Reading MFT
I'm not sure I understand your comment. The DeviceIoControl() with FSCTL_READ_USN_JOURNAL reads the raw bytes of the journal.bool bRtn = Win32Api.DeviceIoControl(...
View ArticleReading MFT
Me too i'm following this ...highly interesting what i'm wondering is why not read the raw mft sectors of the volume and convert those bits and bytes... i guess that's even the fastest possible?i want...
View ArticleReading MFT
Also, I have another interest. I've written code to use the Volume Shadowcopy Service (VSS) to create shadowcopies of volumes to enable backup up open files and applications like Exchange. I would...
View ArticleReading MFT
I found 'OpenFileById' and 'GetFileInformationByHandleEx' in Kernel32.dll and it says "WinBase.h (include Windows.h), FileExtd.h on Windows Server 2003 and Windows XP".So it appears we could get it to...
View ArticleReading MFT
Here is a very small example of using the PathFromFrn() to enumerate the MFT with path information. What I did was use ParentFileReference and append the filename.BTW: It will be slow if you output to...
View ArticleReading MFT
Your friend is absolutely on the right track and correct however they are basically doing the same thing as the above snippet I posted. The only difference is that the example I posted shouldn't be...
View ArticleReading MFT
This is a suggestion from a friend of mine, Rick Winter. Check out this link: http://msdn.microsoft.com/en-us/library/aa364953(v=VS.85).aspx You need to open the file by ID...
View ArticleReading MFT
I don't have much background with the VSS services. I wouldn't be able to help with this feature. I do have background with basic backup routines such as BackupRead() BackupWrite() allowing reading and...
View ArticleReading MFT
The Base class is completley fine. The only thing I would change is to remove things that can already be done with the .NET framework and keep the focus directly on the Change Journal. The class should...
View ArticleReading MFT
Also, I have another interest. I've written code to use the Volume Shadowcopy Service (VSS) to create shadowcopies of volumes to enable backup up open files and applications like Exchange. I would...
View ArticleReading MFT
Erik,No problem converting your code to C#. I should have known it was an Nt-funtion.With that out of the way, what do you think about the interface so far? I could implement this quickly and we'd at...
View ArticleReading MFT
Hi StCroixSkipper,I have posted about your issue with obtaining the filename from the filereference number. Did you see the post or do you have an issue with converting it to c# code?What I meant by...
View ArticleReading MFT
Since the data is stored in the USN Journal and the user simply provides the state of the USN Journal when he last requested information from it, I don't think there is a thread safety issue. This...
View ArticleReading MFT
Well it looks like my editing removed what I had replied. In any case CodePlex would be a good start but one first need to have a basis project that works before publishing it on CodePlex. You can...
View ArticleReading MFT
Private Const FILE_FLAG_BACKUP_SEMANTICS = &H2000000 Private Const FileNameInformationClass = 9 Private Const FILE_OPEN_FOR_BACKUP_INTENT = &H4000 Private Const FILE_OPEN_BY_FILE_ID =...
View ArticleReading MFT
Private Function PathFromFrn(ByVal Id As Long) As String Dim fOk As Integer Dim FileName As String = String.Empty Dim UnicodeString As UNICODE_STRING Dim ObjAttributes As OBJECT_ATTRIBUTES Dim...
View ArticleReading MFT
Also, I know there is an api to get a filename given a 64-bit file reference number. I've used it in C++ before. But for the life of me, I can't find it today. I really want to get rid of the memory...
View ArticleReading MFT
Here are my ideas for the public interface for a UsnJournal object.I want to hide the complexity of dealing with the Usn Journal as much as possible without hiding too much.I can write the code so that...
View ArticleReading MFT
That 4 bytes of padding drove me crazy for a week until I found your post.I would welcome any and all input! The more input and review the better. What is the consensus? Should we create a new thread?...
View ArticleReading MFT
Good Work StCroixSkipper... When you mentioned the padding of the 4bytes for the DELETE_USN_JOURNAL_DATA Structure. I think you may have found my post on the documentation here...
View Article