| Platform SDK: Files and I/O |
The NTFS file system maintains a log or change journal that records changes to files. NTFS maintains the change journal in order to recover file system indexing, for example after a computer or volume failure. The ability to recover indexing means the file system can avoid the time-consuming process of reindexing the whole volume in such cases. The change journal software is available only with the Microsoft® Windows® 2000® operating system.
The change journal provides support for any service that tracks changes to a volume. Such services can include indexing packages as well as storage management software.
As files, directories, and other NTFS objects are added, deleted, and modified, NTFS enters records into the change journal in streams, one for each volume on the computer. Each record indicates the type of change and the object changed. The offset from the beginning of the stream for a particular record is called the update sequence number (USN) for the particular record. New records are appended to the end of the stream.
NTFS may delete old records in order to conserve space. If needed records have been deleted, the indexing service recovers by reindexing the volume, as it does when no change journal exists.
The change journal logs only the fact of a change to a file and the reason for the change (for example, write operations, truncation, lengthening, deletion, and so on). It does not record enough information to allow reversing the change.
In addition, multiple changes to the same file may result in only one reason flag being added to the current record. If the same kind of change occurs more than once, NTFS does not write a new record for the changes after the first. For example, several write operations with no intervening close and reopen operations result in only one change record with the reason flag USN_REASON_DATA_OVERWRITE set.
To illustrate how the change journal works, suppose a user accesses a file in the following fashion:
In this case, NTFS takes the following actions in the change journal (where | indicates a bitwise OR operation).
| Event | NTFS action |
|---|---|
| Initial write operation | NTFS writes a new USN record with the USN_REASON_DATA_OVERWRITE reason flag set. For more information on possible reason flags, see the USN_RECORD structure topic. |
| Setting of file time stamp | NTFS writes a new USN record with the flag setting USN_REASON_DATA_OVERWRITE | USN_REASON_BASIC_INFO_CHANGE. |
| Second write operation | NTFS does not write a new USN record. Because USN_REASON_DATA_OVERWRITE is already set for the existing record, no changes are made to the record. |
| File truncation | NTFS writes a new USN record with the flag setting USN_REASON_DATA_OVERWRITE | USN_REASON_BASIC_INFO_CHANGE | USN_REASON_DATA_TRUNCATION. |
| Third write operation | NTFS does not write a new USN record. Because USN_REASON_DATA_OVERWRITE is already set for the existing record, no changes are made to the record. |
| Close operation | If the user making changes is the only user of the file, NTFS writes a new USN record with the following flag setting: USN_REASON_DATA_OVERWRITE | USN_REASON_BASIC_INFO_CHANGE | USN_REASON_DATA_TRUNCATION | USN_REASON_CLOSE. |
The change journal accumulates a series of records between the first opening and last closing of a file. Each record has a new reason flag set, indicating that a new kind of change has occurred. The sequence of records gives a partial history of the file. The final record, created when the file is closed, adds the USN_REASON_CLOSE flag. This record represents a summary of changes to the file, but unlike the prior records, gives no indication of the order of the changes.
The next user to access and change the file generates a new USN record with a single reason flag.