Author Topic: Raw access to file (Read 3344 times)

theflakes

  • Newbie
  • Posts: 5
Raw access to file
« on: December 25, 2017, 09:06:06 pm »
Want to create console application to read the below file:

C:\$extend\$UsnJrnl:$J:$DATA

I think this requires raw disk access and then access to the $J alternate data stream. I've found info on the byte format of the data, but I'm not sure how to get access to it.

Any help is greatly appreciated.

thanks

Thaddy

  • Hero Member
  • *****
  • Posts: 14213
  • Probably until I exterminate Putin.
Re: Raw access to file
« Reply #1 on: December 25, 2017, 09:57:59 pm »
Alternate data streams on Windows can simply be accessed with a TFileStream: you specify the data stream in the filename as usual, filename:alternate_stream.
You don't need raw disk access at all.
Specialize a type, not a var.

theflakes

  • Newbie
  • Posts: 5
Re: Raw access to file
« Reply #2 on: December 25, 2017, 10:10:37 pm »
Thanks, will give it a try. This is a special NTFS Windows system file that can't be accessed via normal methods, but I will see what I can do with TFileStream.

Thaddy

  • Hero Member
  • *****
  • Posts: 14213
  • Probably until I exterminate Putin.
Re: Raw access to file
« Reply #3 on: December 25, 2017, 10:20:34 pm »
That file is not so special. It is simply a hidden file + a hidden data stream. It contains (in user mode) file change logs. But you may need access rights. In that case raw access won't help you... Even if you have the format, it is likely to be encrypted on some systems. It is possible to delete the file with fsutil, so I suppose on a standard system it can be read with a TFileStream.
Of course you can change ownership, but not on all system-owned files. That requires taking out the disk and mounting it on another machine as a second drive. If it is indeed encrypted you are normally at a loss.
« Last Edit: December 25, 2017, 10:33:18 pm by Thaddy »
Specialize a type, not a var.
