I have written a program that queries the change journal records and lists them. The change journal returns:
1) filereferencenumber (combination of fileindex.high and fileindex.low)
2) parentfilereferencenumber (same as above except it is for directory)
3) szReason (Reason it appears in the change record)
4) Filename and Filelength.
I want to find the path of this file listed in the change journal. Most of the implementations I have seen keep track of all the filereferencenumber and query it to compare, or they use FindNextFile() functions to traverse through the entire volume.
I came across a discussion where they say they can open a file handle using just the filereferencenumber. http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.file_system/2004-11/0244.html
The MSDN article says we have to load a library before calling internal APIs. http://msdn.microsoft.com/en-us/library/bb432380%28v=vs.85%29.aspx
Can someone point me in the right direction and tell me exactly what to do? How do I use NtCreateFile()?
Or, is there a way to access file path using just the filereferencenumber?