USN Journal and ExportFromUSN
Windows Explorer search often feels slow because it behaves like a file-system crawl. NTFS already keeps richer metadata that can be used for much faster indexing.
What the USN Journal Gives You
The Update Sequence Number Journal records file-system changes on NTFS volumes. Every file and folder has a File Reference Number, and every record stores enough information to rebuild the file tree without walking directories one by one.
Important API Calls
- FSCTL_ENUM_USN_DATA: enumerate MFT records and get the initial file list.
- FSCTL_READ_USN_JOURNAL: read ongoing changes from the journal.
- FSCTL_QUERY_USN_JOURNAL: check whether the journal exists and what range it covers.
Export Flow
- Open a handle to the volume with CreateFile.
- Query the journal state.
- Loop over FSCTL_ENUM_USN_DATA, advancing the start file reference number each time.
- Extract FRN, ParentFRN, and filename from each record.
- Write the data for later conversion into SQLite.
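An added example, not code from ExportFromUSN or the FileFinder project: a Python parser for one FSCTL_ENUM_USN_DATA output buffer (an 8-byte next start FRN followed by USN_RECORD_V2 records) that extracts FRN, ParentFRN, and filename, then rebuilds full paths from the parent links alone. The buffer is constructed sample data, and the names parse_enum_buffer, build_paths, make_record, ROOT, and the <orphan> marker are assumptions made for this illustration.

```python
import struct

# USN_RECORD_V2 fixed header: 60 bytes, little-endian (Windows SDK layout).
HDR = struct.Struct("<IHHQQqqIIIIHH")

def parse_enum_buffer(buf):
    """Return (next_start_frn, [(frn, parent_frn, name), ...]) for one buffer."""
    next_frn = struct.unpack_from("<Q", buf, 0)[0]  # leading 8 bytes: resume point
    rows, off = [], 8
    while off + HDR.size <= len(buf):
        f = HDR.unpack_from(buf, off)
        rec_len, major, frn, parent, name_len, name_off = f[0], f[1], f[3], f[4], f[11], f[12]
        # Lengths come from the buffer itself: bound them before slicing.
        if rec_len < HDR.size or off + rec_len > len(buf):
            raise ValueError(f"bad RecordLength at offset {off}")
        if name_off < HDR.size or name_off + name_len > rec_len:
            raise ValueError(f"bad filename bounds at offset {off}")
        if major == 2:  # V3 records carry 128-bit file IDs and are skipped here
            raw = buf[off + name_off : off + name_off + name_len]
            rows.append((frn, parent, raw.decode("utf-16-le", errors="replace")))
        off += rec_len
    return next_frn, rows

def build_paths(rows, root_frn):
    """Rebuild full paths from FRN -> ParentFRN links, with no directory walk."""
    nodes = {frn: (parent, name) for frn, parent, name in rows}
    paths = {}
    for frn in nodes:
        parts, cur, seen = [], frn, set()
        # Stop at the root, at a parent we never saw, or on a reference loop.
        while cur in nodes and cur != root_frn and cur not in seen:
            seen.add(cur)
            cur, name = nodes[cur]
            parts.append(name)
        prefix = "\\" if cur == root_frn else "<orphan>\\"
        paths[frn] = prefix + "\\".join(reversed(parts))
    return paths

def make_record(frn, parent, name):
    """Build one constructed USN_RECORD_V2 (sample data, not a real capture)."""
    raw = name.encode("utf-16-le")
    rec_len = (HDR.size + len(raw) + 7) & ~7  # records are 8-byte aligned
    hdr = HDR.pack(rec_len, 2, 0, frn, parent, 0, 0, 0, 0, 0, 0, len(raw), HDR.size)
    return (hdr + raw).ljust(rec_len, b"\0")

ROOT = 5  # constructed root FRN for this sample
SAMPLE = struct.pack("<Q", 104) + b"".join(make_record(*r) for r in [
    (101, ROOT, "Users"), (102, 101, "alice"),
    (103, 102, "notes.txt"), (104, 999, "stray.log")])  # 999: parent not in buffer
```

On a live volume, the returned next FRN is what goes back in as the start file reference number for the following FSCTL_ENUM_USN_DATA call.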
More context is in the FileFinder project page.