USN Journal

The USN Journal (Update Sequence Number Journal), or Change Journal [1], is a feature of the Windows NT file system (NTFS) which maintains a record of changes made to the volume. It is not to be confused with the journal used for NTFS file system journaling.

When Windows 2000 was released, Microsoft created NTFS version 3.0, which included several new features and improvements over older versions of the file system. One of these was a new system management feature that is very useful for certain types of applications. Under Windows 2000, NTFS 3.0 partitions can be set to keep track of changes to files and directories on the volume, providing a record of when and what was done to the various objects. When enabled, the system records all changes made to the volume in the USN Journal, which is the name also used to describe the feature itself.

One journal is maintained for each NTFS volume and stored in the NTFS metafile named $Extend\$UsnJrnl. It begins as an empty file. Whenever a change is made to the volume, a record is added to the file. Each record is identified by a 64-bit Update Sequence Number or USN (for this reason Change Journals are sometimes called USN Journals). Each record in the Change Journal contains the USN, the name of the file, and information about what the change was.

The Change Journal describes the changes that took place using bit flags (e.g. USN_REASON_DATA_OVERWRITE [2]); it therefore does not include all the data or details associated with the change. For this reason the Change Journal cannot be used to undo operations on files within NTFS.
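The record contents and reason bit flags described above, as an added example that is not part of the original article: a Python parser for USN_RECORD_V2 structures (the format cited in reference 2) that extracts the USN, timestamp, file name and decoded reason flags from raw journal bytes. The field layout and flag values follow Microsoft's USN_RECORD_V2 documentation; the sample bytes are constructed, and `build_record` is a hypothetical helper used only to produce them.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of the USN_REASON_* bit flags defined in winioctl.h
REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
HEADER = struct.Struct("<IHHQQqQIIIIHH")  # fixed 60-byte part of USN_RECORD_V2
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_usn_v2(buf):
    """Yield (usn, utc_time, file_name, [reason names]) for each V2 record in buf."""
    pos = 0
    while pos + HEADER.size <= len(buf):
        (length, major, _minor, _fref, _parent, usn, ftime, reason,
         _src, _sid, _attrs, name_len, name_off) = HEADER.unpack_from(buf, pos)
        if length == 0:   # zero-filled (sparse) region: step to the next 8-byte boundary
            pos += 8
            continue
        if (major != 2 or length < HEADER.size or pos + length > len(buf)
                or name_off + name_len > length):
            break         # not a well-formed V2 record: stop rather than guess
        name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le", "replace")
        when = EPOCH + timedelta(microseconds=ftime // 10)  # FILETIME is in 100 ns units
        flags = [label for bit, label in REASONS.items() if reason & bit]
        yield usn, when, name, flags
        pos += length

def build_record(usn, ftime, reason, name):
    """Hypothetical helper: build one constructed V2 record (not from a real volume)."""
    raw = name.encode("utf-16-le")
    length = (HEADER.size + len(raw) + 7) & ~7  # records are padded to 8 bytes
    hdr = HEADER.pack(length, 2, 0, 0x1000000000042, 0x5000000000005, usn, ftime,
                      reason, 0, 0, 0x20, len(raw), HEADER.size)
    return (hdr + raw).ljust(length, b"\0")

# Constructed sample: zero padding, then a create record and a delete-on-close record
SAMPLE = (b"\0" * 16
          + build_record(4096, 132000000000000000, 0x00000100, "report.docx")
          + build_record(4184, 132000000010000000, 0x80000201, "report.docx"))
RECORDS = list(parse_usn_v2(SAMPLE))
```

The parser recovers what changed and when, but not the overwritten or deleted data itself, which is why the journal supports timeline reconstruction and not undo.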

Uses

The USN Journal is used by the File History feature introduced in Windows 8 to determine which files have changed since the last backup, so that only those files are added to the history. [3]

Related Research Articles

Windows 2000 Personal computer operating system by Microsoft released in 2000

Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was released to manufacturing on December 15, 1999, and was officially released to retail on February 17, 2000. It was Microsoft's business operating system until the introduction of Windows XP Professional in 2001.

New Technology File System (NTFS) is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family. It superseded File Allocation Table (FAT) as the preferred filesystem on Windows and is supported in Linux and BSD as well. NTFS reading and writing support is provided using a free and open-source kernel implementation known as NTFS3 in Linux and the NTFS-3G driver in BSD. Windows can convert FAT32/16/12 into NTFS without the need to rewrite all files. NTFS uses several files typically hidden from the user to store metadata about other files stored on the drive which can help improve speed and performance when reading data. Unlike FAT and High Performance File System (HPFS), NTFS supports access control lists (ACLs), filesystem encryption, transparent compression, sparse files and file system journaling. NTFS also supports shadow copy to allow backups of a system while it is running, but the functionality of the shadow copies varies between different versions of Windows.

In computing, a hard link is a directory entry that associates a name with a file. Thus, each file must have at least one hard link. Creating additional hard links for a file makes the contents of that file accessible via additional paths. This causes an alias effect: a process can open the file by any one of its paths and change its content. By contrast, a soft link or “shortcut” to a file is not a direct link to the data itself, but rather a reference to a hard link or another soft link.

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

Windows Services for UNIX (SFU) is a discontinued software package produced by Microsoft which provided a Unix environment on Windows NT and some of its immediate successor operating-systems.

Shadow Copy Microsoft technology for storage snapshots

Shadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use. It is implemented as a Windows service called the Volume Shadow Copy service. A software VSS provider service is also included as part of Windows to be used by Windows applications. Shadow Copy technology requires either the Windows NTFS or ReFS filesystems in order to create and store shadow copies. Shadow Copies can be created on local and external volumes by any Windows component that uses this technology, such as when creating a scheduled Windows Backup or automatic System Restore point.

Windows Server 2008 Server operating system by Microsoft released in 2008

Windows Server 2008 is the fourth release of the Windows Server operating system produced by Microsoft as part of the Windows NT family of the operating systems. It was released to manufacturing on February 4, 2008, and generally to retail on February 27, 2008. Derived from Windows Vista, Windows Server 2008 is the successor of Windows Server 2003 and the predecessor to Windows Server 2008 R2.

Windows Preinstallation Environment Lightweight version of Microsoft Windows for deployment

Windows Preinstallation Environment is a lightweight version of Windows used for the deployment of PCs, workstations, and servers, or troubleshooting an operating system while it is offline. It is intended to replace MS-DOS boot disks and can be booted via USB flash drive, PXE, iPXE, CD-ROM, or hard disk. Traditionally used by large corporations and OEMs, it is now widely available free of charge via Windows Assessment and Deployment Kit (WADK).

Microsoft Virtual Server was a virtualization solution that facilitated the creation of virtual machines on the Windows XP, Windows Vista and Windows Server 2003 operating systems. Originally developed by Connectix, it was acquired by Microsoft prior to release. Virtual PC is Microsoft's related desktop virtualization software package.

Transactional NTFS is a component introduced in Windows Vista and present in later versions of the Microsoft Windows operating system that brings the concept of atomic transactions to the NTFS file system, allowing Windows application developers to write file-output routines that are guaranteed to either succeed completely or to fail completely. Major operating system components, including System Restore, Task Scheduler, and Windows Update, rely on TxF for stability. During the development of Windows Vista, WinFS also relied on TxF for storing files.

BitLocker Disk encryption software for Microsoft Windows

BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.

The following tables compare general and technical information for a number of file systems.

Robocopy, for "Robust File Copy", is a command-line directory and/or file replication command for Microsoft Windows. Robocopy functionally replaces Xcopy, with more options. Created by Kevin Allen and first released as part of the Windows NT 4.0 Resource Kit, it has been a standard feature of Windows since Windows Vista and Windows Server 2008. The command is robocopy.

An NTFS reparse point is a type of NTFS file system object. It is available with the NTFS v3.0 found in Windows 2000 or later versions. Reparse points provide a way to extend the NTFS filesystem. A reparse point contains a reparse tag and data that are interpreted by a filesystem filter identified by the tag. Microsoft includes several default tags including NTFS symbolic links, directory junction points, volume mount points and Unix domain sockets. Also, reparse points are used as placeholders for files moved by Windows 2000's Remote Storage Hierarchical Storage System. They also can act as hard links, but are not limited to pointing to files on the same volume: they can point to directories on any local volume. The feature is inherited by ReFS.

Backup and Restore

Backup and Restore is the primary backup component of Windows Vista and Windows 7. It can create file and folder backups, as well as system image backups, to be used for recovery in the event of data corruption, hard disk drive failure, or malware infection. It replaces NTBackup, which has been part of Windows since Windows NT 3.51. Unlike its predecessor, it supports CDs, DVDs, and Blu-ray discs as backup media.

Windows Server 2008 R2 Server operating system by Microsoft released in 2009

Windows Server 2008 R2 is the fifth version of the Windows Server operating system produced by Microsoft and released as part of the Windows NT family of operating systems. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009, shortly after the completion of Windows 7. It is the successor to Windows Server 2008, which is derived from the Windows Vista codebase, released the previous year, and was succeeded by the Windows 8-based Windows Server 2012.

VHD and its successor VHDx are file formats representing a virtual hard disk drive (HDD). They may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders. They are typically used as the hard disk of a virtual machine, are built into modern versions of Windows, and are the native file format for Microsoft's hypervisor, Hyper-V.

Windows NT is a proprietary graphical operating system produced by Microsoft, the first version of which was released on July 27, 1993. It is a processor-independent, multiprocessing and multi-user operating system.

Resilient File System (ReFS), codenamed "Protogon", is a Microsoft proprietary file system introduced with Windows Server 2012 with the intent of becoming the "next generation" file system after NTFS.

Windows Server 2012 Server operating system by Microsoft released in 2012

Windows Server 2012 is the sixth version of the Windows Server operating system by Microsoft, as part of the Windows NT family of operating systems. It is the server version of Windows based on Windows 8 and succeeds Windows Server 2008 R2, which is derived from the Windows 7 codebase, released nearly three years earlier. Two pre-release versions, a developer preview and a beta version, were released during development. The software was officially launched on September 4, 2012, two months before the release of Windows 8. A successor was released on October 18, 2013, entitled Windows Server 2012 R2. Microsoft ended mainstream support for Windows Server 2012 on October 9, 2018, and extended support will end on October 10, 2023.

References

  1. "Change Journals". Microsoft Docs. Microsoft Corporation. 31 May 2018. Retrieved 18 April 2020.
  2. "USN_RECORD_V2 structure". Microsoft Developer Network. Microsoft Corporation. Retrieved 6 November 2014.
  3. Bright, Peter (11 July 2012). "A step back in time with Windows 8's File History". Ars Technica. Retrieved 2 February 2014.