FSCTL_READ_FILE_USN_DATA always gives me the last USN, how to get the previous USN? (help)

  • Thread starter: Striebrovlas
I watch files with Change Journals. The problem is, when I look for a specific file, it always gives me the last USN, which has Reason CloseFile, when the file is extended. That means if I open a text file, write something into it, and save, the last USN Reason will be CloseFile. How can I get the previous USN for a specific file?

This is the code I use to obtain the USN:

    #include <windows.h>
    #include <winioctl.h>
    #include <malloc.h>
    #include <iostream>
    #include <string>

    void NTFS_WatchFiles::GetUSN(std::wstring path, USN & usn)
    {
        HANDLE ff;
        DWORD mcl;      // maximum file name component length, in characters
        DWORD oBytes;
        PUSN_RECORD_V2 pusn_record;
        std::wstring ppatch = path.substr(0, 3); // volume root path, e.g. L"C:\\"
        usn = 0;

        if ((ff = CreateFile(
            path.c_str()
            , GENERIC_READ
            , FILE_SHARE_READ | FILE_SHARE_WRITE
            , NULL
            , OPEN_EXISTING
            , FILE_FLAG_BACKUP_SEMANTICS
            , NULL
        )) == INVALID_HANDLE_VALUE)
        {
            std::wcout << L"[ GetUSN ] CreateFile failed "
                << std::to_wstring(GetLastError()) << L"\n";
            return;
        }
        if (!GetVolumeInformation(ppatch.c_str(), NULL, NULL, NULL, &mcl, NULL, NULL, NULL))
        {
            std::wcout << L"[ GetUSN ] GetVolumeInformation failed "
                << std::to_wstring(GetLastError()) << L"\n";
            CloseHandle(ff); // do not leak the file handle on the error path
            return;
        }

        // The record ends with the file name, stored as WCHARs, so the
        // component length has to be converted from characters to bytes.
        DWORD buffer_size = sizeof(USN_RECORD_V2) + mcl * sizeof(WCHAR);
        pusn_record = (PUSN_RECORD_V2)_aligned_malloc(buffer_size, 64);
        if (pusn_record == NULL)
        {
            std::wcout << L"[ GetUSN ] _aligned_malloc failed\n";
            CloseHandle(ff);
            return;
        }

        if (!DeviceIoControl(
            ff // handle to the file
            , FSCTL_READ_FILE_USN_DATA // dwIoControlCode
            , NULL // input buffer
            , 0 // size of input buffer (none is passed)
            , pusn_record // output buffer
            , buffer_size // size of output buffer
            , &oBytes // number of bytes returned
            , NULL // OVERLAPPED structure
        ))
        {
            std::wcout << L"[ GetUSN ] FSCTL_READ_FILE_USN_DATA failed "
                << std::to_wstring(GetLastError()) << L"\n";
        }
        else
        {
            usn = pusn_record->Usn;
        }
        _aligned_free(pusn_record); // release the record buffer on every path
        CloseHandle(ff);
    }
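
The close record described in the post is only the newest journal entry for the file; the earlier entries remain in the volume's change journal, which is read with FSCTL_READ_USN_JOURNAL and filtered on FileReferenceNumber. As an added example that is not part of the original post, this portable parser walks one such output buffer and returns the USN that precedes the file's latest close record. The function names, the constructed three-record buffer and its file reference numbers are assumptions, and a little-endian host is assumed.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>
constexpr uint32_t kReasonDataExtend = 0x00000002;  // USN_REASON_DATA_EXTEND
constexpr uint32_t kReasonClose      = 0x80000000;  // USN_REASON_CLOSE
constexpr size_t   kV2Header         = 60;          // offset of FileName in USN_RECORD_V2
struct UsnHit { int64_t usn; uint32_t reason; };
template <class T> static T rd(const uint8_t* p) { T v; std::memcpy(&v, p, sizeof v); return v; }

// Buffer layout: 8-byte next USN, then packed records. Collect the V2 records of one file.
std::vector<UsnHit> history_for_file(const std::vector<uint8_t>& buf, uint64_t frn) {
    std::vector<UsnHit> hits;
    for (size_t off = 8; off + kV2Header <= buf.size();) {
        const uint8_t* r = buf.data() + off;
        uint32_t len = rd<uint32_t>(r);                                   // RecordLength
        if (len < kV2Header || len % 8 || len > buf.size() - off) break;  // truncated or malformed
        if (rd<uint16_t>(r + 4) == 2 && rd<uint64_t>(r + 8) == frn)       // MajorVersion, FileReferenceNumber
            hits.push_back({rd<int64_t>(r + 24), rd<uint32_t>(r + 40)});  // Usn, Reason
        off += len;
    }
    return hits;
}

// USN of the record just before the file's most recent CLOSE record, 0 if there is none.
int64_t usn_before_close(const std::vector<UsnHit>& h) {
    for (size_t i = h.size(); i-- > 0;)
        if (h[i].reason & kReasonClose) return i ? h[i - 1].usn : 0;
    return 0;
}

// Constructed sample record: 60-byte V2 header, one WCHAR of name, padded to 64 bytes.
static void put_record(std::vector<uint8_t>& b, uint64_t frn, int64_t usn, uint32_t reason) {
    uint8_t r[64] = {};
    const uint32_t len = 64; const uint16_t major = 2, name_len = 2, name_off = 60;
    std::memcpy(r, &len, 4); std::memcpy(r + 4, &major, 2); std::memcpy(r + 8, &frn, 8);
    std::memcpy(r + 24, &usn, 8); std::memcpy(r + 40, &reason, 4);
    std::memcpy(r + 56, &name_len, 2); std::memcpy(r + 58, &name_off, 2);
    b.insert(b.end(), r, r + 64);
}
std::vector<uint8_t> sample_buffer() {  // constructed journal buffer, not captured data
    const int64_t next = 1192; std::vector<uint8_t> b(8); std::memcpy(b.data(), &next, 8);
    put_record(b, 0x0001000000000042ULL, 1000, kReasonDataExtend);
    put_record(b, 0x0002000000000077ULL, 1064, 0x00000001);  // another file, DATA_OVERWRITE
    put_record(b, 0x0001000000000042ULL, 1128, kReasonDataExtend | kReasonClose);
    return b;
}
int main() {
    auto h = history_for_file(sample_buffer(), 0x0001000000000042ULL);
    std::printf("records=%zu previous USN=%lld\n", h.size(), (long long)usn_before_close(h));
}
```

On a live volume the buffer would come from repeated FSCTL_READ_USN_JOURNAL calls on a volume handle, and the file's reference number from the record that FSCTL_READ_FILE_USN_DATA already returns.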
