The USN Journal (Update Sequence Number Journal), or Change Journal, [1] is a feature of the Windows NT file system (NTFS) which maintains a record of changes made to the volume. It is not to be confused with the journal used for the NTFS file system journaling.
When Windows 2000 was released, Microsoft created NTFS version 3.0, which included several new features and improvements over older versions of the file system. One of these was a new system management feature that is very useful for certain types of applications. Under Windows 2000, NTFS 3.0 partitions can be set to keep track of changes to files and directories on the volume, providing a record of when and what was done to the various objects. When enabled, the system records all changes made to the volume in the USN Journal, which is the name also used to describe the feature itself.
One journal is maintained for each NTFS volume and stored in the NTFS metafile named $Extend\$UsnJrnl. It begins as an empty file. Whenever a change is made to the volume, a record is added to the file. Each record is identified by a 64-bit Update Sequence Number or USN (for this reason Change Journals are sometimes called USN Journals). Each record in the Change Journal contains the USN, the name of the file, and information about what the change was.
The Change Journal describes the changes that took place using bit flags (e.g. USN_REASON_DATA_OVERWRITE [2] ), therefore it does not include all the data or details associated with the change. For this reason the Change Journal cannot be used to undo operations on files within NTFS.
The USN Journal is used by the File History feature introduced in Windows 8 to determine which files have changed since the last backup so that only files that have changed are added to the history. [3] The desktop search utility Everything monitors the journal to update its database of file names. [4]
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Windows Server operating systems include it as a set of processes and services. Originally, only centralized domain management used Active Directory. However, it ultimately became an umbrella title for various directory-based identity-related services.
NT File System (NTFS) is a proprietary journaling file system developed by Microsoft in the 1990s.
In computing, a hard link is a directory entry that associates a name with a file. Thus, each file must have at least one hard link. Creating additional hard links for a file makes the contents of that file accessible via additional paths. This causes an alias effect: a process can open the file by any one of its paths and change its content. By contrast, a soft link or “shortcut” to a file is not a direct link to the data itself, but rather a reference to a hard link or another soft link.
The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.
The Installable File System (IFS) is a filesystem API in MS-DOS/PC DOS 4.x, IBM OS/2 and Microsoft Windows that enables the operating system to recognize and load drivers for file systems.
Shadow Copy is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use. It is implemented as a Windows service called the Volume Shadow Copy service. A software VSS provider service is also included as part of Windows to be used by Windows applications. Shadow Copy technology requires either the Windows NTFS or ReFS filesystems in order to create and store shadow copies. Shadow Copies can be created on local and external volumes by any Windows component that uses this technology, such as when creating a scheduled Windows Backup or automatic System Restore point.
In computing, Windows on Windows is a discontinued compatibility layer of 32-bit versions of the Windows NT family of operating systems since 1993 with the release of Windows NT 3.1, which extends NTVDM to provide limited support for running legacy 16-bit programs written for Windows 3.x or earlier. There is a similar subsystem, known as WoW64, on 64-bit Windows versions that runs 32-bit programs.
Windows Server 2008, codenamed "Longhorn Server", is the seventh release of the Windows Server operating system produced by Microsoft as part of the Windows NT family of the operating systems. It was released to manufacturing on February 4, 2008, and generally to retail on February 27, 2008. Derived from Windows Vista, Windows Server 2008 is the successor of Windows Server 2003 and the predecessor to Windows Server 2008 R2. It removed support for processors without ACPI, and is the first version that includes Hyper-V.
Windows Preinstallation Environment is a lightweight version of Windows used for the deployment of PCs, workstations, and servers, or troubleshooting an operating system while it is offline. It is intended to replace MS-DOS boot disks and can be booted via USB flash drive, PXE, iPXE, CD, DVD, or hard disk. Traditionally used by large corporations and OEMs, it is now widely available free of charge via Windows Assessment and Deployment Kit (WADK).
Transactional NTFS is a component introduced in Windows Vista and present in later versions of the Microsoft Windows operating system that brings the concept of atomic transactions to the NTFS file system, allowing Windows application developers to write file-output routines that are guaranteed to either succeed completely or to fail completely. Major operating system components, including System Restore, Task Scheduler, and Windows Update, rely on TxF for stability. During the development of Windows Vista, WinFS also relied on TxF for storing files.
BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the Advanced Encryption Standard (AES) algorithm in cipher block chaining (CBC) or "xor–encrypt–xor (XEX)-based Tweaked codebook mode with ciphertext Stealing" (XTS) mode with a 128-bit or 256-bit key. CBC is not used over the whole disk; it is applied to each individual sector.
The following tables compare general and technical information for a number of file systems.
Robocopy is a command-line file transfer utility for Microsoft Windows. Robocopy is functionally more comprehensive than the COPY command and XCOPY, but replaces neither. Created by Kevin Allen and first released as part of the Windows NT 4.0 Resource Kit, it has been a standard feature of Windows since Windows Vista and Windows Server 2008.
An NTFS reparse point is a type of NTFS file system object. It is available with the NTFS v3.0 found in Windows 2000 or later versions. Reparse points provide a way to extend the NTFS filesystem. A reparse point contains a reparse tag and data that are interpreted by a filesystem filter driver identified by the tag. Microsoft includes several default tags including NTFS symbolic links, directory junction points, volume mount points and Unix domain sockets. Also, reparse points are used as placeholders for files moved by Windows 2000's Remote Storage Hierarchical Storage System. They also can act as hard links, but are not limited to pointing to files on the same volume: they can point to directories on any local volume. The feature is inherited to ReFS.
NTFS links are the abstraction used in the NTFS file system—the default file system for all Microsoft Windows versions belonging to the Windows NT family—to associate pathnames and certain kinds of metadata, with entries in the NTFS Master File Table (MFT). NTFS broadly adopts a pattern akin to typical Unix file systems in the way it stores and references file data and metadata; the most significant difference is that in NTFS, the MFT "takes the place of" inodes, fulfilling most of the functions which inodes fulfill in a typical Unix filesystem.
Backup and Restore is the primary backup component of Windows Vista and Windows 7. It can create file and folder backups, as well as system images backups, to be used for recovery in the event of data corruption, hard disk drive failure, or malware infection. It replaces NTBackup, which has been part of Windows since Windows NT 3.51. Unlike its predecessor, it supports CDs, DVDs, and Blu-rays discs as backup media.
Windows Server 2008 R2, codenamed "Windows Server 7", is the eighth version of the Windows Server operating system produced by Microsoft and released as part of the Windows NT family of operating systems. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009, the same respective release dates of Windows 7. It is the successor to Windows Server 2008, which is derived from the Windows Vista codebase, released the previous year, and was succeeded by the Windows 8-based Windows Server 2012.
VHD and its successor VHDX are file formats representing a virtual hard disk drive (HDD). They may contain what is found on a physical HDD, such as disk partitions and a file system, which in turn can contain files and folders. They are typically used as the hard disk of a virtual machine, are built into modern versions of Windows, and are the native file format for Microsoft's hypervisor, Hyper-V.
Resilient File System (ReFS), codenamed "Protogon", is a Microsoft proprietary file system introduced with Windows Server 2012 with the intent of becoming the "next generation" file system after NTFS.
Windows Server 2012, codenamed "Windows Server 8", is the ninth version of the Windows Server operating system by Microsoft, as part of the Windows NT family of operating systems. It is the server version of Windows based on Windows 8 and succeeds Windows Server 2008 R2, which is derived from the Windows 7 codebase, released nearly three years earlier. Two pre-release versions, a developer preview and a beta version, were released during development. The software was officially launched on September 4, 2012, which was the month before the release of Windows 8. It was succeeded by Windows Server 2012 R2 in 2013. Mainstream support for Windows Server 2012 ended on October 9, 2018, and extended support ended on October 10, 2023. Windows Server 2012 is eligible for the paid Extended Security Updates (ESU) program, which offers continued security updates until October 13, 2026.