I am using USN journal and parent FRN to get the file path. It works properly in Windows XP.But in windows vista and above it does not work properly as it gets some error related to access permission.
In the below code error comes for the line
fOk = NtCreateFile(hFile, 0, ObjAttributes, IoStatusBlock, 0, 0, _
FILE_SHARE_READ Or FILE_SHARE_WRITE, _
FILE_OPEN, FILE_OPEN_BY_FILE_ID Or FILE_OPEN_FOR_BACKUP_INTENT, 0, 0)
In the below code error comes for the line
fOk = NtCreateFile(hFile, 0, ObjAttributes, IoStatusBlock, 0, 0, _
FILE_SHARE_READ Or FILE_SHARE_WRITE, _
FILE_OPEN, FILE_OPEN_BY_FILE_ID Or FILE_OPEN_FOR_BACKUP_INTENT, 0, 0)
Code:
Private Function PathFromFrn(ByVal Id As Long) As String
Dim fOk As Integer
Dim FileName As String = String.Empty
Dim UnicodeString As UNICODE_STRING
Dim ObjAttributes As OBJECT_ATTRIBUTES
Dim IoStatusBlock As IO_STATUS_BLOCK
Dim hFile As IntPtr ' out handle
Dim Buffer As IntPtr = Marshal.AllocHGlobal(4096) ' Raw buffer
Dim Refptr As IntPtr = Marshal.AllocHGlobal(8) ' 8 byte FileID - allocate 8 bytes of unmanaged memory
Dim ObjAtt As IntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(ObjAttributes)) 'pointer to the unicode string struct
Static i As UInt32 : i += 1 ' If i = 100 Then Debugger.Break()
' pointer>>fileid
Marshal.WriteInt64(Refptr, 0, Id)
' 8 byte file id
UnicodeString.Length = 8
UnicodeString.MaximumLength = 8
UnicodeString.Buffer = Refptr
' copy unicode structure to pointer
Marshal.StructureToPtr(UnicodeString, ObjAtt, True)
' InitializeObjectAttributes Macro
ObjAttributes.Length = Marshal.SizeOf(ObjAttributes)
ObjAttributes.ObjectName = ObjAtt ' Or OBJ_KERNEL_HANDLE
ObjAttributes.RootDirectory = m_hCJ
ObjAttributes.Attributes = OBJ_CASE_INSENSITIVE
fOk = NtCreateFile(hFile, 0, ObjAttributes, IoStatusBlock, 0, 0, _
FILE_SHARE_READ Or FILE_SHARE_WRITE, _
FILE_OPEN, FILE_OPEN_BY_FILE_ID Or FILE_OPEN_FOR_BACKUP_INTENT, 0, 0)
' If Not fOk Then Debugger.Break()
If fOk <> INVALID_HANDLE_VALUE Then
fOk = NtQueryInformationFile(hFile, IoStatusBlock, Buffer, 4096, FileNameInformationClass)
If fOk = 0 Then
' The first 4 bytes is the length
Dim FileLength As Integer = Marshal.ReadInt32(Buffer, 0)
' The filename is just after the first 4 bytes.
FileName = Marshal.PtrToStringUni(New IntPtr(Buffer.ToInt32() + 4), FileLength / 2)
End If
End If
' free allocated memory and handles
CloseHandle(hFile)
Marshal.FreeHGlobal(Buffer)
Marshal.FreeHGlobal(ObjAtt)
Marshal.FreeHGlobal(Refptr)
Return FileName
End Function