When I ran the code from MSDN (Walking a Buffer of Change Journal Records), some errors occurred. In this case, printf( "Read journal failed (%d)\n", GetLastError());
returned an error code of 87, so I found an improved version as follows:
#include <Windows.h>
#include <WinIoCtl.h>
#include <stdio.h>

#define BUF_LEN 4096

int main(void)
{
    HANDLE hVol;
    CHAR Buffer[BUF_LEN];
    USN_JOURNAL_DATA JournalData;
    // MinMajorVersion = 2, MaxMajorVersion = 3: the driver may return USN_RECORD_V3
    // records, whose layout differs from the USN_RECORD (V2) cast used below.
    READ_USN_JOURNAL_DATA_V1 ReadData = { 0, 0xFFFFFFFF, FALSE, 0, 0, 0, 2, 3 };
    PUSN_RECORD UsnRecord;
    DWORD dwBytes;
    DWORD dwRetBytes;
    int I;

    hVol = CreateFile(TEXT("\\\\.\\c:"),
                      GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL,
                      OPEN_EXISTING,
                      0,
                      NULL);
    if (hVol == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile failed (%d)\n", GetLastError());
        return 1;
    }

    if (!DeviceIoControl(hVol,
                         FSCTL_QUERY_USN_JOURNAL,
                         NULL,
                         0,
                         &JournalData,
                         sizeof(JournalData),
                         &dwBytes,
                         NULL))
    {
        printf("Query journal failed (%d)\n", GetLastError());
        CloseHandle(hVol);
        return 1;
    }

    ReadData.UsnJournalID = JournalData.UsnJournalID;
    printf("Journal ID: %I64x\n", JournalData.UsnJournalID);
    printf("FirstUsn: %I64x\n\n", JournalData.FirstUsn);

    for (I = 0; I <= 10; I++)
    {
        memset(Buffer, 0, BUF_LEN);
        if (!DeviceIoControl(hVol,
                             FSCTL_READ_USN_JOURNAL,
                             &ReadData,
                             sizeof(ReadData),
                             Buffer,            // output buffer (not &Buffer)
                             BUF_LEN,
                             &dwBytes,
                             NULL))
        {
            printf("Read journal failed (%d)\n", GetLastError());
            CloseHandle(hVol);
            return 1;
        }

        // The output begins with the next USN to read; the records follow it.
        dwRetBytes = dwBytes - sizeof(USN);

        // Find the first record
        UsnRecord = (PUSN_RECORD)(((PUCHAR)Buffer) + sizeof(USN));

        printf("****************************************\n");

        // This loop could go on for a long time, given the current buffer size.
        while (dwRetBytes > 0)
        {
            printf("USN: %I64x\n", UsnRecord->Usn);
            // FileName is not null-terminated and FileNameLength is in bytes,
            // so print exactly FileNameLength / 2 wide characters.
            printf("File name: %.*S\n",
                   UsnRecord->FileNameLength / 2,
                   UsnRecord->FileName);
            printf("Reason: %x\n", UsnRecord->Reason);
            printf("\n");
            dwRetBytes -= UsnRecord->RecordLength;
            // Find the next record
            UsnRecord = (PUSN_RECORD)(((PCHAR)UsnRecord) +
                                      UsnRecord->RecordLength);
        }

        // Update starting USN for next call
        ReadData.StartUsn = *(USN*)&Buffer;
    }

    CloseHandle(hVol);
    return 0;
}
Although this version runs normally, the filename it obtains is empty.
In addition, I went looking for code from previous years, and without exception the filename ended up empty. I debugged and checked it, and it was empty, but the earlier authors did get the file name. I am a little suspicious that the Windows SDK has changed, so that the older code can no longer be used.
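The layout point behind this symptom matters to anyone parsing journal output, for instance when building a file-activity timeline from the USN journal in an investigation. The following is an added, stand-alone example (not code from the question or from the MSDN sample): it walks an FSCTL_READ_USN_JOURNAL-style buffer by dispatching on the MajorVersion in each record's common header and reading the name through FileNameOffset, and it shows what a blanket USN_RECORD (V2) cast reads on a V3 record. It assumes the field offsets of USN_RECORD_V2 and USN_RECORD_V3 from winioctl.h (V2 FileNameLength at byte 56, V3 at byte 72, because V3 uses 128-bit file reference numbers), and the sample buffer is constructed inline rather than read from a volume, so it runs on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
/* Where the FileNameLength/FileNameOffset pair sits depends on the record version:
 * USN_RECORD_V3 carries two 128-bit file reference numbers instead of 64-bit ones,
 * so every later field lies 16 bytes deeper than in USN_RECORD_V2 (assumed offsets). */
static int name_fields_offset(uint16_t major) {
    if (major == 2) return 56;   /* V2: FileNameLength 56, FileNameOffset 58, FileName 60 */
    if (major == 3) return 72;   /* V3: FileNameLength 72, FileNameOffset 74, FileName 76 */
    return -1;
}
/* What casting every record to PUSN_RECORD (V2) does: read FileNameLength at offset 56
 * regardless of MajorVersion. On a V3 record that byte pair belongs to the Reason field. */
uint16_t v2_cast_name_len(const uint8_t *rec) { return rd16(rec + 56); }
/* Walk an FSCTL_READ_USN_JOURNAL output buffer (8-byte next USN, then records) and
 * narrow each UTF-16LE name to ASCII. Returns the record count, or -1 if malformed. */
int parse_usn_buffer(const uint8_t *buf, size_t len, char names[][64], int max_names) {
    size_t pos = 8;
    int n = 0;
    while (pos + 8 <= len && n < max_names) {
        const uint8_t *rec = buf + pos;
        uint32_t rec_len = rd32(rec);
        int fo = name_fields_offset(rd16(rec + 4));   /* dispatch on MajorVersion */
        if (rec_len < 8 || pos + rec_len > len || fo < 0) return -1;
        uint16_t name_len = rd16(rec + fo), name_off = rd16(rec + fo + 2);
        if ((size_t)name_off + name_len > rec_len || name_len / 2 >= 64) return -1;
        for (int i = 0; i < name_len / 2; i++) names[n][i] = (char)rd16(rec + name_off + 2 * i);
        names[n][name_len / 2] = '\0';   /* FileName in the record is NOT null-terminated */
        n++;
        pos += rec_len;                  /* RecordLength already includes alignment padding */
    }
    return n;
}
/* Constructed test data (not real journal output): one record of the given version
 * with an ASCII name, all other fields zero. Returns the bytes written. */
size_t put_record(uint8_t *out, uint16_t major, const char *name) {
    int fo = name_fields_offset(major);
    uint16_t name_off = (uint16_t)(fo + 4), name_len = (uint16_t)(strlen(name) * 2);
    uint32_t rec_len = (name_off + name_len + 7u) & ~7u;   /* records are 8-byte aligned */
    memset(out, 0, rec_len);
    out[0] = (uint8_t)rec_len; out[1] = (uint8_t)(rec_len >> 8);   /* RecordLength, LE */
    out[4] = (uint8_t)major;                                        /* MajorVersion */
    out[fo] = (uint8_t)name_len; out[fo + 2] = (uint8_t)name_off;   /* both < 256 here */
    for (size_t i = 0; name[i]; i++) out[name_off + 2 * i] = (uint8_t)name[i];   /* UTF-16LE */
    return rec_len;
}
```

With a V2 and a V3 record in the same buffer, parse_usn_buffer recovers both names, while v2_cast_name_len returns 0 for the V3 record, which is exactly the empty filename described above.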
Source: Stack Overflow, "c++ - When Windows 10 reads the USN journal, the read FileName is empty" (reposted at http://www.betaflare.com/web/1743899255a2558367.html).