The change journal is a new feature of NTFS in Windows 2000 that provides a persistent log of changes made to files on a volume. NTFS uses the change journal to track information about added, deleted, and modified files for each volume. The change journal describes the nature of any changes to files on the volume. When any file or folder is created, modified, or deleted, NTFS adds a record to the change journal for that volume.
The change journal conveys significant scalability benefits to applications that might otherwise need to scan an entire volume for changes. File system indexing, replication managers, virus scanners, and incremental backup applications can benefit from using the change journal.
The change journal is much more efficient than time stamps or file notifications for determining changes in a particular namespace. Applications that normally need to rescan an entire volume to determine changes can now scan once, and subsequently refer to the change journal. The I/O cost depends on how many files have changed, not on how many files exist on the volume.
Each record in the change journal takes approximately 80-100 bytes of space, but there is a configurable maximum size that it never exceeds on disk. When this size is reached, a proportion of the oldest records are discarded.
The APIs are fully documented and can be leveraged by independent software vendors (ISVs). Microsoft uses the change journal in Windows 2000 components such as the Indexing Service. ISVs are planning to use this feature to enhance the scalability and robustness of a range of products including backup, antivirus, and auditing tools.
For more information about the change journal, see the Platform Software Development Kit (SDK) link on the Web Resource page at https://windows.microsoft.com/windows2000/reskit/webresources .