Win32 NTFS Journal Dump
01/30/08 - 18:00 PST - Posted by Rob Wyatt, Engine Programmer
Below is the code for a very simple tool that dumps the change journal, in its entirety, directly from the NTFS device driver. The journal normally holds a couple of weeks of disk history. The code dumps everything, tries to decode the reason code that says why each journal entry was created, and also displays when the change was made. The tool generates a lot of data, but it is possible to pass filters to the driver.
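The decoding step described above, as an added illustration that is not the downloadable tool's code: it assumes a buffer already returned by FSCTL_READ_USN_JOURNAL (an 8-byte next-USN value followed by packed USN_RECORD_V2 structures), walks the records with bounds checks, converts the FILETIME stamp to Unix time and names the reason bits. The sample buffer is constructed in the code, not captured from a disk.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
// Subset of the USN_REASON_* flags from winioctl.h (values as documented by Microsoft).
struct ReasonFlag { uint32_t bit; const char* name; };
static const ReasonFlag kReasons[] = {
    {0x1, "DATA_OVERWRITE"}, {0x2, "DATA_EXTEND"}, {0x100, "FILE_CREATE"}, {0x200, "FILE_DELETE"},
    {0x800, "SECURITY_CHANGE"}, {0x1000, "RENAME_OLD_NAME"}, {0x2000, "RENAME_NEW_NAME"}, {0x80000000u, "CLOSE"}};
struct JournalEntry { uint64_t usn; int64_t unixTime; uint32_t reason; std::string name; };
// Render a Reason bitmask as "FILE_CREATE|CLOSE" (bits outside the table are ignored).
std::string decodeReason(uint32_t reason) {
    std::string s;
    for (const ReasonFlag& f : kReasons)
        if (reason & f.bit) s += (s.empty() ? "" : "|") + std::string(f.name);
    return s;
}
// NTFS timestamps are FILETIME: 100 ns ticks since 1601-01-01 UTC. Convert to Unix seconds.
int64_t filetimeToUnix(int64_t ft) { return (ft - 116444736000000000LL) / 10000000LL; }
template <class T> static T rd(const uint8_t* p) { T v; memcpy(&v, p, sizeof v); return v; }
// Walk a FSCTL_READ_USN_JOURNAL output buffer: an 8-byte "next USN", then packed USN_RECORD_V2s
// (60-byte fixed header, UTF-16 name at FileNameOffset). Every field is bounds-checked so a
// truncated or corrupt buffer stops the walk instead of being over-read.
std::vector<JournalEntry> parseJournalBuffer(const uint8_t* buf, size_t len) {
    std::vector<JournalEntry> out;
    for (size_t off = 8; off + 60 <= len;) {
        uint32_t recLen = rd<uint32_t>(buf + off);
        uint16_t nameLen = rd<uint16_t>(buf + off + 56), nameOff = rd<uint16_t>(buf + off + 58);
        if (recLen < 60 || off + recLen > len || (size_t)nameOff + nameLen > recLen) break;
        JournalEntry e{rd<uint64_t>(buf + off + 24), filetimeToUnix(rd<int64_t>(buf + off + 32)), rd<uint32_t>(buf + off + 40), ""};
        for (uint16_t i = 0; i + 1 < nameLen; i += 2) e.name += (char)rd<uint16_t>(buf + off + nameOff + i);
        out.push_back(e); off += recLen;
    }
    return out;
}
// Append one constructed USN_RECORD_V2 (padded to 8 bytes, as NTFS does) to a buffer.
void appendRecord(std::vector<uint8_t>& b, uint64_t usn, int64_t ft, uint32_t reason, const char* name) {
    uint16_t nameLen = (uint16_t)(strlen(name) * 2), ver = 2, nameOff = 60;
    uint32_t recLen = (60 + nameLen + 7) & ~7u; size_t base = b.size(); b.resize(base + recLen, 0);
    memcpy(&b[base], &recLen, 4); memcpy(&b[base + 4], &ver, 2); memcpy(&b[base + 24], &usn, 8);
    memcpy(&b[base + 32], &ft, 8); memcpy(&b[base + 40], &reason, 4);
    memcpy(&b[base + 56], &nameLen, 2); memcpy(&b[base + 58], &nameOff, 2);
    for (size_t i = 0; name[i]; ++i) b[base + 60 + 2 * i] = (uint8_t)name[i];  // ASCII as UTF-16LE
}
// Constructed sample (not real journal data): create+close, then delete+close ten minutes later.
std::vector<uint8_t> sampleBuffer() {
    std::vector<uint8_t> b(8, 0);  // the "next USN" header the driver returns first
    appendRecord(b, 0x1000, 128462184000000000LL, 0x100 | 0x80000000u, "notes.txt");
    appendRecord(b, 0x1048, 128462184000000000LL + 600LL * 10000000, 0x200 | 0x80000000u, "notes.txt");
    return b;
}
```

On Windows the same parser can be fed the buffer from DeviceIoControl on a volume handle; filtering by reason mask or by the user data the post mentions is then a plain comparison on each entry.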
Another thing to consider is that it is possible to tag kernel handles with user data; when those kernel handles are file handles, that user data is written to the journal along with the journal events and can be searched for. This could be used to silently log modifications to certain files, and it's all done for you without any external data files and cannot be bypassed.
The journal can be configured to perform full journaling across the file system, including recording the actual changes made to a file, making it possible to roll back file changes without actually having a copy of the file and to undo any kind of file deletion. This is not enabled by default, as it makes things ridiculously slow, and I don't think there are any system tools to enable it on the non-server versions of Windows. It can be enabled directly at the driver level in any version of Windows.
There is so much that can be done at this level to optimize disk access patterns that an entire book could be written on it. Search indexing and the now-defunct Vista file system work at this level.
In general, be very careful with handles to partitions/drives, as you can very easily mess them up. WriteFile() can be called on any kernel handle; most of the time it does nothing, except when the handle is a file, in which case it writes data to the file. If the handle is a driver, the data write entry point within the driver is called, and for disks and partitions this writes sectors, starting at sector 0 by default. If you open device ‘hdd0’ (the physical boot drive) and write 512 bytes to it, you'll destroy the master boot record on the HDD. You have to be an administrator to do it, but that's the way we all run. You have been warned…
Download disk_journal_dump.cpp