NTFS Change Journals - Programmers Heaven



NTFS Change Journals


I am new to Windows-related code in C++.

Currently, I wish to monitor my system for modified files using NTFS Change Journals. I tried to query the journal data (using DeviceIoControl) and get the modified file details. I need some clarifications regarding the points below.

1. Is there a way to search notifications for a particular folder (say only My Documents and My Pictures) or particular file types (say jpg, doc, etc.)?
2. Is there a way to search only recent modifications (say for the past 1 day or 5 hrs, etc.)?
3. If my application creates a journal for a volume and then stops, can I monitor, the next time it restarts, the changes made during the period when my application was not running? (I tried it; it seems I can't do it.)
4. If I modify a file present under 'D:/Testing/Test.txt', it seems the usn_record 'ParentFileReferenceNumber' is for D: and the 'FileReferenceNumber' is for the particular file 'Test.txt'. But what I think is that the 'ParentFileReferenceNumber' should be for 'D:/Testing' and the 'FileReferenceNumber' should be for 'Test.txt'. For this, I have called CreateFile() for the '\\.\D:' location. Am I doing anything wrong?
5. Shall I use fsutil for my purpose?

Could anyone please clarify my queries and point me in the correct direction? Also, if possible, please point me to a relevant help document or URL so I can proceed further.

Thanks in Advance.
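Added example, not code from the original post or any reply: a portable C++ parser for the buffer that FSCTL_READ_USN_JOURNAL_DATA fills (USN_RECORD_V2 layout), followed by the filtering questions 1 and 2 ask about, run over constructed sample records. The DeviceIoControl read itself is assumed to have been done on Windows beforehand; the reference numbers, timestamps and file names here are made up.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
struct UsnRecord {                 // parsed USN_RECORD_V2, as FSCTL_READ_USN_JOURNAL_DATA returns it
    uint64_t fileRef, parentRef;   // FileReferenceNumber / ParentFileReferenceNumber
    int64_t usn, timeStamp;        // TimeStamp is a FILETIME (100 ns ticks since 1601-01-01)
    uint32_t reason;               // USN_REASON_* bit mask
    std::u16string name;           // FileName is UTF-16 and not NUL-terminated in the buffer
};
template <typename T> static T rd(const uint8_t* p) { T v; std::memcpy(&v, p, sizeof v); return v; }
template <typename T> static void wr(std::vector<uint8_t>& b, size_t at, T v) { std::memcpy(&b[at], &v, sizeof v); }
// Walk one read buffer: an 8-byte "next USN" (pass it as StartUsn on the next read), then records
// of RecordLength bytes each, 8-byte aligned. Stops at a truncated record or at a V3+ record,
// whose 128-bit reference numbers do not fit this layout.
std::vector<UsnRecord> parseUsnBuffer(const std::vector<uint8_t>& buf, int64_t& nextUsn) {
    std::vector<UsnRecord> out;
    if (buf.size() < 8) return out;
    nextUsn = rd<int64_t>(buf.data());
    for (size_t off = 8; off + 60 <= buf.size();) {
        const uint8_t* r = buf.data() + off;
        uint32_t len = rd<uint32_t>(r);
        uint16_t nameLen = rd<uint16_t>(r + 56), nameOff = rd<uint16_t>(r + 58);
        if (len < 60 || off + len > buf.size() || rd<uint16_t>(r + 4) != 2 || size_t(nameOff) + nameLen > len) break;
        UsnRecord rec{rd<uint64_t>(r + 8), rd<uint64_t>(r + 16), rd<int64_t>(r + 24),
                      rd<int64_t>(r + 32), rd<uint32_t>(r + 40), {}};
        for (uint16_t i = 0; i + 1 < nameLen; i += 2) rec.name.push_back(rd<uint16_t>(r + nameOff + i));
        out.push_back(rec);
        off += len;
    }
    return out;
}
// Questions 1 and 2 from the post: keep records whose parent is a given directory's reference
// number, whose name ends with `ext`, and whose TimeStamp is at or after `since` (FILETIME units).
std::vector<UsnRecord> filterRecords(const std::vector<UsnRecord>& recs, uint64_t parentRef,
                                     const std::u16string& ext, int64_t since) {
    std::vector<UsnRecord> out;
    for (const auto& r : recs)
        if (r.parentRef == parentRef && r.timeStamp >= since && r.name.size() >= ext.size() &&
            r.name.compare(r.name.size() - ext.size(), ext.size(), ext) == 0) out.push_back(r);
    return out;
}
// Builds one constructed V2 record (not real journal data) so the parser can be run offline.
std::vector<uint8_t> makeRecord(uint64_t frn, uint64_t parent, int64_t usn, int64_t ts,
                                uint32_t reason, const std::u16string& name) {
    uint32_t len = (60 + 2 * name.size() + 7) & ~size_t(7); std::vector<uint8_t> b(len, 0);  // 8-byte padded
    wr(b, 0, len); wr<uint16_t>(b, 4, 2); wr(b, 8, frn); wr(b, 16, parent); wr(b, 24, usn);
    wr(b, 32, ts); wr(b, 40, reason); wr<uint16_t>(b, 56, 2 * name.size()); wr<uint16_t>(b, 58, 60);
    for (size_t i = 0; i < name.size(); ++i) wr<uint16_t>(b, 60 + 2 * i, name[i]);
    return b;
}
```

On a real volume the same buffer comes from DeviceIoControl(hVolume, FSCTL_READ_USN_JOURNAL_DATA, ...) on a handle opened with CreateFile on "\\.\D:", and the returned "next USN" is what keeps successive reads from repeating records.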
