Search
Module:
Directory
Constants
Delegates
Enums
Interfaces
Structures

   Desktop Functions:
advapi32
avifil32
cards
cfgmgr32
comctl32
comdlg32
credui
crypt32
dbghelp
dbghlp
dbghlp32
dhcpsapi
difxapi
dmcl40
dnsapi
dtl
dwmapi
faultrep
fbwflib
fltlib
fwpuclnt
gdi32
gdiplus
getuname
glu32
glut32
gsapi
hhctrl
hid
hlink
httpapi
icmp
imm32
iphlpapi
iprop
irprops
kernel32
mapi32
MinCore
mpr
mqrt
mscorsn
msdelta
msdrm
msi
msports
msvcrt
ncrypt
netapi32
ntdll
ntdsapi
odbc32
odbccp32
ole32
oleacc
oleaut32
opengl32
pdh
powrprof
printui
propsys
psapi
pstorec
query
quickusb
rasapi32
rpcrt4
scarddlg
secur32
setupapi
shell32
shlwapi
twain_32
unicows
urlmon
user32
userenv
uxtheme
version
wer
wevtapi
winfax
winhttp
wininet
winmm
winscard
winspool
wintrust
winusb
wlanapi
ws2_32
wtsapi32
xolehlp
xpsprint

   Smart Device Functions:
aygshell
coredll
ipaqutil
rapi


Show Recent Changes
Subscribe (RSS)
Misc. Pages
Comments
FAQ
Helpful Tools
Playground
Suggested Reading
Website TODO List
Download Visual Studio Add-In
USN_RECORD (Structures)
 
.
Summary
Returned by FSCTL_READ_USN_JOURNAL, etc.

C# Definition:

struct USN_RECORD {
        public UInt32 RecordLength;
        public UInt16 MajorVersion;
        public UInt16 MinorVersion;
        public UInt64 FileReferenceNumber;
        public UInt64 ParentFileReferenceNumber;
        public Int64 Usn;
        public Int64 TimeStamp;  // strictly, this is a LARGE_INTEGER in C
        public UInt32 Reason;
        public UInt32 SourceInfo;
        public UInt32 SecurityId;
        public UInt32 FileAttributes;
        public UInt16 FileNameLength;
        public UInt16 FileNameOffset;
        // DO NOT ASSUME THE FILENAME COMES NEXT, use the FileNameOffset field!
        // The FileNameOffset is relative to the beginning of the structure
        // Use the RecordLength to find the beginning of the next record, which
        // is also relative to the beginning of the structure
        // Note that the FileNameLength length is in bytes, not in (wide) characters
}

VB Definition:

<StructLayout(LayoutKind.Explicit)> Private Structure USN_RECORD
        <FieldOffset(0)> Public RecordLength As Integer         'DWORD RecordLength;
        <FieldOffset(4)> Public MajorVersion As Short           'WORD MajorVersion;  
        <FieldOffset(6)> Public MinorVersion As Short           'WORD MinorVersion;  
        <FieldOffset(8)> Public FileReferenceNumber As Long     'DWORDLONG FileReferenceNumber;  
        <FieldOffset(16)> Public ParentFileReferenceNumber As Long  'DWORDLONG ParentFileReferenceNumber;
        <FieldOffset(24)> Public Usn As Long            'USN Usn;
        <FieldOffset(32)> Public TimeStamp As Long          'LARGE_INTEGER TimeStamp;
        <FieldOffset(40)> Public Reason As Integer          'DWORD Reason;
        <FieldOffset(44)> Public SourceInfo As Integer          'DWORD SourceInfo;
        <FieldOffset(48)> Public SecurityID As Integer          'DWORD SecurityId;
        <FieldOffset(52)> Public FileAttributes As Integer      'DWORD FileAttributes;  
        <FieldOffset(56)> Public FileNameLength As Short        'WORD FileNameLength;
        <FieldOffset(58)> Public FileNameOffset As Short        'WORD FileNameOffset;  
        <FieldOffset(60)> Public FileName As Char           'WCHAR FileName[1];
End Structure

User-Defined Field Types:

None.

Notes:

None.

The above is for what is now called USN_RECORD_V2. For USN_RECORD_V3 the FileReferenceNumber and ParentFileReferenceNumber change to 16-byte values. The result is something like this (not yet tested)

    [StructLayout(LayoutKind.Sequential)]
    unsafe struct USNJournalRecord
    {
    public UInt32 RecordLength;
    public UInt16 MajorVersion;
    public UInt16 MinorVersion;
    public fixed byte FileReferenceNumber[16];
    public fixed byte ParentFileReferenceNumber[16];
    public Int64 Usn;
    public Int64 TimeStamp;
    public USNJournalReason Reason;
    public USNJournalSourceInfo SourceInfo;
    public UInt32 SecurityId;
    public UInt32 FileAttributes;
    public UInt16 FileNameLength;
    public UInt16 FileNameOffset;
    public fixed char FileName[Windows.MAX_PATH];
    }

    [Flags]
    enum USNJournalReason : UInt32
    {
    DataOverwrite = 0x00000001,
    DataExtend = 0x00000002,
    DataTruncation = 0x00000004,

    NamedDataOverwrite = 0x00000010,
    NamedDataExtend = 0x00000020,
    NamedDataTruncation = 0x00000040,

    FileCreate = 0x00000100,
    FileDelete = 0x00000200,
    EAChange = 0x00000400,
    SecurityChange = 0x00000800,

    RenameOldName = 0x00001000,
    RenameNewName = 0x00002000,
    IndexableChange = 0x00004000,
    BasicInfoChange = 0x00008000,

    HardLinkChange = 0x00010000,
    CompressionChange = 0x00020000,
    EncryptionChange = 0x00040000,
    ObjectIDChange = 0x00080000,

    ReparsePointChange = 0x00100000,
    StreamChange = 0x00200000,

    Close = 0x80000000
    }

    [Flags]
    enum USNJournalSourceInfo : UInt32
    {
    DataManagement = 0x00000001,
    AuxiliaryData = 0x00000002,
    ReplicationManagement = 0x00000004
    }

Documentation
USN_RECORD on MSDN

Please edit this page!

Do you have...

  • helpful tips?
  • corrections to the existing content?
  • alternate definitions?
  • additional languages you want to include?

Select "Edit This Page" on the right hand toolbar and edit it! Or add new pages containing any supporting types needed.

 
Access PInvoke.net directly from VS:
Terms of Use
Edit This Page
Find References
Show Printable Version
Revisions