Tip of the Day: Reading the USN Journal

Today’s Tip…

While FSUTIL has been able to provide users with the ability to query and control the USN journal (the change journal for NTFS) for some time now, Windows 8.1/Server 2012 R2 added the ability to read the data within the journal.

fsutil usn readjournal x:

After creating a file named MyFile.txt and putting some text in it, I ran “fsutil usn readjournal c: > c:\tools\USN.txt”.

I was able to see in the journal where the file was created, renamed to MyFile.txt, and extended when I added data to it.

NOTE: I’m only showing the related USN entries. I’ve filtered out anything else in order to simplify and shorten the example.

 

Usn               : 6446415632
File name         : New Text Document.txt
File name length  : 42
Reason            : 0x00000100: File create
Time stamp        : 7/3/2014 13:02:53
File attributes   : 0x00000020: Archive
File ID           : 0000000000000000002e00000001ed0b
Parent file ID    : 000000000000000001f400000000153c
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 120

Usn               : 6446415736
File name         : New Text Document.txt
File name length  : 42
Reason            : 0x80000100: File create | Close
Time stamp        : 7/3/2014 13:02:53
File attributes   : 0x00000020: Archive
File ID           : 0000000000000000002e00000001ed0b
Parent file ID    : 000000000000000001f400000000153c
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 120

Usn               : 6446415872
File name         : New Text Document.txt
File name length  : 42
Reason            : 0x00001000: Rename: old name
Time stamp        : 7/3/2014 13:02:58
File attributes   : 0x00000020: Archive
File ID           : 0000000000000000002e00000001ed0b
Parent file ID    : 000000000000000001f400000000153c
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 120

Usn               : 6446415976
File name         : MyFile.txt
File name length  : 20
Reason            : 0x00002000: Rename: new name
Time stamp        : 7/3/2014 13:02:58
File attributes   : 0x00000020: Archive
File ID           : 0000000000000000002e00000001ed0b
Parent file ID    : 000000000000000001f400000000153c
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 96

Usn               : 6446416056
File name         : MyFile.txt
File name length  : 20
Reason            : 0x80002000: Rename: new name | Close
Time stamp        : 7/3/2014 13:02:58
File attributes   : 0x00000020: Archive
File ID           : 0000000000000000002e00000001ed0b
Parent file ID    : 000000000000000001f400000000153c
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 96

Usn               : 6446419560
File name         : MyFile.txt
File name length  : 20
Reason            : 0x00000002: Data extend
Time stamp        : 7/3/2014 13:03:07
File attributes   : 0x00000020: Archive
File ID           : 0000000000000000002e00000001ed0b
Parent file ID    : 000000000000000001f400000000153c
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 96

Usn               : 6446419640
File name         : MyFile.txt
File name length  : 20
Reason            : 0x80000002: Data extend | Close
Time stamp        : 7/3/2014 13:03:07
File attributes   : 0x00000020: Archive
File ID           : 0000000000000000002e00000001ed0b
Parent file ID    : 000000000000000001f400000000153c
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 96
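
The following Python is an added example, not part of the original post: it parses the text that "fsutil usn readjournal" writes and rebuilds the create / rename / extend sequence for each File ID, reporting each reason bit once and pairing the two rename records. The function names and the SAMPLE input (the seven records above, reduced to the fields used) are assumptions of this example; reason bits other than the ones shown on this page are ignored.

```python
import re
from collections import defaultdict

# USN_REASON_* bits seen in the records above (values from winioctl.h).
CLOSE, OLD_NAME, NEW_NAME = 0x80000000, 0x1000, 0x2000
REASONS = {0x2: "Data extend", 0x100: "File create", OLD_NAME: "Rename: old name", NEW_NAME: "Rename: new name"}

# Sample input: the post's seven records, reduced to the fields used below.
FID = "0000000000000000002e00000001ed0b"
ROWS = [
    (6446415632, "New Text Document.txt", "0x00000100: File create", "7/3/2014 13:02:53"),
    (6446415736, "New Text Document.txt", "0x80000100: File create | Close", "7/3/2014 13:02:53"),
    (6446415872, "New Text Document.txt", "0x00001000: Rename: old name", "7/3/2014 13:02:58"),
    (6446415976, "MyFile.txt", "0x00002000: Rename: new name", "7/3/2014 13:02:58"),
    (6446416056, "MyFile.txt", "0x80002000: Rename: new name | Close", "7/3/2014 13:02:58"),
    (6446419560, "MyFile.txt", "0x00000002: Data extend", "7/3/2014 13:03:07"),
    (6446419640, "MyFile.txt", "0x80000002: Data extend | Close", "7/3/2014 13:03:07"),
]
SAMPLE = "\n\n".join(
    f"Usn               : {u}\nFile name         : {n}\nReason            : {r}\n"
    f"Time stamp        : {t}\nFile ID           : {FID}" for u, n, r, t in ROWS)

def parse_records(text):
    """One dict per record; a 'Usn' line starts a record, earlier lines are ignored."""
    records = []
    for key, value in re.findall(r"^[ \t]*([A-Za-z][A-Za-z ]*?)[ \t]*:[ \t](.*)$", text, re.M):
        if key == "Usn":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records

def timeline(records):
    """Per File ID, list (time stamp, event) for each newly set reason bit."""
    events, seen, old = defaultdict(list), defaultdict(int), {}
    for r in sorted(records, key=lambda r: int(r["Usn"])):
        fid, name, mask = r["File ID"], r["File name"], int(r["Reason"].split(":")[0], 16)
        new = mask & ~seen[fid] & ~CLOSE           # bits not yet reported for this open
        seen[fid] = 0 if mask & CLOSE else mask    # Close ends the accumulation
        for bit in (b for b in REASONS if new & b):
            if bit == OLD_NAME:
                old[fid] = name                    # hold until the matching new name
                continue
            what = f"Rename: {old.pop(fid, '?')} -> {name}" if bit == NEW_NAME else f"{REASONS[bit]}: {name}"
            events[fid].append((r["Time stamp"], what))
    return dict(events)

if __name__ == "__main__":
    print(*timeline(parse_records(SAMPLE))[FID], sep="\n")
```
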