USN Journal
The USN Journal (Update Sequence Number Journal), or Change Journal,[1] is a feature of the Windows NT file system (NTFS) which maintains a record of changes made to the volume. It is not to be confused with the journal used for the NTFS file system journaling.
When Windows 2000 was released, Microsoft created NTFS version 3.0, which included several new features and improvements over older versions of the file system. One of these was a new system management feature that is very useful for certain types of applications. Under Windows 2000, NTFS 3.0 partitions can be set to keep track of changes to files and directories on the volume, providing a record of when and what was done to the various objects. When enabled, the system records all changes made to the volume in the USN Journal, which is the name also used to describe the feature itself.
One journal is maintained for each NTFS volume and stored in the NTFS metafile named $Extend\$UsnJrnl. It begins as an empty file. Whenever a change is made to the volume, a record is added to the file. Each record is identified by a 64-bit Update Sequence Number or USN (for this reason Change Journals are sometimes called USN Journals). Each record in the Change Journal contains the USN, the name of the file, and information about what the change was.
The Change Journal describes the changes that took place using bit flags (e.g. USN_REASON_DATA_OVERWRITE[2]), therefore it does not include all the data or details associated with the change. For this reason the Change Journal cannot be used to undo operations on files within NTFS.
Uses
[edit]The USN Journal is used by the File History feature introduced in Windows 8 to determine which files have changed since the last backup so that only files that have changed are added to the history.[3] The desktop search utility Everything monitors the journal to update its database of file names.[4]
References
[edit]- ^ "Change Journals". Microsoft Docs. Microsoft Corporation. 31 May 2018. Retrieved 18 April 2020.
- ^ "USN_RECORD_V2 structure". Microsoft Developer Network. Microsoft Corporation. Retrieved 6 November 2014.
- ^ Bright, Peter (11 July 2012). "A step back in time with Windows 8's File History". Ars Technica. Retrieved 2 February 2014.
- ^ David Carpenter (22 May 2009). "How 'Everything' doesn't miss changes when not running". voidtools.com/forum. Retrieved 9 October 2024.
External links
[edit]- "Change Journals (Windows)". Microsoft Developers Network Library, Win32 and COM Development, Volume Management. Microsoft Corporation. Retrieved 10 June 2009.
- "FSUTIL: USN". Windows XP Professional Product Documentation. Microsoft Corporation. Retrieved 10 June 2009.
- "FSUTIL: USN". Microsoft Technet Library, Windows Server Tech Center. Microsoft Corporation. 28 September 2007. Retrieved 10 June 2009.
- "NTFS Self-Healing". Microsoft Technet Library, Windows Server Tech Center. Microsoft Corporation. 21 January 2008. Retrieved 10 June 2009.