UsnJournal wrap around behavior

prathi_2020

Hi,

Can someone shed light on how range tracking is done in NTFS UsnJournal? Is the information about modified ranges (the extents with offset and length) stored in some data structure, perhaps MFT?

The purpose of asking this question is to know if wrap around of UsnJournal can cause range tracking to get affected. For example, lets consider a file F1 whose size is above 1 MB and hence Is eligible for range tracking. Below are the operations on the file F1:
Open (creates a record in UsnJournal)
Write W1 (creates a record in UsnJournal)
Write W2 (does not create a record in UsnJournal as this operation is same as previous operation)
Write W3 (does not create a record in UsnJournal as this operation is same as previous operation)
...
Write Wn (does not create a record in UsnJournal as this operation is same as previous operation)
Close (creates a record in UsnJournal)
(Above example is based on UsnJournal documentation https://docs.microsoft.com/en-us/windows/win32/fileio/change-journal-records)

If the UsnJournal wraps around between lets say when write W3 happens and before Close of the file F1 is done, do we still get correct Extents as part of record written during Close operation? In other words, does journal wrap affect range tracking?

Also, can someone clarify if below is the right way detecting a wrap (T2 comes after T2)
At Time T1: fsutil usn queryJournal C: >> gives NextUsn = n1
At Time T2: fsutil usn queryJournal C: >> gives FirstUsn = f2

If f1 > n1, is it implied that between T1 and T2, the change journal wrapped over?

Thank you!