Friday, February 4, 2011

How to see if a subfile of a directory has changed

In Windows, is there an easy way to tell if a folder has a subfile that has changed?

I verified, and the last modified date on the folder does not get updated when a subfile changes.

Is there a registry entry I can set that will modify this behavior?

If it matters, I am using an NTFS volume.

I would ultimately like to have this ability from a C++ program.

Scanning an entire directory recursively will not work for me because the folder is much too large.

Update: I really need a way to do this without a process running while the change occurs. So installing a file system watcher is not optimal for me.

Update2: The archive bit will also not work because it has the same problem as the last modification date. The file's archive bit will be set, but the folders will not.

  • If you can't run a process when the change occurs, then there's not much you can do except scan the filesystem, and check the modification date/time. This requires you to store each file's last date/time, though, and compare.

    You can speed this up by using the archive bit (though it may mess up your backup software, so proceed carefully).

    An archive bit is a file attribute present in many computer file systems, notably FAT, FAT32, and NTFS. The purpose of an archive bit is to track incremental changes to files for the purpose of backup, also called archiving.

    As the archive bit is a binary bit, it is either 1 or 0, or in this case more frequently called set (1) and clear (0). The operating system sets the archive bit any time a file is created, moved, renamed, or otherwise modified in any way. The archive bit therefore represents one of two states: "changed" and "not changed" since the last backup.

    Archive bits are not affected by simply reading a file. When a file is copied, the original file's archive bit is unaffected, however the copy's archive bit will be set at the time the copy is made.

    So the process would be:

    1. Clear the archive bit on all the files
    2. Let the file system change over time
    3. Scan all the files - any with the archive bit set have changed

    This will eliminate the need for your program to keep state, and since you're only going over the directory entries (where the bit is stored) and they are clustered, it should be very, very fast.

    If you can run a process during the changes, however, then you'll want to look at the FileSystemWatcher class. Here's an example of how you might use it.

    It also exists in .NET (for future searchers of this type of problem)

    Perhaps you can leave a process running on the machine watching for changes and creating a file for you to read later.

    Reuben : Depending on the nature of your application, it's not necessarily a good idea to go around changing the archive bits of files that you don't "own"...
    From Adam Davis
  • If you are not opposed to using .NET the FileSystemWatcher class will handle this for you fairly easily.

    NotMyself : bah. Beat by Adam...
    From NotMyself
  • Nothing easy - if you have a running app you can use the Win32 file change notification apis (FindFirstChangeNotification) as suggested with the other answers. warning: circa 2000 trend micro real-time virus scanner would group the changes together making it necessary to use really large buffers when requesting the file system change lists.

    If you don't have a running app, you can turn on ntfs journaling and scan the journal for changes http://msdn.microsoft.com/en-us/library/aa363798(VS.85).aspx but this can be slower than scanning the whole directory when the # of changes is larger than the # of files.

    From Tony Lee
  • From the double post someone mentioned: WMI Event Sink

    Still looking for a better answer though.

  • This article should help. Basically, you create one or more notification object such as:

    HANDLE dwChangeHandles[2]; 
    dwChangeHandles[0] = FindFirstChangeNotification( 
          lpDir,                          // directory to watch 
          FALSE,                          // do not watch subtree 
          FILE_NOTIFY_CHANGE_FILE_NAME);  // watch file name changes 
    
       if (dwChangeHandles[0] == INVALID_HANDLE_VALUE) 
       {
         printf("\n ERROR: FindFirstChangeNotification function failed.\n");
         ExitProcess(GetLastError()); 
       }
    
    // Watch the subtree for directory creation and deletion.  
       dwChangeHandles[1] = FindFirstChangeNotification( 
          lpDrive,                       // directory to watch 
          TRUE,                          // watch the subtree 
          FILE_NOTIFY_CHANGE_DIR_NAME);  // watch dir name changes 
    
       if (dwChangeHandles[1] == INVALID_HANDLE_VALUE) 
       {
         printf("\n ERROR: FindFirstChangeNotification function failed.\n");
         ExitProcess(GetLastError()); 
       }
    

    and then you wait for a notification:

     while (TRUE) 
       { 
       // Wait for notification. 
          printf("\nWaiting for notification...\n");
    
          DWORD dwWaitStatus = WaitForMultipleObjects(2, dwChangeHandles, 
             FALSE, INFINITE); 
    
          switch (dwWaitStatus) 
          { 
             case WAIT_OBJECT_0: 
    
             // A file was created, renamed, or deleted in the directory.
             // Restart the notification. 
                 if ( FindNextChangeNotification(dwChangeHandles[0]) == FALSE )
                 {
                   printf("\n ERROR: FindNextChangeNotification function failed.\n");
                   ExitProcess(GetLastError()); 
                 }
                 break; 
    
             case WAIT_OBJECT_0 + 1: 
    
             // Restart the notification. 
                 if (FindNextChangeNotification(dwChangeHandles[1]) == FALSE )
                 {
                   printf("\n ERROR: FindNextChangeNotification function failed.\n");
                   ExitProcess(GetLastError()); 
                 }
                 break; 
    
             case WAIT_TIMEOUT:
    
             // A time-out occurred. This would happen if some value other 
             // than INFINITE is used in the Wait call and no changes occur.
             // In a single-threaded environment, you might not want an
             // INFINITE wait.
    
                printf("\nNo changes in the time-out period.\n");
                break;
    
             default: 
                printf("\n ERROR: Unhandled dwWaitStatus.\n");
                ExitProcess(GetLastError());
                break;
          }
       }
    }
    
    ΤΖΩΤΖΙΟΥ : However, this is not what Brian requested; this answer does not provide a solution for the case that some file (in the folder) is just modified (and not renamed, and no subdir/file created or deleted).
    botismarius : It depends what you understand by modified. If you plan to maintain a mirror of a folder, then renaming certainly if a modification.
  • Perhaps you can use the NTFS 5 Change Journal with DeviceIoControl as explained here

    From PabloG
  • ReadDirectoryChangesW

    Some excellent sample code in this CodeProject article

    ΤΖΩΤΖΙΟΥ : Serge, expand a little your suggestion with an example applying to the question.
    Serge - appTranslator : ΤΖΩΤΖΙΟΥ, I added a link to a very good CP article that contains sample code
  • This is perhaps overkill, but the IFS kit from MS or the FDDK from OSR might be an alternative. Create your own filesystem filter driver with simple monitoring of all changes to the filesystem.

0 comments:

Post a Comment