Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

347 lines
12 KiB

//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation 1997-1998
//
// File: usndump.cxx
//
// Contents: Usn dump utility. Needs admin privileges to run.
//
// History: 05-Jul-97 SitaramR Created
//
//----------------------------------------------------------------------------
#include <pch.cxx>
#pragma hdrstop
void Usage()
{
printf( "Needs admin privileges to run, usage: usndump <drive_letter>, e.g. usndump c\n" );
}
DECLARE_INFOLEVEL(ci)
//+---------------------------------------------------------------------------
//
// Function: PrintUsnRecords
//
// Purpose: Prints usn records from buffer
//
// History: 05-Jul-97 SitaramR Created
// 21-May-98 KLam Added SourceInfo as output
//
//----------------------------------------------------------------------------
void PrintUsnRecords( IO_STATUS_BLOCK *iosb, void *pBuffer )
{
USN usnNextStart;
USN_RECORD * pUsnRec;
ULONG_PTR dwByteCount = iosb->Information;
if ( dwByteCount != 0 )
{
usnNextStart = *(USN *)pBuffer;
pUsnRec = (USN_RECORD *)((PCHAR)pBuffer + sizeof(USN));
dwByteCount -= sizeof(USN);
}
while ( dwByteCount != 0 )
{
if ( pUsnRec->MajorVersion != 2 || pUsnRec->MinorVersion != 0 )
{
printf( "Unrecognized USN version, Major=%u, Minor=%u\n",
pUsnRec->MajorVersion, pUsnRec->MinorVersion );
break;
}
if ( 0 != pUsnRec->SourceInfo )
printf( "FileId=%#I64x, ParentFileId=%#I64x, Usn=%#I64x, Reason=%#x, SourceInfo=%#x, FileAttr=%#x, FileName=%.*ws\n",
pUsnRec->FileReferenceNumber,
pUsnRec->ParentFileReferenceNumber,
pUsnRec->Usn,
pUsnRec->Reason,
pUsnRec->SourceInfo,
pUsnRec->FileAttributes,
pUsnRec->FileNameLength / sizeof WCHAR ,
&pUsnRec->FileName );
else
printf( "FileId=%#I64x, ParentFileId=%#I64x, Usn=%#I64x, Reason=%#x, FileAttr=%#x, FileName=%.*ws\n",
pUsnRec->FileReferenceNumber,
pUsnRec->ParentFileReferenceNumber,
pUsnRec->Usn,
pUsnRec->Reason,
pUsnRec->FileAttributes,
pUsnRec->FileNameLength / sizeof WCHAR,
&pUsnRec->FileName );
if ( pUsnRec->RecordLength <= dwByteCount )
{
dwByteCount -= pUsnRec->RecordLength;
pUsnRec = (USN_RECORD *) ((PCHAR) pUsnRec + pUsnRec->RecordLength );
}
else
{
printf( "***--- Usn read fsctl returned bogus dwByteCount 0x%x ---***\n", dwByteCount );
THROW( CException( STATUS_UNSUCCESSFUL ) );
}
}
}
//+---------------------------------------------------------------------------
//
// Function: main
//
// Purpose: Main dump routine
//
// History: 05-Jul-97 SitaramR Created
//
//----------------------------------------------------------------------------
int __cdecl main( int argc, char * argv[] )
{
if ( argc != 2 )
{
Usage();
return 0;
}
WCHAR wcDriveLetter = argv[1][0];
TRY
{
//
// Looking at a file?
//
if ( strlen(argv[1]) > 2 )
{
int ccUnicodeStr = strlen( argv[1] ) + 1;
WCHAR * pUnicodeStr = new WCHAR[ccUnicodeStr];
if ( !MultiByteToWideChar( CP_ACP, 0, argv[1], -1, pUnicodeStr, ccUnicodeStr ) )
{
printf("MultiByteToWideChar failed.\n");
delete [] pUnicodeStr;
return 0;
}
CFunnyPath funnyPath( pUnicodeStr );
delete [] pUnicodeStr;
HANDLE hFile = CreateFile( funnyPath.GetPath(),
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_FLAG_BACKUP_SEMANTICS,
NULL );
if ( INVALID_HANDLE_VALUE == hFile && ERROR_ACCESS_DENIED == GetLastError() )
hFile = CreateFile( funnyPath.GetPath(),
GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL );
if ( hFile == INVALID_HANDLE_VALUE )
{
printf( "***--- Usn file open failed 0x%x, check for admin privileges ---***\n", GetLastError() );
THROW( CException( HRESULT_FROM_WIN32( GetLastError() ) ) );
}
NTSTATUS status;
SHandle xFile( hFile );
IO_STATUS_BLOCK iosb;
ULONGLONG readBuffer[100];
for ( unsigned i = 0; i < sizeof(readBuffer)/sizeof(readBuffer[0]); i++ )
readBuffer[i] = 0xFFFFFFFFFFFFFFFFi64;
USN_RECORD *pUsnRec;
status = NtFsControlFile( hFile,
NULL,
NULL,
NULL,
&iosb,
FSCTL_READ_FILE_USN_DATA,
NULL,
NULL,
&readBuffer,
sizeof(readBuffer) );
if ( !NT_SUCCESS(status) || !NT_SUCCESS(iosb.Status) )
{
printf( "***--- Error 0x%x / 0x%x returned from READ_FILE_USN_DATA ---***\n", status, iosb.Status );
return 0;
}
pUsnRec = (USN_RECORD *) &readBuffer;
if ( pUsnRec->MajorVersion != 2 || pUsnRec->MinorVersion != 0 )
printf( "Unrecognized USN version, Major=%u, Minor=%u\n",
pUsnRec->MajorVersion, pUsnRec->MinorVersion );
else
printf( "FileId=%#I64x, ParentFileId=%#I64x, Usn=%#I64x, FileAttr=%#x, FileName=%.*ws\n",
pUsnRec->FileReferenceNumber,
pUsnRec->ParentFileReferenceNumber,
(ULONG)(pUsnRec->Usn>>32),
(ULONG)pUsnRec->Usn,
pUsnRec->FileAttributes,
pUsnRec->FileNameLength / sizeof(WCHAR),
&pUsnRec->FileName );
}
else
{
//
// Create the volume handle that will be used for usn fsctls
//
WCHAR wszVolumePath[] = L"\\\\.\\a:";
wszVolumePath[4] = wcDriveLetter;
HANDLE hVolume = CreateFile( wszVolumePath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL );
if ( hVolume == INVALID_HANDLE_VALUE )
{
printf( "***--- Usn volume open failed 0x%x, check for admin privileges ---***\n", GetLastError() );
THROW( CException( HRESULT_FROM_WIN32( GetLastError() ) ) );
}
SWin32Handle xHandleVolume( hVolume );
IO_STATUS_BLOCK iosb;
//
// Get the Journal ID
//
USN_JOURNAL_DATA UsnJournalInfo;
NTSTATUS status = NtFsControlFile( hVolume,
NULL,
NULL,
NULL,
&iosb,
FSCTL_QUERY_USN_JOURNAL,
0,
0,
&UsnJournalInfo,
sizeof(UsnJournalInfo) );
if ( status == STATUS_PENDING )
{
printf( "***--- Status_pending returned for synchronous read fsctl ---***\n" );
return 0;
}
if ( !NT_SUCCESS(status) || !NT_SUCCESS(iosb.Status) )
{
printf( "***--- Error 0x%x / 0x%x returned from QUERY_USN_JOURNAL ---***\n", status, iosb.Status );
return 0;
}
READ_USN_JOURNAL_DATA usnData = {0, MAXULONG, 0, 0, 0, UsnJournalInfo.UsnJournalID};
ULONGLONG readBuffer[2048];
status = NtFsControlFile( hVolume,
NULL,
NULL,
NULL,
&iosb,
FSCTL_READ_USN_JOURNAL,
&usnData,
sizeof(usnData),
&readBuffer,
sizeof(readBuffer) );
if ( status == STATUS_PENDING )
{
printf( "***--- Status_pending returned for synchronous read fsctl ---***\n" );
return 0;
}
if ( NT_SUCCESS( status ) )
{
status = iosb.Status;
if ( STATUS_KEY_DELETED == status ||
STATUS_JOURNAL_ENTRY_DELETED == status )
{
printf( "***--- Status key deleted, rerun ---***\n" );
return 0;
}
PrintUsnRecords( &iosb, readBuffer );
//
// Read usn records until the end of usn journal
//
USN usnStart = 0;
while ( NT_SUCCESS( status ) )
{
ULONG_PTR dwByteCount = iosb.Information;
if ( dwByteCount <= sizeof(USN) )
return 0;
else
{
usnStart = *(USN *)&readBuffer;
usnData.StartUsn = usnStart;
status = NtFsControlFile( hVolume,
NULL,
NULL,
NULL,
&iosb,
FSCTL_READ_USN_JOURNAL,
&usnData,
sizeof(usnData),
&readBuffer,
sizeof(readBuffer) );
if ( NT_SUCCESS( status ) )
status = iosb.Status;
else
{
printf( "***--- Error 0x%x returned from read fsctl ---***\n", status );
return 0;
}
if ( STATUS_KEY_DELETED == status ||
STATUS_JOURNAL_ENTRY_DELETED == status )
{
printf( "***--- Status key deleted, rerun usndump ---***\n" );
return 0;
}
PrintUsnRecords( &iosb, readBuffer );
}
}
return 0;
}
else
printf( "***--- Usn read fsctl returned 0x%x, check if usn journal has created on that volume ---***\n",
status );
}
return 0;
}
CATCH( CException, e )
{
printf( "***--- Caught exception 0x%x ---***\n", e.GetErrorCode() );
}
END_CATCH
return 0;
}