Contains the information for an update sequence number (USN) change journal version 4.0 record. The version 2.0 and 3.0 records are defined by the USN_RECORD_V2 (also called USN_RECORD) and USN_RECORD_V3 structures respectively.
The 128-bit ordinal number of the file or directory for which this record notes changes.
This value is an arbitrarily assigned value that associates a journal record with a file.
The 128-bit ordinal number of the directory where the file or directory that is associated with this record
This value is an arbitrarily assigned value that associates a journal record with a parent directory.
The USN of this record.
The flags that identify reasons for changes that have accumulated in this file or directory journal record
since the file or directory opened.
When a file or directory closes, then a final USN record is generated with the
USN_REASON_CLOSE flag set. The next change (for example, after the next open
operation or deletion) starts a new record with a new set of reason flags.
A rename or move operation generates two USN records, one that records the old parent directory for the item,
and one that records a new parent.
The following table identifies the possible flags.
Note Unused bits are reserved.
A user has either changed one or more file or directory attributes (for example, the read-only, hidden,
system, archive, or sparse attribute), or one or more time stamps.
The file or directory is closed.
The compression state of the file or directory is changed from or to compressed.
The file or directory is extended (added to).
The data in the file or directory is overwritten.
The file or directory is truncated.
The user made a change to the extended attributes of a file or directory.
These NTFS file system attributes are not accessible to Windows-based applications.
The file or directory is encrypted or decrypted.
The file or directory is created for the first time.
The file or directory is deleted.
An NTFS file system hard link is added to or removed from the file or directory.
An NTFS file system hard link, similar to a POSIX hard link, is one of several directory entries that see
the same file or directory.
A user changes the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute.
That is, the user changes the file or directory from one where content can be indexed to one where content
cannot be indexed, or vice versa. Content indexing permits rapid searching of data by building a database of
A user changed the state of the FILE_ATTRIBUTE_INTEGRITY_STREAM attribute for the given stream.
On the ReFS file system, integrity streams maintain a checksum of all data for that stream, so that the contents of the file can be validated during read or write operations.
The one or more named data streams for a file are extended (added to).
The data in one or more named data streams for a file is overwritten.
The one or more named data streams for a file is truncated.
The object identifier of a file or directory is changed.
A file or directory is renamed, and the file name in the
USN_RECORD_V4 structure is the new name.
The file or directory is renamed, and the file name in the
USN_RECORD_V4 structure is the previous name.
The reparse point that is contained in a file or directory is changed, or a reparse point is added to or
deleted from a file or directory.
A change is made in the access rights to a file or directory.
A named stream is added to or removed from a file, or a named stream is renamed.
The given stream is modified through a committed TxF transaction.
When a thread writes a new USN record, the source information flags in the prior record continue to be
present only if the thread also sets those flags. Therefore, the source information structure allows
applications to filter out USN records that are set only by a known source, for example, an antivirus filter.
One of the following values can be set.
The operation adds a private data stream to a file or directory.
One example is a virus detector adding checksum information. As the virus detector modifies the item,
the system generates USN records. USN_SOURCE_AUXILIARY_DATA indicates that the
modifications did not change the application data.
The operation provides information about a change to the file or directory made by the operating system.
A typical use is when the Remote Storage system moves data from external to local storage. Remote Storage
is the hierarchical storage management software. Such a move usually at a minimum adds the
USN_REASON_DATA_OVERWRITE flag to a USN record. However, the data has not changed
from the user's point of view. By noting USN_SOURCE_DATA_MANAGEMENT in the
SourceInfo member, you can determine that although a write operation is performed
on the item, data has not changed.
The operation is modifying a file to match the contents of the same file which exists in another member
of the replica set.
The operation is modifying a file on client systems to match the contents of the same file that exists in the cloud.
The number of extents that remain after the current USN_RECORD_V4 record. Multiple version 4.0 records may be required to describe all of the modified extents for a given file. When the RemainingExtents member is 0, the current USN_RECORD_V4 record is the last USN_RECORD_V4 record for the file. The last USN_RECORD_V4 entry for a given file is always followed by a USN_RECORD_V3 record with at least the USN_REASON_CLOSE flag set.
The number of extents in current USN_RECORD_V4 entry.
An array of USN_RECORD_EXTENT structures that represent the extents in the USN_RECORD_V4 entry.
A USN_RECORD_V4 record is only output when range tracking is turned on and the file size is equal or larger than the value of the RangeTrackFileSizeThreshold member. The user always receives one or more USN_RECORD_V4 records followed by one USN_RECORD_V3 record.
To provide a path forward compatibility in change journal clients, Microsoft provides a major and minor version number of the change journal software in the USN_RECORD_V4 structure. Your code should examine these values, examine its own compatibility with the change journal software, and gracefully handle any incompatibility if necessary.
A change in the minor version number indicates that the existing USN_RECORD_V4 structure members are still valid, but that new members may have been added between the penultimate member and the last, which is a variable-length string.
To handle such a change gracefully, your code should not do any compile-time pointer arithmetic that relies on the location of the last member. For example, a change in the minor version number makes the sizeof(USN_RECORD) call unreliable. Instead, rely on run-time calculations that use the RecordLength member.
An increase in the major version number of the change journal software indicates that the USN_RECORD_V4 structure may have undergone major changes, and that the current definition may not be reliable. If your code detects a change in the major version number of the change journal software, the code should not work with the change journal.
The feedback system for this content will be changing soon. Old comments will not be carried over. If content within a comment thread is important to you, please save a copy. For more information on the upcoming change, we invite you to read our blog post.