Project Description
This project is based on StCroixSkipper's USN Journal Explorer. It reads the NTFS disk structures and also shows how to enumerate the MFT.

All work is attributed to StCroixSkipper; I simply brought it together here.

The original site can be found here: http://www.dreamincode.net/forums/blog/1017-stcroixskippers


Here is a quote from StCroixSkipper that sums it all up:

Since Windows NT, when Microsoft first released NTFS, a journaling file system, I've had a fascination with the USN Journal. I worked on the Primos operating system at Prime Computer and have always been interested in file systems and scheduling, virtual memory management, dynamic linking, ring-oriented security, etc. In those days, Multics ran on really big machines. When we implemented Primos, we called it 'Multics in a Matchbox'.

I have been particularly fascinated by the fact that so few commercial products have taken advantage of NTFS's USN Journal. For backup products especially, since typically less than 10% of the content on a volume changes, you can reduce the time to identify new, deleted or changed files to a fraction of the time it takes to enumerate the entire volume.

As for the Master File Table or MFT, you can enumerate all of the files/directories on a volume in about a tenth of the time it takes to enumerate the volume using FindFirst(), FindNext(). I will qualify the previous statement. The times to enumerate the volume are about the same if you reboot the system then enumerate. But if the system has been up and running for some time, then my timing studies show that using the MFT takes one tenth of the time of FindFirst(), FindNext().

I've only run into a couple of folks who have really used the USN Journal in a commercial product. I haven't run into any who have done the work to use the MFT and USN Journal from C#.
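How the journal identifies new, deleted or changed files without walking the volume, as an added example (not part of the quote above or of the project's own code, and written in Python rather than the project's C#): it parses USN_RECORD_V2 structures from a byte buffer and groups the reason flags by file reference number. The sample buffer is constructed inline, and the function names are hypothetical.

```python
import struct

# USN_RECORD_V2 fixed header: 60 bytes, little-endian, file name follows as UTF-16.
HEADER = struct.Struct("<IHHQQqqIIIIHH")
# USN_REASON_* bits mapped to a coarse change kind (CLOSE, 0x80000000, is ignored).
REASONS = {0x00000100: "created", 0x00000200: "deleted", 0x00002000: "renamed",
           0x00000001: "changed", 0x00000002: "changed", 0x00000004: "changed"}

def parse_usn_records(buf):
    """Yield (usn, file_ref, parent_ref, reason, name) for each V2 record in buf."""
    off = 0
    while off + HEADER.size <= len(buf):
        (length, major, _minor, fref, pref, usn, _ts, reason,
         _src, _sid, _attrs, name_len, name_off) = HEADER.unpack_from(buf, off)
        if length == 0:          # zero padding between records: try the next 8-byte slot
            off += 8
            continue
        # Reject records that are truncated, misaligned, or whose name overruns them.
        if (major != 2 or length % 8 or off + length > len(buf)
                or name_off < HEADER.size or name_off + name_len > length):
            raise ValueError(f"malformed USN record at offset {off}")
        name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield usn, fref, pref, reason, name
        off += length

def summarize(buf):
    """Map each file reference number to its last seen name and its change kinds."""
    changes = {}
    for _usn, fref, _pref, reason, name in parse_usn_records(buf):
        entry = changes.setdefault(fref, {"name": name, "kinds": set()})
        entry["name"] = name
        entry["kinds"] |= {kind for bit, kind in REASONS.items() if reason & bit}
    return changes

def build_record(fref, pref, usn, reason, name):
    """Construct a sample record (test data only, not read from a real volume)."""
    raw = name.encode("utf-16-le")
    length = (HEADER.size + len(raw) + 7) & ~7       # records are 8-byte aligned
    head = HEADER.pack(length, 2, 0, fref, pref, usn, 0, reason,
                       0, 0, 0x20, len(raw), HEADER.size)
    return (head + raw).ljust(length, b"\0")

# Constructed sample: one file created and extended, one file deleted.
SAMPLE = (build_record(0x1000000000042, 5, 4096, 0x80000102, "report.docx")
          + build_record(0x1000000000043, 5, 4200, 0x80000200, "old.tmp"))

if __name__ == "__main__":
    for fref, info in summarize(SAMPLE).items():
        print(hex(fref), info["name"], sorted(info["kinds"]))
```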

Last edited Feb 14, 2011 at 5:23 AM by lojikl, version 3