Reading MFT
Since WindowsNT when Microsoft first released NTFS, a journaling file system, I've had a fascination with the USN Journal. I worked on the Primos operating system at Prime Computer and have always...
View ArticleReading MFT
Thanks Erik,This is highly interesting.I am trying to read and manipulate the MFT and thus what i understand from what you wrote, the journal and the logs, from direct raw read/write with use of the...
View ArticleReading MFT
The change journal works on all NTFS volumes 3.1 and above this means any NTFS volume on Windows 2000 and above. Enumerating the MFT is good but reading the changes is even better because it makes for...
View ArticleReading MFT
this is so coooooooooooland it worksthanks a lot StCroixSkipperyou really make my daynow i need to get deeper into the MFT in conjunction with the codeon what OS is this compatible i wonder actuallythe...
View ArticleReading MFT
The API seems to be stable with MFT_ENUM_DATA & FSCTL_ENUM_USN_DATA because these entries exists so it can always map the FileReference. However the problem I had when using the API is with...
View ArticleReading MFT
I've actually done it both ways. Given a File Reference Number you can to full path. I used Dictionary in this case because it has the advantage of being faster but it certainly takes up more memory....
View ArticleReading MFT
USN_RECORDS return only FileNames this is to reserve as much space possible in the change log. You can map (fileReference) or (ParentFileReference) to complete paths using API. This approach is so much...
View ArticleReading MFT
I think I've figured out how to use it reliably. Have found solution for .NET?
View ArticleReading MFT
Hi StCroixSkipper . First of all i would like to thank you for this post. It helped me a lot in my project. And I'm really interested in using USN from c#! I'm currently investigating this question to,...
View ArticleReading MFT
Hey guys, great thread and especially great snippets!Currently I am working on an application that basically has to be able to undelete data from both NTFS and FAT32 drives.I've started working on the...
View ArticleReading MFT
StCroixSkipper said:Is anyone interested in using the USN Journal from C#?Sure I am. What do you have in your sleeve?AlexB
View ArticleReading MFT
Thanks Skipper. It's an embarrassing oversight. It was correct at one point but then I refactored it manually and apparently goofed up. Anyhow, now it seems to be working but I am getting an error:...
View ArticleReading MFT
Just looking at your code ...private Dictionary<UInt64, FileNameAndFrn> directories_ = newDictionary<ulong, FileNameAndFrn> ( );publicDictionary<UInt64, FileNameAndFrn> directories{...
View ArticleReading MFT
Skipper, I finally got it compiled. Your last comment opened my eyes on the relationships. Now I am getting a runtime stack overflow error on this statement:privateDictionary<UInt64,...
View ArticleReading MFT
Glad it works for you. I like your name change mft. It makes sense. Then next challenge is to use the change journal to identify changes to the volume without doing a findfirst/findnext for the...
View ArticleReading MFT
Garethbradley, welcome to the fray. I feel you've resolved the last remaining issue I've struggled with but you also introduced a new mystery. What is MFT.cs file with MFT class in it? Is it something...
View ArticleReading MFT
StCroixSkipper, Can I say a big thank you! It took a bit of work, but I came up with the following:PInvokeWin32.cs - as described on Page 1 of this thread.Log.cs - A quick Log class that writes out a...
View Article