Notes NTFS / Windows API

USN Journal and ExportFromUSN

Windows Explorer search often feels slow because it behaves like a file-system crawl. NTFS already keeps richer metadata that can be used for much faster indexing.

What the USN Journal Gives You

The Update Sequence Number (USN) Journal records file-system changes on NTFS volumes. Every file and folder has a File Reference Number (FRN), and every record carries the FRN, the parent's FRN and the filename, which is enough to rebuild the file tree without walking directories one by one.

Important API Calls

  • FSCTL_ENUM_USN_DATA: enumerate MFT records and get the initial file list.
  • FSCTL_READ_USN_JOURNAL: read ongoing changes from the journal.
  • FSCTL_QUERY_USN_JOURNAL: check whether the journal exists and what range it covers.

Export Flow

  1. Open a handle to the volume with CreateFile.
  2. Query the journal state.
  3. Loop over FSCTL_ENUM_USN_DATA, advancing the start file reference number each time.
  4. Extract FRN, ParentFRN, and filename from each record.
  5. Write the data for later conversion into SQLite.
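The export flow above, steps 1 to 5, as an added example (not the FileFinder project's code). It assumes the documented USN_RECORD_V2 and MFT_ENUM_DATA_V0 layouts, that MFT record 5 is the volume root, and that DeviceIoControl fails with ERROR_HANDLE_EOF once enumeration is exhausted. The sample buffer is constructed so the parsing, path rebuilding and SQLite export run on any OS; enumerate_volume() issues the real FSCTL and only works on Windows from an elevated process. Two checks worth noting: parents are matched on the low 48 bits of the FRN (the high 16 bits are a reuse sequence number), and a truncated or zero-length record stops parsing instead of producing garbage.

```python
import sqlite3
import struct
import sys

FSCTL_ENUM_USN_DATA = 0x900B3        # CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 44, METHOD_NEITHER, FILE_ANY_ACCESS)
ERROR_HANDLE_EOF = 38                # DeviceIoControl fails with this once enumeration is exhausted
ROOT_MFT_INDEX = 5                   # MFT record 5 is the volume root directory
FILE_ATTRIBUTE_DIRECTORY = 0x10
# USN_RECORD_V2 fixed header (60 bytes): RecordLength, MajorVersion, MinorVersion, FRN, ParentFRN,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength (bytes), FileNameOffset
_HDR = struct.Struct("<IHHQQqqIIIIHH")


def mft_index(frn):
    """Low 48 bits = MFT record index; high 16 bits = reuse sequence number (ignored for matching)."""
    return frn & 0xFFFFFFFFFFFF


def parse_enum_buffer(buf):
    """Parse one FSCTL_ENUM_USN_DATA output buffer: 8-byte next-start FRN, then packed records."""
    next_start = struct.unpack_from("<Q", buf, 0)[0]
    records, pos = [], 8
    while pos + _HDR.size <= len(buf):
        (rec_len, major, _minor, frn, parent, _usn, _ts, _reason, _src, _sid,
         attrs, name_len, name_off) = _HDR.unpack_from(buf, pos)
        if rec_len < _HDR.size or pos + rec_len > len(buf):
            break                    # zero-length or truncated tail: stop rather than mis-parse
        if major != 2:
            raise ValueError("only USN_RECORD_V2 is handled here")
        name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        records.append((frn, parent, attrs, name))
        pos += rec_len
    return next_start, records


def build_paths(records):
    """Map MFT index -> volume-relative path by walking ParentFRN up to the root."""
    by_index = {mft_index(f): (mft_index(p), n) for f, p, _a, n in records}
    paths = {}
    for idx, (parent, name) in by_index.items():
        parts, cur, hops = [name], parent, 0
        while cur != ROOT_MFT_INDEX and hops < 512:   # hop limit guards against corrupt cycles
            if cur not in by_index:
                parts.append("<orphan>")           # parent not in the enumerated set
                break
            parts.append(by_index[cur][1])
            cur, hops = by_index[cur][0], hops + 1
        paths[idx] = "\\".join(reversed(parts))
    return paths


def export_to_sqlite(records, conn=None):
    """Step 5: store FRN, ParentFRN, name and resolved path for fast querying."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS files (frn INTEGER PRIMARY KEY, parent_frn INTEGER,"
                 " name TEXT, is_dir INTEGER, path TEXT)")
    paths = build_paths(records)
    conn.executemany("INSERT OR REPLACE INTO files VALUES (?, ?, ?, ?, ?)",
                     [(f, p, n, int(bool(a & FILE_ATTRIBUTE_DIRECTORY)), paths[mft_index(f)])
                      for f, p, a, n in records])
    conn.commit()
    return conn


def make_record(frn, parent, attrs, name):
    """Constructed USN_RECORD_V2 (8-byte aligned, as NTFS emits them) for the sample buffer."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(name_bytes) + 7) & ~7
    hdr = _HDR.pack(rec_len, 2, 0, frn, parent, 0, 0, 0, 0, 0, attrs, len(name_bytes), _HDR.size)
    return hdr + name_bytes + b"\0" * (rec_len - len(hdr) - len(name_bytes))


# Constructed sample buffer; FRNs carry sequence numbers in the high 16 bits on purpose.
ROOT_FRN = (5 << 48) | ROOT_MFT_INDEX
SAMPLE_BUFFER = (struct.pack("<Q", 0x40)   # next StartFileReferenceNumber for the following call
                 + make_record((1 << 48) | 0x20, ROOT_FRN, FILE_ATTRIBUTE_DIRECTORY, "Users")
                 + make_record((2 << 48) | 0x21, (1 << 48) | 0x20, FILE_ATTRIBUTE_DIRECTORY, "alice")
                 + make_record((1 << 48) | 0x22, (2 << 48) | 0x21, 0x20, "notes.txt")
                 + make_record((1 << 48) | 0x23, (7 << 48) | 0x99, 0x20, "stray.bin"))  # parent unknown


def enumerate_volume(drive_letter):
    """Steps 1-4 on a live volume (Windows only; the volume handle needs administrator rights)."""
    if sys.platform != "win32":
        raise OSError("FSCTL_ENUM_USN_DATA requires Windows")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, wintypes.LPVOID,
                                wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    k32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID, wintypes.DWORD,
                                    wintypes.LPVOID, wintypes.DWORD, wintypes.LPDWORD, wintypes.LPVOID]
    # GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING on \\.\X:
    h = k32.CreateFileW("\\\\.\\%s:" % drive_letter, 0x80000000, 0x3, None, 3, 0, None)
    if h in (None, wintypes.HANDLE(-1).value):
        raise ctypes.WinError(ctypes.get_last_error())
    out, ret, start, records = ctypes.create_string_buffer(1 << 20), wintypes.DWORD(), 0, []
    try:
        while True:
            med = struct.pack("<Qqq", start, 0, 0x7FFFFFFFFFFFFFFF)   # MFT_ENUM_DATA_V0: StartFRN, LowUsn, HighUsn
            if not k32.DeviceIoControl(h, FSCTL_ENUM_USN_DATA, med, len(med), out, len(out),
                                       ctypes.byref(ret), None):
                if ctypes.get_last_error() == ERROR_HANDLE_EOF:
                    return records                                  # enumeration complete
                raise ctypes.WinError(ctypes.get_last_error())
            start, batch = parse_enum_buffer(out.raw[:ret.value])  # advance the start FRN (step 3)
            records.extend(batch)
    finally:
        k32.CloseHandle(h)
```

On a real volume, `export_to_sqlite(enumerate_volume("C"))` produces the table; offline, `export_to_sqlite(parse_enum_buffer(SAMPLE_BUFFER)[1])` exercises the same path. The `<orphan>` bucket is deliberate: because enumeration is batched while the volume keeps changing, a record whose parent was created after its batch was read can appear with no parent in the set, and a later FSCTL_READ_USN_JOURNAL pass is what reconciles it.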

More context is in the FileFinder project page.