How to get the full path for USN journal query?

Question

I am trying to go through the example on MSDN (https://msdn.microsoft.com/en-us/library/windows/desktop/aa365736%28v=vs.85%29.aspx) on how to query USN journal in order to trace file changes on a NTFS drive. The example code works well.

However, in this example code, the USN_RECORD structure only returns me a file reference number and the file name. It does not return me the full path of the file. Does anyone have any idea how to query USN journal to return a full path? Or there is a way to get the full path from file reference number?

Thanks.

Answer 1

The ParentFileReferenceNumber member of the USN_RECORD structure is the reference number for the directory containing the file.

You can use FSCTL_ENUM_USN_DATA to look up a file (or directory!) by reference number. You will need to iterate up the tree to build the complete path. There is some code in this answer which may be helpful as an example.

This code looks up the reference number for the root directory, so you can tell when you're finished:

HANDLE rootdir_handle;
USN_RECORD * rootdir_usn;

printf("Opening root directory.\n");

rootdir_handle = CreateFile(L"\\\\?\\C:\\", GENERIC_READ, 
                            FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, 
                            FILE_FLAG_BACKUP_SEMANTICS, NULL);

if (rootdir_handle == INVALID_HANDLE_VALUE)
{
    printf("CreateFile: %u\n", GetLastError());
    return 0;
}

if (!DeviceIoControl(rootdir_handle, FSCTL_READ_FILE_USN_DATA, NULL, 0, 
                     buffer, BUFFER_SIZE, &bytecount, NULL))
{
    printf("FSCTL_READ_FILE_USN_DATA: %u\n", GetLastError());
}
else
{
    rootdir_usn = (USN_RECORD *)buffer;
    show_record(rootdir_usn, FALSE);
    rootdir = rootdir_usn->FileReferenceNumber;
}