GUI Parsing Tools

Directly reading the binary $J stream is impractical. Specialized tools are needed to parse it into a human-readable format.

  • Command-Line (fsutil.exe): Windows includes the built-in command-line utility fsutil.exe which can directly query the USN Journal.

    • Basic Command Structure: fsutil usn readjournal C: csv (Replace C: with the target drive). The csv argument outputs the data in a comma-separated format suitable for piping or redirection.

    • Filtering with findstr: The output is often piped (|) to the findstr.exe utility for filtering. Common findstr flags include:

      • /i: Case-insensitive search.

      • /C:"search string": Searches for a literal string. Multiple /C flags act like an OR condition.

      • /R: Interprets the search string as a Regular Expression (Regex).

    • Output Redirection: Results can be saved to a file using > output.txt.

    • Example (Finding specific reason codes for executables/prefetch files):

      fsutil usn readjournal c: csv | findstr /i /C:"0x80000200" /C:"0x00001000" /C:"0x00002000" | findstr /i /C:".exe\"" /C:".pf\"" > filtered_journal.txt

      (This searches for FileDelete, RenameOld, RenameNew reasons and filters for lines ending in .exe" or .pf").

    • Note: Requires administrative privileges. Crafting effective fsutil commands requires understanding the reason codes and findstr syntax.

  • GUI Parsing Tools: Several graphical tools offer a more user-friendly interface for Journal analysis.

    • JournalTrace (Ponei/Spokwn):

      • Functionality: A free, dedicated GUI tool for parsing and viewing USN Journal entries. Requires administrator privileges. Spokwn's version includes advanced filtering capabilities.

      • Workflow: Launch -> Select Drive -> Scan Drive -> Switch to "Data Grid" Layout -> Sort/Filter columns.

      • Key Features: Displays event reason codes clearly, allows easy filtering by column content (Name, Reason, Path), shows the timestamp of the "Oldest Entry" (useful for detecting recent clearing), potentially resolves file IDs better than basic tools. Advanced filters in Spokwn's version support AND (&&), OR (||), NOT (!!), and multi-column filtering.

    • Echo Easy Journal Viewer (Echo):

      • Functionality: Another free GUI tool from the Echo team, designed for simplicity and ease of use.

      • Interface: Features pre-defined buttons for common filters ("Deleted," "Created," "Renamed"). Allows sorting by columns (Timestamp, Name, etc.) and basic column filtering. Parses all NTFS drives at once.

      • Use: Good for beginners or quick checks of common events like deletions or renames.

PreviousThe USN Journal ( $UsnJrnl )NextApplication in ScreenSharing

Last updated