morecode

[Back to Main Page]

NTFSjournal

Version

NTFSjournal   Author: Dennis Lang
Version: NTFSjournal v2.9
Updated: Jun-2013
http://landenlabs.com//

Download

Intro

NTFSjournal is a simple program to list the contents of the Windows NTFS Journal. As of Windows 2000, NTFS version 3.0 included a journal which tracks a rolling history of file changes. The Journal can be disabled and its length can be changed using Microsoft's program fsutil.

Here is part of the documentation on fsutil (search web for full documentation):

Syntax

Parameters

createjournal Creates a USN change journal.
m=MaximumSize Specifies the maximum size, in bytes, that NTFS allocates for the change journal.
a=AllocationDelta Specifies the size, in bytes, of memory allocation that is added to the end and removed from the beginning of the change journal.
VolumePathname Specifies the drive letter (followed by a colon), mount point, or volume name.
deletejournal Deletes or disables an active USN change journal.
flags /D: Disables an active USN change journal, and returns I/O control while the change journal is being disabled.
VolumePathname Specifies the drive letter (followed by a colon), mount point, or volume name.
enumdata Enumerates and lists the change journal entries between two specified boundaries.
FileRef Ordinal position within the files on the volume at which the enumeration is to begin.
LowUsn Lower boundary of the range of USN values used to filter which records are returned. Only records whose last change journal USN is between or equal to the LowUsn and HighUsn member values are returned.
HighUsn Upper boundary of the range of USN values used to filter which files are returned.
PathName Specifies the drive letter (followed by a colon), mount point, or volume name.
queryjournal Queries a volume's USN data to gather information about the current change journal, its records, and its capacity.
volume pathname Specifies the drive letter (followed by a colon), mount point, or volume name.
readdata Read the USN data for a file.
PathName Specifies the drive letter (followed by a colon), mount point, or volume name.

NTFSjournal is similar to the directory list command dir and needs a disk drive and optional file pattern.

Examples:

Sample output, note the dash lines are sent to standard error, so if you redirect the output you only get the file names.

> NtfsJournal.exe -f \Windows\* c:*.log
--- Journal for c:*.log
\Windows\WindowsUpdate.log
\Windows\debug\PASSWD.LOG
\Windows\debug\WIA\wiatrace.log
\Windows\inf\setupapi.app.log
\Windows\security\database\edb.log
\Windows\security\logs\winlogon.log
\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun.log
\Windows\System32\catroot2\edb.log
\Windows\Temp\MpCmdRun.log
\Windows\SoftwareDistribution\ReportingEvents.log
\Windows\SoftwareDistribution\DataStore\Logs\edb.log
\Windows\System32\LogFiles\HTTPERR\httperr1.log
--- 0.749 seconds


>  NTFSjournal -t -1 -D -F "%30t,%p"  c:*.log
--- Journal for c:*.log
05-Aug-2011 20:30             ,\Program Files (x86)\Symantec\Symantec Endpoint Protection\syslog.log
06-Aug-2011 11:05             ,\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Unknown.Log
05-Aug-2011 20:30             ,\ProgramData\Symantec\SRTSP\SrtTxFEvt.log
05-Aug-2011 21:53             ,\ProgramData\Symantec\Symantec Endpoint Protection\Logs\07222011.Log
05-Aug-2011 23:48             ,\Windows\WindowsUpdate.log
05-Aug-2011 20:30             ,\Windows\debug\PASSWD.LOG
06-Aug-2011 10:34             ,\Windows\inf\setupapi.app.log
05-Aug-2011 23:48             ,\Windows\security\logs\winlogon.log
06-Aug-2011 11:08             ,\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun.log
05-Aug-2011 20:30             ,\Windows\System32\catroot2\edb.log
06-Aug-2011 11:05             ,\Windows\Temp\MpCmdRun.log
06-Aug-2011 11:10             ,\Windows\SoftwareDistribution\DataStore\Logs\edb.log
05-Aug-2011 23:48             ,\Users\dlang\AppData\Local\Temp\wmsetup.log
05-Aug-2011 23:48             ,\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log
05-Aug-2011 19:48             ,\Users\dlang\Downloads\pscan_src\Debug\pscan.log
05-Aug-2011 23:48             ,\Program Files (x86)\Steam\steam.log
05-Aug-2011 20:30             ,\Program Files (x86)\TeamViewer\Version6\TeamViewer6_Logfile.log
05-Aug-2011 23:48             ,\Windows\System32\LogFiles\HTTPERR\httperr1.log
--- 0.78 seconds

>  NTFSjournal -u - -F "copy %p \\remote\d$\%p"  c:*.log  > syncIt.bat
--- Journal for c:*.log
--- 0 seconds

> more syncIt.bat
copy \Windows\WindowsUpdate.log \\remote\d$\\Windows\WindowsUpdate.log
copy \Windows\debug\PASSWD.LOG \\remote\d$\\Windows\debug\PASSWD.LOG
copy \Windows\debug\WIA\wiatrace.log \\remote\d$\\Windows\debug\WIA\wiatrace.log
copy \Windows\inf\setupapi.app.log \\remote\d$\\Windows\inf\setupapi.app.log
copy \Windows\security\database\edb.log \\remote\d$\\Windows\security\database\edb.log
copy \Windows\security\logs\winlogon.log \\remote\d$\\Windows\security\logs\winlogon.log

The wildcard engine only support ? and *, but allows the wildcard characters to appear multiple times, in the both the filename and directories.
Examples:
Pattern Results
* All files
??? File with 3 characters
*.txt Files ending with .txt
c:\*\log\*.txt Files ending with .txt in a subdirectory \log
c:\Windows\System*\*.log Files ending with .log and in subdirectory starting with \Windows\System

NTFSjournal includes several optional arguments to control the filtering and presentation.

Filtering

When you use multile filters, only files which match ALL the rules will be reported. So, if you filter on file name and time both have to be true for the file to be reported. One example is to filter on directory path and file name.

NTFSjournal -f \windows\* -f *.log c:

Note - the following will always fail because they both filter on the file extension:
NTFSjournal -f *.log -f *.txt c:

Command Description
-d Show details. By default duplicate file entries are merged. Use -d to see all the gory details.
-f <fileFilter> Use -f to define file filters using wildcards.
Identical file filter commands:
   NTFSjournal -f *.log c:
   NTFSjournal c:*.log
Example with file filter applied to multiple drives.
   NTFSjournal -f *.log c: d:
-g <fileFilter> -g is an alternate form of -f which uses the grep regular expression engine. The first big change is backslash and dot are reserved characters so they must be escaped to match a directory slash and file extensions. The second big change is the pattern is anchored and must match every character.

Basic Regular expression characers:

Character Matches
. Any single character
* Zero or more of previous character
+ One or more of previous character
\ Use to escape special pattern characters
[] Group, ex: [a-z0-9] or [139]
^ If first char in group, make it a not group
Ex: [^a-z] or [^\\]

** Search web for std::regex (basic) for full regular expression engine.
Basic Regular Expression Syntax


Examples:
   NTFSjournal -g \\tmp\\log\\.*\.log c: d:
   NTFSjournal -g \\tmp\\log\\[a-z]+\.(log|txt) c: d:

-r <changeReasonFilter> Filter by change reason.
Reasons Keywords:
   overwrite, extend, truncate, create, delete, rename, security, basic, link
Examples:
   NTFSjournal -r overwrite+extend+truncate c:
   NTFSjournal -r create+delete+rename c:*.log
Defaults is: overwrite+extend+truncate+create+delete
-s <size> Filter by file size
Show files greater than 1000 bytes on d drive.
   NTFSjournal -s 1000 d:
Show files less than 2000 bytes on c drive.
   NTFSjournal -s -2000 c:
NOTE: Currently the size is rarely populated because it is expensive to acquire (disk fetch per file).
-t <relativeModifyDate> Filter by Modify Time, value is relative days.
Modified in the last 2.5 days and ending in .log on c drive.
   NTFSjournal -t -2.5 -f *.log
Modified more than 7 days ago on e drive.
   NTFSjournal -t +7 e:
-u <usn> Start scan with usn number, see -U
-u - Start with previously stored USN in registry.
On exit, last USN is automatically stored in registry. By using this option you can run NTFSjournal multiple times and limit the output to just what has chanaged since the last time it was run.
NTFSjournal -f *.log -s 1000 -u - c: d:

Presentation

Command Description
-A Include attributes. R=readonly, H=hidden, S=system, D=directory.
-D Disable directory part of file path.
-F <fmt> Format output, %t=time, %s=size, %r=reason,
%p=path(dir+file), %d=directory, %f=file(name+ext)
%n=name, %e=extension
Examples:
   NTFSjournal -F "copy %p \\remote\d$\%p" c:*.log > sync.bat
   NTFSjournal -F "File:%f Time:%t Size:%s" c:
   NTFSjournal -D -F "%30t %f" c:
-R Include Reason.
-S Include size.
NOTE: Currently the size is rarely populated because it is expensive to acquire (disk fetch per file).
-T Include modify time.
-U Include USN number.

Warning - no guaranties on reliability and completeness of NTFSjournal.

Help Banner:

Ntfs Journal  v2.9 - Jun  6 2013
By: Dennis Lang
https://landenlabs.com//

Description:
  List NTFS Journal which tracks recent file/folder changes.
  Use 'fsutil usn ...' to create and configure NTFS journal.
Use:
   NtfsJournal [options] <localNTFSdrive>...
 Filter (see examples below):
   -a [d|f]                  ; Just Directories or Files, default is both
   -d                        ; Show detail, by default remove duplicates
   -f <findFilter>           ; Filter by file path, use * or ? patterns
   -g <findFilter>           ; Filter by file path, using grep reqular Expression ^[]+*.$
   -r <changeReasonFilter>   ; Filter by change flags
   -s <size>                 ; Filter by file size
   -t <relativeModifyDate>   ; Filter by Modify Time, value is relative days
   -u <usn>                  ; Start scan with usn number, see -U
   -u -                      ; Start with previously stored USN in registry
                             ; On exit, last USN is automatically stored in registry
 Report (what appears in output):
   -A                        ; Include attributes
   -B <dirAttr>              ; Change directory attribute 'D' to some other string
   -C <fmtChar>              ; Change format character '%' to some other character
   -D                        ; Disable directory
   -F <fmt>                  ; Format output, %t=time, %s=size, %r=reason,%a=attribute
                             ; %p=path(dir+filename), %c=drive, %d=directory,
                             ; %f=filename (name+ext), %n=name, %e=extension
                             ; Field can be padded, as in %10s %15t %20f
   -R [a|l]                  ; Include Reasons, All or just Last, default is just Last
   -S                        ; Include size
   -T                        ; Include modify time
   -U                        ; Include USN number

 Registry:
   HKEY_LOCAL_MACHINE\SOFTWARE\NtfsJournal
       TimeFormat  string   HH:mm          ; google 'msdn GetTimeFormat'
       DateFormat  string   dd-MMM-yyyy    ; google 'msdn GetDateFormat'

 Examples:
  No filtering:
    c:                 ; scan c drive, display filenames.
    -TSA c:            ; scan c drive, display  time, size, attributes.
  Filter examples (precede 'f' command letter with ! to invert rule):
    -f *.txt d:        ; files ending in .txt on d: drive
    -!f *.txt d:       ; files NOT ending in .txt on d: drive
    -f *.txt -!f \$RECY* d:  ; files ending in .txt but not in recyle.bin on d: drive
    -f F* c: d:        ; limit scan to files starting with F on either C or D

  Alternate using grep regular expression, note double backslash for every directory slash
  Also recommended you place the pattern inside quotations
    -g "\\tmp\\sub\\[^\\]+"   d:  ; files inside \tmp\sub\ but nothing deeper
  The above is similar to -f \tmp\sub\* except the -g version is anchored on the left
  and must match starting with its first character.

  Time and size options:
    -t 2.5 -f *.log    ; modified more than 2.5 days ago and ending in .log on c drive
    -t -7 e:           ; modified less than 7 days ago on e drive
    -s 1000 d:         ; size more than 1000 bytes on d drive
    -s -1000 d: e:     ; size less than 1000 bytes on d and e drive
                       ; *** NOTE: Size is rarely populated due to performance
    -F "%20t %20s %40p"  c: ; Format output
    -C # -F "#t,#s,#p"  c:  ; Change format character, and format output
    -F "copy %p \\remote\d$\data\%f" d:\data\* > sync.bat

  Filter Reasons Keywords:
       all,
       overwrite, extend, truncate
       create, delete, rename
       security, basic, link
  Examples:
     -r overwrite+extend+truncate  ; File content changes
     -r create+delete+rename       ; File life changes
   Defaults is:  overwrite+extend+truncate+create+delete+rename
Top

Blog about NTFS Journal

myblog

 

To Top

morecode