Using the Change Journal Identifier

NTFS associates an unsigned 64-bit identifier with each change journal. The journal is stamped with this identifier when it is created. The file system restamps the journal with a new identifier where the existing USN records either are or may be unusable.

For example, NTFS restamps a change journal with a new identifier when a volume is moved from Windows 2000 to Microsoft® Windows NT® version 4.0 and then back to Windows 2000. Such a move can happen in a dual-boot environment or when working with removable media.

To obtain the identifier of the current change journal on a specified volume, use the FSCTL_QUERY_USN_JOURNAL operation for the DeviceIoControl function. To perform this and all other change journal operations, you must have system administrator privileges. That is, you must be a member of the Administrators group.

When an administrator deletes and recreates the change journal, for example when the current USN value approaches the maximum possible USN value, the USN values begin again from zero. When NTFS stamps a journal with a new identifier rather than recreating the journal, it does not reset the USN to zero but continues from the current USN. In either case, all existing USNs are less than any future USNs.

When you need information on a specific set of records, use the DeviceIoControl operation FSCTL_QUERY_USN_JOURNAL to obtain the change journal identifier. Then use the FSCTL_READ_USN_JOURNAL operation to read the journal records of interest. NTFS only returns records that are valid for the journal specified by the identifier.

Your application needs both the records' USNs and the identifier to read the journal. This requirement provides an integrity check for cases where your application should ignore the existing records in the file and where records were written in previous instances of the journal for the same volume.

To obtain the records in which you are interested, you must start at the oldest record (that is, with the lowest USN) and scan forward until you locate the first record of interest.

Note  In order for a Windows NT 4.0 system to read an NTFS file system in Windows 2000, either you should upgrade the Windows NT 4.0 system to Windows NT 4.0 Service Pack 4 or higher, or install Windows 2000 on the same computer. Installation of Windows 2000 beta 2 or higher upgrades Windows NT 4.0 to read and write Windows 2000 volumes and upgrades all volumes to Windows 2000 NTFS.

The Windows NT 4.0 drivers for NTFS volumes in Windows 2000 do not maintain the change journal, and Windows NT 4.0 does not allow access to the change journal.