Пример #1
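        /// <summary>
        /// Issues FSCTL_ENUM_USN_DATA repeatedly against <paramref name="pVolume"/> and adds one
        /// <see cref="USNRecord"/> per returned USN record to <paramref name="files"/>, keyed by FRN.
        /// </summary>
        /// <param name="volumeName">Copied into the VolumeName of every record that is added.</param>
        /// <param name="pVolume">Volume handle handed to DeviceIoControl.</param>
        /// <param name="medBuffer">
        /// Unmanaged input buffer (sized as MFT_ENUM_DATA). Its first 8 bytes are overwritten after
        /// every successful call with the first 8 bytes of the output buffer, so the next call resumes
        /// where the previous one stopped.
        /// </param>
        /// <param name="files">Destination dictionary. <c>Add</c> throws if an FRN is already present.</param>
        unsafe private static void EnumerateFiles(string volumeName, IntPtr pVolume, IntPtr medBuffer, Dictionary <ulong, USNRecord> files)
        {
            // 8-byte continuation value followed by up to 64 KiB of records.
            const int outputSize = sizeof(UInt64) + 0x10000;

            IntPtr pData = Marshal.AllocHGlobal(outputSize);
            try
            {
                PInvokeWin32.ZeroMemory(pData, outputSize);
                uint outBytesReturned = 0;

                // NOTE(review): the loop ends on ANY DeviceIoControl failure and the error code is
                // never inspected, so an access-denied or I/O error is indistinguishable from reaching
                // the end of the enumeration and yields a silently incomplete listing.
                while (PInvokeWin32.DeviceIoControl(pVolume, PInvokeWin32.FSCTL_ENUM_USN_DATA, medBuffer,
                                                    sizeof(PInvokeWin32.MFT_ENUM_DATA), pData, outputSize, out outBytesReturned,
                                                    IntPtr.Zero))
                {
                    // ToInt64 instead of ToInt32: ToInt32 throws OverflowException in a 64-bit
                    // process once the allocation lies above 2 GiB.
                    IntPtr pUsnRecord = new IntPtr(pData.ToInt64() + sizeof(Int64));

                    // outBytesReturned still includes the 8-byte prefix; 60 is presumably the fixed
                    // USN_RECORD header size - TODO confirm against the struct definition.
                    while (outBytesReturned > 60)
                    {
                        PInvokeWin32.USN_RECORD usn = new PInvokeWin32.USN_RECORD(pUsnRecord);

                        // Reject a record length that would not advance the cursor (endless loop) or
                        // that claims more bytes than remain (unsigned wrap-around of the counter and
                        // reads past the end of pData on later iterations).
                        // NOTE(review): the USN_RECORD constructor has already read from pUsnRecord
                        // at this point; bounding its file-name read has to happen inside that type.
                        uint remaining = outBytesReturned - (uint)sizeof(Int64);
                        if (usn.RecordLength == 0 || usn.RecordLength > remaining)
                        {
                            break;
                        }

                        files.Add(usn.FRN, new USNRecord
                        {
                            Name       = usn.FileName,
                            ParentFrn  = usn.ParentFRN,
                            FRN        = usn.FRN,
                            IsFolder   = usn.IsFolder,
                            VolumeName = volumeName
                        });

                        pUsnRecord        = new IntPtr(pUsnRecord.ToInt64() + usn.RecordLength);
                        outBytesReturned -= usn.RecordLength;
                    }

                    // Feed the continuation value back into the input buffer for the next call.
                    Marshal.WriteInt64(medBuffer, Marshal.ReadInt64(pData, 0));
                }
            }
            finally
            {
                // Released on every path, including when files.Add or the record parser throws.
                Marshal.FreeHGlobal(pData);
            }
        }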
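        /// <summary>
        /// Endless polling loop: reads the USN change journal of <paramref name="volume"/> with
        /// FSCTL_READ_USN_JOURNAL and passes every returned record to <c>ProcessUSN</c>.
        /// </summary>
        /// <param name="volume">Volume identifier passed to the journal helpers and to <c>ProcessUSN</c>.</param>
        /// <param name="db">Cache handed through to <c>ProcessUSN</c> unchanged.</param>
        /// <remarks>
        /// Never returns normally. NOTE(review): a failed DeviceIoControl is not reported and not
        /// throttled; if the call fails persistently this loop spins and journal changes go unseen.
        /// </remarks>
        private void MonitorThread(string volume, MFTSearcherCache db)
        {
            const int bufferSize = 0x1000;
            int usnPrefixSize = Marshal.SizeOf(typeof(Int64));

            IntPtr pbuffer = Marshal.AllocHGlobal(bufferSize);
            try
            {
                PInvokeWin32.READ_USN_JOURNAL_DATA rujd = SetupInputData4JournalRead(volume, 0xFFFFFFFF);
                UInt32 cbRead;

                while (true)
                {
                    IntPtr prujd = Marshal.AllocHGlobal(Marshal.SizeOf(rujd));
                    try
                    {
                        PInvokeWin32.ZeroMemory(prujd, Marshal.SizeOf(rujd));
                        // fDeleteOld = false: the block was just allocated and zeroed, so it holds
                        // no previous structure that would need destroying.
                        Marshal.StructureToPtr(rujd, prujd, false);

                        // NOTE(review): a handle is requested on every iteration and never released
                        // here. Unless GetVolumeJournalHandle caches it, this leaks one handle per
                        // pass - confirm and close or hoist it.
                        IntPtr pVolume = MFTSearcher.GetVolumeJournalHandle(volume);

                        bool fok = PInvokeWin32.DeviceIoControl(pVolume,
                                                                PInvokeWin32.FSCTL_READ_USN_JOURNAL,
                                                                prujd, Marshal.SizeOf(typeof(PInvokeWin32.READ_USN_JOURNAL_DATA)),
                                                                pbuffer, bufferSize, out cbRead, IntPtr.Zero);

                        // Only trust the buffer when the call succeeded and returned at least the
                        // 8-byte next-USN prefix; otherwise pbuffer holds stale or uninitialised
                        // bytes and must not be used as the next StartUsn.
                        if (fok && cbRead >= usnPrefixSize)
                        {
                            // ToInt64 instead of ToInt32: ToInt32 throws OverflowException in a
                            // 64-bit process once the allocation lies above 2 GiB.
                            long recordsBase = pbuffer.ToInt64() + usnPrefixSize;
                            uint offset      = 0;

                            while (offset + usnPrefixSize < cbRead)
                            {
                                PInvokeWin32.USN_RECORD usn = new PInvokeWin32.USN_RECORD(new IntPtr(recordsBase + offset));

                                // A zero length would never advance the cursor; stop parsing this batch.
                                if (usn.RecordLength == 0)
                                {
                                    break;
                                }

                                ProcessUSN(usn, volume, db);
                                offset += usn.RecordLength;
                            }

                            // The first 8 bytes of the output are used as the next starting USN.
                            rujd.StartUsn = Marshal.ReadInt64(pbuffer);
                        }
                    }
                    finally
                    {
                        // Released on every pass, including when ProcessUSN throws.
                        Marshal.FreeHGlobal(prujd);
                    }
                }
            }
            finally
            {
                // Only reachable through an exception, since the loop above has no exit.
                Marshal.FreeHGlobal(pbuffer);
            }
        }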
Пример #3
        /// <summary>
        /// Queries the USN journal of <paramref name="pVolume"/> and, on success, allocates an
        /// unmanaged MFT_ENUM_DATA block covering USNs from 0 up to the journal's NextUsn.
        /// </summary>
        /// <param name="medBuffer">
        /// Receives the pointer to the newly allocated block (Marshal.AllocHGlobal). It is not freed
        /// here; the caller has to release it with Marshal.FreeHGlobal.
        /// </param>
        /// <param name="pVolume">Volume handle passed to <c>QueryUSNJournal</c>.</param>
        /// <exception cref="IOException">
        /// <c>QueryUSNJournal</c> returned false; the inner Win32Exception carries the last Win32 error.
        /// </exception>
        unsafe private static void SetupMFTEnumInBuffer(ref IntPtr medBuffer, IntPtr pVolume)
        {
            uint returnedByteCount = 0;
            PInvokeWin32.USN_JOURNAL_DATA journalData = new PInvokeWin32.USN_JOURNAL_DATA();

            // Guard clause: bail out first when the journal query fails.
            if (!QueryUSNJournal(pVolume, out journalData, out returnedByteCount))
            {
                throw new IOException("DeviceIoControl() returned false", new Win32Exception(Marshal.GetLastWin32Error()));
            }

            // Enumerate from the first file reference, across the whole USN range seen so far.
            PInvokeWin32.MFT_ENUM_DATA enumData;
            enumData.StartFileReferenceNumber = 0;
            enumData.LowUsn                   = 0;
            enumData.HighUsn                  = journalData.NextUsn;

            int enumDataSize = Marshal.SizeOf(enumData);

            medBuffer = Marshal.AllocHGlobal(enumDataSize);
            PInvokeWin32.ZeroMemory(medBuffer, enumDataSize);
            Marshal.StructureToPtr(enumData, medBuffer, true);
        }
Пример #4
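        /// <summary>
        /// Sends FSCTL_CREATE_USN_JOURNAL to <paramref name="pVolume"/> with a maximum size of
        /// 0x800000 bytes (8 MiB) and an allocation delta of 0x100000 bytes (1 MiB).
        /// </summary>
        /// <param name="pVolume">Volume handle passed to DeviceIoControl.</param>
        /// <exception cref="IOException">
        /// DeviceIoControl returned false; the inner Win32Exception carries the last Win32 error.
        /// </exception>
        unsafe private static void EnableVomuleJournal(IntPtr pVolume)
        {
            const UInt64 maximumSize     = 0x800000;
            const UInt64 allocationDelta = 0x100000;
            UInt32 cb;

            PInvokeWin32.CREATE_USN_JOURNAL_DATA cujd;
            cujd.MaximumSize     = maximumSize;
            cujd.AllocationDelta = allocationDelta;

            int    sizeCujd   = Marshal.SizeOf(cujd);
            IntPtr cujdBuffer = Marshal.AllocHGlobal(sizeCujd);
            try
            {
                PInvokeWin32.ZeroMemory(cujdBuffer, sizeCujd);
                // fDeleteOld = false: the block was just allocated and zeroed, so it holds no
                // previous structure that would need destroying.
                Marshal.StructureToPtr(cujd, cujdBuffer, false);

                bool fOk = PInvokeWin32.DeviceIoControl(pVolume, PInvokeWin32.FSCTL_CREATE_USN_JOURNAL,
                                                        cujdBuffer, sizeCujd, IntPtr.Zero, 0, out cb, IntPtr.Zero);

                if (!fOk)
                {
                    // The exception, and with it the last-error value, is built before the finally
                    // block runs, so freeing the buffer cannot disturb the reported code.
                    throw new IOException("DeviceIoControl() returned false", new Win32Exception(Marshal.GetLastWin32Error()));
                }
            }
            finally
            {
                // The input buffer was never released before; free it on success and on failure.
                Marshal.FreeHGlobal(cujdBuffer);
            }
        }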