Reading Windows® Internals, Sixth Edition, Part 2 in full

You can use the Usndump.exe command-line program from Winsider Seminars & Solutions (www.winsiderss.com/tools/usndump/usndump.htm) to dump the contents of the change journal if the current volume has one. You can also create, delete, or query journal information with the built-in Fsutil.exe utility, as shown here:

    C:\>fsutil usn queryjournal c:
    Usn Journal ID : 0x01c89ddaec1b9648
    First Usn : 0x0000000038140000
    Next Usn : 0x000000003a22fa50
    Lowest Valid Usn : 0x0000000000000000
    Max Usn : 0x00000fffffff0000
    Maximum Size : 0x0000000002000000
    Allocation Delta : 0x0000000000400000

The output indicates the maximum size of the change journal on the volume and its current state. As a simple experiment to see how NTFS records changes in the journal, create a file called Usn.txt in the current directory, rename it to UsnNew.txt, and then dump the journal with Usndump, as shown here:

    C:\>echo hello > Usn.txt
    C:\>ren Usn.txt UsnNew.txt
    C:\>Usndump.exe
    ...
    File Ref# : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN : 0xfc54d8
    SecurityId : 0x00000000
    Reason : 0x00000100 (USN_REASON_FILE_CREATE)
    Name (014) : Usn.txt

    File Ref# : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN : 0xfc5528
    SecurityId : 0x00000000
    Reason : 0x00000102 (USN_REASON_DATA_EXTEND USN_REASON_FILE_CREATE)
    Name (014) : Usn.txt

    File Ref# : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN : 0xfc5578
    SecurityId : 0x00000000
    Reason : 0x80000102 (USN_REASON_DATA_EXTEND USN_REASON_FILE_CREATE)
    Name (014) : Usn.txt

    File Ref# : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN : 0xfc55c8
    SecurityId : 0x00000000
    Reason : 0x00001000 (USN_REASON_RENAME_OLD_NAME)
    Name (014) : Usn.txt

    File Ref# : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN : 0xfc5618
    SecurityId : 0x00000000
    Reason : 0x00002000 (USN_REASON_RENAME_NEW_NAME)
    Name (020) : UsnNew.txt

    File Ref# : 0x4000000001be9
    ParentFile Ref# : 0x300000000a962
    USN : 0xfc5668
    SecurityId : 0x00000000
    Reason : 0x80002000 (USN_REASON_RENAME_NEW_NAME)
    Name (020) : UsnNew.txt

The entries reflect the individual modification operations that underlie the two command-line operations.
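For timeline reconstruction during an investigation, the Reason masks and file references in such a dump can be decoded mechanically. The following is an added example, not code from the book or from Usndump: it parses records in the layout of the listing above, decodes each Reason mask (including the 0x80000000 bit, which winioctl.h names USN_REASON_CLOSE and which the 0x80000102 and 0x80002000 entries carry), and pairs rename records by file reference. The function names are hypothetical, and the sample is constructed from the values in the listing.

```python
import re
# Reason bits as defined in the Windows SDK header winioctl.h (subset).
REASONS = {
    0x00000002: "USN_REASON_DATA_EXTEND",
    0x00000100: "USN_REASON_FILE_CREATE",
    0x00000200: "USN_REASON_FILE_DELETE",
    0x00001000: "USN_REASON_RENAME_OLD_NAME",
    0x00002000: "USN_REASON_RENAME_NEW_NAME",
    0x80000000: "USN_REASON_CLOSE",
}
# Constructed sample: (USN, Reason, Name) values from the listing, one field per line.
ROWS = [(0xfc54d8, 0x00000100, "Usn.txt"), (0xfc5528, 0x00000102, "Usn.txt"),
        (0xfc5578, 0x80000102, "Usn.txt"), (0xfc55c8, 0x00001000, "Usn.txt"),
        (0xfc5618, 0x00002000, "UsnNew.txt"), (0xfc5668, 0x80002000, "UsnNew.txt")]
SAMPLE = "".join(
    f"File Ref# : 0x4000000001be9\nParentFile Ref# : 0x300000000a962\n"
    f"USN : {usn:#x}\nReason : {reason:#010x}\nName ({2 * len(name):03}) : {name}\n"
    for usn, reason, name in ROWS)
FIELD = re.compile(r"^\s*(File Ref#|ParentFile Ref#|USN|SecurityId|Reason|Name)"
                   r"(?: \(\d+\))?\s*:\s*(.+?)\s*$", re.M)

def decode_reason(mask):
    """Return the names of every set bit; bits not in REASONS are reported in hex."""
    names = [name for bit, name in REASONS.items() if mask & bit]
    rest = mask & ~sum(REASONS)
    return names + ([f"{rest:#x}"] if rest else [])

def split_file_ref(ref):
    """NTFS file reference: low 48 bits = MFT record number, high 16 = sequence."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_dump(text):
    """Build one dict per record; a record starts at its 'File Ref#' line."""
    records = []
    for key, value in FIELD.findall(text):
        if key == "File Ref#":
            records.append({})
        records[-1][key] = value if key == "Name" else int(value.split()[0], 16)
    return records

def rename_pairs(records):
    """Pair each RENAME_OLD_NAME with the next RENAME_NEW_NAME for the same file."""
    pending, pairs = {}, []
    for rec in records:
        if rec["Reason"] & 0x1000:
            pending[rec["File Ref#"]] = rec["Name"]
        elif rec["Reason"] & 0x2000 and rec["File Ref#"] in pending:
            pairs.append((rec["File Ref#"], pending.pop(rec["File Ref#"]), rec["Name"]))
    return pairs
```

Because the file reference stays constant across the rename, keying on it rather than on the name is what lets the old and new names be tied to the same file.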

The journal is sparse so that it never overflows; when the journal’s on-disk size exceeds the maximum defined for the file, NTFS simply begins zeroing the file data that precedes the window of change information having a size equal to the maximum journal size, as shown in Figure 12-44. To prevent constant resizing when an application is continuously exceeding the journal’s size, NTFS shrinks the journal only when its size is twice an application-defined value over the maximum configured size.

Figure 12-44. Change journal ($UsnJrnl) space allocation

Indexing

In NTFS, a file directory is simply an index of file names—that is, a collection of file names (along with their file record numbers) organized as a B-tree. To create a directory, NTFS indexes the filename attributes of the files in the directory. The MFT record for the root directory of a volume is shown in Figure 12-45.

Figure 12-45. File name index for a volume’s root directory

Conceptually, an MFT entry for a directory contains in its index root attribute a sorted list of the files in the directory. For large directories, however, the file names are actually stored in 4-KB, fixed-size index buffers (which are the nonresident value of the index allocation attribute) that contain and organize the file names. Index buffers implement a B-tree data structure, which minimizes the number of disk accesses needed to find a particular file, especially for large directories. The index root attribute contains the first level of the B-tree (root subdirectories) and points to index buffers containing the next level (more subdirectories, perhaps, or files).

Figure 12-45 shows only file names in the index root attribute and the index buffers (file6, for example), but each entry in an index also contains the record number in the MFT where the file is described and time stamp and file size information for the file. NTFS duplicates the time stamps and file size information from the file’s MFT record. This technique, which is used by FAT and NTFS, requires updated information to be written in two places. Even so, it’s a significant speed optimization for directory browsing because it enables the file system to display each file’s time stamps and size without opening every file in the directory.
