How many file changes can be stored in an NTFS Change journal database with size 32MB for instance. How do I get from megabytes to amount of files?
SnapOverflow
How many file changes can be stored in an NTFS Change journal database with size 32MB for instance. How do I get from megabytes to amount of files?
The number of changes that a given USN journal file can hold can be estimated with the following formula:
journal size/((60 bytes + (length of file name)) * 2)
The number "2" in this formula stems from two journal entries for each file change: 1 for open and 1 for close. Divide the journal size by the size per change to determine the approximate number of changes that can occur before the journal wrap error is encountered. Assuming 8.3 filenames, this maps to approximately 200,000 files and/or directories for a 32 MB journal file. The number of changes would be less if long file names were used.
You can't because the records are variable length. Every record contains the name of the file that was modified.
You can determine the minimum number of records that can be stored by checking a particular record's
RecordLength, adjusting it by the difference between it'sFileNameLengthandlpMaximumComponentLengthreturned from a call toGetVolumeInformation, and dividing that result into the size of the journal.However, it's going to be pretty inaccurate since the overwhelming majority of file names on an NTFS drive are going to be significantly shorter than the maximum length.