The API seems to be stable with MFT_ENUM_DATA & FSCTL_ENUM_USN_DATA because these entries exist, so it can always map the FileReference. However, the problem I had when using the API is with FSCTL_READ_USN_JOURNAL: it works great for almost every reason, but there are some problems using this approach for deleted items because, while it returns the FileRef, the actual file doesn't exist on disk. I tried to use the ParentRef instead and append the filename from the USN_RECORD. This also doesn't appear to work correctly if deleting an entire directory tree etc. I am using NtCreateFile w/ UNICODE_BUFFER, so this approach fails horribly because there is no way to map the id to the file because it doesn't exist anymore.
Did you experience similar troubles while using the API approach, or are you using a different API approach? It appears that even if you use the API approach you will still need a dictionary object anyway to handle such cases. It appears the dictionary approach you have implemented might be the best approach overall.
I didn't expect any response but I am grateful that you have responded. Thanks
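The dictionary approach the post refers to, worked through as an added example (this is not code from the original post or its author): a FileRef → (ParentRef, FileName) map is seeded from an MFT enumeration (what FSCTL_ENUM_USN_DATA would return) and updated from journal records (what FSCTL_READ_USN_JOURNAL would return), so a deleted file's full path is taken from the map at the moment its delete record is processed, when the on-disk file is already gone. The `UsnRecord` class, `PathResolver` class and all MFT entries and records below are constructed sample data; no Windows API is called, and the USN_REASON_* values are the winioctl.h constants.

```python
"""Dictionary-based path resolution for NTFS change journal records (added example).

Keeps a FileRef -> (ParentRef, FileName) map seeded from an MFT enumeration and
updated from USN records, so a deleted file's path can still be resolved when its
delete record arrives. All entries and records are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# USN_REASON_* flag values as defined in winioctl.h.
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE = 0x80000000

# MFT record 5 is the volume root directory on NTFS.
ROOT_REF = 5


@dataclass(frozen=True)
class UsnRecord:
    """Subset of USN_RECORD fields needed for path resolution (hypothetical class)."""
    usn: int
    file_ref: int      # FileReferenceNumber
    parent_ref: int    # ParentFileReferenceNumber
    reason: int        # Reason bitmask
    file_name: str     # FileName


class PathResolver:
    def __init__(self, mft_entries: Dict[int, Tuple[int, str]]):
        # Key on the full 64-bit reference (record number plus sequence number) so a
        # reused MFT record with a new sequence number never collides with the stale
        # entry of a deleted file. The sample uses small ints for readability.
        self.entries: Dict[int, Tuple[int, str]] = dict(mft_entries)

    def resolve(self, file_ref: int) -> Optional[str]:
        """Walk parent links up to the root; None if any link is missing."""
        parts: List[str] = []
        seen = set()
        ref = file_ref
        while ref != ROOT_REF:
            if ref in seen or ref not in self.entries:
                return None
            seen.add(ref)
            ref, name = self.entries[ref]
            parts.append(name)
        return "\\" + "\\".join(reversed(parts))

    def apply(self, rec: UsnRecord) -> Optional[str]:
        """Update the map from one journal record and return the affected path."""
        if rec.reason & USN_REASON_FILE_DELETE:
            # Resolve first: the file is already gone from disk, and once the entry
            # is dropped the FileRef can no longer be mapped to anything.
            path = self.resolve(rec.file_ref)
            if path is None:
                # Entry missing (e.g. journal gap): fall back to ParentRef + record name.
                parent = self.resolve(rec.parent_ref)
                path = parent.rstrip("\\") + "\\" + rec.file_name if parent else None
            self.entries.pop(rec.file_ref, None)
            return path
        if rec.reason & (USN_REASON_FILE_CREATE | USN_REASON_RENAME_NEW_NAME):
            # Creates and new-name renames carry the current name and parent.
            self.entries[rec.file_ref] = (rec.parent_ref, rec.file_name)
        # Old-name rename records (and everything else) resolve from current state.
        return self.resolve(rec.file_ref)


def replay_sample() -> List[Optional[str]]:
    """Seed the map from a constructed MFT enumeration and replay constructed records."""
    mft = {
        100: (ROOT_REF, "Users"),
        101: (100, "alice"),
        102: (101, "Documents"),
        103: (102, "notes.txt"),
        104: (102, "draft.txt"),
    }
    # Deleting a tree: a directory cannot be removed while non-empty, so the child
    # delete records precede the parent's and each still finds its chain in the map.
    records = [
        UsnRecord(1, 103, 102, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "notes.txt"),
        UsnRecord(2, 104, 102, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "draft.txt"),
        UsnRecord(3, 102, 101, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "Documents"),
        UsnRecord(4, 105, 101, USN_REASON_FILE_CREATE, "new.txt"),
        UsnRecord(5, 105, 101, USN_REASON_RENAME_OLD_NAME, "new.txt"),
        UsnRecord(6, 105, 101, USN_REASON_RENAME_NEW_NAME, "renamed.txt"),
    ]
    resolver = PathResolver(mft)
    return [resolver.apply(r) for r in records]


def lookup_after_delete() -> Optional[str]:
    """The failure mode from the post: resolving a deleted FileRef after the fact."""
    resolver = PathResolver({100: (ROOT_REF, "Users"), 103: (100, "gone.txt")})
    resolver.apply(UsnRecord(1, 103, 100, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "gone.txt"))
    return resolver.resolve(103)  # None: nothing left to map the id to, as on disk


if __name__ == "__main__":
    for path in replay_sample():
        print(path)
    print(lookup_after_delete())
```

The point of `apply` is ordering: the path is read out of the map before the delete is applied to it, which is exactly what an after-the-fact lookup by FileRef (whether against the live volume or against the already-updated map) can no longer do. In a forensic pipeline the same map also lets you attribute a delete record to its full path long after the MFT slot has been reused.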