2012年10月7日星期日
FSCTL_QUERY_USN_JOURNAL.Cpp
//ntfs的冰山一角:Change Journal Records,更多的功能有待发掘和理解。
//本文稍微修改自:http://msdn.microsoft.com/en-us/library/aa365736%28v=VS.85%29.aspx
#include <Windows.h>
#include <WinIoCtl.h>
#include <stdio.h>
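/* Size in bytes of the buffer handed to FSCTL_READ_USN_JOURNAL. */
enum { USN_BUF_LEN = 4096 };

/*
 * Print every change-journal record held in one FSCTL_READ_USN_JOURNAL
 * output buffer.
 *
 * Buffer  - output buffer: a leading USN followed by the packed records.
 * dwBytes - number of bytes DeviceIoControl reported as written to Buffer.
 *
 * Returns TRUE when the whole buffer was walked, FALSE when a length field
 * is inconsistent with the bytes actually returned.  Nothing is read past
 * dwBytes, so a truncated or corrupt record cannot walk the cursor out of
 * the buffer.
 */
static BOOL print_usn_records(const DWORDLONG *Buffer, DWORD dwBytes)
{
    /* Fixed part of a record, i.e. everything in front of the file name. */
    const DWORD cbHeader = (DWORD)FIELD_OFFSET(USN_RECORD, FileName);

    /* Without this check the unsigned subtraction below would wrap. */
    if (dwBytes < sizeof(USN)) {
        return FALSE;
    }

    DWORD dwRetBytes = dwBytes - (DWORD)sizeof(USN);
    const UCHAR *cursor = (const UCHAR *)Buffer + sizeof(USN); /* first record */

    while (dwRetBytes > 0) {
        const USN_RECORD *UsnRecord = (const USN_RECORD *)cursor;

        /* The fixed header must be fully present before its fields are read. */
        if (dwRetBytes < cbHeader) {
            return FALSE;
        }

        /*
         * RecordLength drives both the remaining-byte counter and the cursor.
         * A value of 0 would loop forever; a value larger than what is left
         * would wrap dwRetBytes and push the cursor past the buffer.
         */
        const DWORD cbRecord = UsnRecord->RecordLength;
        if (cbRecord < cbHeader || cbRecord > dwRetBytes) {
            return FALSE;
        }

        /* The file name has to lie inside its own record. */
        if ((DWORD)UsnRecord->FileNameOffset + UsnRecord->FileNameLength > cbRecord) {
            return FALSE;
        }

        /* NOTE(review): the field layout used here is the one declared by
         * USN_RECORD; confirm the volume only returns that record version. */
        printf( "USN: %I64x\n", UsnRecord->Usn );
        /* The name is not NUL-terminated: FileNameLength is in bytes, so it
         * is halved to get the WCHAR count passed as the precision. */
        printf("File name: %.*S\n", UsnRecord->FileNameLength/2,
               (const WCHAR *)(cursor + UsnRecord->FileNameOffset) );
        printf( "Reason: %x\n", UsnRecord->Reason );
        printf( "\n" );

        dwRetBytes -= cbRecord;
        cursor += cbRecord; /* next record */
    }

    return TRUE;
}

/*
 * Query the change journal of the open volume and print the records from up
 * to eleven consecutive FSCTL_READ_USN_JOURNAL calls.
 *
 * Returns 0 on success and 1 when an ioctl fails or returns malformed data.
 * The caller owns hVol and closes it.
 */
static int dump_usn_journal(HANDLE hVol)
{
    /* Fetch the journal description; dwBytes receives the byte count written. */
    DWORD dwBytes = 0;
    USN_JOURNAL_DATA JournalData;
    if( !DeviceIoControl( hVol, FSCTL_QUERY_USN_JOURNAL, NULL, 0, &JournalData, sizeof(JournalData), &dwBytes, NULL) ) {
        fprintf( stderr, "FSCTL_QUERY_USN_JOURNAL failed (%lu)\n", GetLastError() );
        return 1;
    }

    READ_USN_JOURNAL_DATA ReadData = {0, 0xFFFFFFFF, FALSE, 0, 0};
    ReadData.UsnJournalID = JournalData.UsnJournalID;

    printf( "Journal ID: %I64x\n", JournalData.UsnJournalID );
    printf( "FirstUsn: %I64x\n\n", JournalData.FirstUsn );

    for( int round = 0; round <= 10; round++ ) {
        /* DWORDLONG elements keep the buffer 8-byte aligned for the USN and
         * the record structures that are read out of it. */
        DWORDLONG Buffer[USN_BUF_LEN / sizeof(DWORDLONG)] = {0};

        /* dwBytes is updated with the number of bytes actually returned. */
        if( !DeviceIoControl( hVol, FSCTL_READ_USN_JOURNAL, &ReadData, sizeof(ReadData), Buffer, sizeof(Buffer), &dwBytes, NULL) ) {
            fprintf( stderr, "FSCTL_READ_USN_JOURNAL failed (%lu)\n", GetLastError() );
            return 1;
        }

        printf( "****************************************\n");

        if( !print_usn_records( Buffer, dwBytes ) ) {
            fprintf( stderr, "Malformed change journal buffer (%lu bytes returned)\n", dwBytes );
            return 1;
        }

        /* The USN at the start of the buffer is where the next read begins. */
        ReadData.StartUsn = *(const USN *)Buffer;
    }

    return 0;
}

/*
 * Entry point: open volume C:, dump part of its NTFS change journal and
 * release the volume handle on every path.
 *
 * Returns 0 on success, 1 on any failure.
 */
int main(void)
{
    /* NOTE(review): the journal is only queried and read here, so
     * GENERIC_WRITE is probably not needed; confirm and drop it so the
     * volume handle carries the least access that works. */
    HANDLE hVol = CreateFile( TEXT("\\\\.\\c:"), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if( hVol == INVALID_HANDLE_VALUE ) {
        fprintf( stderr, "CreateFile on the volume failed (%lu)\n", GetLastError() );
        return 1;
    }

    int rc = dump_usn_journal( hVol );

    /* Single close point: the original leaked the handle on its error returns. */
    CloseHandle(hVol);
    return rc;
}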