/// <summary>
/// Reads the USN change journal between <c>prevTransactionId</c> and the current
/// position and collapses the returned records into a single entry per file id.
/// </summary>
/// <returns>
/// Changed entries keyed by the file reference number narrowed to <see cref="int"/>.
/// </returns>
/// <exception cref="Exception">
/// Thrown, with the return code as message, when <c>GetUsnJournalEntries</c> reports
/// anything other than <c>USN_JOURNAL_SUCCESS</c>.
/// </exception>
private Dictionary<int, Win32Api.UsnEntry> GetUsnRecordsDictionary()
{
    // NOTE(review): Grant() runs on every call and nothing in this method releases
    // what it grants; confirm where the elevated privileges are dropped so the
    // process does not keep them longer than the journal read needs.
    PrivilegesManager privileges = new PrivilegesManager();
    privileges.Grant();

    var entriesById = new Dictionary<int, Win32Api.UsnEntry>();

    // usnJ is a member declared outside this method; the using block disposes it on exit.
    using (usnJ = new NtfsUsnJournal(brd))
    {
        string rangeStart = Utilities.Utils.GetLocalDateTimeFromUnixTime(refTimeStamp).ToString();
        string rangeEnd = Utilities.Utils.GetLocalDateTimeFromUnixTime(brd.Snapshot.TimeStamp).ToLocalTime().ToString();
        Logger.Append(Severity.DEBUG, "Reading USN journal " + journalId + " for '" + brd.SystemDrive.MountPoint + "' from seq " + prevTransactionId + " to seq " + transactionId + " (changed entries from " + rangeStart + " to " + rangeEnd + ")");

        // Start reading from the state remembered by the previous run.
        Win32Api.USN_JOURNAL_DATA resumeState = new Win32Api.USN_JOURNAL_DATA
        {
            UsnJournalID = journalId,
            NextUsn = prevTransactionId
        };

        // The journal's own state is not used afterwards: this class keeps its own
        // state, and newState is overwritten by the out parameter below. The return
        // code of GetUsnJournalState is ignored.
        Win32Api.USN_JOURNAL_DATA newState = new Win32Api.USN_JOURNAL_DATA();
        List<Win32Api.UsnEntry> changedUsnEntries;
        usnJ.GetUsnJournalState(ref newState);

        // 0xFFFFFFFF is presumably a reason mask selecting every change reason; confirm
        // against GetUsnJournalEntries.
        NtfsUsnJournal.UsnJournalReturnCode readResult =
            usnJ.GetUsnJournalEntries(resumeState, refTimeStamp, 0xFFFFFFFF, out changedUsnEntries, out newState);
        if (readResult != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
        {
            // A failed read must not be mistaken for "nothing changed".
            throw new Exception(readResult.ToString());
        }

        foreach (Win32Api.UsnEntry record in changedUsnEntries)
        {
            if (record == null || record.Reason <= 0)
            {
                continue;
            }

            // NOTE(review): the file reference number is narrowed to int. If it is the
            // 64-bit NTFS reference, two different files sharing the low 32 bits would
            // be merged under one key and one change could be lost; verify the range.
            int fileId = (int)(record.FileReferenceNumber);

            Win32Api.UsnEntry known;
            if (!entriesById.TryGetValue(fileId, out known))
            {
                entriesById[fileId] = record;
                continue;
            }

            Win32Api.UsnReasonCode incoming = (Win32Api.UsnReasonCode)record.Reason;
            Win32Api.UsnReasonCode accumulated = (Win32Api.UsnReasonCode)known.Reason;

            if (incoming.HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_DELETE)
                && accumulated.HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_CREATE))
            {
                // Short-lived item (created and deleted between two backups): the delete
                // record is skipped.
                // NOTE(review): the earlier create entry stays in the dictionary, so the
                // item is still returned to the caller; confirm this is intended.
                Console.WriteLine("*** item " + record.Name + " CREATED+DELETED");
                continue;
            }

            if (incoming.HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_CREATE)
                && accumulated.HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_DELETE))
            {
                // File id reused (delete followed by a new create): the new record
                // replaces the previous entry entirely.
                entriesById[fileId] = record;
                continue;
            }

            if (!accumulated.HasFlag(incoming))
            {
                // Keep the newest record but carry over every reason flag seen so far.
                // Renames get no special handling and go through this merge as well.
                Win32Api.UsnReasonCode merged = accumulated | incoming;
                entriesById[fileId] = record;
                record.Reason = (uint)merged;
            }
        }

        Logger.Append(Severity.TRIVIA, "Done reading USN journal " + journalId + " for '" + brd.SystemDrive.MountPoint);
    }

    return entriesById;
}
/// <summary>
/// Displays the outcome of a "List Folders" request: binds the folder list on success
/// or appends a red error item carrying the return code on failure.
/// </summary>
/// <param name="rtnCode">Return code reported for the folder enumeration.</param>
/// <param name="folders">Folder entries to show; bound only when the call succeeded and the list is not empty.</param>
private void FillListBoxWithFolders(NtfsUsnJournal.UsnJournalReturnCode rtnCode, List<Win32Api.UsnEntry> folders)
{
    // NOTE(review): if ElapsedTime is a TimeSpan, Milliseconds is only the 0-999
    // component, so runs longer than a second are under-reported; confirm.
    string elapsedMs = NtfsUsnJournal.ElapsedTime.Milliseconds.ToString();
    FunctionElapsedTime.Content = string.Format("'List Folders'->{0} elapsed time {1}(ms) {2} folders", "GetNtfsVolumeFolders()", elapsedMs, folders.Count);

    bool failed = rtnCode != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS;
    if (failed)
    {
        ListBoxItem errorItem = new ListBoxItem
        {
            Content = string.Format("'List Folders'->{0} returned error code: {1}", "GetNtfsVolumeFolders()", rtnCode.ToString()),
            Foreground = Brushes.Red
        };
        resultsLb.Items.Add(errorItem);
    }
    else if (folders.Count > 0)
    {
        // NOTE(review): the detail mode is set to EntryDetail.File although the list
        // holds folders; confirm this is the intended mode.
        _entryDetail = UsnEntryDetail.EntryDetail.File;
        resultsLb.ItemsSource = folders;
    }

    // Restore the default cursor on every path.
    Cursor = Cursors.Arrow;
}
/// <summary>
/// Displays the outcome of a "View Changes" request and, when entries were found,
/// asks the user whether the remembered journal state should advance to
/// <paramref name="newUsnState"/>.
/// </summary>
/// <param name="rtnCode">Return code reported for the journal read.</param>
/// <param name="usnEntries">Journal entries to show.</param>
/// <param name="newUsnState">Journal state to adopt if the user confirms the dialog.</param>
private void FillListBoxWithUsnEntries(NtfsUsnJournal.UsnJournalReturnCode rtnCode, List<Win32Api.UsnEntry> usnEntries, Win32Api.USN_JOURNAL_DATA newUsnState)
{
    // NOTE(review): if ElapsedTime is a TimeSpan, Milliseconds is only the 0-999
    // component, so runs longer than a second are under-reported; confirm.
    string elapsedMs = NtfsUsnJournal.ElapsedTime.Milliseconds.ToString();
    FunctionElapsedTime.Content = string.Format("'View Changes'->{0} elapsed time {1}(ms)", "GetUsnJournalEntries()", elapsedMs);

    if (rtnCode != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        ListBoxItem errorItem = new ListBoxItem
        {
            Content = string.Format("'View Changes'->{0} returned error code: {1}", "GetUsnJournalEntries()", rtnCode.ToString()),
            Foreground = Brushes.Red
        };
        resultsLb.Items.Add(errorItem);
    }
    else if (usnEntries.Count == 0)
    {
        ListBoxItem emptyItem = new ListBoxItem
        {
            Content = "'View Changes'-> No Journal entries found",
            Foreground = Brushes.Red
        };
        resultsLb.Items.Add(emptyItem);
    }
    else
    {
        _entryDetail = UsnEntryDetail.EntryDetail.UsnEntry;
        resultsLb.ItemsSource = usnEntries;

        // The remembered state advances only when the dialog returns true; a cancelled
        // or closed dialog leaves it where it was.
        UpdateUsnStateDialog confirmDialog = new UpdateUsnStateDialog(this) { Owner = this };
        if (confirmDialog.ShowDialog() == true)
        {
            _usnCurrentJournalState = newUsnState;
        }
    }

    // Restore the default cursor on every path.
    Cursor = Cursors.Arrow;
}
/// <summary>
/// Click handler that queries the current USN journal state, remembers it in
/// <c>_usnCurrentJournalState</c> on success and shows either the formatted state
/// or a red error item in the results list.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void SaveUsnState_Click(object sender, RoutedEventArgs e)
{
    // Reset the results view before showing the new outcome.
    _usnEntryDetail.Visibility = Visibility.Hidden;
    resultsLb.ItemsSource = null;
    resultsLb.Items.Clear();

    Win32Api.USN_JOURNAL_DATA journalState = new Win32Api.USN_JOURNAL_DATA();
    NtfsUsnJournal.UsnJournalReturnCode queryResult = _usnJournal.GetUsnJournalState(ref journalState);

    // NOTE(review): if ElapsedTime is a TimeSpan, Milliseconds is only the 0-999
    // component, so runs longer than a second are under-reported; confirm.
    string elapsedMs = NtfsUsnJournal.ElapsedTime.Milliseconds.ToString();
    FunctionElapsedTime.Content = string.Format("Save State->{0} elapsed time {1}(ms)", "GetUsnJournalState()", elapsedMs);

    ListBoxItem resultItem = new ListBoxItem();
    if (queryResult != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        // The remembered state is left untouched when the query fails.
        resultItem.Content = string.Format("Save State->{0} returned error code: {1}", "GetUsnJournalState()", queryResult.ToString());
        resultItem.Foreground = Brushes.Red;
    }
    else
    {
        _usnCurrentJournalState = journalState;
        resultItem.Foreground = Brushes.Black;
        resultItem.Content = FormatUsnJournalState(journalState);
    }

    resultsLb.Items.Add(resultItem);
}
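/// <summary>
/// Click handler that asks the journal wrapper to create a USN journal and reports
/// the return code in the results list (black on success, red on failure).
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void CreateUsnJournal_Click(object sender, RoutedEventArgs e)
{
    // Reset the results view before showing the new outcome.
    _usnEntryDetail.Visibility = Visibility.Hidden;
    resultsLb.ItemsSource = null;
    resultsLb.Items.Clear();

    // Presumably maximum journal size and allocation delta in bytes; confirm against
    // the CreateUsnJournal signature.
    NtfsUsnJournal.UsnJournalReturnCode rtn = _usnJournal.CreateUsnJournal(1000 * 1024, 16 * 1024);

    // NOTE(review): if ElapsedTime is a TimeSpan, Milliseconds is only the 0-999
    // component, so runs longer than a second are under-reported; confirm.
    FunctionElapsedTime.Content = string.Format("Create->{0} elapsed time {1}(ms)", "CreateUsnJournal()", NtfsUsnJournal.ElapsedTime.Milliseconds.ToString());

    ListBoxItem lbItem = new ListBoxItem();
    if (rtn == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        lbItem.Foreground = Brushes.Black;
        lbItem.Content = string.Format("USN Journal Successfully created, CreateUsnJournal() returned: {0}", rtn.ToString());
    }
    else
    {
        // Name the call that actually failed: the original message said
        // GetUsnJournalState(), which points anyone reading the error at the wrong API.
        lbItem.Content = string.Format("Create->{0} returned error code: {1}", "CreateUsnJournal()", rtn.ToString());
        lbItem.Foreground = Brushes.Red;
    }

    resultsLb.Items.Add(lbItem);
}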
/// <summary>
/// Click handler that queries the current USN journal state and lists either the
/// formatted state or a failure message containing the return code.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void btnQueryUsnJournal_Click(object sender, EventArgs e)
{
    // Reset the results list before showing the new outcome.
    lbResults.DataSource = null;
    lbResults.Items.Clear();

    USN_JOURNAL_DATA journalState = new USN_JOURNAL_DATA();
    NtfsUsnJournal.UsnJournalReturnCode queryResult = _usnJournal.GetUsnJournalState(ref journalState);

    // The label text is a Chinese "elapsed time" caption.
    // NOTE(review): if ElapsedTime is a TimeSpan, Milliseconds is only the 0-999
    // component, so runs longer than a second are under-reported; confirm.
    string elapsedMs = NtfsUsnJournal.ElapsedTime.Milliseconds.ToString();
    lblElapsedTime.Visible = true;
    lblElapsedTime.Text = string.Format("执行用时:{0}ms", elapsedMs);
    lblListCount.Text = string.Empty;

    bool failed = queryResult != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS;
    if (failed)
    {
        // The Chinese message reports that the call failed and gives the error code.
        lbResults.Items.Add(string.Format("{0} 执行失败!错误码: {1}。", "GetUsnJournalState()", queryResult.ToString()));
        return;
    }

    lbResults.Items.AddRange(FormatUsnJournalState(journalState));
}