When a Restore Point is created, Windows starts monitoring the volume and any changes are recorded in a proprietary diff file inside the System Volume Information folder.
Through the VSS SDK API, we can expose the volume, but it shows us the whole volume and all the files/folders which have or have not been modified since snapshot creation, and on access to any file, a filter driver applies the diff, if required, and shows us the file.
My Question: Is it possible to list all the modified files, with respect to a restore point (except the brute-force method to compare each file inside the shadow-volume and the main-volume)?
How does Windows do it when we click on the previous versions tab in a file's Properties?
Make use of the NTFS Change Journal. Windows logs all changes to all files on an NTFS volume in a journal database (if the journal is on). This can be queried to return all changes from a specific start USN number (your restore point).
Here is an article about the journal that helped me a lot while implementing change journal functionality.
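To show what "query from a start USN" means in practice, here is an added example (not the answerer's code) that parses the record stream FSCTL_READ_USN_JOURNAL hands back and lists the files touched at or after a given USN. The journal buffer, the file reference numbers and the start USN 0x200 are all constructed for the example; on a real system the buffer comes from DeviceIoControl on the volume handle and the start USN is the one you noted when the restore point was made.

```python
import struct

USN_REASON_DATA_OVERWRITE = 0x00000001  # subset of USN_REASON_* from winioctl.h
USN_REASON_DATA_EXTEND = 0x00000002
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000
REASON_NAMES = {USN_REASON_FILE_CREATE: "create", USN_REASON_FILE_DELETE: "delete",
                USN_REASON_DATA_OVERWRITE: "overwrite", USN_REASON_DATA_EXTEND: "extend"}
# USN_RECORD_V2 fixed part (60 bytes): RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset; the UTF-16LE file name follows at FileNameOffset.
_HDR = struct.Struct("<IHHQQqqIIIIHH")


def parse_usn_records(buf):
    """Yield (usn, frn, reason, name) from a FSCTL_READ_USN_JOURNAL buffer: 8-byte next-USN, then records."""
    off = 8
    while off + _HDR.size <= len(buf):
        rec_len, major, _, frn, _, usn, _, reason, _, _, _, nlen, noff = _HDR.unpack_from(buf, off)
        if rec_len < _HDR.size or off + rec_len > len(buf):
            break  # truncated or corrupt record: stop rather than misparse
        if major == 2:  # V3/V4 records (128-bit FRNs) have a different layout; skip them
            yield usn, frn, reason, buf[off + noff:off + noff + nlen].decode("utf-16-le")
        off += rec_len  # records are 8-byte aligned; RecordLength already includes the padding


def changed_since(buf, start_usn):
    """Map file name -> reason labels for files touched at or after start_usn (the journal
    position noted at restore-point creation); records are merged per file reference number."""
    masks = {}
    for usn, frn, reason, name in parse_usn_records(buf):
        if usn >= start_usn:
            masks[frn] = (name, masks.get(frn, ("", 0))[1] | reason)
    return {name: sorted(lbl for flag, lbl in REASON_NAMES.items() if mask & flag)
            for name, mask in masks.values()}


def build_record(usn, frn, reason, name):
    """Constructed USN_RECORD_V2 for testing; not real journal output."""
    name_b = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(name_b) + 7) & ~7  # pad to 8-byte alignment
    hdr = _HDR.pack(rec_len, 2, 0, frn, 5, usn, 0, reason, 0, 0, 0x20, len(name_b), _HDR.size)
    return (hdr + name_b).ljust(rec_len, b"\0")


# Constructed journal: old.txt changed before the restore point (USN 0x200), the rest after.
SAMPLE_JOURNAL = struct.pack("<q", 0x400) + b"".join([
    build_record(0x100, 11, USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE, "old.txt"),
    build_record(0x200, 12, USN_REASON_FILE_CREATE, "new.log"),
    build_record(0x280, 12, USN_REASON_FILE_CREATE | USN_REASON_DATA_EXTEND | USN_REASON_CLOSE, "new.log"),
    build_record(0x300, 13, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "gone.tmp"),
])
```

Record the journal ID (from FSCTL_QUERY_USN_JOURNAL) together with the start USN: if the journal was deleted and recreated since the restore point, or has wrapped past that USN, the read fails and only a full comparison against the shadow copy remains.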
To detect changes in the current file system vs. a shadow copy, you can use third-party software like WinMerge (http://winmerge.org/) with the shadow copy UNC paths. This will provide a GUI for comparisons.
For example, compare "C:\" vs. "\\localhost\C$\@GMT-2017.08.24-18.07.46".
Of course, enter a valid UNC path to coincide with the date and time of a shadow copy.