Simple file search utility using NTFS MFT / USN Change journal
Change Journals - Win32 apps | Microsoft Learn
/*
 * Layout of a version-2 USN change-journal record, as given on the
 * Microsoft Learn "Change Journals" page linked above.  The tool walks these
 * records while enumerating the volume: it matches FileName against the
 * search options and follows ParentFileReferenceNumber upward to rebuild the
 * directory path (see the notes below the struct).
 */
typedef struct {
DWORD RecordLength;                /* size of this record in bytes; records are variable length because of the trailing FileName */
WORD MajorVersion;                 /* record format version -- this layout is the V2 record */
WORD MinorVersion;
DWORDLONG FileReferenceNumber;     /* identifies this file's MFT record; the key the parent walk below is built on */
DWORDLONG ParentFileReferenceNumber; /* reference number of the containing directory; followed upward until the root record is reached */
USN Usn;                           /* update sequence number of this journal entry */
LARGE_INTEGER TimeStamp;           /* time stamp of the journal entry */
DWORD Reason;                      /* reason flags for the journal entry (not needed for the name search described below) */
DWORD SourceInfo;                  /* source flags for the journal entry */
DWORD SecurityId;                  /* security identifier of the file; treated as opaque by this tool */
DWORD FileAttributes;              /* file attribute flags; NOTE(review): presumably what the -d (directory only) option keys on -- confirm in the code */
WORD FileNameLength;               /* length of FileName; NOTE(review): whether this is bytes or WCHARs is not stated here -- check the linked reference before using it to bound reads */
WORD FileNameOffset;               /* offset from the start of the record to the name; presumably preferred over &FileName for locating the name -- verify */
WCHAR FileName[1];                 /* first WCHAR of the name. NOTE(review): do not assume NUL termination -- bound every read by FileNameLength and check FileNameOffset + FileNameLength <= RecordLength before touching the buffer */
} USN_RECORD_V2, *PUSN_RECORD_V2;
The FileReferenceNumber and ParentFileReferenceNumber members are used to reconstruct the full directory path of a matching file:
- first, query the root directory's record and save it (it marks where the parent walk in step 4 stops)
- enumerate every record in TargetDrive and invoke the callback for each one
- in the callback, compare the record's file name against the search options (-f / -e / -d below)
- on a match, follow ParentFileReferenceNumber upward to the root, collecting folder names, to rebuild the full path
- continue the enumeration (step 2) until all records have been seen
- requires administrator privileges (opening the volume to read the MFT / change journal needs them)
- cannot find files in the Recycle Bin folder
- cannot find a file by its other hard-link names: as the example below shows, `fsutil hardlink list` reports two names for eventvwr.exe, but the search only reports the WinSxS names and never \Windows\SysWOW64\eventvwr.exe. A file reachable only through such a link will be missed, so do not treat a "not found" result as proof that a file is absent. (The two example outputs were captured on different builds, 25267 vs 25295, hence the differing WinSxS directory names.)
c:\> fsutil hardlink list C:\Windows\SysWOW64\eventvwr.exe
\Windows\SysWOW64\eventvwr.exe
\Windows\WinSxS\wow64_eventviewersettings_31bf3856ad364e35_10.0.25267.1000_none_e931c8cba9c8100d\eventvwr.exe
usnquery [option] <driveletter>
driveletter : drive letter to search; * = all drives
-f %1 : file name filter
-e %1|%2|%3 : extension filter; separate multiple extensions with |
-d : directories only
PS D:\git\usnquery\Release> .\usnquery.exe -f eventvwr -e exe C
file count = 1601532, directory count = 298161
eventvwr.exe - C:\Windows\WinSxS\amd64_eventviewersettings_31bf3856ad364e35_10.0.25295.1000_none_660b78eb9cfa762d\
eventvwr.exe - C:\Windows\WinSxS\wow64_eventviewersettings_31bf3856ad364e35_10.0.25295.1000_none_7060233dd15b3828\