USN_RECORDS return only FileNames this is to reserve as much space possible in the change log. You can map (fileReference) or (ParentFileReference) to complete paths using API. This approach is so much easier to use than keeping a database or enumerating the directories and walking the chain to get the full path.
Just briefly overlooking the code are you allocating all the directories,fileRef,ParentRef information on the system into a dictionary and then maintaining the dictionary object as an alternative to using a database? This seems like a really great approach but if you use the API you never need to enumerate or maintain this dictionary.
How effecient would this be for storing such information in a Dictionary object considering a volume can have alot of files/directories present?
There is some special consideration that needs to be handled when working with (Deleted) items specifically.
It would be great to see some performance in routines to see which is the better approach to use. That is use the API approach or using the Dictionary approach to walk the chain. It would be great to get some real performance numbers.
Let me know if interested.
↧
Reading MFT
↧