You can use the Usndump.exe command-line program from Winsider Seminars & Solutions (www.winsiderss.com/tools/usndump/usndump.htm) to dump the contents of the change journal if the current volume has one. You can also create, delete, or query journal information with the built-in Fsutil.exe utility, as shown here:

    C:\>fsutil usn queryjournal c:
    Usn Journal ID   : 0x01c89ddaec1b9648
    First Usn        : 0x0000000038140000
    Next Usn         : 0x000000003a22fa50
    Lowest Valid Usn : 0x0000000000000000
    Max Usn          : 0x00000fffffff0000
    Maximum Size     : 0x0000000002000000
    Allocation Delta : 0x0000000000400000
The output indicates the maximum size of the change journal on the volume and its current state. As a simple experiment to see how NTFS records changes in the journal, create a file called Usn.txt in the current directory, rename it to UsnNew.txt, and then dump the journal with Usndump, as shown here:

    C:\>echo hello > Usn.txt
    C:\>ren Usn.txt UsnNew.txt
    C:\>Usndump.exe
    ...
    File Ref#       : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN             : 0xfc54d8
    SecurityId      : 0x00000000
    Reason          : 0x00000100 (USN_REASON_FILE_CREATE)
    Name (014)      : Usn.txt

    File Ref#       : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN             : 0xfc5528
    SecurityId      : 0x00000000
    Reason          : 0x00000102 (USN_REASON_DATA_EXTEND USN_REASON_FILE_CREATE)
    Name (014)      : Usn.txt

    File Ref#       : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN             : 0xfc5578
    SecurityId      : 0x00000000
    Reason          : 0x80000102 (USN_REASON_DATA_EXTEND USN_REASON_FILE_CREATE)
    Name (014)      : Usn.txt

    File Ref#       : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN             : 0xfc55c8
    SecurityId      : 0x00000000
    Reason          : 0x00001000 (USN_REASON_RENAME_OLD_NAME)
    Name (014)      : Usn.txt

    File Ref#       : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN             : 0xfc5618
    SecurityId      : 0x00000000
    Reason          : 0x00002000 (USN_REASON_RENAME_NEW_NAME)
    Name (020)      : UsnNew.txt

    File Ref#       : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN             : 0xfc5668
    SecurityId      : 0x00000000
    Reason          : 0x80002000 (USN_REASON_RENAME_NEW_NAME)
    Name (020)      : UsnNew.txt
The entries reflect the individual modification operations that underlie the two commands: the create and data-extend records for Usn.txt, followed by the old-name and new-name records that together describe the rename to UsnNew.txt.
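A parser for the raw USN_RECORD_V2 entries that tools such as Usndump decode, added here as an example (it is not code from the book or from Usndump). It assumes only the documented record layout and USN_REASON_* values from winioctl.h, builds its own constructed sample records mirroring the create-and-rename sequence above, and then pairs the old-name/new-name records, which is how a forensic timeline recovers a file's previous name.

```python
import struct
# Documented USN_REASON_* bits from winioctl.h (subset used here).
REASON_FLAGS = {0x2: "USN_REASON_DATA_EXTEND", 0x100: "USN_REASON_FILE_CREATE",
                0x1000: "USN_REASON_RENAME_OLD_NAME",
                0x2000: "USN_REASON_RENAME_NEW_NAME", 0x80000000: "USN_REASON_CLOSE"}
# USN_RECORD_V2 header (60 bytes, little-endian): RecordLength, MajorVersion,
# MinorVersion, FileRef, ParentFileRef, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset.
HDR = struct.Struct("<IHHQQqqIIIIHH")
def parse_usn_records(buf):
    """Parse consecutive USN_RECORD_V2 entries; zero padding is skipped."""
    records, off = [], 0
    while off + HDR.size <= len(buf):
        (rlen, major, _minor, fref, pref, usn, _ts, reason, _src, _sid,
         _attrs, nlen, noff) = HDR.unpack_from(buf, off)
        if rlen == 0:                # unused, zeroed tail of a journal page
            off += 8
            continue
        if major != 2 or rlen < HDR.size or off + rlen > len(buf):
            raise ValueError("malformed record at offset %d" % off)
        name = buf[off + noff:off + noff + nlen].decode("utf-16-le")
        reasons = [n for bit, n in REASON_FLAGS.items() if reason & bit]
        records.append({"usn": usn, "fileref": fref, "parent": pref,
                        "reason": reasons, "name": name})
        off += rlen                  # RecordLength already includes padding
    return records

def build_record(usn, reason, name, fref=0x4000000001be9, pref=0x300000000a962):
    """Constructed test record in USN_RECORD_V2 layout (not real journal data)."""
    nb = name.encode("utf-16-le")
    rlen = (HDR.size + len(nb) + 7) & ~7     # records are 8-byte aligned
    hdr = HDR.pack(rlen, 2, 0, fref, pref, usn, 0, reason, 0, 0, 0x20, len(nb), HDR.size)
    return hdr + nb + b"\0" * (rlen - HDR.size - len(nb))

# Constructed fragment mirroring the create/rename sequence from the dump above.
SAMPLE = b"".join([build_record(0xfc54d8, 0x00000100, "Usn.txt"),
                   build_record(0xfc5528, 0x00000102, "Usn.txt"),
                   build_record(0xfc55c8, 0x00001000, "Usn.txt"),
                   build_record(0xfc5618, 0x00002000, "UsnNew.txt"),
                   build_record(0xfc5668, 0x80002000, "UsnNew.txt")]) + b"\0" * 64

def renames(buf):
    # Pair RENAME_OLD_NAME with the following RENAME_NEW_NAME of the same file.
    pending, out = {}, []
    for r in parse_usn_records(buf):
        if "USN_REASON_RENAME_OLD_NAME" in r["reason"]:
            pending[r["fileref"]] = r["name"]
        elif "USN_REASON_RENAME_NEW_NAME" in r["reason"] and r["fileref"] in pending:
            out.append((pending.pop(r["fileref"]), r["name"]))
    return out
```

The same parser applies to a buffer returned by FSCTL_READ_USN_JOURNAL or to a $UsnJrnl:$J extract from a disk image, since both carry USN_RECORD_V2 entries back to back.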
The journal is sparse so that it never overflows; when the journal’s on-disk size exceeds the maximum defined for the file, NTFS simply begins zeroing the file data that precedes the window of change information having a size equal to the maximum journal size, as shown in Figure 12-44. To prevent constant resizing when an application is continuously exceeding the journal’s size, NTFS shrinks the journal only when its size is twice an application-defined value over the maximum configured size.
Indexing
In NTFS, a file directory is simply an index of file names—that is, a collection of file names (along with their file record numbers) organized as a B-tree. To create a directory, NTFS indexes the filename attributes of the files in the directory. The MFT record for the root directory of a volume is shown in Figure 12-45.
Conceptually, an MFT entry for a directory contains in its index root attribute a sorted list of the files in the directory. For large directories, however, the file names are actually stored in 4-KB, fixed-size index buffers (which are the nonresident value of the
Figure 12-45 shows only file names in the index root attribute and the index buffers (