Change log for windows SMB share

I am working on a solution where I need to track all the file changes (read, write, change basic info, etc.) that are happening on a Windows SMB share.

  1. What are the options for getting the file change logs in Windows?
  2. Can I get the change logs from my client machine where the SMB shares are mounted?

Thanks in advance.
Biju

> I am working on a solution where I need to track all the file changes (read, write, change basic info etc) that are happening on a windows SMB share.

You mean like procmon, or the Minispy example?

Yes, something like that. I am looking for a solution where I don’t have to add any agent on the Windows server machine.

Can I use the NTFS change journal feature? Does the change journal feature support SMB share changes? Can I query change journal logs from a client machine using the mounted volume?

Assuming that the share is on an NTFS volume, the changes must be present in the change journal. Of course, SMB shares can point to directories on any filesystem supported by Windows, so unless you are developing for a specific environment, this is not useful. Remember too that the NTFS journal will record all changes in the FS, including those not made via the SMB share.

I don't think that you have any viable options, as the only one I can think of (a network filter that would interpret the SMB commands) won't work in the case of encrypted traffic (IIRC the default these days).


From: xxxxx@gmail.com
Sent: October 20, 2017 9:50 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Change log for windows SMB share

> Yes, something like that. I am looking for a solution where I don’t have to add any agent on the windows server machine.
>
> Can I use NTFS change journal feature? Does change journal feature support SMB share changes? Can I query change journal logs from client machine using the mounted volume?


NTFSD is sponsored by OSR
