
Can the USN Journal of the NTFS file system be bigger than its declared size?

Hello fellow programmers.

I'm trying to dump the contents of the USN Journal of an NTFS partition using WinIoCtl functions. I have the *USN_JOURNAL_DATA* structure that tells me that it has a maximum size of 512 MB. I have compared that to what fsutil has to say about it and it's the same value.

Now I have to read each entry into a *USN_RECORD* structure. I do this in a for loop that starts at 0 and goes to the journal's maximum size in increments of 4096 (the cluster size). I read each 4096 bytes in a buffer of the same size and read all the USN_RECORD structures from it.

Everything is going great, file names are correct, timestamps as well, reasons, everything, except I seem to be missing some recent records. I create a new file on the partition, I write something in it and then I delete the file. I run the app again and the record doesn't appear. I find that the record appears only if I keep reading beyond the journal's maximum size. How can that be?

At the moment I'm reading from the start of the Journal's data to the maximum size + the allocation delta (both are values stored in the *USN_JOURNAL_DATA* structure), which I don't believe is correct, and I'm having trouble finding thorough information related to this.

Can someone please explain this? Is there a buffer around the USN Journal that's similar to how the MFT works (meaning its size halves when disk space is needed for other files)?

What am I doing wrong?

That's the expected behaviour, as documented:

MaximumSize

The target maximum size for the change journal, in bytes. The change journal can grow larger than this value, but it is then truncated at the next NTFS file system checkpoint to less than this value.

Instead of trying to predetermine the size, loop until you reach the end of the data.

If you are using the FSCTL_ENUM_USN_DATA control code, you have reached the end of the data when the error code from DeviceIoControl is ERROR_HANDLE_EOF.

If you are using the FSCTL_READ_USN_JOURNAL control code, you have reached the end of the data when the next USN returned by the driver (the DWORDLONG at the beginning of the output buffer) is the USN you requested (the value of StartUsn in the input buffer). You will need to set the input parameter BytesToWaitFor to zero, otherwise the driver will wait for the specified amount of new data to be added to the journal.
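As an added example (not part of the question or answer above), a portable C sketch of the FSCTL_READ_USN_JOURNAL loop the answer describes: walk the records in each output buffer and stop when the driver's next USN equals the StartUsn that was requested, instead of reading up to a precomputed size. The DeviceIoControl call is replaced by constructed buffers so the code runs anywhere; the USN_RECORD_V2 offsets follow the documented layout, and the record USNs and names are made up.

```c
#include <stdint.h>
#include <string.h>
/* USN_RECORD_V2 offsets from its documented layout (use winioctl.h on Windows). */
enum { REC_LENGTH = 0, REC_USN = 24, REC_MIN = 60 };
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Walk one FSCTL_READ_USN_JOURNAL output buffer (DWORDLONG next USN, then records).
   *done is set when the next USN equals the requested StartUsn: no more data. */
size_t walk_usn_buffer(const uint8_t *buf, size_t len, uint64_t start_usn,
                       uint64_t *next_usn, int *done)
{
    size_t count = 0, pos = 8;
    if (len < 8) { *done = 1; return 0; }
    *next_usn = rd64(buf);
    *done = (*next_usn == start_usn);
    while (pos + REC_MIN <= len) {
        uint32_t rec_len = rd32(buf + pos + REC_LENGTH);
        if (rec_len < REC_MIN || rec_len > len - pos) break; /* truncated or corrupt */
        count++;               /* a real dumper decodes name, reason, timestamp here */
        pos += rec_len;
    }
    return count;
}

/* Constructed fake record (not real journal data): RecordLength and Usn only. */
static size_t put_record(uint8_t *out, uint64_t usn, uint16_t name_bytes)
{
    uint32_t rec_len = (REC_MIN + name_bytes + 7u) & ~7u; /* 8-byte aligned like the driver */
    memset(out, 0, rec_len);
    memcpy(out + REC_LENGTH, &rec_len, 4);
    memcpy(out + REC_USN, &usn, 8);
    return rec_len;
}

int demo_calls; /* simulated DeviceIoControl calls issued by demo_read_loop */
/* Simulated read loop in place of DeviceIoControl(FSCTL_READ_USN_JOURNAL) with BytesToWaitFor
   = 0: response 1 has two records and next USN 160; response 2 only echoes our StartUsn. */
size_t demo_read_loop(void)
{
    uint8_t buf[256]; uint64_t start = 0, next, end_usn = 160; int done = 0; size_t total = 0;
    for (demo_calls = 0; !done; demo_calls++) {
        size_t len = 8;
        if (demo_calls == 0) {
            len += put_record(buf + len, 0, 16);  /* "test.txt", 8 UTF-16 units */
            len += put_record(buf + len, 80, 14); /* "new.dat" */
            memcpy(buf, &end_usn, 8);
        } else memcpy(buf, &start, 8);            /* no new data: next == StartUsn */
        total += walk_usn_buffer(buf, len, start, &next, &done);
        start = next;
    }
    return total;
}
```

On Windows the constructed buffers would be replaced by the real DeviceIoControl output, and the same StartUsn comparison ends the loop even though the journal may have grown past MaximumSize.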
