complete file paths, you can match parent IDs with file IDs of directories.
• Consider caching data returned by FSCTL_ENUM_USN_DATA for improved performance.
• FSCTL_ENUM_USN_DATA should be called regularly to capture changes made since the last scan.

The above is the detailed content of How to Efficiently Detect File Changes on NTFS Volumes with FSCTL_ENUM_USN_DATA?. For more information, please follow other related articles on the PHP Chinese website!