If the data in a run has been compressed, NTFS decompresses the data into a scratch buffer and then copies it to the caller’s buffer. NTFS also loads the decompressed data into the cache, which makes subsequent reads from the same run as fast as any other cached read. NTFS writes any updates to the file to the cache, leaving the lazy writer to compress and write the modified data to disk asynchronously. This strategy ensures that writing to a compressed file produces no more significant delay than writing to a noncompressed file would.
NTFS keeps disk allocations for a compressed file contiguous whenever possible. As the LCNs indicate, the first two runs of the compressed file shown in Figure 12-42 are physically contiguous, as are the last two. When two or more runs are contiguous, NTFS performs disk read-ahead, as it does with the data in other files. Because the reading and decompression of contiguous file data take place asynchronously before the program requests the data, subsequent read operations obtain the data directly from the cache, which greatly enhances read performance.
Sparse Files
Sparse files (the NTFS file type, as opposed to files that consist of sparse data, described earlier) are essentially compressed files for which NTFS doesn’t apply compression to the file’s nonsparse data. However, NTFS manages the run data of a sparse file’s MFT record the same way it does for compressed files that consist of sparse and nonsparse data.
The Change Journal File
The change journal file, \$Extend\$UsnJrnl, is a sparse file in which NTFS stores records of changes to files and directories. Applications like the Windows File Replication Service (FRS) and the Windows Search service make use of the journal to respond to file and directory changes as they occur.
The journal stores change entries in the $J data stream and the maximum size of the journal in the $Max data stream. Entries are versioned and include the following information about a file or directory change:
The time of the change
The reason for the change (see Table 12-8)
The file or directory’s attributes
The file or directory’s name
The file or directory’s MFT file record number
The file record number of the file’s parent directory
The security ID
The
Additional information about the source of the change (a user, the FRS, and so on)
Identifier
Reason
USN_REASON_DATA_OVERWRITE
The data in the file or directory was overwritten
USN_REASON_DATA_EXTEND
Data was added to the file or directory
USN_REASON_DATA_TRUNCATION
The data in the file or directory was truncated
USN_REASON_NAMED_DATA_OVERWRITE
The data in a file’s data stream was overwritten
USN_REASON_NAMED_DATA_EXTEND
The data in a file’s data stream was extended
USN_REASON_NAMED_DATA_TRUNCATION
The data in a file’s data stream was truncated
USN_REASON_FILE_CREATE
A new file or directory was created
USN_REASON_FILE_DELETE
A file or directory was deleted
USN_REASON_EA_CHANGE
The extended attributes for a file or directory changed
USN_REASON_SECURITY_CHANGE
The security descriptor for a file or directory was changed
USN_REASON_RENAME_OLD_NAME
A file or directory was renamed; this is the old name
USN_REASON_RENAME_NEW_NAME
A file or directory was renamed; this is the new name
USN_REASON_INDEXABLE_CHANGE
The indexing state for the file or directory was changed (whether or not the Indexing service will process this file or directory)
USN_REASON_BASIC_INFO_CHANGE
The file or directory attributes and/or the time stamps were changed
USN_REASON_HARD_LINK_CHANGE
A hard link was added or removed from the file or directory
USN_REASON_COMPRESSION_CHANGE
The compression state for the file or directory was changed
USN_REASON_ENCRYPTION_CHANGE
The encryption state (EFS) was enabled or disabled for this file or directory
USN_REASON_OBJECT_ID_CHANGE
The object ID for this file or directory was changed
USN_REASON_REPARSE_POINT_CHANGE
The reparse point for a file or directory was changed, or a new reparse point (such as a symbolic link) was added or deleted from a file or directory
USN_REASON_STREAM_CHANGE
A new data stream was added to or removed from a file or renamed
USN_REASON_TRANSACTED_CHANGE
This value is added (ORed) to the change reason to indicate that the change was the result of a recent commit of a TxF transaction
USN_REASON_CLOSE
The handle to a file or directory was closed, indicating that this is the final modification made to the file in this series of operations
EXPERIMENT: Reading the Change Journal