A Rust library for working with the NTFS USN change journal and enumerating the MFT.
usn-journal-rs provides safe, ergonomic abstractions for manipulating the USN change journal and accessing MFT records on NTFS volumes. It enables applications to efficiently enumerate file entries and monitor file system changes on Windows systems.
- 🔍 Read and monitor USN journal records
- 📂 Enumerate NTFS MFT entries
- 🏷️ Resolve file IDs to full paths
- 🦀 High-level, idiomatic Rust API
- 🛡️ Safe abstractions over Windows FFI
use usn_journal_rs::{volume::Volume, journal::UsnJournal};
let drive_letter = 'C';
let volume = Volume::from_drive_letter(drive_letter)?;
let journal = UsnJournal::new(&volume);
for entry_result in journal.iter()? {
match entry_result {
Ok(entry) => println!("USN entry: {:?}", entry),
Err(e) => eprintln!("Error reading USN entry: {e}"),
}
}use usn_journal_rs::{volume::Volume, mft::Mft};
let drive_letter = 'C';
let volume = Volume::from_drive_letter(drive_letter)?;
let mft = Mft::new(&volume);
for entry_result in mft.iter() {
match entry_result {
Ok(entry) => println!("MFT entry: {:?}", entry),
Err(e) => eprintln!("Error reading MFT entry: {e}"),
}
}You can find more usage examples in the examples directory. To run an example, use:
sudo cargo run --example change_monitorReplace change_monitor with any example file name in the directory.
- 🪟 Windows NTFS/ReFS volumes
- 🔑 Requires administrator privilege to access the USN journal or MFT.
See docs.rs/usn-journal-rs for full API documentation.
Contributions are welcome! Please open issues or pull requests on GitHub.
MIT License. See LICENSE for details.
Note:
- This crate is Windows-only.
- ReFS does not have a Master File Table (MFT).