USN_RECORD (Structures)
Last changed: Doug Gale-216.58.84.12

.
Summary
Returned by FSCTL_READ_USN_JOURNAL, etc.

C# Definition:

struct USN_RECORD {
        public UInt32 RecordLength;
        public UInt16 MajorVersion;
        public UInt16 MinorVersion;
        public UInt64 FileReferenceNumber;
        public UInt64 ParentFileReferenceNumber;
        public Int64 Usn;
        public Int64 TimeStamp;  // strictly, this is a LARGE_INTEGER in C
        public UInt32 Reason;
        public UInt32 SourceInfo;
        public UInt32 SecurityId;
        public UInt32 FileAttributes;
        public UInt16 FileNameLength;
        public UInt16 FileNameOffset;
        // DO NOT ASSUME THE FILENAME COMES NEXT, use the FileNameOffset field!
        // The FileNameOffset is relative to the beginning of the structure
        // Use the RecordLength to find the beginning of the next record, which
        // is also relative to the beginning of the structure
}

VB Definition:

<StructLayout(LayoutKind.Explicit)> Private Structure USN_RECORD
        <FieldOffset(0)> Public RecordLength As Integer         'DWORD RecordLength;
        <FieldOffset(4)> Public MajorVersion As Short           'WORD MajorVersion;  
        <FieldOffset(6)> Public MinorVersion As Short           'WORD MinorVersion;  
        <FieldOffset(8)> Public FileReferenceNumber As Long     'DWORDLONG FileReferenceNumber;  
        <FieldOffset(16)> Public ParentFileReferenceNumber As Long  'DWORDLONG ParentFileReferenceNumber;
        <FieldOffset(24)> Public Usn As Long            'USN Usn;
        <FieldOffset(32)> Public TimeStamp As Long          'LARGE_INTEGER TimeStamp;
        <FieldOffset(40)> Public Reason As Integer          'DWORD Reason;
        <FieldOffset(44)> Public SourceInfo As Integer          'DWORD SourceInfo;
        <FieldOffset(48)> Public SecurityID As Integer          'DWORD SecurityId;
        <FieldOffset(52)> Public FileAttributes As Integer      'DWORD FileAttributes;  
        <FieldOffset(56)> Public FileNameLength As Short        'WORD FileNameLength;
        <FieldOffset(58)> Public FileNameOffset As Short        'WORD FileNameOffset;  
        <FieldOffset(60)> Public FileName As Char           'WCHAR FileName[1];
End Structure

User-Defined Field Types:

None.

Notes:

None.

The above is for what is now called USN_RECORD_V2. For USN_RECORD_V3 the FileReferenceNumber and ParentFileReferenceNumber change to 16-byte values. The result is something like this (not yet tested)

    [StructLayout(LayoutKind.Sequential)]
    unsafe struct USNJournalRecord
    {
    public UInt32 RecordLength;
    public UInt16 MajorVersion;
    public UInt16 MinorVersion;
    public fixed byte FileReferenceNumber[16];
    public fixed byte ParentFileReferenceNumber[16];
    public Int64 Usn;
    public Int64 TimeStamp;
    public USNJournalReason Reason;
    public USNJournalSourceInfo SourceInfo;
    public UInt32 SecurityId;
    public UInt32 FileAttributes;
    public UInt16 FileNameLength;
    public UInt16 FileNameOffset;
    public fixed char FileName[Windows.MAX_PATH];
    }

    [Flags]
    enum USNJournalReason : UInt32
    {
    DataOverwrite = 0x00000001,
    DataExtend = 0x00000002,
    DataTruncation = 0x00000004,

    NamedDataOverwrite = 0x00000010,
    NamedDataExtend = 0x00000020,
    NamedDataTruncation = 0x00000040,

    FileCreate = 0x00000100,
    FileDelete = 0x00000200,
    EAChange = 0x00000400,
    SecurityChange = 0x00000800,

    RenameOldName = 0x00001000,
    RenameNewName = 0x00002000,
    IndexableChange = 0x00004000,
    BasicInfoChange = 0x00008000,

    HardLinkChange = 0x00010000,
    CompressionChange = 0x00020000,
    EncryptionChange = 0x00040000,
    ObjectIDChange = 0x00080000,

    ReparsePointChange = 0x00100000,
    StreamChange = 0x00200000,

    Close = 0x80000000
    }

    [Flags]
    enum USNJournalSourceInfo : UInt32
    {
    DataManagement = 0x00000001,
    AuxiliaryData = 0x00000002,
    ReplicationManagement = 0x00000004
    }

Documentation
USN_RECORD on MSDN