Mapping a FileReferenceNumber to a Filename
CASTalk.com Forum Index CASTalk.com
Discussion of DSP, FPGA, storage and embedded system.
 
 FAQFAQ   MemberlistMemberlist     RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 
 
Google
 
Web castalk.com
Mapping a FileReferenceNumber to a Filename

 
Post new topic   Reply to topic    CASTalk.com Forum Index -> File System
Author Message
Andrew Brampton
Guest
Posted: Sun Nov 28, 2004 10:04 pm    Post subject: Mapping a FileReferenceNumber to a Filename Reply with quote
Hi,
I wasn't sure were to post this message, so apologies in advance if this is
the wrong place.

So I've been reading NTFS USN Journal data, so I can track which files have
changed over a period of time.
I'm reading them with DeviceIoControl and FSCTL_READ_USN_JOURNAL, This
returns a USN_RECORD which allows me to get the filename and other
information about the change, however it does not tell me what path the file
was in. To get that information I have to use either the
ParentFileReferenceNumber or FileReferenceNumber (FRN). These numbers
represent a one to one mapping between a Filename (with path) and a unique
FileReferenceNumber (that NTFS uses internally)

I was reading a article on using Journals [1] and they mention there is no
direct way to get the path from the FRN, however you can do it in a round
about way. They don't mention how they do it but say in their next article
they will explain more. However I can not find their next article :( and all
matches for FileReferenceNumber on google do not provide useful information.

So I'm asking here if anyone knows how to turn a FileReferenceNumber into a
Filename... I did find FSCTL_GET_NTFS_FILE_RECORD but this does not always
return the filename for the FRN I want.

Thanks for any help
Andrew


[1] Keeping an Eye on Your NTFS Drives: the Windows 2000 Change Journal
Explained
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/featusability/msjntfs5.mspx
Back to top
Jeremy Boschen
Guest
Posted: Sun Nov 28, 2004 11:55 pm    Post subject: Re: Mapping a FileReferenceNumber to a Filename Reply with quote
"Andrew Brampton" <andrew@bramp.freeserve.co.uk> wrote in message
news:uDlMTxW1EHA.1564@TK2MSFTNGP09.phx.gbl...
Quote:
Hi,
I wasn't sure were to post this message, so apologies in advance if this
is the wrong place.

So I'm asking here if anyone knows how to turn a FileReferenceNumber into
a Filename... I did find FSCTL_GET_NTFS_FILE_RECORD but this does not
always return the filename for the FRN I want.


AFIK, it's a two step process.

1) Use ZwCreateFile to open the file by ID using the FILE_OPEN_BY_ID
CreateOption.
2) Retrieve the file path using the returned HANDLE. There is 1 undocumented
way to do this using file-mapping, and multiple undocumented ways which have
been discussed at length in this and other groups.

There is also an alternative way using FindFirstFile/FindNextFile as it
returns the file-id.

Regards,
Jeremy Boschen
Back to top
Jochen Kalmbach
Guest
Posted: Mon Nov 29, 2004 1:48 am    Post subject: Re: Mapping a FileReferenceNumber to a Filename Reply with quote
Hi Jeremy Boschen,

Quote:
2) Retrieve the file path using the returned HANDLE. There is 1
undocumented way to do this

You mean "documented"...

See: Obtaining a File Name From a File Handle
http://msdn.microsoft.com/library/en-
us/fileio/base/obtaining_a_file_name_from_a_file_handle.asp


--
Greetings
Jochen

My blog about Win32 and .NET
http://blog.kalmbachnet.de/
Back to top
Jeremy Boschen
Guest
Posted: Mon Nov 29, 2004 4:33 am    Post subject: Re: Mapping a FileReferenceNumber to a Filename Reply with quote
"Jochen Kalmbach" <nospam-Jochen.Kalmbach@holzma.de> wrote in message
news:Xns95AFDDE75275FJochenKalmbachholzm@207.46.248.16...
Quote:
Hi Jeremy Boschen,

2) Retrieve the file path using the returned HANDLE. There is 1
undocumented way to do this

You mean "documented"...


Yeah, it was a typo.

- Jeremy
Back to top
Carl Appellof
Guest
Posted: Mon Nov 29, 2004 10:14 pm    Post subject: Re: Mapping a FileReferenceNumber to a Filename Reply with quote
"Andrew Brampton" <andrew@bramp.freeserve.co.uk> wrote in message
news:uDlMTxW1EHA.1564@TK2MSFTNGP09.phx.gbl...
Quote:
Hi,

I was reading a article on using Journals [1] and they mention there is no
direct way to get the path from the FRN, however you can do it in a round
about way. They don't mention how they do it but say in their next article
they will explain more. However I can not find their next article :( and
all
matches for FileReferenceNumber on google do not provide useful
information.


Check out http://www.microsoft.com/msj/1099/journal2/journal2.aspx for the
next article. Basically, you have to save the FRNs for all directories on a
volume, then do a stepwise lookup of ParentFRN to build up the path in a
backwards way.

As pointed out, there may be easier ways.

Carl
Back to top
 
Post new topic   Reply to topic    CASTalk.com Forum Index -> File System All times are GMT
Page 1 of 1

 
 You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum




VoIP Electronics Powered by phpBB