Читаем Windows® Internals, Sixth Edition, Part 2 полностью

If the data in a run has been compressed, NTFS decompresses the data into a scratch buffer and then copies it to the caller’s buffer. NTFS also loads the decompressed data into the cache, which makes subsequent reads from the same run as fast as any other cached read. NTFS writes any updates to the file to the cache, leaving the lazy writer to compress and write the modified data to disk asynchronously. This strategy ensures that writing to a compressed file produces no more significant delay than writing to a noncompressed file would.

NTFS keeps disk allocations for a compressed file contiguous whenever possible. As the LCNs indicate, the first two runs of the compressed file shown in Figure 12-42 are physically contiguous, as are the last two. When two or more runs are contiguous, NTFS performs disk read-ahead, as it does with the data in other files. Because the reading and decompression of contiguous file data take place asynchronously before the program requests the data, subsequent read operations obtain the data directly from the cache, which greatly enhances read performance.

Sparse Files

Sparse files (the NTFS file type, as opposed to files that consist of sparse data, described earlier) are essentially compressed files for which NTFS doesn’t apply compression to the file’s nonsparse data. However, NTFS manages the run data of a sparse file’s MFT record the same way it does for compressed files that consist of sparse and nonsparse data.

The Change Journal File

The change journal file, \$Extend\$UsnJrnl, is a sparse file in which NTFS stores records of changes to files and directories. Applications like the Windows File Replication Service (FRS) and the Windows Search service make use of the journal to respond to file and directory changes as they occur.

The journal stores change entries in the $J data stream and the maximum size of the journal in the $Max data stream. Entries are versioned and include the following information about a file or directory change:

The time of the change

The reason for the change (see Table 12-8)

The file or directory’s attributes

The file or directory’s name

The file or directory’s MFT file record number

The file record number of the file’s parent directory

The security ID

The update sequence number (USN) of the record

Additional information about the source of the change (a user, the FRS, and so on)

Table 12-8. Change Journal Change Reasons

Identifier

Reason

USN_REASON_DATA_OVERWRITE

The data in the file or directory was overwritten

USN_REASON_DATA_EXTEND

Data was added to the file or directory

USN_REASON_DATA_TRUNCATION

The data in the file or directory was truncated

USN_REASON_NAMED_DATA_OVERWRITE

The data in a file’s data stream was overwritten

USN_REASON_NAMED_DATA_EXTEND

The data in a file’s data stream was extended

USN_REASON_NAMED_DATA_TRUNCATION

The data in a file’s data stream was truncated

USN_REASON_FILE_CREATE

A new file or directory was created

USN_REASON_FILE_DELETE

A file or directory was deleted

USN_REASON_EA_CHANGE

The extended attributes for a file or directory changed

USN_REASON_SECURITY_CHANGE

The security descriptor for a file or directory was changed

USN_REASON_RENAME_OLD_NAME

A file or directory was renamed; this is the old name

USN_REASON_RENAME_NEW_NAME

A file or directory was renamed; this is the new name

USN_REASON_INDEXABLE_CHANGE

The indexing state for the file or directory was changed (whether or not the Indexing service will process this file or directory)

USN_REASON_BASIC_INFO_CHANGE

The file or directory attributes and/or the time stamps were changed

USN_REASON_HARD_LINK_CHANGE

A hard link was added or removed from the file or directory

USN_REASON_COMPRESSION_CHANGE

The compression state for the file or directory was changed

USN_REASON_ENCRYPTION_CHANGE

The encryption state (EFS) was enabled or disabled for this file or directory

USN_REASON_OBJECT_ID_CHANGE

The object ID for this file or directory was changed

USN_REASON_REPARSE_POINT_CHANGE

The reparse point for a file or directory was changed, or a new reparse point (such as a symbolic link) was added or deleted from a file or directory

USN_REASON_STREAM_CHANGE

A new data stream was added to or removed from a file or renamed

USN_REASON_TRANSACTED_CHANGE

This value is added (ORed) to the change reason to indicate that the change was the result of a recent commit of a TxF transaction

USN_REASON_CLOSE

The handle to a file or directory was closed, indicating that this is the final modification made to the file in this series of operations

EXPERIMENT: Reading the Change Journal