NTFS Change Journals

Hi,

I am new to Windows-related code in C++.

Currently, I wish to monitor my system for modified files using NTFS Change Journals. I tried to query the journal data (using DeviceIoControl) and get the modified file details. I need some clarification on the points below.

1. Is there a way to search notifications for a particular folder (say only My Documents and My Pictures) or particular file types (say jpg, doc, etc.)?
2. Is there a way to search only recent modifications (say for the past 1 day or 5 hrs, etc.)?
3. If my application creates a journal for a volume and is then stopped, can I, the next time it is restarted, monitor the changes made during the period when my application was not running? (I tried it; it seems I can't do it.)
4. If I modify a file present under 'D:/Testing/Test.txt', it seems the usn_record 'ParentFileReferenceNumber' is for D: and the 'FileReferenceNumber' is for the particular file 'Test.txt'. But what I think is that the 'ParentFileReferenceNumber' should be for 'D:/Testing' and the 'FileReferenceNumber' should be for 'Test.txt'. For this, I have called CreateFile() for the '\\.\D:' location. Am I doing anything wrong?
5. Shall I use fsutil for my purpose?

Could anyone please clarify my queries and point me in the correct direction? Also, if possible, please point me to a relevant help document or URL to proceed further.

Thanks in Advance.

Regards,
Asharudeen.
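
The filters asked about in points 1 and 2 can be applied client-side to the records the journal returns. The following is an added example, not code from the post: it walks a buffer of USN_RECORD_V2 entries using the documented V2 field offsets and filters by extension, timestamp and ParentFileReferenceNumber. `Change`, `rd`, `filterUsn`, `makeRecord`, `sampleBuffer` and every record value are hypothetical; the code assumes a little-endian host and that the 8-byte next-USN value at the start of an FSCTL_READ_USN_JOURNAL output buffer has already been skipped.

```cpp
// Added example (not from the post): offline filter over USN_RECORD_V2 entries.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
struct Change { uint64_t frn, parentFrn; int64_t timestamp; std::u16string name; };
template <class T> T rd(const std::vector<uint8_t>& b, size_t off) {
    T v; std::memcpy(&v, b.data() + off, sizeof v); return v;  // little-endian host assumed
}
// Keep V2 records modified at or after `since` (FILETIME units) whose name ends
// with `ext` (exact-case match) and whose parent is `parent` (0 = any directory).
std::vector<Change> filterUsn(const std::vector<uint8_t>& buf, const std::u16string& ext,
                              int64_t since, uint64_t parent) {
    std::vector<Change> out;
    for (size_t pos = 0; pos + 60 <= buf.size();) {
        uint32_t len = rd<uint32_t>(buf, pos);                 // RecordLength
        if (len < 60 || len > buf.size() - pos) break;         // malformed record: stop
        // FileNameLength (bytes) at offset 56, FileNameOffset at offset 58
        uint16_t nameLen = rd<uint16_t>(buf, pos + 56), nameOff = rd<uint16_t>(buf, pos + 58);
        if (rd<uint16_t>(buf, pos + 4) == 2 && nameOff >= 60 && size_t(nameOff) + nameLen <= len) {
            std::u16string name(nameLen / 2, u'\0');
            std::memcpy(&name[0], buf.data() + pos + nameOff, name.size() * 2);
            Change c{rd<uint64_t>(buf, pos + 8), rd<uint64_t>(buf, pos + 16), rd<int64_t>(buf, pos + 32), name};
            bool extOk = name.size() >= ext.size() &&
                         name.compare(name.size() - ext.size(), ext.size(), ext) == 0;
            if (extOk && c.timestamp >= since && (parent == 0 || c.parentFrn == parent))
                out.push_back(c);
        }
        pos += len;
    }
    return out;
}
// Builds one constructed record; all field values in this example are made up.
std::vector<uint8_t> makeRecord(uint64_t frn, uint64_t parent, int64_t ts, const std::u16string& name) {
    uint16_t nameLen = uint16_t(name.size() * 2), nameOff = 60, major = 2;
    uint32_t len = (60u + nameLen + 7u) & ~7u;                 // records are 8-byte aligned
    std::vector<uint8_t> r(len, 0);
    std::memcpy(&r[0], &len, 4);   std::memcpy(&r[4], &major, 2);
    std::memcpy(&r[8], &frn, 8);   std::memcpy(&r[16], &parent, 8);
    std::memcpy(&r[32], &ts, 8);   std::memcpy(&r[56], &nameLen, 2);
    std::memcpy(&r[58], &nameOff, 2); std::memcpy(&r[60], name.data(), nameLen);
    return r;
}
// Constructed sample: three records under two made-up parent directories (0xA, 0xB).
std::vector<uint8_t> sampleBuffer() {
    std::vector<uint8_t> buf;
    for (const auto& r : {makeRecord(0x11, 0xA, 100, u"Test.txt"),
                          makeRecord(0x12, 0xB, 200, u"photo.jpg"), makeRecord(0x13, 0xB, 50, u"old.jpg")})
        buf.insert(buf.end(), r.begin(), r.end());
    return buf;
}
int main() { return filterUsn(sampleBuffer(), u".jpg", 100, 0).size() == 1 ? 0 : 1; }
```

The parent filter matches direct children of one directory only; covering a whole subtree means resolving each ParentFileReferenceNumber up the directory chain.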