private void QueryUsnJournal_Click(object sender, RoutedEventArgs e)
{
_usnEntryDetail.Visibility = Visibility.Hidden;
resultsLb.ItemsSource = null;
resultsLb.Items.Clear();
Win32Api.USN_JOURNAL_DATA journalState = new Win32Api.USN_JOURNAL_DATA();
NtfsUsnJournal.UsnJournalReturnCode rtn = _usnJournal.GetUsnJournalState(ref journalState);
FunctionElapsedTime.Content = string.Format("Query->{0} elapsed time {1}(ms)",
"GetUsnJournalState()", NtfsUsnJournal.ElapsedTime.Milliseconds.ToString());
if (rtn == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
{
ListBoxItem lbItem = new ListBoxItem();
lbItem.Foreground = Brushes.Black;
lbItem.Content = FormatUsnJournalState(journalState);
resultsLb.Items.Add(lbItem);
}
else
{
ListBoxItem lbItem = new ListBoxItem();
lbItem.Content = string.Format("Query->{0} returned error code: {1}", "GetUsnJournalState()", rtn.ToString());
lbItem.Foreground = Brushes.Red;
resultsLb.Items.Add(lbItem);
}
}
public void Position(string Path)
{
NtfsUsnJournal journal = new NtfsUsnJournal(Path);
Win32Api.USN_JOURNAL_DATA journalData = new Win32Api.USN_JOURNAL_DATA();
var usnJournalReturnCode = journal.GetUsnJournalState(ref journalData);
if (usnJournalReturnCode == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
{
Console.WriteLine("Next USN: " + journalData.NextUsn);
}
}
public void SignalBackup() // to be called when full is performed
//Console.WriteLine ("brd snapshot type="+brd.Snapshot.);
{
using (usnJ = new NtfsUsnJournal(brd /*.Snapshot.MountPoint*/)){
Win32Api.USN_JOURNAL_DATA journal = new Win32Api.USN_JOURNAL_DATA();
usnJ.GetUsnJournalState(ref journal);
Logger.Append(Severity.DEBUG, "Current USN journal for '" + brd.Snapshot.MountPoint + "' " + journal.UsnJournalID + ", USN no: " + journal.NextUsn + ", maxSize=" + journal.MaximumSize / 1024 + "k, FirstEntry=" + journal.FirstUsn);
journalId = (ulong)journal.UsnJournalID;
transactionId = journal.NextUsn;
journalMinUsn = journal.FirstUsn;
}
}
public static Win32Api.USN_JOURNAL_DATA GetCurrentUSNJournalData(string DriveLetter)
{
NtfsUsnJournal journal = new NtfsUsnJournal(DriveLetter);
Win32Api.USN_JOURNAL_DATA journalState = new Win32Api.USN_JOURNAL_DATA();
NtfsUsnJournal.UsnJournalReturnCode rtn = journal.GetUsnJournalState(ref journalState);
if (rtn == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
{
return(journalState);
}
else
{
throw new UsnJournalException(rtn);
}
}
public static Win32Api.USN_JOURNAL_DATA GetCurrentUSNJournalData(string DriveLetter)
{
NtfsUsnJournal journal = new NtfsUsnJournal(DriveLetter);
Win32Api.USN_JOURNAL_DATA journalState = new Win32Api.USN_JOURNAL_DATA();
NtfsUsnJournal.UsnJournalReturnCode rtn = journal.GetUsnJournalState(ref journalState);
if (rtn == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
{
return journalState;
}
else
{
throw new UsnJournalException(rtn);
}
}
public void GetUSNDetails(string Mountpoint)
{
using (var journal = new NtfsUsnJournal(Mountpoint))
{
Win32Api.USN_JOURNAL_DATA data = new Win32Api.USN_JOURNAL_DATA();
var usnJournalReturnCode = journal.GetUsnJournalState(ref data);
if (usnJournalReturnCode == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
{
Console.WriteLine("Journal ID: " + data.UsnJournalID);
Console.WriteLine("Allocation Delta: " + data.AllocationDelta);
Console.WriteLine("First USN: " + data.FirstUsn);
Console.WriteLine("Lowest Valid USN: " + data.LowestValidUsn);
Console.WriteLine("Max USN: " + data.MaxUsn);
Console.WriteLine("Maximum Size: " + data.MaximumSize);
Console.WriteLine("Next Usn: " + data.NextUsn);
}
else
{
Console.WriteLine("ERROR: " + usnJournalReturnCode.ToString());
}
}
}
private void btnQueryUsnJournal_Click(object sender, EventArgs e)
{
lbResults.DataSource = null;
lbResults.Items.Clear();
USN_JOURNAL_DATA journalState = new USN_JOURNAL_DATA();
NtfsUsnJournal.UsnJournalReturnCode rtn = _usnJournal.GetUsnJournalState(ref journalState);
lblElapsedTime.Visible = true;
lblElapsedTime.Text = string.Format("执行用时:{0}ms", NtfsUsnJournal.ElapsedTime.Milliseconds.ToString());
lblListCount.Text = string.Empty;
if (rtn == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
{
lbResults.Items.AddRange(FormatUsnJournalState(journalState));
}
else
{
lbResults.Items.Add(string.Format("{0} 执行失败!错误码: {1}。", "GetUsnJournalState()", rtn.ToString()));
}
}
private Dictionary <int, Win32Api.UsnEntry> GetUsnRecordsDictionary()
{
PrivilegesManager pm = new PrivilegesManager();
pm.Grant();
Dictionary <int, Win32Api.UsnEntry> uEntries = new Dictionary <int, Win32Api.UsnEntry>();
using (usnJ = new NtfsUsnJournal(/*brd.SystemDrive.MountPoint*/ brd /*.Snapshot.MountPoint*/)){
Logger.Append(Severity.DEBUG, "Reading USN journal " + journalId + " for '" + brd.SystemDrive.MountPoint
+ "' from seq " + prevTransactionId + " to seq " + transactionId
+ " (changed entries from " + Utilities.Utils.GetLocalDateTimeFromUnixTime(refTimeStamp).ToString()
+ " to " + Utilities.Utils.GetLocalDateTimeFromUnixTime(brd.Snapshot.TimeStamp).ToLocalTime().ToString() + ")");
Win32Api.USN_JOURNAL_DATA stateJd = new Win32Api.USN_JOURNAL_DATA();
stateJd.UsnJournalID = journalId;
stateJd.NextUsn = prevTransactionId;
Win32Api.USN_JOURNAL_DATA newState = new Win32Api.USN_JOURNAL_DATA(); // unused, as we maintain our own state
List <Win32Api.UsnEntry> changedUsnEntries = new List <Win32Api.UsnEntry>();
usnJ.GetUsnJournalState(ref newState);
NtfsUsnJournal.UsnJournalReturnCode retCode = usnJ.GetUsnJournalEntries(stateJd, refTimeStamp, 0xFFFFFFFF, out changedUsnEntries, out newState);
if (retCode != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
{
throw new Exception(retCode.ToString());
}
int entryId = 0;
foreach (Win32Api.UsnEntry ue in changedUsnEntries)
{
if (ue != null && ue.Reason > 0)
{
entryId = (int)(ue.FileReferenceNumber);
//if(ue.Name.StartsWith("grut"))
//Console.WriteLine ("|--------| USN seq="+ue.USN+", item "+entryId+" ("+ue.Name+") "+((NtfsUsnJournal.UsnReasonCode)ue.Reason).ToString());
if (!uEntries.ContainsKey(entryId))
{
uEntries[entryId] = ue;
}
else // cumulate reason flags
// ignore created+deleted (temporary or short-lived (between 2 backups) items
{
if (
((Win32Api.UsnReasonCode)ue.Reason).HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_DELETE) &&
((Win32Api.UsnReasonCode)uEntries[entryId].Reason).HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_CREATE)
)
{
Console.WriteLine("*** item " + ue.Name + " CREATED+DELETED");
continue;
}
// file ID reused (file delete + new create) : totally replace previous entry
else if (
((Win32Api.UsnReasonCode)ue.Reason).HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_CREATE) &&
((Win32Api.UsnReasonCode)uEntries[entryId].Reason).HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_DELETE)
)
{
uEntries[entryId] = ue;
}
// cumulate flags
else if (!((Win32Api.UsnReasonCode)uEntries[entryId].Reason).HasFlag(((Win32Api.UsnReasonCode)ue.Reason)))
{
Win32Api.UsnReasonCode newReason = ((Win32Api.UsnReasonCode)uEntries[entryId].Reason) | ((Win32Api.UsnReasonCode)ue.Reason);
uEntries[entryId] = ue;
uEntries[entryId].Reason = (uint)newReason;
}
// only keep the last rename operation
/*if(((NtfsUsnJournal.UsnReasonCode)ue.Reason).HasFlag(NtfsUsnJournal.UsnReasonCode.USN_REASON_RENAME_NEW_NAME) ){
* Console.WriteLine ("*** item "+ue.Name+" RENAMED (reasons="+((NtfsUsnJournal.UsnReasonCode)ue.Reason).ToString());
* NtfsUsnJournal.UsnReasonCode newReason = ((NtfsUsnJournal.UsnReasonCode)entries[entryId].Reason) ;
* if(!((NtfsUsnJournal.UsnReasonCode)entries[entryId].Reason).HasFlag(NtfsUsnJournal.UsnReasonCode.USN_REASON_RENAME_NEW_NAME) )
* newReason |= NtfsUsnJournal.UsnReasonCode.USN_REASON_RENAME_NEW_NAME;
* entries[entryId] = ue;
* entries[entryId].Reason = (uint)newReason;
* }*/
}
}
}
Logger.Append(Severity.TRIVIA, "Done reading USN journal " + journalId + " for '" + brd.SystemDrive.MountPoint);
} //end using
return(uEntries);
}
public void BeginScan()
{
//clear
parentFileReferenceIdentifiers.Clear();
USNEntries.Clear();
USNDirectories.Clear();
usnCurrentJournalState = new Win32Api.USN_JOURNAL_DATA();
//1 phase; handle
try
{
usnJournal = new NtfsUsnJournal(selectedVolume);
OnEntryAmountUpdate(true);
}
catch (Exception)
{
OnEntryAmountUpdate(false);
return;
}
//2 phase; current state
Win32Api.USN_JOURNAL_DATA journalState = new Win32Api.USN_JOURNAL_DATA();
NtfsUsnJournal.UsnJournalReturnCode rtn = usnJournal.GetUsnJournalState(ref journalState);
if (rtn == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
{
usnCurrentJournalState = journalState;
OnEntryAmountUpdate(true);
}
else
{
OnEntryAmountUpdate(false);
return;
}
//3 phase; query
uint reasonMask = Win32Api.USN_REASON_DATA_OVERWRITE |
Win32Api.USN_REASON_DATA_EXTEND |
Win32Api.USN_REASON_NAMED_DATA_OVERWRITE |
Win32Api.USN_REASON_NAMED_DATA_TRUNCATION |
Win32Api.USN_REASON_FILE_CREATE |
Win32Api.USN_REASON_FILE_DELETE |
Win32Api.USN_REASON_EA_CHANGE |
Win32Api.USN_REASON_SECURITY_CHANGE |
Win32Api.USN_REASON_RENAME_OLD_NAME |
Win32Api.USN_REASON_RENAME_NEW_NAME |
Win32Api.USN_REASON_INDEXABLE_CHANGE |
Win32Api.USN_REASON_BASIC_INFO_CHANGE |
Win32Api.USN_REASON_HARD_LINK_CHANGE |
Win32Api.USN_REASON_COMPRESSION_CHANGE |
Win32Api.USN_REASON_ENCRYPTION_CHANGE |
Win32Api.USN_REASON_OBJECT_ID_CHANGE |
Win32Api.USN_REASON_REPARSE_POINT_CHANGE |
Win32Api.USN_REASON_STREAM_CHANGE |
Win32Api.USN_REASON_CLOSE;
OldestUSN = usnCurrentJournalState.FirstUsn;
NtfsUsnJournal.UsnJournalReturnCode rtnCode = usnJournal.GetUsnJournalEntries(usnCurrentJournalState, reasonMask, out List <Win32Api.UsnEntry> usnEntries, out usnCurrentJournalState);
if (rtnCode == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
{
OnEntryAmountUpdate(true);
//4 phase
ResolveIdentifiers(usnEntries);
OnEntryAmountUpdate(true);
//5 phase
AddEntries(usnEntries);
OnEntryAmountUpdate(true);
OnWorkEnded();
}
else
{
OnEntryAmountUpdate(false);
return;
}
}
