private static IEnumerable <UsnJournalRecord> ReadJournal(NtFile volume, ulong start_usn, ulong end_usn, UsnJournalReasonFlags reason_mask, bool unprivileged)
{
if (volume is null)
{
throw new ArgumentNullException(nameof(volume));
}
NtIoControlCode ioctl = unprivileged ? NtWellKnownIoControlCodes.FSCTL_READ_UNPRIVILEGED_USN_JOURNAL : NtWellKnownIoControlCodes.FSCTL_READ_USN_JOURNAL;
Dictionary <long, Tuple <string, string> > ref_paths = new Dictionary <long, Tuple <string, string> >();
var data = QueryUsnJournalData(volume);
end_usn = Math.Min(end_usn, data.NextUsn);
using (var buffer = new SafeHGlobalBuffer(64 * 1024))
{
while (start_usn < end_usn)
{
READ_USN_JOURNAL_DATA_V0 read_journal = new READ_USN_JOURNAL_DATA_V0
{
ReasonMask = reason_mask,
StartUsn = start_usn,
UsnJournalID = data.UsnJournalID
};
using (var in_buffer = read_journal.ToBuffer())
{
int length = volume.FsControl(ioctl, in_buffer, buffer);
int offset = 8;
if (length < 8)
{
yield break;
}
start_usn = buffer.Read <ulong>(0);
while (offset < length)
{
var header = buffer.Read <USN_RECORD_COMMON_HEADER>((ulong)offset);
if (header.MajorVersion == 2 && header.MinorVersion == 0)
{
var entry = new UsnJournalRecord(buffer.GetStructAtOffset <USN_RECORD_V2>(offset), volume, ref_paths);
if (entry.Usn >= end_usn)
{
break;
}
yield return(entry);
}
offset += header.RecordLength;
}
}
}
}
}
private static void CheckForFault(SafeHGlobalBuffer buffer, LRPC_MESSAGE_TYPE message_type)
{
var header = buffer.Read <LRPC_HEADER>(0);
if (header.MessageType != LRPC_MESSAGE_TYPE.lmtFault && header.MessageType != message_type)
{
throw new ArgumentException($"Invalid response message type {header.MessageType}");
}
if (header.MessageType == LRPC_MESSAGE_TYPE.lmtFault)
{
var fault = buffer.GetStructAtOffset <LRPC_FAULT_MESSAGE>(0);
throw new RpcFaultException(fault);
}
}
