  1. @rem = '
  2. @goto endofperl
  3. ';
  4. $USAGE = "
  5. Usage: $0 USN_dump_file
  6. This script scans a usn dump file produced by
  7. \\\\sudarc-dev\\tools\\usnread d:
  8. and reformats it to a single line per entry, pitching some of
  9. the less interesting fields.
  10. Parameters are set via environment vars.
  11. USN_FID File ID of the form xxxxxxxxxxxxxxxx (no leading zeros)
  12. USN_PFID Parent File ID of the form xxxxxxxxxxxxxxxx (no leading zeros)
  13. USN_FNAME Filename
  14. USN_DATE All records for a given day e.g. May 1,2000
  15. USN_START Only records between the given start and end USNs are processed (default is all)
  16. USN_END
  17. USN_REASON All records with any selected flag set. (default CLOSE)
  18. USN_REASON_OR Set to 1 if USN_REASON filter is an OR condtion. (default is AND condition)
  19. A null env var means the log is not filtered on that parameter.
  20. Each env var can have multiple values separated by a comma. These params
  21. are used as search patterns and the , is replaced by a |
  22. Watch out for left over trailing commas. They will foul up the search.
  23. USN_REASON_DATA_OVERWRITE (0x00000001)
  24. USN_REASON_DATA_EXTEND (0x00000002)
  25. USN_REASON_DATA_TRUNCATION (0x00000004)
  26. USN_REASON_NAMED_DATA_OVERWRITE (0x00000010)
  27. USN_REASON_NAMED_DATA_EXTEND (0x00000020)
  28. USN_REASON_NAMED_DATA_TRUNCATION (0x00000040)
  29. USN_REASON_FILE_CREATE (0x00000100)
  30. USN_REASON_FILE_DELETE (0x00000200)
  31. USN_REASON_EA_CHANGE (0x00000400)
  32. USN_REASON_SECURITY_CHANGE (0x00000800)
  33. USN_REASON_RENAME_OLD_NAME (0x00001000)
  34. USN_REASON_RENAME_NEW_NAME (0x00002000)
  35. USN_REASON_INDEXABLE_CHANGE (0x00004000)
  36. USN_REASON_BASIC_INFO_CHANGE (0x00008000)
  37. USN_REASON_HARD_LINK_CHANGE (0x00010000)
  38. USN_REASON_COMPRESSION_CHANGE (0x00020000)
  39. USN_REASON_ENCRYPTION_CHANGE (0x00040000)
  40. USN_REASON_OBJECT_ID_CHANGE (0x00080000)
  41. USN_REASON_REPARSE_POINT_CHANGE (0x00100000)
  42. USN_REASON_STREAM_CHANGE (0x00200000)
  43. USN_REASON_CLOSE (0x80000000)
  44. USN_SOURCE_DATA_MANAGEMENT (0x00000001)
  45. USN_SOURCE_AUXILIARY_DATA (0x00000002)
  46. USN_SOURCE_REPLICATION_MANAGEMENT (0x00000004)
  47. FILE_ATTRIBUTE_READONLY 0x00000001
  48. FILE_ATTRIBUTE_HIDDEN 0x00000002
  49. FILE_ATTRIBUTE_SYSTEM 0x00000004
  50. OLD DOS VOLID 0x00000008
  51. FILE_ATTRIBUTE_DIRECTORY 0x00000010
  52. FILE_ATTRIBUTE_ARCHIVE 0x00000020
  53. FILE_ATTRIBUTE_DEVICE 0x00000040
  54. FILE_ATTRIBUTE_NORMAL 0x00000080
  55. FILE_ATTRIBUTE_TEMPORARY 0x00000100
  56. FILE_ATTRIBUTE_SPARSE_FILE 0x00000200
  57. FILE_ATTRIBUTE_REPARSE_POINT 0x00000400
  58. FILE_ATTRIBUTE_COMPRESSED 0x00000800
  59. FILE_ATTRIBUTE_OFFLINE 0x00001000
  60. FILE_ATTRIBUTE_NOT_CONTENT_INDEXED 0x00002000
  61. FILE_ATTRIBUTE_ENCRYPTED 0x00004000
  62. ";
  63. die $USAGE unless @ARGV;
  64. $InFile = "";
  65. $iusn_start = 0;
  66. $iusn_end = 0xFFFFFFFF;
  67. $ireason = 0x80000000;
  68. $fid = $ENV{'USN_FID'}; printf("USN_FID: %s\n", $fid);
  69. $pfid = $ENV{'USN_PFID'}; printf("USN_PFID: %s\n", $pfid);
  70. $fname = $ENV{'USN_FNAME'}; printf("USN_FNAME: %s\n", $fname);
  71. $date = $ENV{'USN_DATE'}; printf("USN_DATE: %s\n", $date);
  72. $usn_start = $ENV{'USN_START'}; printf("USN_START: %s\n", $usn_start);
  73. $usn_end = $ENV{'USN_END'}; printf("USN_END: %s\n", $usn_end);
  74. $reason = $ENV{'USN_REASON'}; printf("USN_REASON: %s\n", $reason);
  75. $reason_or = $ENV{'USN_REASON_OR'}; printf("USN_REASON_OR: %s\n", $reason_or);
  76. #
  77. # replace commas with | for pattern matching.
  78. #
  79. if ($fname ne "") { $fname = "($fname)"; $fname =~ s/,/\|/g; }
  80. if ($fid ne "") { $fid = "($fid)"; $fid =~ s/,/\|/g; }
  81. if ($pfid ne "") { $pfid = "($pfid)"; $pfid =~ s/,/\|/g; }
  82. if ($date ne "") { $date = "($date)"; $date =~ s/,/\|/g; }
  83. if ($usn_start ne "") { $iusn_start = hex($usn_start); }
  84. if ($usn_end ne "") { $iusn_end = hex($usn_end); }
  85. if ($reason ne "") { $ireason = hex($reason); }
  86. printf("\n\n");
  87. print $0 @argv;
  88. printf("fname: %s\n", $fname) if ($fname ne "");
  89. printf("fid: %s\n", $fid) if ($fid ne "");
  90. printf("pfid: %s\n", $pfid) if ($pfid ne "");
  91. printf("date: %s\n", $date) if ($date ne "");
  92. printf("usn_start: 0x%08x\n", $iusn_start) if ($usn_start ne "");
  93. printf("usn_end: 0x%08x\n", $iusn_end) if ($usn_end ne "");
  94. printf("usn_reason: 0x%08x\n", $ireason) if ($ireason != 0);
  95. printf("usn_reason_or: %s\n", $reason_or) if ($reason_or ne "");
  96. printf("\n\n\n");
  97. printf(" Usn Event Time File ID Parent File ID Usn Reason SrcInfo Attrib Filename\n\n");
  98. $recstart = 0;
  99. $recprint = 0;
  100. if (($usn_start ne "") || ($usn_end ne "")) {$usn_check = 1};
  101. while (<>) {
  102. if ($InFile ne $ARGV) {
  103. $InFile = $ARGV;
  104. #printf("- - - - - %s - - - - -\n\n", $InFile);
  105. }
  106. chop;
  107. ($field, $value) = split(/:/, $_);
  108. if (m/timestamp:/) {
  109. # get the whole value.
  110. $value = $_;
  111. $value =~ s/timestamp: //i;
  112. }
  113. #
  114. # Get field values.
  115. #
  116. if ((m/fileref:/) || (m/parentref:/) ||
  117. (m/usn:/) || (m/timestamp:/) ||
  118. (m/reason:/) || (m/SourceInfo:/) ||
  119. (m/attributes:/) || (m/filename:/) ) {
  120. $rec{$field} = $value;
  121. } else {
  122. next;
  123. }
  124. if (m/usn:/ || m/reason:/) {
  125. $value =~ s/h//g;
  126. $value =~ s/ //g;
  127. $value = hex($value);
  128. $rec{$field} = $value;
  129. }
  130. #
  131. # check this entry against filter.
  132. #
  133. if ((($fname ne "") && (m/filename: $fname/o)) ||
  134. (($fid ne "") && (m/fileref: $fid/io)) ||
  135. (($pfid ne "") && (m/parentref: $pfid/io)) ||
  136. (($ireason != 0 ) && (m/reason: /o) && ($reason_or ne "")
  137. && (($value & $ireason) != 0)) ||
  138. (($date ne "") && (m/timestamp: .*$date/io))) {
  139. $recprint = 1;
  140. }
  141. if (m/filename: /) {
  142. #
  143. # End of entry. Dump it out if filter matched
  144. # if reason_or is not set then reason match is an AND condtion.
  145. # So only print if a selected reason mask bit is set.
  146. # Only print if in selected USN range.
  147. #
  148. if (($ireason != 0) && ($reason_or eq "") && (($rec{" reason"} & $ireason) == 0)) {
  149. $recprint = 0;
  150. }
  151. $usn = $rec{" usn"};
  152. if (($usn_check == 1) && (($usn < $iusn_start) || ($usn > $iusn_end))) {
  153. $recprint = 0;
  154. }
  155. if ($recprint == 1) {
  156. printf("%08x %s %18s %18s %08x %4s %9s %s\n",
  157. $usn, $rec{" timestamp"}, $rec{" fileref"},
  158. $rec{" parentref"}, $rec{" reason"}, $rec{" SourceInfo"},
  159. $rec{" attributes"}, $rec{" filename"});
  160. }
  161. $recprint = 0;
  162. }
  163. }
  164. __END__
  165. :endofperl
  166. @perl %0.cmd %*
  167. @goto :QUIT
  168. RECORD: 2
  169. reclen: 98h
  170. Major ver: 2
  171. Minor ver: 0
  172. fileref: BFEA0000000001B0h
  173. parentref: 1000000000025h
  174. usn: 1BD00098h
  175. timestamp: Mon May 1, 2000 06:03:42
  176. reason: 102h
  177. SourceInfo: 0h
  178. security-id: 11Ah
  179. attributes: 22h
  180. filename length: 56h
  181. filename offset: 3Ch
  182. filename: NTFRS_G_39b9bb65-952f-4a72-997c6672bc460073
  183. ---------------------------------------
  184. @:QUIT