Pure USN_RECORD_V2 buffer parsing — no OS calls, so the whole layer is
testable from raw byte fixtures (docs/ARCHITECTURE.md, CLAUDE.md elevation rules).
Buffer layout returned by FSCTL_READ_USN_JOURNAL / FSCTL_ENUM_USN_DATA:
a leading u64 (the next USN / next FRN to resume from), then a sequence of
USN_RECORD_V2 structures, each RecordLength bytes, 8-byte aligned.
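The layout above, walked defensively, as an added example that is not this crate's `parse_buffer`. The names `walk_usn_v2`, `Rec`, `le` and `HDR` are hypothetical; the field offsets are those of `USN_RECORD_V2` in winioctl.h, and the buffer in `main` is constructed.

```rust
use std::convert::TryInto;
const HDR: usize = 60; // fixed USN_RECORD_V2 header size; FileName follows it

#[derive(Debug, PartialEq)]
pub struct Rec { pub frn: u64, pub usn: i64, pub reason: u32, pub attrs: u32, pub name: String }

// Bounds-checked little-endian read of N bytes at `off`.
fn le<const N: usize>(b: &[u8], off: usize) -> Option<[u8; N]> {
    b.get(off..off.checked_add(N)?)?.try_into().ok()
}

/// Hypothetical walker: leading u64 resume value, then 8-byte-aligned V2 records.
pub fn walk_usn_v2(buf: &[u8]) -> Result<(u64, Vec<Rec>), String> {
    let next = u64::from_le_bytes(le(buf, 0).ok_or("missing 8-byte resume value")?);
    let (mut off, mut out) = (8usize, Vec::new());
    while off < buf.len() {
        let rest = &buf[off..];
        let len = u32::from_le_bytes(le(rest, 0).ok_or("truncated RecordLength")?) as usize;
        // Too short (would stall the loop), unaligned, or running past the buffer.
        if len < HDR || len % 8 != 0 || len > rest.len() {
            return Err(format!("bad RecordLength {} at offset {}", len, off));
        }
        let r = &rest[..len]; // every fixed-offset read below is now in bounds
        if u16::from_le_bytes(le(r, 4).unwrap()) != 2 {
            return Err(format!("MajorVersion is not 2 at offset {}", off));
        }
        let name_len = u16::from_le_bytes(le(r, 56).unwrap()) as usize;
        let name_off = u16::from_le_bytes(le(r, 58).unwrap()) as usize;
        // The name must lie inside this record, after the fixed header.
        let raw = r.get(name_off..name_off + name_len)
            .filter(|_| name_off >= HDR && name_len % 2 == 0)
            .ok_or(format!("file name outside record at offset {}", off))?;
        let units: Vec<u16> = raw.chunks_exact(2).map(|c| u16::from_le_bytes([c[0], c[1]])).collect();
        out.push(Rec {
            frn: u64::from_le_bytes(le(r, 8).unwrap()), usn: i64::from_le_bytes(le(r, 24).unwrap()),
            reason: u32::from_le_bytes(le(r, 40).unwrap()), attrs: u32::from_le_bytes(le(r, 52).unwrap()),
            name: String::from_utf16_lossy(&units),
        });
        off += len;
    }
    Ok((next, out))
}

fn main() {
    // Constructed buffer: resume value 0x1000, then one 64-byte record named "a".
    let mut b = vec![0u8; 72];
    b[1] = 0x10; b[8] = 64; b[12] = 2; b[64] = 2; b[66] = 60; b[68] = b'a';
    println!("{:?}", walk_usn_v2(&b));
}
```

The `RecordLength` check matters most when the bytes come from a replay file rather than the kernel: a zero length would otherwise loop forever, and an oversized one would read past the buffer.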
Modules§
- reason
- Reason flags we act on (winioctl.h).
Structs§
- UsnRecord
- One decoded journal record.
Constants§
- FILE_ATTRIBUTE_DIRECTORY
- Directory attribute bit (FILE_ATTRIBUTE_DIRECTORY).
- FILE_ATTRIBUTE_HIDDEN
- Hidden-file attribute bit (FILE_ATTRIBUTE_HIDDEN).
- FILE_ATTRIBUTE_REPARSE_POINT
- Reparse-point attribute bit (FILE_ATTRIBUTE_REPARSE_POINT), e.g. symlinks/junctions.
- FILE_ATTRIBUTE_SYSTEM
- System-file attribute bit (FILE_ATTRIBUTE_SYSTEM).
Functions§
- encode_buffer
- Serialize records into the FSCTL wire format — used to build test fixtures and replay files (fmf capture-usn).
- parse_buffer
- Parse a raw FSCTL output buffer.
- u16_at 🔒
- u32_at 🔒
- u64_at 🔒