
"update sequence number" (USN) journal query



REM needs to be at admin level

C:\Windows\System32>fsutil usn queryJournal C:
Usn Journal ID   : 0x01dae33ae0040fbb
First Usn        : 0x000000000b000000
Next Usn         : 0x000000000d114440
Lowest Valid Usn : 0x0000000000000000
Max Usn          : 0x00000fffffff0000
Maximum Size     : 0x0000000002000000 (32.0 MB)
Allocation Delta : 0x0000000000800000 ( 8.0 MB)
Minimum record version supported : 2
Maximum record version supported : 4
Write range tracking: Disabled

...and that is how you get the "marker" for a point in time from "Next Usn" (0x000000000d114440).
Then you can start reading events from there on forward:

C:\Windows\System32>fsutil usn readJournal C: startUsn=0x000000000d114440 csv
USN Journal ID    : 0x01dae33ae0040fbb
First USN         : 184549376
Next USN          : 219260800
Start USN         : 219235392
Min major version : Supported=2, requested=2
Max major version : Supported=4, requested=4

Usn,File name,File name length,Reason #,Reason,Time stamp,File attributes #,File attributes,File ID,Parent file ID,Source info #,Source info,Security ID,Major version,Minor version,Record length,Number of extents,Remaining extents,Extent,Offset,Length
219235392,"SRU.chk",14,0x00000001,"Data overwrite","8/18/2024 10:00:19",0x00000020,"Archive",0000000000000000000100000001d287,000000000000000000010000000014f0,0x00000000,"*NONE*",0,3,0,96
219235472,"SRU.chk",14,0x80000001,"Data overwrite | Close","8/18/2024 10:00:19",0x00000020,"Archive",0000000000000000000100000001d287,000000000000000000010000000014f0,0x00000000,"*NONE*",0,3,0,96
219235552,"SRUDB.dat",18,0x00000001,"Data overwrite","8/18/2024 10:00:19",0x00000020,"Archive",0000000000000000000100000001d289,000000000000000000010000000014f0,0x00000000,"*NONE*",0,3,0,96

Reading the journal from that point in time until now (the time of execution). Excellent idea to back up files between the last time (the "Next Usn" we got at a prior time) and now.

It gives you a bunch of information about every file action, but to get the full path you'll have to add the "Parent file ID" file name.

C:\Windows\System32>fsutil file queryFileNameById C: 0x000000000000000000010000000014f0
A random link name to this file is \\?\C:\Windows\System32\sru

...and I say get the parent file ID, to get the folder where the file is, as it is cheaper (process-wise) to keep a list/array of prior "parent file ID" values than to call queryFileNameById on the file itself, which would give you the full path.

The above is my brainstorming for a way to backup daily. Now, let's get* the info we need from WinAPI using OpenFileById and GetFileInformationByHandleEx .

*I have no clue how. Or even if my train of thought is good.
Any and all help is deeply appreciated.
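
The workflow sketched in the post (take the "Next Usn" marker, read the journal forward, resolve each "Parent file ID" only once to build full paths) as an added Python example; this is not the poster's code. The CSV rows are the three records shown above, and the parent-ID resolver is passed in as a callable because fsutil needs an elevated Windows shell, so the block runs offline with a stand-in resolver.

```python
import csv
import io
from typing import Callable, Dict

# Constructed sample: the header plus the three records printed by
# "fsutil usn readJournal C: startUsn=... csv" in the post above.
SAMPLE_CSV = """Usn,File name,File name length,Reason #,Reason,Time stamp,File attributes #,File attributes,File ID,Parent file ID,Source info #,Source info,Security ID,Major version,Minor version,Record length,Number of extents,Remaining extents,Extent,Offset,Length
219235392,"SRU.chk",14,0x00000001,"Data overwrite","8/18/2024 10:00:19",0x00000020,"Archive",0000000000000000000100000001d287,000000000000000000010000000014f0,0x00000000,"*NONE*",0,3,0,96
219235472,"SRU.chk",14,0x80000001,"Data overwrite | Close","8/18/2024 10:00:19",0x00000020,"Archive",0000000000000000000100000001d287,000000000000000000010000000014f0,0x00000000,"*NONE*",0,3,0,96
219235552,"SRUDB.dat",18,0x00000001,"Data overwrite","8/18/2024 10:00:19",0x00000020,"Archive",0000000000000000000100000001d289,000000000000000000010000000014f0,0x00000000,"*NONE*",0,3,0,96
"""

USN_REASON_CLOSE = 0x80000000  # "Close" bit: the file's change set for this handle is complete

def parse_usn_csv(text: str):
    """Yield one dict per journal record, keeping only the fields the backup logic needs."""
    for row in csv.DictReader(io.StringIO(text)):  # data rows are shorter than the header; extras read as None
        yield {
            "usn": int(row["Usn"]),
            "name": row["File name"],
            "reason": int(row["Reason #"], 16),
            "file_id": row["File ID"],
            "parent_id": row["Parent file ID"],
        }

def folder_from_fsutil_output(output: str) -> str:
    """Extract the path from the 'A random link name to this file is \\\\?\\C:\\...' line fsutil prints."""
    prefix = "A random link name to this file is "
    line = next(l for l in output.splitlines() if l.startswith(prefix))
    path = line[len(prefix):].strip()
    return path[4:] if path.startswith("\\\\?\\") else path  # drop the \\?\ long-path prefix

def changed_files(records, resolve_parent: Callable[[str], str]) -> Dict[str, dict]:
    """Fold records into one entry per File ID, resolving each parent folder exactly once."""
    folder_cache: Dict[str, str] = {}  # parent file ID -> folder path (the "list of prior parent IDs")
    changed: Dict[str, dict] = {}
    for rec in records:
        if rec["parent_id"] not in folder_cache:
            folder_cache[rec["parent_id"]] = resolve_parent(rec["parent_id"])
        path = folder_cache[rec["parent_id"]] + "\\" + rec["name"]
        entry = changed.setdefault(rec["file_id"],
                                   {"path": path, "reasons": 0, "last_usn": 0, "closed": False})
        entry["reasons"] |= rec["reason"] & ~USN_REASON_CLOSE  # accumulate reason flags, minus Close
        entry["last_usn"] = max(entry["last_usn"], rec["usn"])  # highest USN seen = next run's marker
        entry["closed"] = bool(rec["reason"] & USN_REASON_CLOSE)
    return changed
```

On Windows, pass a resolver that runs the queryFileNameById command shown above for the given ID and feeds its output through folder_from_fsutil_output; files whose last record lacks the Close bit may still be open and are worth re-checking on the next run.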
