{"id":74021,"date":"2015-08-12T00:01:00","date_gmt":"2015-08-12T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2015\/08\/12\/use-poshusnjournal-module-to-work-with-change-journal\/"},"modified":"2019-02-18T09:46:38","modified_gmt":"2019-02-18T16:46:38","slug":"use-poshusnjournal-module-to-work-with-change-journal","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-poshusnjournal-module-to-work-with-change-journal\/","title":{"rendered":"Use PoshUSNJournal Module to Work with Change Journal"},"content":{"rendered":"<p><b style=\"font-size:12px\">Summary<\/b><span style=\"font-size:12px\">: Boe Prox shows how to use the PoshUSNJournal module to work with the USN change journal.<\/span><\/p>\n<p>Honorary Scripting Guy and Windows PowerShell MVP, Boe Prox, here today, filling in for my good friend, the Scripting Guy. I&#039;m finishing up my three-day stint on the Hey, Scripting Guy! Blog. Be sure to catch up by reading:<\/p>\n<ul>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/connect-to-usn-change-journal\/\" target=\"_blank\">Connect to USN Change Journal<\/a><\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/view-entries-in-usn-change-journal\/\" target=\"_blank\">View Entries in USN Change Journal<\/a><\/li>\n<\/ul>\n<p>Today, I will demo my module called <b>PoshUSNJournal<\/b> and show you how to use it with the change journal.<\/p>\n<p>I have taken you on the journey of using Windows PowerShell along with PInvoke via reflection to hook into the Windows API to view the change journal and look at the entries to see what is happening on your file system. Although all of this can be done with a little bit of work, it is nicer to have the ability to do it via functions from a module.<\/p>\n<p>This is what <b>PoshUSNJournal<\/b> aims to do. 
Not only can you do everything that I have already covered, but this module takes it a little further by letting you wait for incoming entries for a near real-time view of what is happening. You can also configure the journal by removing it and re-creating it with a larger or smaller size!<\/p>\n<p>Are you running Windows PowerShell&nbsp;5.0? Great! You can install this module with pretty much no effort from the Windows PowerShell Gallery:<\/p>\n<p style=\"margin-left:30px\">Install-Module -Name PoshUSNJournal -Verbose<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/1_UsingPoshUSNJournal.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/1_UsingPoshUSNJournal.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>No worries if you do not have Windows PowerShell&nbsp;5.0 yet. You can grab the module from my GitHub site: <a href=\"https:\/\/github.com\/proxb\/PoshUSNJournal\" target=\"_blank\">PoshUSNJournal<\/a>. Place it in your modules folder and you are ready to go!<\/p>\n<p>I&rsquo;ll start off by showing how quickly we can view the journal by using <b>Get-USNJournal<\/b> with the <b>DriveLetter<\/b> parameter:<\/p>\n<p style=\"margin-left:30px\">Get-UsnJournal -DriveLetter C:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/2_UsingPoshUSNJournal.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/2_UsingPoshUSNJournal.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>Pretty cool, but we want more than that! I can delete this journal by using <b>Remove-USNJournal<\/b> and create a new one that is a little larger than the 30&nbsp;MB one that we currently have. 
Maybe something like 50&nbsp;MB would be better.<\/p>\n<p style=\"margin-left:30px\">Remove-USNJournal -DriveLetter C: -Verbose<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/3_UsingPoshUSNJournal.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/3_UsingPoshUSNJournal.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>A verification using <b>Get-USNJournal<\/b> shows that it is, in fact, completely gone from my system.<\/p>\n<p>Of course, I need something here to continue demoing the entries, so I will re-create the journal and set it to be 50&nbsp;MB in size:<\/p>\n<p style=\"margin-left:30px\">New-UsnJournal -DriveLetter C: -Size 50MB -Allocation 8MB -Verbose<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/4_UsingPoshUSNJournal.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/4_UsingPoshUSNJournal.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>With that done, we can now look at tracking the changes in the file system by using <b>Get-USNJournalEntry<\/b>.<\/p>\n<p>If you view the Help to see the parameters for this function, you will see that you can actually specify <b>USNReasonMask<\/b> and basically watch the entries in real-time.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5_UsingPoshUSNJournal.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/5_UsingPoshUSNJournal.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>A basic run of <b>Get-USNJournalEntry<\/b> starts at the beginning of when we created the journal and begins showing all of the changes that have occurred since then.<\/p>\n<p><a 
href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6_UsingPoshUSNJournal.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/6_UsingPoshUSNJournal.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>As you can see, some of this (such as the use of SnagIt) has to do with this very post! If you wanted to view everything, you can definitely do that, but keep in mind that you may be waiting awhile because there could potentially be a lot of data to process. Filtering for a specific file or USNReason code will definitely help out here.<\/p>\n<p style=\"margin-left:30px\">Get-UsnJournalEntry | Where {$_.FileName -match &#039;\\.psd1$&#039;}<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/7_UsingPoshUSNJournal.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/7_UsingPoshUSNJournal.png\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>In this case, I wanted to see if I had any .psd1 files that had been updated since I created the journal. 
It turns out that I did, and I can see that it was actually deleted.<\/p>\n<p>The last thing I will show is monitoring the journal by using the <b>-Tail<\/b> and <b>-Wait<\/b> parameters:<\/p>\n<p style=\"margin-left:30px\">Get-UsnJournalEntry -DriveLetter C: -Tail -Wait<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/5037.8.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/5037.8.PNG\" alt=\"Image of command output\" title=\"Image of command output\" \/><\/a><\/p>\n<p>Take note of the New Text Document.txt and TestFileToDelete.txt files. These are actually the same file: you can see how it was first created (using right-click on the Desktop and <b>Create new text file<\/b>), which shows the file as it existed prior to my renaming it.<\/p>\n<p>You can see the file is then sent to the recycle bin under its new name, $I27RNAF.txt, and its subsequent return from the recycle bin (under the USN_REASON_RENAME_OLD_NAME and USN_REASON_RENAME_NEW_NAME masks). The hard deletion is presented under the USN_REASON_FILE_DELETE mask. You can also see that other changes were made on the file system while I was testing against the text file.<\/p>\n<p>With that, we are done exploring the USN change journal by using Windows PowerShell. We explored two methods&mdash;we took a dive using PInvoke with reflection and we used my module, PoshUSNJournal. (This module is available on GitHub and it is always available for pull requests to make it better!)<\/p>\n<p>We invite you to follow the Scripting Guys on&nbsp;<a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a>&nbsp;and&nbsp;<a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. 
If you have any questions, send email to the Scripting Guy at&nbsp;<a href=\"mailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the&nbsp;<a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. Until then, see ya!<\/p>\n<p><b>Boe Prox<\/b>, Windows PowerShell MVP and Honorary Scripting Guy<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Boe Prox shows how to use the PoshUSNJournal module to work with the USN change journal. Honorary Scripting Guy and Windows PowerShell MVP, Boe Prox, here today, filling in for my good friend, the Scripting Guy. I&#039;m finishing up my three-day stint on the Hey, Scripting Guy! Blog. Be sure to catch up by [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[162,610,538,3,45],"class_list":["post-74021","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-boe-prox","tag-change-journal","tag-pinvoke","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Boe Prox shows how to use the PoshUSNJournal module to work with the USN change journal. Honorary Scripting Guy and Windows PowerShell MVP, Boe Prox, here today, filling in for my good friend, the Scripting Guy. I&#039;m finishing up my three-day stint on the Hey, Scripting Guy! Blog. 
Be sure to catch up by [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/74021","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=74021"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/74021\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=74021"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=74021"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=74021"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}