/// <summary>
/// Publishes the outcome of a folder enumeration: updates the elapsed-time
/// label, then either binds the folder list to the results list box or adds
/// a red error item carrying the return code.
/// </summary>
/// <param name="rtnCode">Return code reported by the folder enumeration.</param>
/// <param name="folders">Folder entries to display.</param>
private void FillListBoxWithFolders(NtfsUsnJournal.UsnJournalReturnCode rtnCode, List<Win32Api.UsnEntry> folders)
{
    // NOTE(review): folders.Count is read before rtnCode is inspected; confirm
    // the enumeration never hands back a null list on failure.
    string status = string.Format(
        CultureInfo.InvariantCulture,
        "Duration: {0} (ms) Folders: {1}",
        NtfsUsnJournal.ElapsedTime.TotalMilliseconds,
        folders.Count);
    FunctionElapsedTime.Content = status;

    bool succeeded = rtnCode == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS;
    if (!succeeded)
    {
        var errorItem = new ListBoxItem();
        errorItem.Content = string.Format(
            CultureInfo.InvariantCulture,
            "'List Folders'->{0} returned error code: {1}",
            "GetNtfsVolumeFolders",
            rtnCode);
        errorItem.Foreground = Brushes.Red;
        resultsLb.Items.Add(errorItem);
    }
    else if (folders.Count > 0)
    {
        // The detail mode is set to File even though the entries are folders.
        _entryDetail = UsnEntryDetail.EntryDetail.File;
        resultsLb.ItemsSource = folders;
    }

    // Restore the normal cursor once the result has been shown.
    Cursor = Cursors.Arrow;
}
/// <summary>
/// Thread entry point for "List Folders": asks the journal wrapper for the
/// volume's folders and passes the result to FillListBoxWithFolders through
/// the Dispatcher.
/// </summary>
/// <param name="fileFilterObj">Not read by this method.</param>
private void ListFoldersThreadStart(object fileFilterObj)
{
    List<Win32Api.UsnEntry> volumeFolders;
    NtfsUsnJournal.UsnJournalReturnCode status = _usnJournal.GetNtfsVolumeFolders(out volumeFolders);

    // The list box is updated by FillListBoxWithFolders, invoked via the Dispatcher.
    FillListBoxWithFoldersDelegate showFolders = new FillListBoxWithFoldersDelegate(FillListBoxWithFolders);
    Dispatcher.Invoke(showFolders, status, volumeFolders);
}
/// <summary>
/// Thread entry point for "View Changes": queries the journal for entries
/// recorded since the saved journal state and passes them, together with
/// the new state, to FillListBoxWithUsnEntries through the Dispatcher.
/// </summary>
private void ViewChangesThreadStart()
{
    // The reason mask is assembled in three groups purely for readability;
    // the combined value is the OR of every flag listed below.
    uint dataReasons =
        Win32Api.USN_REASON_DATA_OVERWRITE
        | Win32Api.USN_REASON_DATA_EXTEND
        | Win32Api.USN_REASON_NAMED_DATA_OVERWRITE
        | Win32Api.USN_REASON_NAMED_DATA_TRUNCATION;

    uint lifecycleReasons =
        Win32Api.USN_REASON_FILE_CREATE
        | Win32Api.USN_REASON_FILE_DELETE
        | Win32Api.USN_REASON_RENAME_OLD_NAME
        | Win32Api.USN_REASON_RENAME_NEW_NAME
        | Win32Api.USN_REASON_HARD_LINK_CHANGE
        | Win32Api.USN_REASON_CLOSE;

    uint metadataReasons =
        Win32Api.USN_REASON_EA_CHANGE
        | Win32Api.USN_REASON_SECURITY_CHANGE
        | Win32Api.USN_REASON_INDEXABLE_CHANGE
        | Win32Api.USN_REASON_BASIC_INFO_CHANGE
        | Win32Api.USN_REASON_COMPRESSION_CHANGE
        | Win32Api.USN_REASON_ENCRYPTION_CHANGE
        | Win32Api.USN_REASON_OBJECT_ID_CHANGE
        | Win32Api.USN_REASON_REPARSE_POINT_CHANGE
        | Win32Api.USN_REASON_STREAM_CHANGE;

    uint reasonMask = dataReasons | lifecycleReasons | metadataReasons;

    List<Win32Api.UsnEntry> changes;
    Win32Api.USN_JOURNAL_DATA stateAfterRead;
    NtfsUsnJournal.UsnJournalReturnCode status = _usnJournal.GetUsnJournalEntries(
        _usnCurrentJournalState,
        reasonMask,
        out changes,
        out stateAfterRead);

    Dispatcher.Invoke(new FillListBoxDelegate(FillListBoxWithUsnEntries), status, changes, stateAfterRead);
}
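/// <summary>
/// Click handler for "Save State": reads the current USN journal state,
/// remembers it as the baseline for later change queries, and shows either
/// the formatted state or a red error item.
/// </summary>
/// <param name="sender">Event source (not used).</param>
/// <param name="e">Event data (not used).</param>
private void SaveUsnState_Click(object sender, RoutedEventArgs e)
{
    // Reset the detail popup and the results list before showing new output.
    _usnEntryDetail.Visibility = Visibility.Hidden;
    resultsLb.ItemsSource = null;
    resultsLb.Items.Clear();

    Win32Api.USN_JOURNAL_DATA journalState = new Win32Api.USN_JOURNAL_DATA();
    NtfsUsnJournal.UsnJournalReturnCode rtn = _usnJournal.GetUsnJournalState(ref journalState);

    // Fix: Milliseconds is only the 0-999 component of the elapsed time
    // (assuming ElapsedTime is a TimeSpan), so anything over a second was
    // under-reported. TotalMilliseconds gives the whole duration.
    long elapsedMs = (long)NtfsUsnJournal.ElapsedTime.TotalMilliseconds;
    FunctionElapsedTime.Content = string.Format("Save State->{0} elapsed time {1}(ms)", "GetUsnJournalState()", elapsedMs);

    ListBoxItem lbItem = new ListBoxItem();
    if (rtn == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        // Only a successfully read state replaces the saved baseline.
        _usnCurrentJournalState = journalState;
        lbItem.Foreground = Brushes.Black;
        lbItem.Content = FormatUsnJournalState(journalState);
    }
    else
    {
        lbItem.Content = string.Format("Save State->{0} returned error code: {1}", "GetUsnJournalState()", rtn.ToString());
        lbItem.Foreground = Brushes.Red;
    }

    resultsLb.Items.Add(lbItem);
}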
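/// <summary>
/// Click handler for "Create": asks the journal wrapper to create a USN
/// journal on the volume and reports success or the error code in the
/// results list.
/// </summary>
/// <param name="sender">Event source (not used).</param>
/// <param name="e">Event data (not used).</param>
private void CreateUsnJournal_Click(object sender, RoutedEventArgs e)
{
    // Reset the detail popup and the results list before showing new output.
    _usnEntryDetail.Visibility = Visibility.Hidden;
    resultsLb.ItemsSource = null;
    resultsLb.Items.Clear();

    // NOTE(review): the two arguments are presumably the maximum size and the
    // allocation delta in bytes. A journal capped near 1 MB wraps quickly,
    // which shortens how far back changes can be reconstructed; confirm the
    // size suits the intended monitoring window.
    NtfsUsnJournal.UsnJournalReturnCode rtn = _usnJournal.CreateUsnJournal(1000 * 1024, 16 * 1024);

    // Fix: Milliseconds is only the 0-999 component of the elapsed time
    // (assuming ElapsedTime is a TimeSpan); TotalMilliseconds is the duration.
    long elapsedMs = (long)NtfsUsnJournal.ElapsedTime.TotalMilliseconds;
    FunctionElapsedTime.Content = string.Format("Create->{0} elapsed time {1}(ms)", "CreateUsnJournal()", elapsedMs);

    ListBoxItem lbItem = new ListBoxItem();
    if (rtn == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        lbItem.Foreground = Brushes.Black;
        lbItem.Content = string.Format("USN Journal Successfully created, CreateUsnJournal() returned: {0}", rtn.ToString());
    }
    else
    {
        // Fix: the error text named GetUsnJournalState(), which is not the
        // call that failed here.
        lbItem.Content = string.Format("Create->{0} returned error code: {1}", "CreateUsnJournal()", rtn.ToString());
        lbItem.Foreground = Brushes.Red;
    }

    resultsLb.Items.Add(lbItem);
}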
/// <summary>
/// Thread entry point for "List Files": looks up the files matching the
/// given filter and passes the result to FillListBoxWithFiles through the
/// Dispatcher.
/// </summary>
/// <param name="fileFilterObj">The filter, boxed as object; cast to string here.</param>
private void ListFilesThreadStart(object fileFilterObj)
{
    // A direct cast: anything other than a string (or null) throws InvalidCastException.
    string filter = (string)fileFilterObj;

    List<Win32Api.UsnEntry> matches;
    NtfsUsnJournal.UsnJournalReturnCode status = _usnJournal.GetFilesMatchingFilter(filter, out matches);

    FillListBoxWithFilesDelagate showFiles = new FillListBoxWithFilesDelagate(FillListBoxWithFiles);
    Dispatcher.Invoke(showFiles, status, matches);
}
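/// <summary>
/// Positions the detail window and fills its labels with the name, parent
/// path, reference numbers and (for files found on disk) size and
/// timestamps of the given USN entry, then makes the window visible.
/// </summary>
/// <param name="top">New Top coordinate of the window.</param>
/// <param name="left">New Left coordinate of the window.</param>
/// <param name="usnEntry">The journal entry to describe.</param>
/// <param name="entryDetail">
/// When equal to EntryDetail.UsnEntry, record length, USN and reason data are included.
/// </param>
public void ChangeDisplay(double top, double left, Win32Api.UsnEntry usnEntry, UsnEntryDetail.EntryDetail entryDetail)
{
    Top = top;
    Left = left;

    MainWindow mainWin = (MainWindow)Application.Current.MainWindow;
    NtfsUsnJournal usnJournal = mainWin.Journal;

    // Name label: left empty when the entry is neither a folder nor a file.
    StringBuilder sb = new StringBuilder();
    if (usnEntry.IsFolder)
    {
        sb.AppendFormat("Directory: {0}", usnEntry.Name);
    }
    else if (usnEntry.IsFile)
    {
        sb.AppendFormat("File: {0}", usnEntry.Name);
    }

    _nameLbl.Content = sb.ToString();

    // Path label. The literal "Unavailable" is treated as "no path"; it is a
    // fixed token, so it is compared ordinally rather than with culture rules.
    string path;
    NtfsUsnJournal.UsnJournalReturnCode usnRtnCode = usnJournal.GetPathFromFileReference(usnEntry.ParentFileReferenceNumber, out path);
    bool pathResolved =
        usnRtnCode == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS
        && !string.Equals(path, "Unavailable", System.StringComparison.OrdinalIgnoreCase);

    sb = new StringBuilder();
    if (pathResolved)
    {
        sb.AppendFormat(" Path: {0}{1}\\", usnJournal.VolumeName.TrimEnd('\\'), path);
    }
    else
    {
        sb.AppendFormat(" Path: {0}", path);
    }

    _pathLbl.Content = sb.ToString();

    // Detail label.
    sb = new StringBuilder();
    sb.AppendFormat(" File Ref No: {0}", usnEntry.FileReferenceNumber);
    sb.AppendFormat("\n Parent FRN {0}", usnEntry.ParentFileReferenceNumber);
    if (entryDetail == EntryDetail.UsnEntry)
    {
        sb.AppendFormat("\n Length: {0}", usnEntry.RecordLength);
        sb.AppendFormat("\n USN: {0}", usnEntry.USN);
        AddReasonData(sb, usnEntry);
    }

    // Fix: only probe the file system when the parent path was resolved.
    // Previously an unresolved path (possibly null, or the "Unavailable"
    // token) was still fed to Path.Combine and File.Exists.
    if (usnEntry.IsFile && pathResolved)
    {
        // NOTE(review): the path label prepends VolumeName but this lookup
        // does not, so the path looks volume-relative and would resolve
        // against the process's current drive. Confirm the metadata shown
        // belongs to the journal's volume.
        string fullPath = System.IO.Path.Combine(path, usnEntry.Name);
        if (File.Exists(fullPath))
        {
            // Journal entries often describe short-lived files; the file can
            // disappear or be unreadable between the Exists check and the
            // reads below, so collect the text separately and report failure
            // instead of throwing out of the UI handler.
            StringBuilder fileInfoText = new StringBuilder();
            try
            {
                FileInfo fi = new FileInfo(fullPath);
                fileInfoText.AppendFormat("\n File Length: {0} (bytes)", fi.Length);
                fileInfoText.AppendFormat("\n Creation Time: {0} - {1}", fi.CreationTime.ToShortDateString(), fi.CreationTime.ToShortTimeString());
                fileInfoText.AppendFormat("\n Last Modify: {0} - {1}", fi.LastWriteTime.ToShortDateString(), fi.LastWriteTime.ToShortTimeString());
                fileInfoText.AppendFormat("\n Last Access: {0} - {1}", fi.LastAccessTime.ToShortDateString(), fi.LastAccessTime.ToShortTimeString());
                sb.Append(fileInfoText);
            }
            catch (System.IO.IOException ioError)
            {
                sb.AppendFormat("\n File details unavailable: {0}", ioError.Message);
            }
            catch (System.UnauthorizedAccessException accessError)
            {
                sb.AppendFormat("\n File details unavailable: {0}", accessError.Message);
            }
        }
    }

    _entryDetailLbl.Content = sb.ToString();
    Visibility = Visibility.Visible;
}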
/// <summary>
/// Publishes the outcome of a "View Changes" query: updates the elapsed-time
/// label, binds the entries to the results list box, and asks the user
/// whether the saved journal state should advance to the new state.
/// </summary>
/// <param name="rtnCode">Return code reported by the journal query.</param>
/// <param name="usnEntries">Entries returned by the query.</param>
/// <param name="newUsnState">Journal state to adopt if the user confirms.</param>
private void FillListBoxWithUsnEntries(NtfsUsnJournal.UsnJournalReturnCode rtnCode, List<Win32Api.UsnEntry> usnEntries, Win32Api.USN_JOURNAL_DATA_V0 newUsnState)
{
    FunctionElapsedTime.Content = string.Format(
        CultureInfo.InvariantCulture,
        "'View Changes'->{0} duration: {1} (ms)",
        "GetUsnJournalEntries",
        NtfsUsnJournal.ElapsedTime.TotalMilliseconds);

    if (rtnCode != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        var failureItem = new ListBoxItem();
        failureItem.Content = string.Format(
            CultureInfo.InvariantCulture,
            "'View Changes'->{0} returned error code: {1}",
            "GetUsnJournalEntries",
            rtnCode);
        failureItem.Foreground = Brushes.Red;
        resultsLb.Items.Add(failureItem);
    }
    else if (usnEntries.Count == 0)
    {
        var emptyItem = new ListBoxItem();
        emptyItem.Content = "\'View Changes\'-> No Journal entries found";
        emptyItem.Foreground = Brushes.Red;
        resultsLb.Items.Add(emptyItem);
    }
    else
    {
        _entryDetail = UsnEntryDetail.EntryDetail.UsnEntry;
        resultsLb.ItemsSource = usnEntries;

        // The saved state only advances when the dialog returns true; a
        // cancelled or closed dialog keeps the previous baseline.
        var confirmDialog = new UpdateUsnStateDialog(this);
        confirmDialog.Owner = this;
        bool? accepted = confirmDialog.ShowDialog();
        if (accepted.HasValue && accepted.Value)
        {
            _usnCurrentJournalState = newUsnState;
        }
    }

    Cursor = Cursors.Arrow;
}
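/// <summary>
/// Reads the current USN journal state of the given drive.
/// </summary>
/// <param name="DriveLetter">Drive identifier passed to the NtfsUsnJournal constructor.</param>
/// <returns>The journal state reported by GetUsnJournalState.</returns>
/// <exception cref="UsnJournalException">
/// Thrown with the return code when the state query does not report success.
/// </exception>
public static Win32Api.USN_JOURNAL_DATA GetCurrentUSNJournalData(string DriveLetter)
{
    // Fix: the journal wrapper was created and then abandoned. Disposing it
    // releases whatever native resources it holds for the volume promptly
    // instead of leaving them to the finalizer (assumes NtfsUsnJournal
    // implements IDisposable).
    using (NtfsUsnJournal journal = new NtfsUsnJournal(DriveLetter))
    {
        Win32Api.USN_JOURNAL_DATA journalState = new Win32Api.USN_JOURNAL_DATA();
        NtfsUsnJournal.UsnJournalReturnCode rtn = journal.GetUsnJournalState(ref journalState);
        if (rtn != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
        {
            throw new UsnJournalException(rtn);
        }

        return journalState;
    }
}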
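/// <summary>
/// Refreshes the list box and the other search-result controls, routing
/// each control update through Invoke.
/// </summary>
/// <param name="rtnCode">Return code of the search.</param>
/// <param name="entryList">Entries to display.</param>
private void FreshSearchResultsInvoke(NtfsUsnJournal.UsnJournalReturnCode rtnCode, List<UsnEntry> entryList)
{
    // Restore the default cursor; the delegate's argument is not used.
    this.Invoke(new TransAnythingDelegate((o) => { Cursor = Cursors.Default; }), new object());

    if (rtnCode != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        lblListCount.Invoke(new TransUsnJournalReturnCodeDelegate((code) =>
        {
            lblListCount.Visible = true;
            lblListCount.Text = string.Format("查找出现错误,错误码:{0}.", code.ToString());
        }), rtnCode);
        return;
    }

    // An empty result leaves the controls as they were.
    if (entryList.Count > 0)
    {
        // Only the entry names are bound to the list box.
        lbResults.Invoke(new TransUsnEntryDelegate((list) =>
        {
            var names = list.Select(ent => ent.Name);
            lbResults.DataSource = names.ToList();
        }), entryList);

        lblListCount.Invoke(new TransUsnEntryDelegate((list) =>
        {
            lblListCount.Visible = true;
            lblListCount.Text = string.Format("找到{0}条记录", list.Count);
        }), entryList);

        // Fix: Milliseconds is only the 0-999 component of the elapsed time
        // (assuming ElapsedTime is a TimeSpan); TotalMilliseconds is the
        // whole duration.
        string elapsedTime = ((long)NtfsUsnJournal.ElapsedTime.TotalMilliseconds).ToString();
        lblElapsedTime.Invoke(new TransAnythingDelegate((time) =>
        {
            lblElapsedTime.Visible = true;
            lblElapsedTime.Text = string.Format("执行用时:{0}ms", time);
        }), elapsedTime);
    }
}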
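/// <summary>
/// Publishes the outcome of a folder enumeration: updates the elapsed-time
/// label, then either binds the folder list to the results list box or adds
/// a red error item carrying the return code.
/// </summary>
/// <param name="rtnCode">Return code reported by the folder enumeration.</param>
/// <param name="folders">Folder entries to display.</param>
private void FillListBoxWithFolders(NtfsUsnJournal.UsnJournalReturnCode rtnCode, List<Win32Api.UsnEntry> folders)
{
    // Fix: Milliseconds is only the 0-999 component of the elapsed time
    // (assuming ElapsedTime is a TimeSpan), so a scan longer than a second
    // was under-reported. TotalMilliseconds is the whole duration.
    // NOTE(review): folders.Count is read before rtnCode is inspected; confirm
    // the enumeration never hands back a null list on failure.
    long elapsedMs = (long)NtfsUsnJournal.ElapsedTime.TotalMilliseconds;
    FunctionElapsedTime.Content = string.Format(
        "'List Folders'->{0} elapsed time {1}(ms) {2} folders",
        "GetNtfsVolumeFolders()",
        elapsedMs.ToString(),
        folders.Count);

    if (rtnCode == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        if (folders.Count > 0)
        {
            // The detail mode is set to File even though the entries are folders.
            _entryDetail = UsnEntryDetail.EntryDetail.File;
            resultsLb.ItemsSource = folders;
        }
    }
    else
    {
        ListBoxItem lbItem = new ListBoxItem();
        lbItem.Content = string.Format("'List Folders'->{0} returned error code: {1}", "GetNtfsVolumeFolders()", rtnCode.ToString());
        lbItem.Foreground = Brushes.Red;
        resultsLb.Items.Add(lbItem);
    }

    Cursor = Cursors.Arrow;
}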
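/// <summary>
/// Click handler for the "query journal" button: reads the current USN
/// journal state and lists its formatted fields, or an error line carrying
/// the return code.
/// </summary>
/// <param name="sender">Event source (not used).</param>
/// <param name="e">Event data (not used).</param>
private void btnQueryUsnJournal_Click(object sender, EventArgs e)
{
    // Detach any bound data source before clearing and refilling the list.
    lbResults.DataSource = null;
    lbResults.Items.Clear();

    USN_JOURNAL_DATA journalState = new USN_JOURNAL_DATA();
    NtfsUsnJournal.UsnJournalReturnCode rtn = _usnJournal.GetUsnJournalState(ref journalState);

    // Fix: Milliseconds is only the 0-999 component of the elapsed time
    // (assuming ElapsedTime is a TimeSpan); TotalMilliseconds is the whole
    // duration.
    long elapsedMs = (long)NtfsUsnJournal.ElapsedTime.TotalMilliseconds;
    lblElapsedTime.Visible = true;
    lblElapsedTime.Text = string.Format("执行用时:{0}ms", elapsedMs.ToString());
    lblListCount.Text = string.Empty;

    if (rtn == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        lbResults.Items.AddRange(FormatUsnJournalState(journalState));
    }
    else
    {
        lbResults.Items.Add(string.Format("{0} 执行失败!错误码: {1}。", "GetUsnJournalState()", rtn.ToString()));
    }
}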
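/// <summary>
/// Publishes the outcome of a "View Changes" query: updates the elapsed-time
/// label, binds the entries to the results list box, and asks the user
/// whether the saved journal state should advance to the new state.
/// </summary>
/// <param name="rtnCode">Return code reported by the journal query.</param>
/// <param name="usnEntries">Entries returned by the query.</param>
/// <param name="newUsnState">Journal state to adopt if the user confirms.</param>
private void FillListBoxWithUsnEntries(NtfsUsnJournal.UsnJournalReturnCode rtnCode, List<Win32Api.UsnEntry> usnEntries, Win32Api.USN_JOURNAL_DATA newUsnState)
{
    // Fix: Milliseconds is only the 0-999 component of the elapsed time
    // (assuming ElapsedTime is a TimeSpan); TotalMilliseconds is the whole
    // duration.
    long elapsedMs = (long)NtfsUsnJournal.ElapsedTime.TotalMilliseconds;
    FunctionElapsedTime.Content = string.Format("'View Changes'->{0} elapsed time {1}(ms)", "GetUsnJournalEntries()", elapsedMs.ToString());

    if (rtnCode == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        if (usnEntries.Count > 0)
        {
            _entryDetail = UsnEntryDetail.EntryDetail.UsnEntry;
            resultsLb.ItemsSource = usnEntries;

            // The saved state only advances when the dialog returns true; a
            // cancelled or closed dialog keeps the previous baseline.
            UpdateUsnStateDialog updateUsnStateDlg = new UpdateUsnStateDialog(this);
            updateUsnStateDlg.Owner = this;
            bool? bRtn = updateUsnStateDlg.ShowDialog();
            if (bRtn != null && bRtn.Value)
            {
                _usnCurrentJournalState = newUsnState;
            }
        }
        else
        {
            ListBoxItem lbItem = new ListBoxItem();
            lbItem.Content = "'View Changes'-> No Journal entries found";
            lbItem.Foreground = Brushes.Red;
            resultsLb.Items.Add(lbItem);
        }
    }
    else
    {
        ListBoxItem lbItem = new ListBoxItem();
        lbItem.Content = string.Format("'View Changes'->{0} returned error code: {1}", "GetUsnJournalEntries()", rtnCode.ToString());
        lbItem.Foreground = Brushes.Red;
        resultsLb.Items.Add(lbItem);
    }

    Cursor = Cursors.Arrow;
}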
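/// <summary>
/// Double-click handler for the results list: when the selected item is a
/// USN entry for a file whose parent path can be resolved and which exists
/// on disk, opens that file with Process.Start.
/// </summary>
/// <param name="sender">Expected to be the results ListBox.</param>
/// <param name="e">Mouse event data (not used).</param>
private void resultsLb_MouseDoubleClick(object sender, MouseButtonEventArgs e)
{
    // Fix: 'as' yields null for any other sender; guard before dereferencing.
    ListBox lb = sender as ListBox;
    if (lb == null || lb.SelectedItem == null)
    {
        return;
    }

    // Plain ListBoxItem rows (status and error lines) are ignored.
    if (lb.SelectedItem.GetType() != typeof(Win32Api.UsnEntry))
    {
        return;
    }

    Win32Api.UsnEntry usnEntry = (Win32Api.UsnEntry)lb.SelectedItem;

    string path;
    NtfsUsnJournal.UsnJournalReturnCode usnRtnCode = _usnJournal.GetPathFromFileReference(usnEntry.ParentFileReferenceNumber, out path);

    // "Unavailable" is a fixed token, so compare it ordinally rather than
    // with culture-sensitive rules.
    bool pathResolved =
        usnRtnCode == NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS
        && !string.Equals(path, "Unavailable", StringComparison.OrdinalIgnoreCase);
    if (!pathResolved || !usnEntry.IsFile)
    {
        return;
    }

    // NOTE(review): the path is combined without a volume prefix, so it would
    // resolve against the process's current drive. Confirm that is the
    // journal's volume, otherwise a different file of the same path may be
    // the one that gets opened.
    string fullPath = System.IO.Path.Combine(path, usnEntry.Name);
    if (!File.Exists(fullPath))
    {
        MessageBox.Show(string.Format("File '{0}' not found", fullPath));
        return;
    }

    try
    {
        // NOTE(review): Process.Start on a bare path launches whatever the
        // file is (programs and scripts included) under this process's
        // privileges. Raw volume access usually requires an elevated
        // process, so a double-click here may start arbitrary on-disk
        // content elevated; consider restricting this to revealing the file
        // or asking for confirmation.
        Process.Start(fullPath);
    }
    catch (Exception excptn)
    {
        MessageBox.Show(excptn.Message);
    }
}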
/// <summary>
/// Creates the exception and records the journal return code that caused it.
/// </summary>
/// <param name="rtn">Return code to expose through ReturnCode.</param>
public UsnJournalException(NtfsUsnJournal.UsnJournalReturnCode rtn)
{
    // No message is passed to the base class; the code is the only detail carried.
    this.ReturnCode = rtn;
}
/// <summary>
/// Reads the USN journal entries recorded after the previous transaction id
/// and collapses them into one entry per file id, merging reason flags when
/// a file appears more than once.
/// </summary>
/// <returns>Changed entries keyed by the file reference number cast to int.</returns>
/// <exception cref="Exception">
/// Thrown with the return code as its message when the journal read fails.
/// </exception>
private Dictionary<int, Win32Api.UsnEntry> GetUsnRecordsDictionary()
{
    // NOTE(review): privileges are granted here and nothing in this method
    // gives them back; confirm PrivilegesManager's lifetime is handled by the
    // caller so the process does not keep them longer than the read needs.
    PrivilegesManager privileges = new PrivilegesManager();
    privileges.Grant();

    Dictionary<int, Win32Api.UsnEntry> byFileId = new Dictionary<int, Win32Api.UsnEntry>();

    using (usnJ = new NtfsUsnJournal(brd))
    {
        Logger.Append(Severity.DEBUG, "Reading USN journal " + journalId + " for '" + brd.SystemDrive.MountPoint + "' from seq " + prevTransactionId + " to seq " + transactionId + " (changed entries from " + Utilities.Utils.GetLocalDateTimeFromUnixTime(refTimeStamp).ToString() + " to " + Utilities.Utils.GetLocalDateTimeFromUnixTime(brd.Snapshot.TimeStamp).ToLocalTime().ToString() + ")");

        // The read starts from our own saved position, not the journal's.
        Win32Api.USN_JOURNAL_DATA startState = new Win32Api.USN_JOURNAL_DATA();
        startState.UsnJournalID = journalId;
        startState.NextUsn = prevTransactionId;

        // Filled by the calls below but otherwise unused: this class keeps its own state.
        Win32Api.USN_JOURNAL_DATA liveState = new Win32Api.USN_JOURNAL_DATA();
        List<Win32Api.UsnEntry> changed = new List<Win32Api.UsnEntry>();
        usnJ.GetUsnJournalState(ref liveState);

        // 0xFFFFFFFF selects every reason bit.
        NtfsUsnJournal.UsnJournalReturnCode readStatus = usnJ.GetUsnJournalEntries(startState, refTimeStamp, 0xFFFFFFFF, out changed, out liveState);
        if (readStatus != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
        {
            throw new Exception(readStatus.ToString());
        }

        foreach (Win32Api.UsnEntry ue in changed)
        {
            if (ue == null || ue.Reason <= 0)
            {
                continue;
            }

            // NOTE(review): the file reference number is narrowed to int for
            // use as the key. If it is wider than 32 bits, distinct files can
            // share a key and have their changes merged into one entry;
            // confirm this cannot hide a changed file from the backup.
            int entryId = (int)(ue.FileReferenceNumber);

            Win32Api.UsnEntry known;
            if (!byFileId.TryGetValue(entryId, out known))
            {
                byFileId[entryId] = ue;
                continue;
            }

            Win32Api.UsnReasonCode incoming = (Win32Api.UsnReasonCode)ue.Reason;
            Win32Api.UsnReasonCode recorded = (Win32Api.UsnReasonCode)known.Reason;

            bool deletedAfterCreate =
                incoming.HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_DELETE)
                && recorded.HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_CREATE);
            bool createdAfterDelete =
                incoming.HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_CREATE)
                && recorded.HasFlag(Win32Api.UsnReasonCode.USN_REASON_FILE_DELETE);

            if (deletedAfterCreate)
            {
                // Short-lived item (created and deleted between two backups):
                // the delete record is skipped.
                // NOTE(review): the earlier create entry stays in the
                // dictionary; confirm that is the intended way to "ignore" it.
                Console.WriteLine("*** item " + ue.Name + " CREATED+DELETED");
                continue;
            }

            if (createdAfterDelete)
            {
                // File id reused (delete followed by a new create): replace the old entry.
                byFileId[entryId] = ue;
            }
            else if (!recorded.HasFlag(incoming))
            {
                // Keep the newest record but carry over every reason seen so far.
                Win32Api.UsnReasonCode merged = recorded | incoming;
                byFileId[entryId] = ue;
                ue.Reason = (uint)merged;
            }

            // A disabled experiment that kept only the last rename operation
            // used to sit here.
        }

        Logger.Append(Severity.TRIVIA, "Done reading USN journal " + journalId + " for '" + brd.SystemDrive.MountPoint);
    }

    return byFileId;
}
/// <summary>
/// Runs a full journal scan of the selected volume in five phases: open the
/// journal, read its current state, query the entries, resolve identifiers
/// and add the entries. Progress is reported through OnEntryAmountUpdate
/// (true per completed phase, false on the first failure) and completion
/// through OnWorkEnded.
/// </summary>
public void BeginScan()
{
    // Start from a clean slate.
    parentFileReferenceIdentifiers.Clear();
    USNEntries.Clear();
    USNDirectories.Clear();
    usnCurrentJournalState = new Win32Api.USN_JOURNAL_DATA();

    // Phase 1: open the journal for the selected volume.
    // NOTE(review): every failure is reported only as a 'false' progress
    // update, so the reason (for example missing privileges) is lost; the
    // previous usnJournal instance is also overwritten without being
    // released here.
    try
    {
        usnJournal = new NtfsUsnJournal(selectedVolume);
        OnEntryAmountUpdate(true);
    }
    catch (Exception)
    {
        OnEntryAmountUpdate(false);
        return;
    }

    // Phase 2: capture the current journal state.
    Win32Api.USN_JOURNAL_DATA journalState = new Win32Api.USN_JOURNAL_DATA();
    NtfsUsnJournal.UsnJournalReturnCode stateStatus = usnJournal.GetUsnJournalState(ref journalState);
    if (stateStatus != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        OnEntryAmountUpdate(false);
        return;
    }

    usnCurrentJournalState = journalState;
    OnEntryAmountUpdate(true);

    // Phase 3: query the entries. The mask is assembled in three groups
    // purely for readability; the combined value is the OR of every flag.
    uint dataReasons =
        Win32Api.USN_REASON_DATA_OVERWRITE
        | Win32Api.USN_REASON_DATA_EXTEND
        | Win32Api.USN_REASON_NAMED_DATA_OVERWRITE
        | Win32Api.USN_REASON_NAMED_DATA_TRUNCATION;

    uint lifecycleReasons =
        Win32Api.USN_REASON_FILE_CREATE
        | Win32Api.USN_REASON_FILE_DELETE
        | Win32Api.USN_REASON_RENAME_OLD_NAME
        | Win32Api.USN_REASON_RENAME_NEW_NAME
        | Win32Api.USN_REASON_HARD_LINK_CHANGE
        | Win32Api.USN_REASON_CLOSE;

    uint metadataReasons =
        Win32Api.USN_REASON_EA_CHANGE
        | Win32Api.USN_REASON_SECURITY_CHANGE
        | Win32Api.USN_REASON_INDEXABLE_CHANGE
        | Win32Api.USN_REASON_BASIC_INFO_CHANGE
        | Win32Api.USN_REASON_COMPRESSION_CHANGE
        | Win32Api.USN_REASON_ENCRYPTION_CHANGE
        | Win32Api.USN_REASON_OBJECT_ID_CHANGE
        | Win32Api.USN_REASON_REPARSE_POINT_CHANGE
        | Win32Api.USN_REASON_STREAM_CHANGE;

    uint reasonMask = dataReasons | lifecycleReasons | metadataReasons;

    // Remember where the journal begins before the state is overwritten by the query.
    OldestUSN = usnCurrentJournalState.FirstUsn;

    NtfsUsnJournal.UsnJournalReturnCode queryStatus = usnJournal.GetUsnJournalEntries(usnCurrentJournalState, reasonMask, out List<Win32Api.UsnEntry> usnEntries, out usnCurrentJournalState);
    if (queryStatus != NtfsUsnJournal.UsnJournalReturnCode.USN_JOURNAL_SUCCESS)
    {
        OnEntryAmountUpdate(false);
        return;
    }

    OnEntryAmountUpdate(true);

    // Phase 4: resolve identifiers.
    ResolveIdentifiers(usnEntries);
    OnEntryAmountUpdate(true);

    // Phase 5: add the entries and signal completion.
    AddEntries(usnEntries);
    OnEntryAmountUpdate(true);
    OnWorkEnded();
}