Glossary: A user-readable equivalent of the LogFile.
$UsnJrnl attributes

Type | Description | Name |
---|---|---|
0x10 | $STANDARD_INFORMATION | |
0x30 | $FILE_NAME | $UsnJrnl |
0x80 | $DATA | $J |
0x80 | $DATA | $Max |
$J entry (repeating group)

Offset | Size | Description |
---|---|---|
0x00 | 4 | Size of entry |
0x04 | 2 | Major Version |
0x06 | 2 | Minor Version |
0x08 | 8 | MFT Reference |
0x10 | 8 | Parent MFT Reference |
0x18 | 8 | Offset of this entry in $J |
0x20 | 8 | Timestamp |
0x28 | 4 | Reason |
0x2C | 4 | SourceInfo |
0x30 | 4 | SecurityID |
0x34 | 4 | FileAttributes |
0x38 | 2 | Size of filename (in bytes) |
0x3A | 2 | Offset to filename |
0x3C | V | Filename |
V+0x3C | P | Padding (align to 8 bytes) |
$Max

Offset | Size | Description |
---|---|---|
0x00 | 8 | Maximum Size |
0x08 | 8 | Allocation Delta |
0x10 | 8 | USN ID (a) |
0x18 | 8 | Lowest Valid USN |
(a) In version 2.0 of the USN Journal, Microsoft uses a FILETIME 64-bit value to randomize the USN ID. However, future versions might use another way to generate the ID, so it is not safe to assume this to be the time of the journal's creation.

Reason flags (values of the Reason field in a $J entry; several may be combined)

Flag | Description |
---|---|
0x01 | The data in the file or directory was overwritten. |
0x02 | The file or directory was added to. |
0x04 | The file or directory was truncated. |
0x10 | Data in one or more named data streams for the file was overwritten. |
0x20 | One or more named data streams for the file were added to. |
0x40 | One or more named data streams for the file were truncated. |
0x100 | The file or directory was created for the first time. |
0x200 | The file or directory was deleted. |
0x400 | The user made a change to the file's or directory's extended attributes. These NTFS attributes are not accessible to Windows-based applications. |
0x800 | A change was made in the access rights to the file or directory. |
0x1000 | The file or directory was renamed, and the file name in this structure is the previous name. |
0x2000 | The file or directory was renamed, and the file name in this structure is the new name. |
0x4000 | A user changed the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute. That is, the user changed the file or directory from one that can be content indexed to one that cannot, or vice versa. |
0x8000 | A user has either changed one or more file or directory attributes or one or more time stamps. |
0x10000 | An NTFS hard link was added to or removed from the file or directory. |
0x20000 | The compression state of the file or directory was changed from or to compressed. |
0x40000 | The file or directory was encrypted or decrypted. |
0x80000 | The object identifier of the file or directory was changed. |
0x100000 | The reparse point contained in the file or directory was changed, or a reparse point was added to or deleted from the file or directory. |
0x200000 | A named stream has been added to or removed from the file, or a named stream has been renamed. |
0x80000000 | The file or directory was closed. |
SourceInfo flags (values of the SourceInfo field in a $J entry)

Flag | Description |
---|---|
0x01 | The operation provides information about a change to the file or directory made by the operating system. A typical use is when the Remote Storage system moves data from external to local storage. Remote Storage is the hierarchical storage management software. Such a move usually at a minimum adds the USN_REASON_DATA_OVERWRITE (0x01) flag to a USN record. |
0x02 | The operation adds a private data stream to a file or directory. An example might be a virus detector adding checksum information. As the virus detector modifies the item, the system generates USN records. USN_SOURCE_AUXILIARY_DATA (0x02) indicates that the modifications did not change the application data. |
0x04 | The operation creates or updates the contents of a replicated file. For example, the file replication service sets this flag when it creates or updates a file in a replicated directory. |
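The following is an added example, not code from the original page: it walks a $J buffer using the entry layout in the table above and decodes the Reason field into flag names. The sample buffer is constructed, not captured from a volume, and the REASON labels are the Windows SDK's USN_REASON_* names for the bits listed in the reason table.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason bits from the table above, labelled with the USN_REASON_* names of the Windows SDK
REASON = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
          0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
          0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x400: "EA_CHANGE", 0x800: "SECURITY_CHANGE",
          0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x4000: "INDEXABLE_CHANGE",
          0x8000: "BASIC_INFO_CHANGE", 0x10000: "HARD_LINK_CHANGE", 0x20000: "COMPRESSION_CHANGE",
          0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE", 0x100000: "REPARSE_POINT_CHANGE",
          0x200000: "STREAM_CHANGE", 0x80000000: "CLOSE"}
HEADER = struct.Struct("<IHHQQQQIIIIHH")   # fixed part of a $J entry, offsets 0x00..0x3C
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch; timestamp is in 100 ns units

def parse_usn_v2(buf):
    """Yield one dict per version-2 entry in a $J buffer. Zero-filled runs (the sparse
    front of $J, or padding) are skipped 8 bytes at a time; corrupt sizes stop parsing."""
    off = 0
    while off + 4 <= len(buf):
        size = struct.unpack_from("<I", buf, off)[0]
        if size == 0:
            off += 8
            continue
        if size < HEADER.size or size % 8 or off + size > len(buf):
            raise ValueError(f"corrupt entry size {size:#x} at offset {off:#x}")
        (_, major, _minor, mft, parent, usn, ts, reason, source, sid, attrs,
         name_len, name_off) = HEADER.unpack_from(buf, off)
        if major != 2 or name_off + name_len > size:   # bounds-check before slicing the name
            raise ValueError(f"unsupported or malformed entry at offset {off:#x}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "mft": mft & 0xFFFFFFFFFFFF, "seq": mft >> 48,   # 48-bit entry, 16-bit sequence
               "parent": parent & 0xFFFFFFFFFFFF, "name": name, "source": source,
               "sid": sid, "attrs": attrs, "time": EPOCH + timedelta(microseconds=ts // 10),
               "reason": sorted(n for bit, n in REASON.items() if reason & bit)}
        off += size

def make_entry(usn, mft, parent, ts, reason, name):
    """Build a constructed version-2 entry (not a captured one), padded to 8 bytes."""
    raw = name.encode("utf-16-le")
    size = (HEADER.size + len(raw) + 7) & ~7
    hdr = HEADER.pack(size, 2, 0, mft, parent, usn, ts, reason, 0, 0, 0x20, len(raw), HEADER.size)
    return (hdr + raw).ljust(size, b"\0")

# Constructed sample $J: a 16-byte sparse run, then create+close and delete+close of one file
T0 = 0x01D9F2A000000000   # arbitrary FILETIME for the sample
SAMPLE = (b"\0" * 16
          + make_entry(0x10, (0x2A << 48) | 1234, 5, T0, 0x100 | 0x80000000, "report.docx")
          + make_entry(0x68, (0x2A << 48) | 1234, 5, T0 + 10_000_000, 0x200 | 0x80000000, "report.docx"))
```

Iterating `parse_usn_v2(SAMPLE)` yields two entries for MFT record 1234 (sequence 0x2A): FILE_CREATE|CLOSE followed one second later by FILE_DELETE|CLOSE, which is the create-then-delete pattern a timeline built from $J makes visible even after the file itself is gone.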