VB版 NTFS文件系统USN日志读取

已于 2024-05-28 22:24:32 修改
阅读量427 收藏 4
点赞数 3
文章标签: windows 个人开发 数据结构 开发语言
于 2024-05-28 22:23:43 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/guoyong_cy/article/details/139279036
版权

NTFS文件系统USN日志读取,这东西不新鲜,但是好像找不到VB 版本的,发一个。

获取文件的名字比较简单,获取路径麻烦点,可以采用:1、Api函数OpenFileById获取;2、也可以通过USN信息重建完整路径。
Private Declare Function OpenFileById Lib "kernel32" (ByVal hVoluemHint As Long, lpFileID As FILE_ID_DESCRIPTOR, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, lpSecurityAttributes As SECURITY_ATTRIBUTES, ByVal dwFlagsAndAttributes As Long) As Long
通过测试在VB下应用OpenFileById 与USN信息重建速度差不多。

这段代码是采用的第2种方法取得全路径。

对于非NTFS文件系统,采用非递归法遍历。

以下是获取所有盘中文件名及全路径代码。

在form1中添加三个控件:text1,command1和drive1。获取的数据在app目录下的file.txt文件中。

Option Explicit

Private Const MAX_PATH = 260
Private Const MAXDWORD = &HFFFF
Private Const INVALID_HANDLE_VALUE = -1
Private Const FILE_ATTRIBUTE_ARCHIVE = &H20
Private Const FILE_ATTRIBUTE_DIRECTORY = &H10
Private Const FILE_ATTRIBUTE_HIDDEN = &H2
Private Const FILE_ATTRIBUTE_NORMAL = &H80
Private Const FILE_ATTRIBUTE_READONLY = &H1
Private Const FILE_ATTRIBUTE_SYSTEM = &H4
Private Const FILE_ATTRIBUTE_TEMPORARY = &H100

Private Type LargeLong
    A As Long
    b As Long

End Type
Private Type CREATE_USN_JOURNAL_DATA
    MaximumSize As Double
    AllocationDelta As Double
End Type
Private Type SECURITY_ATTRIBUTES
        nLength As Long
        bInheritHandle As Long
        lpSecurityDescriptor As Long
End Type
Private Type OVERLAPPED
        ternal As Long
        hEvent As Long
        offset As Long
        OffsetHigh As Long
        ternalHigh As Long
End Type
Private Type USN_JOURNAL_DATA
    UsnJournalID As Double
    FirstUsn As Double
    NextUsn As Double
    LowestValidUsn As Double
    MaxUsn As Double
    MaximumSize As Double
    AllocationDelta As Double
End Type
Private Type MFT_ENUM_DATA
    StartFileReferenceNumber As Double
    LowUsn As Double
    HighUsn As Double
End Type
Private Type USN
    RecordLength As Long ': Cardinal;
    MajorVersion As Integer ': Word;
    MinorVersion As Integer ': Word;
    FileReferenceNumber As Double ': UInt64;       // Int64Rec;
    ParentFileReferenceNumber As Double ': UInt64; // Int64Rec;
    USN As Double ': Int64;
    TimeStamp As LargeLong ': LARGE_INTEGER;
    Reason As Long ': Cardinal;
    SourceInfo As Long ': Cardinal;
    SecurityId As Long ': Cardinal;
    FileAttributes As Long ': Cardinal;
    FileNameLength As Integer ': Word;
    FileNameOffset As Integer ': Word;
    'FileName(512) As Byte ': PWideChar;'VB里面没有指针,在后面使用时再动态声明
End Type
Private Type TypeFolderInfo         '所有目录信息
    folderNumber As Double
    parentFolderNumber As Double
    parentID As Long                '直接定位到ID
    folderName As String
End Type
Private Type TypeFileAllInfo        '所有文件
    fileNumber As Double
    parentFileNumber As Double
    FileName As String
    fPath As String
End Type
Private Type TypeFolderIndex            '目录的索引
    folderNumber As Double
    myID As Long
End Type
Private Type DELETE_USN_JOURNAL_DATA
    UsnJournalID As Double
    DeleteFlags As Integer
End Type


Private Type FILETIME
    dwLowDateTime As Long
    dwHighDateTime As Long
End Type

Private Type WIN32_FIND_DATA
    dwFileAttributes As Long
    ftCreationTime As FILETIME
    ftLastAccessTime As FILETIME
    ftLastWriteTime As FILETIME
    nFileSizeHigh As Long
    nFileSizeLow As Long
    dwReserved0 As Long
    dwReserved1 As Long
    cFileName As String * MAX_PATH
    cAlternate As String * 14
End Type

Private Const BUF_LEN = 2000 * 1034& ' 500 * 1024&
Private Const FSCTL_ENUM_USN_DATA = 590003
Private Const FSCTL_CREATE_USN_JOURNAL = 590055
Private Const FSCTL_QUERY_USN_JOURNAL = 590068
Private Const FSCTL_DELETE_USN_JOURNAL = 590072
Private Const USN_DELETE_FLAG_DELETE = 1&
Private Const GENERIC_READ = &H80000000
Private Const GENERIC_WRITE = &H40000000
Private Const FILE_SHARE_READ = &H1
Private Const FILE_SHARE_WRITE = &H2
Private Const OPEN_EXISTING = 3&
Private Declare Function FindFirstFile Lib "kernel32" Alias "FindFirstFileA" (ByVal lpFileName As String, lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function FindNextFile Lib "kernel32" Alias "FindNextFileA" (ByVal hFindFile As Long, lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function GetFileAttributes Lib "kernel32" Alias "GetFileAttributesA" (ByVal lpFileName As String) As Long
Private Declare Function FindClose Lib "kernel32" (ByVal hFindFile As Long) As Long

Private Declare Function GetVolumeInformation Lib "kernel32" Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, ByVal lpVolumeNameBuffer As String, ByVal nVolumeNameSize As Long, lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As String, ByVal nFileSystemNameSize As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, lpSecurityAttributes As SECURITY_ATTRIBUTES, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Private Declare Function DeviceIoControl Lib "kernel32" (ByVal hDevice As Long, ByVal dwIoControlCode As Long, lpInBuffer As Any, ByVal nInBufferSize As Long, lpOutBuffer As Any, ByVal nOutBufferSize As Long, lpBytesReturned As Long, lpOverlapped As OVERLAPPED) As Long
Private Declare Function DeviceIoControl2 Lib "kernel32" Alias "DeviceIoControl" (ByVal hDevice As Long, ByVal dwIoControlCode As Long, lpInBuffer As Any, ByVal nInBufferSize As Long, ByVal lpOutBuffer As Long, ByVal nOutBufferSize As Long, lpBytesReturned As Long, lpOverlapped As OVERLAPPED) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (pDest As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Sub CopyMemory2 Lib "kernel32" Alias "RtlMoveMemory" (ByVal pDest As Long, ByVal pSrc As Long, ByVal ByteLen As Long)
Private Declare Function timeGetTime Lib "winmm.dll" () As Long
Private Declare Function GetTickCount Lib "kernel32" () As Long

Dim hVol As Long
Dim folderList() As TypeFolderInfo
Dim fileList() As TypeFileAllInfo
Dim folderIndex() As TypeFolderIndex    '目录索引
Dim countFile As Long
Dim curF As Integer
Private Sub Command1_Click()
Dim T As Long, lastT As Long, ct As Long
Dim n As Long
'Dim dr As DriveListBox
Dim driveCha As String
Dim inf As String, lastCountF As Long
countFile = 0
curF = FreeFile
    Dim fs As String
    fs = App.Path & "\file.txt"
    If Len(Dir(fs)) > 0 Then Kill fs
    T = GetTickCount
    lastT = T
    'Set dr = Me.Controls.Add("VB.DriveListBox", "DR")
    Open fs For Output As #curF
    'SearchFiles ("h")
    'GoTo ex
    Dim fss As String
    For n = 0 To Drive1.ListCount - 1 ' dr.ListCount - 1
        driveCha = Left(Drive1.List(n), 1) 'Left(dr.List(n), 1)
        If IsNTFS(driveCha) Then
            'If LCase(driveCha) = "c" Then
            Call GetNtfsDriveFile(driveCha)     '调试检查错误
            fss = "NTFS"
            'End If
        Else
            Call SearchFiles(driveCha, 100000)
            fss = "FAT32"
        End If
        ct = timeGetTime
        If ct > lastT Then
            inf = inf & driveCha & "盘 " & fss & "系统,共有 " & countFile - lastCountF & " 个文件,用时 " & ct - lastT & " ms,平均" & Format((countFile - lastCountF) / (ct - lastT), "0.00") & "/ms" & vbCrLf
        End If
        lastCountF = countFile
        lastT = ct
    Next
'ex:
    Close #curF
    'Me.Controls.Remove dr
Text1.Text = inf & vbCrLf & "共找到 " & countFile & " 个文件!耗时 " & GetTickCount - T & " 毫秒"
MsgBox "数据已写入到:   " & fs
End Sub
Private Sub GetNtfsDriveFile(driveCha As String)
Dim lp As SECURITY_ATTRIBUTES
Dim lpO As OVERLAPPED
Dim res As Long
Dim qujd As CREATE_USN_JOURNAL_DATA
Dim br As Long
Dim cujd As CREATE_USN_JOURNAL_DATA
Dim ujd As USN_JOURNAL_DATA
Dim dwRet As Long
Dim hi As Long, lo As Long
Dim disk As String

disk = driveCha & ":"
    hVol = CreateFile("\\.\" & disk, GENERIC_READ Or GENERIC_WRITE, FILE_SHARE_READ Or FILE_SHARE_WRITE, lp, OPEN_EXISTING, 0, 0)
    res = DeviceIoControl(hVol, FSCTL_CREATE_USN_JOURNAL, cujd, Len(cujd), Null, 0, br, lpO)
    res = DeviceIoControl(hVol, FSCTL_QUERY_USN_JOURNAL, lpO, 0, ujd, Len(ujd), dwRet, lpO)
    
    Dim la As LargeLong
    CopyMemory la, ujd.NextUsn, 8
    
Dim BufferIn As MFT_ENUM_DATA
Dim BufferOut() As Byte
ReDim BufferOut(BUF_LEN)
Dim UsnInfo As USN
Dim count As Long, countLoop As Long

ReDim folderList(10000)
ReDim fileList(1000000)
Dim curAddFolder As Long, curAddFile As Long, cc As Long
    'int64Size                         := SizeOf(Int64);
    BufferIn.StartFileReferenceNumber = 0
    BufferIn.LowUsn = 0
    BufferIn.HighUsn = ujd.NextUsn ' CDblEx(la.a)
    dwRet = 0

    'res = DeviceIoControl2(hVol, FSCTL_ENUM_USN_DATA, BufferIn, Len(BufferIn), StrPtr(BufferOut), BUF_LEN, dwRet, lpO)
    Do While DeviceIoControl2(hVol, FSCTL_ENUM_USN_DATA, BufferIn, Len(BufferIn), VarPtr(BufferOut(0)), BUF_LEN, dwRet, lpO) <> 0
        'Debug.Print BufferOut ' Left(BufferOut, 1000)
        Dim seat As Long
        Dim tmpF() As Byte
        count = count + 1
        seat = VarPtr(BufferOut(0)) + 8
        
        'If count = 2 Then Exit Do ''''''debug
        Do While seat <= VarPtr(BufferOut(UBound(BufferOut))) - Len(UsnInfo)
            
            CopyMemory2 VarPtr(UsnInfo), seat, Len(UsnInfo)
            If UsnInfo.RecordLength + seat > VarPtr(BufferOut(UBound(BufferOut))) Then Exit Do
            If UsnInfo.RecordLength <= 0 Then Exit Do
            If UsnInfo.FileNameLength <= 0 Then Exit Do
            'Debug.Print Left(UsnInfo.FileName, UsnInfo.FileNameLength)
            ReDim tmpF(UsnInfo.FileNameLength - 1)
            'CopyMemory2 VarPtr(tmpF(0)), VarPtr(UsnInfo.FileName(0)), UsnInfo.FileNameLength
            CopyMemory2 VarPtr(tmpF(0)), seat + Len(UsnInfo), UsnInfo.FileNameLength
            If UsnInfo.FileAttributes And vbDirectory Then      '新增目录结构
                curAddFolder = curAddFolder + 1         '0不用
                If curAddFolder > UBound(folderList) Then ReDim Preserve folderList(curAddFolder + 10000)
                folderList(curAddFolder).folderName = tmpF
                folderList(curAddFolder).folderNumber = UsnInfo.FileReferenceNumber
                folderList(curAddFolder).parentFolderNumber = UsnInfo.ParentFileReferenceNumber
            End If

            curAddFile = curAddFile + 1
            If curAddFile > UBound(fileList) Then ReDim Preserve fileList(curAddFile + 100000)
            fileList(curAddFile).FileName = tmpF
            fileList(curAddFile).fileNumber = UsnInfo.FileReferenceNumber
            fileList(curAddFile).parentFileNumber = UsnInfo.ParentFileReferenceNumber
            'If InStr(folderList(curAddFolder).folderName, "神话(连续剧)") > 0 Or InStr(folderList(curAddFolder).folderName, "人工智能") > 0 Then                  '调试
                'Print #curF, fileList(curAddFile).FileName, DoubleToHex(fileList(curAddFile).fileNumber), DoubleToHex(fileList(curAddFile).parentFileNumber)
            'End If
            countFile = countFile + 1
            seat = seat + UsnInfo.RecordLength
        Loop
        CopyMemory2 VarPtr(BufferIn), VarPtr(BufferOut(0)), 8
    Loop
    Dim djd As DELETE_USN_JOURNAL_DATA
    djd.UsnJournalID = ujd.UsnJournalID
    djd.DeleteFlags = USN_DELETE_FLAG_DELETE
    res = DeviceIoControl(hVol, FSCTL_DELETE_USN_JOURNAL, djd, Len(djd), Null, 0, dwRet, lpO)
    CloseHandle hVol
    
'Exit Sub
    'Debug.Print curAddFile, countLoop
    
    
    ReDim folderIndex(1 To curAddFolder)       '创建目录索引
    Dim ct As Long
    ct = timeGetTime
    For cc = 1 To curAddFolder
        folderIndex(cc).folderNumber = folderList(cc).folderNumber
        folderIndex(cc).myID = cc
    Next
    '''''''索引排序
    SortFolderIndex 1, curAddFolder
    '''''''''''填入父ID
    Debug.Print "time", disk, timeGetTime - ct
    Dim fIndex As Long
    For cc = 1 To curAddFolder
        If folderList(cc - 1).parentID <> 0 And folderList(cc).parentFolderNumber = folderList(cc - 1).parentFolderNumber Then
            folderList(cc).parentID = folderList(cc - 1).parentID
        Else
            fIndex = NumFind(folderList(cc).parentFolderNumber)
            'If cc = 91635 Then Stop
            If fIndex > 0 Then
                If cc <> folderIndex(fIndex).myID Then
                    folderList(cc).parentID = folderIndex(fIndex).myID
                End If
            End If
        End If
    Next

    
    Dim allPath As String, curParent As Double, nextParentID As Long
    Dim lastParent As Double
    For cc = 1 To curAddFile
        'If fileList(cc).FileName = "神话(连续剧)" Or fileList(cc).FileName = "人工智能" Then
            'Debug.Print fileList(cc).parentFileNumber
        '    Stop
        'End If
        
        If lastParent = fileList(cc).parentFileNumber Then  ' UsnInfo.ParentFileReferenceNumber Then
            fileList(cc).fPath = fileList(cc - 1).fPath ' disk & "\" & allPath
        Else
            allPath = ""
            curParent = fileList(cc).parentFileNumber 'UsnInfo.ParentFileReferenceNumber
            fIndex = NumFind(curParent)
            If fIndex > 0 Then
                allPath = folderList(folderIndex(fIndex).myID).folderName & "\"
                nextParentID = folderList(folderIndex(fIndex).myID).parentID
            End If

            Do While nextParentID > 0
                allPath = folderList(nextParentID).folderName & "\" & allPath
                nextParentID = folderList(nextParentID).parentID
            Loop
            fileList(cc).fPath = disk & "\" & allPath
        End If
        lastParent = fileList(cc).parentFileNumber ' UsnInfo.ParentFileReferenceNumber
    Next
    Erase folderList
    Erase folderIndex
    
Exit Sub
    For cc = 1 To curAddFile
        Print #curF, fileList(cc).FileName, fileList(cc).fPath ' DoubleToHex(fileList(cc).fileNumber)
    Next

End Sub
Private Function NumFind(FNumber As Double) As Long
    Dim K As Long, i As Long
    Dim L1 As Long, R1 As Long
    Dim l As Long, R As Long
    
    l = LBound(folderIndex): R = UBound(folderIndex)
    
NextLoop:
    K = (l + R) Mod 2
    If K = 1 Then '中点
       i = (l + R + 1) / 2
    Else
       i = (l + R) / 2
    End If
    If folderIndex(i).folderNumber <> FNumber Then
       If folderIndex(i).folderNumber > FNumber Then
          L1 = l: R1 = i
       Else
          L1 = i: R1 = R
       End If
       If (R1 - L1) = 1 Then '第一个和最后一个
          If folderIndex(L1).folderNumber = FNumber Then
             NumFind = L1
          ElseIf folderIndex(R1).folderNumber = FNumber Then
             NumFind = R1
          Else
             NumFind = -1 '没有发现
          End If
       Else
          l = L1: R = R1
          GoTo NextLoop
       End If
    Else
       NumFind = i
    End If
End Function

Private Sub SortFolderIndex(l As Long, R As Long)
    Dim i As Long, J As Long, A As Long
    Dim TmpX As TypeFolderIndex, TmpA As TypeFolderIndex
    i = l: J = R: TmpX = folderIndex((l + R) / 2)
    While (i <= J)
        While (folderIndex(i).folderNumber < TmpX.folderNumber And i < R)
            i = i + 1
        Wend
        While (TmpX.folderNumber < folderIndex(J).folderNumber And J > l)
            J = J - 1
        Wend
        If (i <= J) Then
            TmpA = folderIndex(i)
            folderIndex(i) = folderIndex(J)
            folderIndex(J) = TmpA
            i = i + 1: J = J - 1
        End If
    Wend
    If (l < J) Then Call SortFolderIndex(l, J) ' Call NumSortAZ(folderIndex, l, J)
    If (i < R) Then Call SortFolderIndex(i, R) 'Call NumSortAZ(folderIndex, I, R)
End Sub

Private Function DoubleToHex(ByVal Dbl As Double) As String
Dim lo As Long
Dim hi As Long
Dim n() As Long
ReDim n(1)
CopyMemory n(0), Dbl, 8
'lo = DoubleToLongs(Dbl, hi)
DoubleToHex = CStr(Hex(n(1))) & CStr(Hex(n(0)))
End Function

Private Function DoubleToLongs(ByVal Dbl As Double, ByRef SizeHigh As Long) As Long
    Dim SizeLowDbl As Double
    SizeHigh = Fix(Dbl / 4294967296#)
    SizeLowDbl = Dbl - SizeHigh * 4294967296#
    If SizeLowDbl > 2147483647 Then
        DoubleToLongs = CLng(SizeLowDbl - 2147483648#) Xor &H80000000
    Else
        DoubleToLongs = SizeLowDbl
    End If
End Function

Public Function CDblEx(ByVal l As Long) As Double   'LongToDouble
    CDblEx = -CDbl(l And &H80000000) + (l And &H7FFFFFFF)
End Function
Private Function IsNTFS(driveCha As String) As Boolean
Dim res As Long, ts As String, intLen As Long, sysFlags As Long
Dim strNTFS As String
    strNTFS = Space(256)
    If GetVolumeInformation(driveCha & ":\", ts, 0, 0, intLen, sysFlags, strNTFS, 256) Then
        strNTFS = Left(strNTFS, InStr(strNTFS, Chr(0)) - 1)
        If UCase(strNTFS) = "NTFS" Then IsNTFS = True
    End If
End Function

Private Function StripNulls(OriginalStr As String) As String
    If (InStr(OriginalStr, Chr(0)) > 0) Then
        OriginalStr = Left(OriginalStr, InStr(OriginalStr, Chr(0)) - 1)
    End If
    StripNulls = OriginalStr
End Function

'非递归法遍历目录
Public Function SearchFiles(driveCha As String, Optional uboundJump As Long = 10000) As Long ', GetFilePathName() As String) As Long
    Dim hSearch As Long
    Dim WFD As WIN32_FIND_DATA
    Dim cF As Long
    Dim curPath As String
    Dim CountAll As Long, curUbound As Long
    Dim NextSearch As Long
    Dim FileName As String
    Dim GetFilePathName() As String
    curUbound = uboundJump
    ReDim GetFilePathName(curUbound)
    GetFilePathName(0) = driveCha & ":" ', Left(driveCha, Len(driveCha) - 1), driveCha)
    Do
        curPath = GetFilePathName(cF)
        If GetFileAttributes(curPath) And FILE_ATTRIBUTE_DIRECTORY Then
            curPath = curPath & "\*"
            hSearch = FindFirstFile(curPath, WFD)
            If hSearch <> INVALID_HANDLE_VALUE Then
                Do
                    FileName = StripNulls(WFD.cFileName)
                    If (FileName <> ".") And (FileName <> "..") Then
                        CountAll = CountAll + 1
                        If CountAll > curUbound Then
                            curUbound = curUbound + 10000
                            ReDim Preserve GetFilePathName(curUbound)
                        End If
                        GetFilePathName(CountAll) = GetFilePathName(cF) & "\" & FileName
                        'Form1.TestFile GetFilePathName(cF), FileName
                        countFile = countFile + 1
                        Print #curF, FileName, GetFilePathName(cF)
                    End If
                    
                    NextSearch = FindNextFile(hSearch, WFD)
                Loop While NextSearch > 0
            End If
            Call FindClose(hSearch)
        End If
    cF = cF + 1
    Loop While cF <= CountAll
    SearchFiles = CountAll
End Function

和其他语言对比,纯VB代码实现USN读取要慢得多,性能大概相差一倍以上。

VB 利用WMI进行日志监视
chenhui530的专栏
10-03 1573
VERSION 5.00Begin VB.Form frmMain    Caption         =   "Form1"   ClientHeight    =   3090   ClientLeft      =   60   ClientTop       =   450   ClientWidth     =   4680   LinkTopic       =   "Form1" 
获取USN日志基本信息
08-07
关于获取USN基本日志信息的C++ code block 上运行,因为是自己参照网上VC本改编的可能会有些许疏漏。
Everything研究之读取NTFS下的USN日志文件(1)
热门推荐
XuePiaoFei1的专栏
10-10 1万+
转自:http://univasity.iteye.com/blog/805234   http://univasity.iteye.com/blog/805235 我在第一次使用 Everything 时,对其速度确实感到惊讶,后来了解到是通过操作 USN 实现的,并且有一定的局限性(只有 NTFS 下才能使用)。   近来清闲无事(失业了),搞些自己的小项目玩玩。其
Everything研究之读取NTFS下的USN日志文件代码
marg112536的博客
02-27 1050
everything,c++
读取NTFSUSN(快速检索文件)
blackbean的专栏
11-23 4859
有个名叫Everything的软件,搜索文件飞快,看了一下原理,原来NTFS会记录文件的所有操作,也就是说即便文件被删除了,通过USN记录仍然可以知道文件名等部分信息。于是准备写个程序删掉这个信息,但研究了一下,发现它默认其实是关闭的,也就是没必要担心信息外漏。 #define _CRT_SECURE_NO_WARNINGS #include #include #include
C#制作的windows系统文件快速搜索工具,读取USN,易用性与速度都已优化的很好。程序为免安装的exe文件。
07-17
原理是读取ntfsUSN文件日志,然后内建索引加速文件搜索过程。 1、列表文件支持批量处理(删除、复制、复制文件名路径、打开、重命名),或者引用系统菜单。 2、支持拼音首字母缩写搜索,指定文件夹内搜索,多...
C#使用USN技术快速遍历NTFS文件系统
- USN技术不能替代传统的文件遍历方法,因为在某些特定条件下(如非NTFS文件系统USN日志损坏等)可能无法使用。 总结而言,C#中利用USN技术进行极速遍历磁盘文件是一种高效且专业的方法,适用于需要高性能和实时...
Everything:基于 NTFS 文件系统,实现 Windows 文件的实时搜索
最新发布
11-10
不同于 Windows 自带的搜索功能,Everything 不依赖于文件名中的关键词,而是直接读取 NTFS 文件系统USN 日志,这意味着即使文件内容发生变化,它也能快速更新索引。输入关键词后,搜索结果几乎是即时显示的,...
Python实现的NTFS USN日志阅读器
NTFSWindows操作系统中使用的文件系统的标准,而USN日志则是一项系统管理功能,记录着对NTFS卷上所有文件、文件流、目录进行的各种更改操作,包括文件属性的变化和安全设置的更新。此工具对于数据恢复、监控文件...
C#快速NTFS硬盘文件索引
08-09
USN日志NTFS中的一个重要特性,用于记录文件系统中所有更改。每当文件或目录发生改变,如创建、删除、重命名或修改,USN日志都会生成一个条目,记录这些变化。利用USN日志开发者可以构建实时的文件索引,以便...
读取ntfsusn
lusic01的专栏
04-03 1756
上回说到NTFS USN会记录下文件的所有操作,但默认情况下并没有激活这一功能,所以不用担心。在非激活状态,它也只剩下快速查找文件的功能。这回,假设USN JOURNAL被激活了(你可以用控制台命令fsutil usn,或上回说到的FSCTL_CREATE_USN_JOURNAL来开启这一功能),怎么回窥过去的操作?为此,写了段代码来进行试验,程序是检索 123.txt 操作历史(记录空间不是无穷...
NTFS -usnjournal监控
weixin_43763292的博客
06-02 2345
usnjournal 监控
一个API方式存取日志文件的模块
鬼靈空間
10-18 391
<br /><br />'**************************************<br />' 模块名称: AppendToLog<br />' 功能描述:一个很不错的日志文件写入模块,不同于<br />'     open/print/close写文件方法,这个模块使用API <br />'     存取文件,这样保证文件能正确的存取,及时被<br />'     存取的文件正被其他用户打开。这个模块是最安全<br />'     有效的文件写入方法,用于日志文件的创建,当然<br
NTFS的忠实秘书—USN日志
07-20 718
 最近,在江湖中出现了一匹黑马,名为Everything,用它搜索东西转瞬即可搞定,甚至你连眼睛还来不及眨一下。它真的有这么神吗?来试一下便知,进入http://www.voidtools.com/下载安装后,如图1所示,在搜索栏输入关键词后,马上就会出现搜索结果。      点击“Search”(查找)可以定义查找结果的范围,包括“在结果中查找”、“关键词包含路径”等。      Everyth...
NTFS下的USN日志文件
qq_41786318的博客
09-04 3911
Advanced $UsnJrnl Forensics http://forensicinsight.org/wp-content/uploads/2013/07/F-INSIGHT-Advanced-UsnJrnl-Forensics-English.pdf   Everything研究之读取NTFS下的USN日志文件(1) http://www.voidcn.com/article/p...
NTFS - 使用手册
weixin_43763292的博客
06-20 2290
快速搜索
NTFS下的USN日志文件研究
hellozhuzhuye的博客
01-24 1437
Fsutil usn MSDN:https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc788042(v=ws.10)?redirectedfrom=MSDN MSDN
重拾VB之四,日志加强篇
guanking的专栏
03-03 1087
重拾VB之四,日志加强篇   关劲松 PMP     一、关于日志记录功能 主要功能点有 1 在程序目录下生成log目录,用于保存日志文件。 2 自动在log目录中,生成日志文件,文件命名用年月日定义,如20100119_log.log。 3 在日志文件中,每行记录一个时间点的运行内容。时间点的精度应该达到毫秒。 4 在日志文件中,每一行的记录内容为文本信息。 5 在需要记录
USN
lusic01的专栏
03-29 1067
USN是一种在IP协议下融合NAS和SAN的统一存储网络系统.通过全局多协议文件系统,统一存储网络能同时支持文件协议和块协议,实现了NAS设备和SAN设备在IP上的无缝融合,满足了应用开放性、高扩展和海量存储的需求;通过iSCSI软件实现模块,统一存储网络能同时为客户提供文件I/O和块I/O服务,具有NAS和SAN二者的优点;通过自主存储代理文件系统,统一存储网络能同时通过服务器通道或高速附网通道...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

guoyong_cy

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值