Search
Module:
Directory

   Desktop Functions:

   Smart Device Functions:


Show Recent Changes
Subscribe (RSS)
Misc. Pages
Comments
FAQ
Helpful Tools
Playground
Suggested Reading
Website TODO List
Download Visual Studio Add-In

USN_RECORD (Structures)
 
.
Summary
Returned by FSCTL_READ_USN_JOURNAL, etc.

C# Definition:

struct USN_RECORD {
        public UInt32 RecordLength;
        public UInt16 MajorVersion;
        public UInt16 MinorVersion;
        public UInt64 FileReferenceNumber;
        public UInt64 ParentFileReferenceNumber;
        public Int64 Usn;
        public Int64 TimeStamp;  // strictly, this is a LARGE_INTEGER in C
        public UInt32 Reason;
        public UInt32 SourceInfo;
        public UInt32 SecurityId;
        public UInt32 FileAttributes;
        public UInt16 FileNameLength;
        public UInt16 FileNameOffset;
        // immediately after the FileNameOffset comes an array of WCHARs containing the FileName
}

VB Definition:

<StructLayout(LayoutKind.Explicit)> Private Structure USN_RECORD
        <FieldOffset(0)> Public RecordLength As Integer         'DWORD RecordLength;
        <FieldOffset(4)> Public MajorVersion As Short           'WORD MajorVersion;  
        <FieldOffset(6)> Public MinorVersion As Short           'WORD MinorVersion;  
        <FieldOffset(8)> Public FileReferenceNumber As Long     'DWORDLONG FileReferenceNumber;  
        <FieldOffset(16)> Public ParentFileReferenceNumber As Long  'DWORDLONG ParentFileReferenceNumber;
        <FieldOffset(24)> Public Usn As Long            'USN Usn;
        <FieldOffset(32)> Public TimeStamp As Long          'LARGE_INTEGER TimeStamp;
        <FieldOffset(40)> Public Reason As Integer          'DWORD Reason;
        <FieldOffset(44)> Public SourceInfo As Integer          'DWORD SourceInfo;
        <FieldOffset(48)> Public SecurityID As Integer          'DWORD SecurityId;
        <FieldOffset(52)> Public FileAttributes As Integer      'DWORD FileAttributes;  
        <FieldOffset(56)> Public FileNameLength As Short        'WORD FileNameLength;
        <FieldOffset(58)> Public FileNameOffset As Short        'WORD FileNameOffset;  
        <FieldOffset(60)> Public FileName As Char           'WCHAR FileName[1];
End Structure

User-Defined Field Types:

None.

Notes:

None.

The above is for what is now called USN_RECORD_V2. For USN_RECORD_V3 the FileReferenceNumber and ParentFileReferenceNumber change to 16-byte values. The result is something like this (not yet tested)

    [StructLayout(LayoutKind.Sequential)]
    unsafe struct USNJournalRecord
    {
    public UInt32 RecordLength;
    public UInt16 MajorVersion;
    public UInt16 MinorVersion;
    public fixed byte FileReferenceNumber[16];
    public fixed byte ParentFileReferenceNumber[16];
    public Int64 Usn;
    public Int64 TimeStamp;
    public USNJournalReason Reason;
    public USNJournalSourceInfo SourceInfo;
    public UInt32 SecurityId;
    public UInt32 FileAttributes;
    public UInt16 FileNameLength;
    public UInt16 FileNameOffset;
    public fixed char FileName[Windows.MAX_PATH];
    }

    [Flags]
    enum USNJournalReason : UInt32
    {
    DataOverwrite = 0x00000001,
    DataExtend = 0x00000002,
    DataTruncation = 0x00000004,

    NamedDataOverwrite = 0x00000010,
    NamedDataExtend = 0x00000020,
    NamedDataTruncation = 0x00000040,

    FileCreate = 0x00000100,
    FileDelete = 0x00000200,
    EAChange = 0x00000400,
    SecurityChange = 0x00000800,

    RenameOldName = 0x00001000,
    RenameNewName = 0x00002000,
    IndexableChange = 0x00004000,
    BasicInfoChange = 0x00008000,

    HardLinkChange = 0x00010000,
    CompressionChange = 0x00020000,
    EncryptionChange = 0x00040000,
    ObjectIDChange = 0x00080000,

    ReparsePointChange = 0x00100000,
    StreamChange = 0x00200000,

    Close = 0x80000000
    }

    [Flags]
    USNJournalSourceInfo : UInt32
    {
    DataManagement = 0x00000001,
    AuxiliaryData = 0x00000002,
    ReplicationManagement = 0x00000004
    }

Documentation
USN_RECORD on MSDN

Please edit this page!

Do you have...

  • helpful tips?
  • corrections to the existing content?
  • alternate definitions?
  • additional languages you want to include?

Select "Edit This Page" on the right hand toolbar and edit it! Or add new pages containing any supporting types needed.

 
Access PInvoke.net directly from VS:
Terms of Use
Find References
Show Printable Version
Revisions