Re: NTFS $LOGFILE metafile

From: George M. Garner Jr. (gmgarnerat_private)
Date: Mon Mar 17 2003 - 14:54:37 PST

Next message: George M. Garner Jr.: "Re: NTFS $LOGFILE metafile"

Previous message: Harlan Carvey: "Re: NTFS $LOGFILE metafile"
In reply to: Harlan Carvey: "Re: NTFS $LOGFILE metafile"
Next in thread: George M. Garner Jr.: "Re: NTFS $LOGFILE metafile"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Harlan,

>> As yet, I haven't found a way to access the  $LOGFILE metafile on a live
system,
>> let alone parse it... <<

The FSCTL control codes to read and write from the $Logfile do not appear to
be documented.  Maybe they are in the IFS SDK.  On Windows XP and .Net
Server you can use the volume shadow copy service to backup a snapshot of
the $Logfile.  The syntax is as follows:

ntbackup backup C:\$Logfile /F "A:\myLogfile"

This assumes that C:\ is a ntfs volume and you want to write the backup file
to the a: drive.

Regards,

George.


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: George M. Garner Jr.: "Re: NTFS $LOGFILE metafile"
Previous message: Harlan Carvey: "Re: NTFS $LOGFILE metafile"
In reply to: Harlan Carvey: "Re: NTFS $LOGFILE metafile"
Next in thread: George M. Garner Jr.: "Re: NTFS $LOGFILE metafile"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Mar 17 2003 - 16:53:31 PST