
Let's say NTFS's journalling is enabled but I don't want some of my files' change records to be added to the journal. Is this possible? And if not, is there any way that, even if the change related to a particular file is added into the USN journal, I can delete only that record related to that particular file? From what I have read so far, you can delete the whole journal in one go using the defragmentation API or the fsutil tool, but not individual records.

Any help would be appreciated.

pnuts
awatan
  • I think it is possible using direct write to the disk. – Xearinox Feb 23 '14 at 12:43
  • but that would mean I'll have to understand the USN journal structure, reach to it and delete raw data which may introduce instability and on top of it, most probably, lock the whole volume just for this small operation. – awatan Feb 23 '14 at 13:35
  • It was some time ago when I worked with this, but a similar objective worked without any problems. – Xearinox Feb 23 '14 at 14:42
  • I'm voting to close this question as off-topic because it appears to have malicious intent, and in keeping with https://meta.stackoverflow.com/questions/267699/how-do-we-handle-questions-that-are-potentially-or-blatantly-illegal-or-maliciou it should be removed. Plus, to add insult to injury, I mean to downvote the answer and upvoted instead. – Clay Mar 22 '19 at 18:55

1 Answer


It's true. While the journal exists, you cannot hide file changes. And you cannot delete single USN records the regular way. As Xearinox pointed out, the only way to manipulate that data is through direct disk write operations.

If you are interested in that, this is what you want to read:

Keeping an Eye on Your NTFS Drives: the Windows 2000 Change Journal Explained
Keeping an Eye on Your NTFS Drives, Part II: Building a Change Journal Application

In short: the USN journal is a non-fragmented series of USN records. The Update Sequence Number is actually just an offset. [1] So the whole structure is pretty straightforward.

The Change Journal always writes new records to the end of the file, so the implementors chose to use the file offset of a record as its USN
Source: Keeping an Eye on Your NTFS Drives: the Windows 2000 Change Journal Explained

Daniel
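As an added example (not part of Daniel's answer or of the articles he links), the following Python parses a buffer of USN_RECORD_V2 records and checks the property the answer describes: each record's Usn should equal its byte offset in the journal stream, so a record whose Usn field disagrees with its position indicates the stream has been altered or misread. The record layout is the documented V2 layout; the sample records, file reference numbers and timestamps are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed part of USN_RECORD_V2 (60 bytes, little-endian): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp,
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
USN_RECORD_V2 = struct.Struct("<IHHQQqqIIIIHH")
HEADER_LEN = USN_RECORD_V2.size  # 60
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# A few documented USN_REASON_* flags, enough to label the constructed sample
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
           0x200: "FILE_DELETE", 0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}

def build_record(usn, name, reason, frn=0x10000000000CAFE, parent=0x5000000000005,
                 filetime=132000000000000000):
    """Serialize one V2 record. Constructed test data, not read from a real volume."""
    fname = name.encode("utf-16-le")
    length = (HEADER_LEN + len(fname) + 7) & ~7          # records are 8-byte aligned
    hdr = USN_RECORD_V2.pack(length, 2, 0, frn, parent, usn, filetime, reason,
                             0, 0, 0x20, len(fname), HEADER_LEN)
    return hdr + fname + b"\0" * (length - HEADER_LEN - len(fname))

def parse_journal(buf, base_usn=0):
    """Walk consecutive records; base_usn is the USN of buf[0] (0 if buf starts $J)."""
    records, offset = [], 0
    while offset + HEADER_LEN <= len(buf):
        (length, _major, _minor, frn, parent, usn, ts, reason, _src, _sid, _attrs,
         nlen, noff) = USN_RECORD_V2.unpack_from(buf, offset)
        if length < HEADER_LEN or offset + length > len(buf):
            break                                         # truncated record or padding
        records.append({
            "offset": offset, "expected_usn": base_usn + offset, "usn": usn,
            "frn": frn, "parent": parent,
            "name": buf[offset + noff: offset + noff + nlen].decode("utf-16-le"),
            "reasons": [n for bit, n in REASONS.items() if reason & bit],
            "time": FILETIME_EPOCH + timedelta(microseconds=ts // 10),
        })
        offset += length
    return records

def check_usn_offsets(records):
    """Records whose Usn field disagrees with their position in the stream."""
    return [r for r in records if r["usn"] != r["expected_usn"]]
```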