Reading MFT
Also, I have another interest. I've written code to use the Volume Shadowcopy Service (VSS) to create shadowcopies of volumes to enable backup up open files and applications like Exchange. I would...
View ArticleReading MFT
Erik,No problem converting your code to C#. I should have known it was an Nt-funtion.With that out of the way, what do you think about the interface so far? I could implement this quickly and we'd at...
View ArticleReading MFT
Hi StCroixSkipper,I have posted about your issue with obtaining the filename from the filereference number. Did you see the post or do you have an issue with converting it to c# code?What I meant by...
View ArticleReading MFT
Since the data is stored in the USN Journal and the user simply provides the state of the USN Journal when he last requested information from it, I don't think there is a thread safety issue. This...
View ArticleReading MFT
Well it looks like my editing removed what I had replied. In any case CodePlex would be a good start but one first need to have a basis project that works before publishing it on CodePlex. You can...
View ArticleReading MFT
Private Const FILE_FLAG_BACKUP_SEMANTICS = &H2000000 Private Const FileNameInformationClass = 9 Private Const FILE_OPEN_FOR_BACKUP_INTENT = &H4000 Private Const FILE_OPEN_BY_FILE_ID =...
View ArticleReading MFT
Private Function PathFromFrn(ByVal Id As Long) As String Dim fOk As Integer Dim FileName As String = String.Empty Dim UnicodeString As UNICODE_STRING Dim ObjAttributes As OBJECT_ATTRIBUTES Dim...
View ArticleReading MFT
Also, I know there is an api to get a filename given a 64-bit file reference number. I've used it in C++ before. But for the life of me, I can't find it today. I really want to get rid of the memory...
View ArticleReading MFT
Here are my ideas for the public interface for a UsnJournal object.I want to hide the complexity of dealing with the Usn Journal as much as possible without hiding too much.I can write the code so that...
View ArticleReading MFT
That 4 bytes of padding drove me crazy for a week until I found your post.I would welcome any and all input! The more input and review the better. What is the consensus? Should we create a new thread?...
View ArticleReading MFT
Good Work StCroixSkipper... When you mentioned the padding of the 4bytes for the DELETE_USN_JOURNAL_DATA Structure. I think you may have found my post on the documentation here...
View ArticleReading MFT
It will be interesting to see who else chimes in... I'd like to get a community of folks who are interested in using the USN Journal an maybe post code and get it reviewed then make it...
View ArticleReading MFT
Skipper, you are a Juggernaut! One day a monument will be installed on St Creux shore. It will read: In memory of the great navigator who while sailing these waters crushed the most daunting problem in...
View ArticleReading MFT
The final post of source code...using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.IO; using PInvoke; using System.Runtime.InteropServices; using...
View ArticleReading MFT
Here is the code I promised. First the Win32Api class that has all the DllImports, the constants, etc to access the USN Journal:using System; using System.Collections.Generic; using System.Text; using...
View ArticleReading MFT
Since WindowsNT when Microsoft first released NTFS, a journaling file system, I've had a fascination with the USN Journal. I worked on the Primos operating system at Prime Computer and have always...
View ArticleReading MFT
Thanks Erik,This is highly interesting.I am trying to read and manipulate the MFT and thus what i understand from what you wrote, the journal and the logs, from direct raw read/write with use of the...
View ArticleReading MFT
The change journal works on all NTFS volumes 3.1 and above this means any NTFS volume on Windows 2000 and above. Enumerating the MFT is good but reading the changes is even better because it makes for...
View ArticleReading MFT
this is so coooooooooooland it worksthanks a lot StCroixSkipperyou really make my daynow i need to get deeper into the MFT in conjunction with the codeon what OS is this compatible i wonder actuallythe...
View ArticleReading MFT
The API seems to be stable with MFT_ENUM_DATA & FSCTL_ENUM_USN_DATA because these entries exists so it can always map the FileReference. However the problem I had when using the API is with...
View Article