
NTFSjournal - Display Windows NTFS journal activity, list recently changed files

Version

NTFSjournal   Author: Dennis Lang
Version: NTFSjournal v2.9
Updated: Jun-2013
https://landenlabs.com//


Intro

NTFSjournal is a simple program that lists the contents of the Windows NTFS change journal (the USN journal). Starting with Windows 2000, NTFS version 3.0 includes a journal that keeps a rolling history of file changes. The journal can be created, disabled and resized with Microsoft's fsutil program.

Here is part of Microsoft's documentation for fsutil usn (search the web for the full documentation):

Parameters

  createjournal         Creates a USN change journal.
     m=MaximumSize        Specifies the maximum size, in bytes, that NTFS allocates for the change journal.
     a=AllocationDelta    Specifies the size, in bytes, of memory allocation that is added to the end and removed from the beginning of the change journal.
     VolumePathname       Specifies the drive letter (followed by a colon), mount point, or volume name.
  deletejournal         Deletes or disables an active USN change journal.
     flags /D             Disables an active USN change journal, and returns I/O control while the change journal is being disabled.
     VolumePathname       Specifies the drive letter (followed by a colon), mount point, or volume name.
  enumdata              Enumerates and lists the change journal entries between two specified boundaries.
     FileRef              Ordinal position within the files on the volume at which the enumeration is to begin.
     LowUsn               Lower boundary of the range of USN values used to filter which records are returned. Only records whose last change journal USN is between or equal to the LowUsn and HighUsn member values are returned.
     HighUsn              Upper boundary of the range of USN values used to filter which files are returned.
     PathName             Specifies the drive letter (followed by a colon), mount point, or volume name.
  queryjournal          Queries a volume's USN data to gather information about the current change journal, its records, and its capacity.
     VolumePathname       Specifies the drive letter (followed by a colon), mount point, or volume name.
  readdata              Reads the USN data for a file.
     PathName             Specifies the drive letter (followed by a colon), mount point, or volume name.

NTFSjournal works much like the directory listing command dir: it takes a disk drive and an optional file pattern.

Examples:

Sample output. Note that the lines beginning with dashes are written to standard error, so if you redirect standard output to a file you get only the file names.

> NtfsJournal.exe -f \Windows\* c:*.log
--- Journal for c:*.log
\Windows\WindowsUpdate.log
\Windows\debug\PASSWD.LOG
\Windows\debug\WIA\wiatrace.log
\Windows\inf\setupapi.app.log
\Windows\security\database\edb.log
\Windows\security\logs\winlogon.log
\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun.log
\Windows\System32\catroot2\edb.log
\Windows\Temp\MpCmdRun.log
\Windows\SoftwareDistribution\ReportingEvents.log
\Windows\SoftwareDistribution\DataStore\Logs\edb.log
\Windows\System32\LogFiles\HTTPERR\httperr1.log
--- 0.749 seconds


>  NTFSjournal -t -1 -D -F "%30t,%p"  c:*.log
--- Journal for c:*.log
05-Aug-2011 20:30             ,\Program Files (x86)\Symantec\Symantec Endpoint Protection\syslog.log
06-Aug-2011 11:05             ,\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Unknown.Log
05-Aug-2011 20:30             ,\ProgramData\Symantec\SRTSP\SrtTxFEvt.log
05-Aug-2011 21:53             ,\ProgramData\Symantec\Symantec Endpoint Protection\Logs\07222011.Log
05-Aug-2011 23:48             ,\Windows\WindowsUpdate.log
05-Aug-2011 20:30             ,\Windows\debug\PASSWD.LOG
06-Aug-2011 10:34             ,\Windows\inf\setupapi.app.log
05-Aug-2011 23:48             ,\Windows\security\logs\winlogon.log
06-Aug-2011 11:08             ,\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun.log
05-Aug-2011 20:30             ,\Windows\System32\catroot2\edb.log
06-Aug-2011 11:05             ,\Windows\Temp\MpCmdRun.log
06-Aug-2011 11:10             ,\Windows\SoftwareDistribution\DataStore\Logs\edb.log
05-Aug-2011 23:48             ,\Users\dlang\AppData\Local\Temp\wmsetup.log
05-Aug-2011 23:48             ,\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log
05-Aug-2011 19:48             ,\Users\dlang\Downloads\pscan_src\Debug\pscan.log
05-Aug-2011 23:48             ,\Program Files (x86)\Steam\steam.log
05-Aug-2011 20:30             ,\Program Files (x86)\TeamViewer\Version6\TeamViewer6_Logfile.log
05-Aug-2011 23:48             ,\Windows\System32\LogFiles\HTTPERR\httperr1.log
--- 0.78 seconds

>  NTFSjournal -u - -F "copy %p \\remote\d$\%p"  c:*.log  > syncIt.bat
--- Journal for c:*.log
--- 0 seconds

> more syncIt.bat
copy \Windows\WindowsUpdate.log \\remote\d$\\Windows\WindowsUpdate.log
copy \Windows\debug\PASSWD.LOG \\remote\d$\\Windows\debug\PASSWD.LOG
copy \Windows\debug\WIA\wiatrace.log \\remote\d$\\Windows\debug\WIA\wiatrace.log
copy \Windows\inf\setupapi.app.log \\remote\d$\\Windows\inf\setupapi.app.log
copy \Windows\security\database\edb.log \\remote\d$\\Windows\security\database\edb.log
copy \Windows\security\logs\winlogon.log \\remote\d$\\Windows\security\logs\winlogon.log

The wildcard engine supports only ? and *, but either wildcard may appear any number of times, in both the file name and the directory parts of the pattern.

Examples:

Pattern                      Results
*                            All files
???                          Files whose name is exactly 3 characters
*.txt                        Files ending with .txt
c:\*\log\*.txt               Files ending with .txt in a subdirectory named \log
c:\Windows\System*\*.log     Files ending with .log in a subdirectory whose path starts with \Windows\System

NTFSjournal includes several optional arguments to control the filtering and presentation.

Filtering

When you use multiple filters, only files that match ALL the rules are reported. So if you filter on both file name and time, both conditions have to hold for the file to be reported. One useful combination is a directory path filter together with a file name filter:

NTFSjournal -f \windows\* -f *.log c:

Note: the following never reports anything, because both rules filter on the file extension and no file name can end in both .log and .txt:
NTFSjournal -f *.log -f *.txt c:
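As an added example (not the tool's own code), here is how a ?/* wildcard filter of the kind described above can be implemented, including the AND combination of several -f rules. It also goes one step beyond the page: it shows the anchored regular expression each wildcard compiles to, which is the spelling the -g option further down expects (backslash and dot escaped, the whole path matched). Assumptions not stated on the page: a pattern containing no backslash is applied to the file name alone while one with backslashes is applied to the volume-relative path NTFSjournal prints (the leading c: in the pattern table is the drive being scanned, not part of the match); matching is case-insensitive, as the page's own -f \windows\* example against paths printed as \Windows\... implies; and the sample paths are constructed.

```python
"""?/* wildcard filter in the style of NTFSjournal -f (added example, not the
tool's own code). Paths and patterns below are constructed test values."""
import re
from typing import Iterable, List


def wildcard_to_grep(pattern: str) -> str:
    r"""Compile a ?/* wildcard into anchored regular-expression source.

    '*' becomes '.*' and so matches across directory separators, '?' becomes
    '.', and every other character is escaped. The result is the spelling the
    -g option needs: backslashes doubled and '.' written as '\.', e.g.
    r'\tmp\log\*.log' -> r'\\tmp\\log\\.*\.log'.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def matches(pattern: str, path: str) -> bool:
    r"""Test one volume-relative path against one wildcard pattern.

    Assumption (not stated on the page): a pattern without a backslash is
    applied to the file name only, one with backslashes to the whole path.
    Matching is case-insensitive, as the page's '-f \windows\*' example on
    paths printed as '\Windows\...' implies. fullmatch() anchors both ends,
    so the pattern must account for every character, like -g does.
    """
    subject = path if "\\" in pattern else path.rsplit("\\", 1)[-1]
    return re.fullmatch(wildcard_to_grep(pattern), subject, re.IGNORECASE) is not None


def apply_filters(paths: Iterable[str], patterns: Iterable[str]) -> List[str]:
    """Keep only paths that satisfy ALL patterns (how several -f rules combine)."""
    patterns = list(patterns)
    return [p for p in paths if all(matches(pat, p) for pat in patterns)]


# Constructed sample of volume-relative paths, as NTFSjournal prints them.
SAMPLE_PATHS = [
    r"\Windows\WindowsUpdate.log",
    r"\Windows\System32\LogFiles\HTTPERR\httperr1.log",
    r"\Users\dlang\notes.txt",
    r"\tmp\log\trace.txt",
    r"\tmp\log\deep\trace.txt",
    r"\abc",
]

if __name__ == "__main__":
    for pat in ["*", "???", "*.txt", r"\*\log\*.txt", r"\Windows\System*\*.log"]:
        hits = apply_filters(SAMPLE_PATHS, [pat])
        print(f"{pat:<26} -> {len(hits)} file(s)   regex: {wildcard_to_grep(pat)}")
    # Two -f rules AND together: a directory rule plus an extension rule works,
    # two extension rules can never both hold for one file name.
    print("-f \\windows\\* -f *.log ->", apply_filters(SAMPLE_PATHS, [r"\windows\*", "*.log"]))
    print("-f *.log -f *.txt       ->", apply_filters(SAMPLE_PATHS, ["*.log", "*.txt"]))
```

Running the block prints, for each pattern from the table above, how many constructed paths it selects and the regex it became; the -f \tmp\log\*.log wildcard, for instance, compiles to exactly the \\tmp\\log\\.*\.log form the -g example below uses.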

Command Description
-d Show details. By default duplicate file entries are merged. Use -d to see all the gory details.
-f <fileFilter> Use -f to define file filters using wildcards.
Identical file filter commands:
   NTFSjournal -f *.log c:
   NTFSjournal c:*.log
Example with file filter applied to multiple drives.
   NTFSjournal -f *.log c: d:
-g <fileFilter> -g is an alternate form of -f that uses a grep-style regular expression engine (std::regex, basic syntax). Two differences matter. First, backslash and dot are reserved characters, so they must be escaped (\\ and \.) to match a directory separator or the dot before a file extension. Second, the pattern is anchored and must match the entire path, not just part of it.

Basic regular expression characters:

Character   Matches
.           Any single character
*           Zero or more of the previous character
+           One or more of the previous character
\           Escapes a special pattern character
[]          Character group, e.g. [a-z0-9] or [139]
^           As the first character in a group, negates the group, e.g. [^a-z] or [^\\]

** For the full regular expression grammar, search the web for std::regex (basic): Basic Regular Expression Syntax


Examples:
   NTFSjournal -g \\tmp\\log\\.*\.log c: d:
   NTFSjournal -g \\tmp\\log\\[a-z]+\.(log|txt) c: d:

-r <changeReasonFilter> Filter by change reason.
Reasons Keywords:
   overwrite, extend, truncate, create, delete, rename, security, basic, link
Examples:
   NTFSjournal -r overwrite+extend+truncate c:
   NTFSjournal -r create+delete+rename c:*.log
Default is: overwrite+extend+truncate+create+delete
-s <size> Filter by file size
Show files greater than 1000 bytes on d drive.
   NTFSjournal -s 1000 d:
Show files less than 2000 bytes on c drive.
   NTFSjournal -s -2000 c:
NOTE: Currently the size is rarely populated because it is expensive to acquire (disk fetch per file).
-t <relativeModifyDate> Filter by Modify Time, value is relative days.
Modified in the last 2.5 days and ending in .log on c drive.
   NTFSjournal -t -2.5 -f *.log
Modified more than 7 days ago on e drive.
   NTFSjournal -t +7 e:
-u <usn> Start scan with usn number, see -U
-u - Start with previously stored USN in registry.
On exit, the last USN is automatically stored in the registry. Using this option you can run NTFSjournal repeatedly and limit the output to just what has changed since the last run.
NTFSjournal -f *.log -s 1000 -u - c: d:
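The -u - workflow and the -r reason filter described above, as an added Python example (not NTFSjournal's own code): each run reports only journal records with a USN above the one saved by the previous run, keeps the records whose reason bits match the selected keywords, and, unless details are requested, merges repeated entries for the same path the way the default output does. The journal records are constructed sample data; the cursor is kept in a small JSON file rather than in the HKEY_LOCAL_MACHINE\SOFTWARE\NtfsJournal registry key so the example runs on any platform; and the reason keywords are mapped to the USN_REASON_* bit values from the Windows SDK header winioctl.h, which the page itself does not list. The default reason set is the one given for -r above.

```python
"""Incremental NTFS change-journal reporting with a stored USN cursor and a
reason filter (added example, not NTFSjournal's own code)."""
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Sequence, Tuple

Record = Tuple[int, int, str]  # (usn, reason flags, volume-relative path)

# USN_REASON_* bit values from the Windows SDK (winioctl.h), keyed by the
# keyword NTFSjournal's -r option uses for each.
REASON_BITS = {
    "overwrite": 0x00000001,               # USN_REASON_DATA_OVERWRITE
    "extend":    0x00000002,               # USN_REASON_DATA_EXTEND
    "truncate":  0x00000004,               # USN_REASON_DATA_TRUNCATION
    "create":    0x00000100,               # USN_REASON_FILE_CREATE
    "delete":    0x00000200,               # USN_REASON_FILE_DELETE
    "security":  0x00000800,               # USN_REASON_SECURITY_CHANGE
    "rename":    0x00001000 | 0x00002000,  # RENAME_OLD_NAME | RENAME_NEW_NAME
    "basic":     0x00008000,               # USN_REASON_BASIC_INFO_CHANGE
    "link":      0x00010000,               # USN_REASON_HARD_LINK_CHANGE
}
DEFAULT_REASONS = "overwrite+extend+truncate+create+delete"  # the -r default

# Constructed sample journal. Real USNs are increasing byte offsets into the
# $UsnJrnl:$J stream; the values here are only ordered the same way.
JOURNAL: List[Record] = [
    (1000, REASON_BITS["create"],    r"\Windows\Temp\MpCmdRun.log"),
    (1080, REASON_BITS["extend"],    r"\Windows\Temp\MpCmdRun.log"),
    (1160, REASON_BITS["overwrite"], r"\Windows\WindowsUpdate.log"),
    (1240, REASON_BITS["security"],  r"\Users\dlang\report.docx"),
    (1320, 0x00001000,               r"\Users\dlang\old.txt"),   # rename, old name
    (1400, 0x00002000,               r"\Users\dlang\new.txt"),   # rename, new name
    (1480, REASON_BITS["delete"],    r"\Users\dlang\scratch.tmp"),
]


def reason_mask(spec: str) -> int:
    """'create+delete+rename' -> bit mask; 'all' selects every reason."""
    words = REASON_BITS if spec == "all" else spec.split("+")
    mask = 0
    for word in words:
        mask |= REASON_BITS[word]  # an unknown keyword raises KeyError
    return mask


def describe(flags: int) -> str:
    """Render reason bits the way a %r column might, e.g. 'extend+create'."""
    return "+".join(name for name, bits in REASON_BITS.items() if flags & bits)


def read_cursor(cursor_file: Path) -> Optional[int]:
    """Last USN stored by the previous run, or None on the first run."""
    if not cursor_file.exists():
        return None
    return int(json.loads(cursor_file.read_text())["last_usn"])


def scan(records: Sequence[Record], cursor_file: Optional[Path] = None,
         reasons: str = DEFAULT_REASONS, details: bool = False,
         start_usn: Optional[int] = None) -> List[Record]:
    """One NTFSjournal-style run over the journal.

    start_usn=None with a cursor file behaves like '-u -': resume just past the
    stored USN (or from the start on the first run). An explicit start_usn is
    '-u <usn>'. With details=False, entries for the same path are merged: the
    highest USN is kept and the reason bits are OR-ed together.
    """
    if start_usn is None:
        stored = read_cursor(cursor_file) if cursor_file else None
        start_usn = stored + 1 if stored is not None else 0
    mask = reason_mask(reasons)
    examined = [rec for rec in records if rec[0] >= start_usn]
    if cursor_file is not None and examined:
        # The cursor advances past every record examined, including ones the
        # reason filter dropped, so the next run reports only new activity.
        cursor_file.write_text(json.dumps({"last_usn": max(u for u, _, _ in examined)}))
    selected = [rec for rec in examined if rec[1] & mask]
    if details:
        return selected
    merged: Dict[str, Tuple[int, int]] = {}
    for usn, flags, path in selected:
        prev_usn, prev_flags = merged.get(path, (0, 0))
        merged[path] = (max(prev_usn, usn), prev_flags | flags)
    return sorted((u, f, p) for p, (u, f) in merged.items())


def demo_runs() -> Tuple[List[Record], List[Record]]:
    """Two consecutive '-u -' runs against a throw-away cursor file."""
    with tempfile.TemporaryDirectory() as tmp:
        cursor = Path(tmp) / "cursor.json"
        first = scan(JOURNAL, cursor)
        later = JOURNAL + [(1560, REASON_BITS["create"], r"\Users\dlang\fresh.log")]
        second = scan(later, cursor)
    return first, second


if __name__ == "__main__":
    first, second = demo_runs()
    for label, report in (("first run", first), ("second run", second)):
        print(f"--- {label}")
        for usn, flags, path in report:
            print(f"{usn:>8}  {describe(flags):<20} {path}")
```

The first run reports three merged entries (the create and extend of MpCmdRun.log collapse into one line, the security change and the rename are outside the default reason set); the second run, started from the stored cursor, reports only the newly appended record. Advancing the cursor past filtered-out records is deliberate: a later run with a wider -r set would otherwise never see them either, since they are already behind the stored USN.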

Presentation

Command Description
-A Include attributes. R=readonly, H=hidden, S=system, D=directory.
-D Disable directory part of file path.
-F <fmt> Format output, %t=time, %s=size, %r=reason,
%p=path(dir+file), %d=directory, %f=file(name+ext)
%n=name, %e=extension
Examples:
   NTFSjournal -F "copy %p \\remote\d$\%p" c:*.log > sync.bat
   NTFSjournal -F "File:%f Time:%t Size:%s" c:
   NTFSjournal -D -F "%30t %f" c:
-R Include Reason.
-S Include size.
NOTE: Currently the size is rarely populated because it is expensive to acquire (disk fetch per file).
-T Include modify time.
-U Include USN number.

Warning: no guarantees are made about the reliability or completeness of NTFSjournal.

Help Banner:

Ntfs Journal  v2.9 - Jun  6 2013
By: Dennis Lang
https://landenlabs.com//

Description:
  List NTFS Journal which tracks recent file/folder changes.
  Use 'fsutil usn ...' to create and configure NTFS journal.
Use:
   NtfsJournal [options] <localNTFSdrive>...
 Filter (see examples below):
   -a [d|f]                  ; Just Directories or Files, default is both
   -d                        ; Show detail, by default remove duplicates
   -f <findFilter>           ; Filter by file path, use * or ? patterns
   -g <findFilter>           ; Filter by file path, using grep reqular Expression ^[]+*.$
   -r <changeReasonFilter>   ; Filter by change flags
   -s <size>                 ; Filter by file size
   -t <relativeModifyDate>   ; Filter by Modify Time, value is relative days
   -u <usn>                  ; Start scan with usn number, see -U
   -u -                      ; Start with previously stored USN in registry
                             ; On exit, last USN is automatically stored in registry
 Report (what appears in output):
   -A                        ; Include attributes
   -B <dirAttr>              ; Change directory attribute 'D' to some other string
   -C <fmtChar>              ; Change format character '%' to some other character
   -D                        ; Disable directory
   -F <fmt>                  ; Format output, %t=time, %s=size, %r=reason,%a=attribute
                             ; %p=path(dir+filename), %c=drive, %d=directory,
                             ; %f=filename (name+ext), %n=name, %e=extension
                             ; Field can be padded, as in %10s %15t %20f
   -R [a|l]                  ; Include Reasons, All or just Last, default is just Last
   -S                        ; Include size
   -T                        ; Include modify time
   -U                        ; Include USN number

 Registry:
   HKEY_LOCAL_MACHINE\SOFTWARE\NtfsJournal
       TimeFormat  string   HH:mm          ; google 'msdn GetTimeFormat'
       DateFormat  string   dd-MMM-yyyy    ; google 'msdn GetDateFormat'

 Examples:
  No filtering:
    c:                 ; scan c drive, display filenames.
    -TSA c:            ; scan c drive, display  time, size, attributes.
  Filter examples (precede 'f' command letter with ! to invert rule):
    -f *.txt d:        ; files ending in .txt on d: drive
    -!f *.txt d:       ; files NOT ending in .txt on d: drive
    -f *.txt -!f \$RECY* d:  ; files ending in .txt but not in recyle.bin on d: drive
    -f F* c: d:        ; limit scan to files starting with F on either C or D

  Alternate using grep regular expression, note double backslash for every directory slash
  Also recommended you place the pattern inside quotations
    -g "\\tmp\\sub\\[^\\]+"   d:  ; files inside \tmp\sub\ but nothing deeper
  The above is similar to -f \tmp\sub\* except the -g version is anchored on the left
  and must match starting with its first character.

  Time and size options:
    -t 2.5 -f *.log    ; modified more than 2.5 days ago and ending in .log on c drive
    -t -7 e:           ; modified less than 7 days ago on e drive
    -s 1000 d:         ; size more than 1000 bytes on d drive
    -s -1000 d: e:     ; size less than 1000 bytes on d and e drive
                       ; *** NOTE: Size is rarely populated due to performance
    -F "%20t %20s %40p"  c: ; Format output
    -C # -F "#t,#s,#p"  c:  ; Change format character, and format output
    -F "copy %p \\remote\d$\data\%f" d:\data\* > sync.bat

  Filter Reasons Keywords:
       all,
       overwrite, extend, truncate
       create, delete, rename
       security, basic, link
  Examples:
     -r overwrite+extend+truncate  ; File content changes
     -r create+delete+rename       ; File life changes
   Defaults is:  overwrite+extend+truncate+create+delete+rename