By default, file operations in Windows are not recorded in the event log (there would be far too many records). Such auditing can be enabled as described in https://superuser.com/questions/402792/can-i-log-file-operations-create-modify-delete-in-windows ; after that the file events can be read from the Security (audit) log where that is possible: https://ru.stackoverflow.com/questions/612571/%D0%9F%D0%BE%D0%BB%D1%83%D1%87%D0%B5%D0%BD%D0%B8%D0%B5-%D1%82%D0%B5%D0%BA%D1%81%D1%82%D0%B0-%D1%81%D0%BE%D0%B1%D1%8B%D1%82%D0%B8%D0%B9-%D0%B8%D0%B7-event-loga-%D0%B2-windows However, on NTFS volumes some information about file operations can be obtained from the volume's USN change journal without changing any system settings. The drawback of this approach is that there are a great many records, reading them is slow, and the only way to filter by time is to walk the whole journal sequentially up to the moment of interest. Keep in mind that a USN record describes what happened to a file (timestamp, file reference number, name, reason flags) but not who did it — it carries no user or process identity — so it is a forensic aid rather than a substitute for auditing. Code that prints the first 50 entries of the USN journal (administrative rights are required to run it):
#include <Windows.h>
#include <WinIoCtl.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUF_LEN 4096
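/*
 * Print the first max_count records of the USN change journal of `volume`
 * (a volume path such as "\\\\.\\c:") to stdout.
 *
 * Opening the volume needs administrative rights in practice.  Failures are
 * reported on stdout together with the Win32 error code (GetLastError) and
 * the function returns; it never throws or exits the process.
 *
 * Each record is printed as: timestamp, file reference number, file name and
 * the raw Reason bit mask with a few well-known reasons decoded.  The
 * timestamp is shown as stored in the record; FileTimeToSystemTime applies
 * no time-zone conversion.
 */
void PrintJournal(TCHAR* volume, UINT max_count)
{
    HANDLE hVol;
    /* USN records are 8-byte aligned; back the byte buffer with a DWORDLONG
       array so that casting into it never produces a misaligned record. */
    DWORDLONG rawbuf[BUF_LEN / sizeof(DWORDLONG)];
    CHAR *Buffer = (CHAR *)rawbuf;
    USN_JOURNAL_DATA JournalData;
    READ_USN_JOURNAL_DATA ReadData;
    DWORD dwBytes = 0;
    UINT printed = 0;

    if (max_count == 0) {
        return; /* nothing requested */
    }

    memset(&ReadData, 0, sizeof(ReadData));
    ReadData.StartUsn = 0;              /* start from the oldest record */
    ReadData.ReasonMask = 0xFFFFFFFF;   /* every reason */
    ReadData.ReturnOnlyOnClose = FALSE;
    ReadData.Timeout = 0;
    ReadData.BytesToWaitFor = 0;        /* return immediately, never block */

    /* NOTE(review): GENERIC_WRITE mirrors the MSDN change-journal sample;
       confirm whether read-only access suffices before relaxing it. */
    hVol = CreateFile(volume,
                      GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL,
                      OPEN_EXISTING,
                      0,
                      NULL);
    if (hVol == INVALID_HANDLE_VALUE) {
        /* no handle to close here — do not fall through to CloseHandle */
        printf("CreateFile failed (%lu)\n", GetLastError());
        return;
    }

    if (!DeviceIoControl(hVol,
                         FSCTL_QUERY_USN_JOURNAL,
                         NULL,
                         0,
                         &JournalData,
                         sizeof(JournalData),
                         &dwBytes,
                         NULL)) {
        /* fails, for example, when the journal is disabled on the volume */
        printf("Query journal failed (%lu)\n", GetLastError());
        goto End;
    }
    ReadData.UsnJournalID = JournalData.UsnJournalID;
    printf("Journal ID: 0x%I64x\n", JournalData.UsnJournalID);
    printf("FirstUsn: 0x%I64x\n\n", JournalData.FirstUsn);

    for (;;) {
        DWORD remaining;
        PUSN_RECORD rec;
        USN nextUsn;

        memset(Buffer, 0, BUF_LEN);
        if (!DeviceIoControl(hVol,
                             FSCTL_READ_USN_JOURNAL,
                             &ReadData,
                             sizeof(ReadData),
                             Buffer,
                             BUF_LEN,
                             &dwBytes,
                             NULL)) {
            printf("Read journal failed (%lu)\n", GetLastError());
            goto End;
        }

        /* The output starts with the USN to continue from.  When nothing
           follows it the journal is exhausted: stop instead of spinning
           forever on a journal with fewer than max_count records. */
        if (dwBytes <= sizeof(USN)) {
            break;
        }
        memcpy(&nextUsn, Buffer, sizeof(nextUsn));
        remaining = dwBytes - (DWORD)sizeof(USN);
        rec = (PUSN_RECORD)(Buffer + sizeof(USN));
        printf("****************************************\n");

        while (remaining > 0) {
            SYSTEMTIME st;
            const WCHAR *name;

            /* Only walk records that fit in what was returned: an
               inconsistent RecordLength would otherwise underflow
               `remaining` and read past the end of Buffer. */
            if (remaining < FIELD_OFFSET(USN_RECORD, FileName) ||
                rec->RecordLength < FIELD_OFFSET(USN_RECORD, FileName) ||
                rec->RecordLength > remaining) {
                printf("\nmalformed USN record, stopping\n");
                goto End;
            }
            /* this parser understands the USN_RECORD_V2 layout only */
            if (rec->MajorVersion != 2) {
                printf("\nunsupported USN record version %u, stopping\n",
                       (unsigned)rec->MajorVersion);
                goto End;
            }
            /* FileNameLength is in bytes; the name must lie inside the record */
            if ((DWORD)rec->FileNameOffset + rec->FileNameLength > rec->RecordLength) {
                printf("\nmalformed USN record name, stopping\n");
                goto End;
            }

            if (!FileTimeToSystemTime((FILETIME *)&rec->TimeStamp, &st)) {
                printf("\nfailed to get time\n");
                goto End;
            }

            name = (const WCHAR *)((const CHAR *)rec + rec->FileNameOffset);
            printf("%4d.%02d.%02d %2d:%02d\n",
                   (int)st.wYear, (int)st.wMonth, (int)st.wDay,
                   (int)st.wHour, (int)st.wMinute);
            printf("Reference number: 0x%I64x\n", rec->FileReferenceNumber);
            printf("File name: %.*S\n", (int)(rec->FileNameLength / sizeof(WCHAR)), name);
            printf("Reason: 0x%x", rec->Reason);
            if (rec->Reason & USN_REASON_FILE_DELETE)    printf(" (File deleted)");
            if (rec->Reason & USN_REASON_FILE_CREATE)    printf(" (File created)");
            if (rec->Reason & USN_REASON_DATA_OVERWRITE) printf(" (Data overwrite)");
            if (rec->Reason & USN_REASON_DATA_EXTEND)    printf(" (Data extend)");
            printf("\n\n");

            printed++;
            if (printed >= max_count) {
                goto End; /* requested number of records shown */
            }

            remaining -= rec->RecordLength;
            rec = (PUSN_RECORD)((PCHAR)rec + rec->RecordLength);
        }

        /* continue from the USN the driver handed back */
        ReadData.StartUsn = nextUsn;
    }

End:
    CloseHandle(hVol);
}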
/*
 * Entry point: dump the first 50 change-journal records of the C: volume,
 * then wait for Enter so a console window opened for the program stays
 * visible.  Command-line arguments are ignored; volume and record count are
 * fixed here.
 */
int wmain(int argc, wchar_t **argv)
{
    (void)argc;
    (void)argv;

    /* presumably so that Cyrillic file names display correctly in the console */
    setlocale(LC_ALL, "Russian");

    PrintJournal(TEXT("\\\\.\\c:"), 50);

    getchar(); /* keep the window open until the user presses Enter */
    return 0;
}
Example output:
Journal ID: 0x1d213cf6845e9c2
FirstUsn: 0x160b40000
2018.03.25 6:01
Reference number: 0xb80000000256ed
File name: GetStateWorker20180325.log
Reason: 0x2 (Data extend)
2018.03.25 6:02
Reference number: 0x21f0000000356fb
File name: cache.dat
Reason: 0x80000200 (File deleted)
2018.03.25 6:02
Reference number: 0x78000000038ae2
File name: asw-8d99b330-1115-4672-8629-c820c1720c18.tmp
Reason: 0x1103 (File created) (Data overwrite) (Data extend)
2018.03.25 6:02
Reference number: 0x78000000038ae2
File name: cache.dat
Reason: 0x2103 (File created) (Data overwrite) (Data extend)
2018.03.25 6:02
Reference number: 0x78000000038ae2
File name: cache.dat
Reason: 0xa103 (File created) (Data overwrite) (Data extend)
2018.03.25 6:02
Reference number: 0x78000000038ae2
File name: cache.dat
Reason: 0x8000a103 (File created) (Data overwrite) (Data extend)
https://msdn.microsoft.com/en-us/library/windows/desktop/aa365736(v=vs.85).aspx