Let's say NTFS's journalling is enabled, but I don't want some of my files' change records to be added to the journal. Is this possible? And if not, is there any way that, even if the change related to a particular file is added to the USN journal, I can delete only the record related to that particular file? From what I have read so far, you can delete the whole journal in one go using the de-fragmentation API or the fsutil tool, but not an individual record.
Any help would be appreciated.
It's true. While the journal exists, you cannot hide file changes. And you cannot delete single USN records the regular way. As Xearinox pointed out, the only way to manipulate that data is through direct disk write operations.
If you are interested in that, this is what you want to read:
Keeping an Eye on Your NTFS Drives: the Windows 2000 Change Journal Explained
Keeping an Eye on Your NTFS Drives, Part II: Building a Change Journal Application
In short: The USN journal is a non-fragmented series of USN records. The Update Sequence Number is actually just an offset. [1] So the whole structure is pretty straightforward.
The Change Journal always writes new records to the end of the file, so the implementors chose to use the file offset of a record as its USN
Source: Keeping an Eye on Your NTFS Drives: the Windows 2000 Change Journal Explained
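The layout described in the answer above, as an added example that is not part of the original answer: a Python parser for USN_RECORD_V2 records that checks each record's Usn field against the stream offset where it was found, which is the consistency property a forensic examiner can rely on. The sample records, `SAMPLE_BASE` and the helper names are constructed for illustration, and treating zero-filled regions as padding is an assumption.

```python
import struct

# Fixed part of USN_RECORD_V2 (60 bytes, little-endian), per the Windows SDK layout.
HDR = struct.Struct("<IHHQQqqIIIIHH")
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_CLOSE = 0x80000000
SAMPLE_BASE = 0x1000  # constructed: stream offset at which the sample chunk starts

def build_record(usn, name, reason, frn=0x1000000000042, parent=0x5000000000005):
    """Build one V2 record (constructed test data, not taken from a real journal)."""
    raw_name = name.encode("utf-16-le")
    length = (HDR.size + len(raw_name) + 7) & ~7       # records are 8-byte aligned
    hdr = HDR.pack(length, 2, 0, frn, parent, usn, 0, reason, 0, 0, 0x20,
                   len(raw_name), HDR.size)
    return (hdr + raw_name).ljust(length, b"\0")

def parse_journal(buf, base_usn=0):
    """Walk a journal chunk that begins at stream offset base_usn.
    Returns (records, anomalies); an anomaly is (offset, description)."""
    records, anomalies, pos = [], [], 0
    while pos + HDR.size <= len(buf):
        (length, major, _minor, _frn, _parent, usn, _ts, reason,
         _src, _sid, _attrs, name_len, name_off) = HDR.unpack_from(buf, pos)
        if length == 0:            # assumption: zero-filled padding, skip one qword
            pos += 8
            continue
        end = pos + length
        if (major != 2 or length < HDR.size or length % 8 or end > len(buf)
                or name_off + name_len > length):
            anomalies.append((base_usn + pos, "malformed record"))
            break
        name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        records.append({"offset": base_usn + pos, "usn": usn,
                        "name": name, "reason": reason})
        if usn != base_usn + pos:  # a USN is the record's own offset in the stream
            anomalies.append((base_usn + pos, f"Usn field {usn} != offset"))
        pos = end
    return records, anomalies

def sample_chunk():
    """Three consecutive constructed records whose USNs equal their offsets."""
    r1 = build_record(SAMPLE_BASE, "a.txt", USN_REASON_FILE_CREATE)
    r2 = build_record(SAMPLE_BASE + len(r1), "report.docx",
                      USN_REASON_FILE_CREATE | USN_REASON_CLOSE)
    r3 = build_record(SAMPLE_BASE + len(r1) + len(r2), "a.txt", USN_REASON_CLOSE)
    return r1 + r2 + r3

if __name__ == "__main__":
    for rec in parse_journal(sample_chunk(), SAMPLE_BASE)[0]:
        print(hex(rec["usn"]), rec["name"], hex(rec["reason"]))
```

Because every record carries its own offset, a chunk in which a record sits at a position that disagrees with its Usn field shows up in the anomaly list.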