- Fast in-memory scan of all records in the $MFT
- Usn journal reader
See the examples directory for complete working examples.
// Open the C volume and its MFT.
// Must have elevated privileges or it will fail.
let volume = Volume::new("\\\\.\\C:")?;
let mft = Mft::new(volume)?;
// Iterate all files
for file in mft.files() {
// Can also use FileInfo::with_cache().
let info = FileInfo::new(&mft, &file);
// Available fields: name, path, is_directory, size, timestamps (created, accessed, modified).
}
// Some perf comparison
// Type Iteration Drop Total
// No Cache 12.326s 0 12.326s
// HashMap Cache 4.981s 323.150ms 5.305s
// Vec Cache 3.756s 114.670ms 3.871slet volume = Volume::new("\\\\?\\C:")?;
// With `JournalOptions` you can customize things like where to start reading
// from (beginning, end, specific point), the mask to use for the events and more.
let mut journal = Journal::new(volume, JournalOptions::default())?;
// Try to read some events.
// You can call `read_sized` to use a custom buffer size.
for result in journal.read()? {
// Available fields are: usn, timestamp, file_id, parent_id, reason, path.
}You can use plain cargo or install mise:
curl https://mise.run | shTasks
mise fix # Fix format and fixable linting errors
mise check # Check format and linting issues
mise build # Build debug
mise release # Build release
mise test # Run tests
mise test-32 # Run tests with the `i686-pc-windows-msvc` target, single threaded
mise bench # Run benchmarks (slow!)