How to list all changed files in a shadow volume?

Question

How to list all changed files in a shadow volume?

When a recovery point is created, Windows starts to control the volume, and any changes are written to its own diff file inside the System Volume Information folder.

A detailed VSS-SDK api, we can expose the volume, but it shows us the entire volume and all files / folders that have or have not been changed since the snapshot was created, as well as access to any file, the driver uses diff, if necessary, and shows us the file.

My question is: Is it possible to list all changed files relative to the recovery point (except for brute force method for comparing each file inside the shadow volume and the main volume)?

How does Windows do this when we click the previous versions tab in the Properties file?

+5

windows volume-shadow-service

lalli Aug 27 '10 at 8:21

source share

4 answers

Use the NTFS Change Log . Windows logs all changes in all files on the NTFS volume to the log database (if logging is enabled). This can be requested to return all changes from a specific USN number (recovery point)

Here is an article about a journal that has helped me a lot in implementing change log features

+3

Hannes de jager Oct 27 '10 at 14:04

source share

, , WinMerge, UNC- http://winmerge.org/.

, "C: \", vs "\ localhost\C $\ @GMT-2017.08.24-18.07.46"

, UNC-, .

+1

Jim Lutz 24 . '17 18:15

Windows . .

-1

Krish 02 . '10 20:59

lalli · Accepted Answer · 2010-09-06T06:54:03+0000

I think the best way is brute force, combined with matching USNs. For reference, a link to a similar question is here

How to list all changed files in a shadow volume?

More articles: