date 28.Jul.2024

■ USN journal for misplaced files and directories


Nobody's perfect. A momentary lapse of concentration may send files somewhere unintended, leaving you scratching your head over which folder they ended up in. xplorer² has a Go to > Drop target menu command that can help you track the last file operation, but it won't catch all possible accidents.

NTFS-formatted local drives usually track all file changes in a special system file called the Change journal, but not many people outside the forensic industry have heard of it. Any small file modification (even a change of the read-only attribute) is recorded. To limit its size, the journal is periodically purged, but you should always find records for the latest file changes (a couple of days' worth or better).

I found this CodeProject article that has source code and a demo program that lists every single record of the USN journal, but it is not focused enough for file management mishaps. You don't care about the thousands of temporary files that Windows creates every second. So I wrote a console tool that examines recent file and folder copies and moves, ignoring the clutter and useless minutiae.

Changes in these folders are ignored: ProgramData, AppData, c:\Windows

Click to download CJournal (30 KB)

You need to run it from an administrative (elevated) command console.

To run it, type CMD in your Start menu, right-click the command prompt search result and select Run as administrator from the menu. You must specify which drive letter you want to examine. There are also some optional command line arguments:

USAGE: cjournal X [NAME] [/mm]
	X: drive letter to examine
	NAME: part of the filename you seek (default: all names)
	/mm: how many minutes to show (default: last 60 minutes' changes)

For example you can do a basic "cjournal C" to check the last hour of your C:\ drive, or "cjournal E pdf /30" to find changes for PDF files only in the last 30 minutes. Note that not all drives support a change journal:

If the output has lots of lines, you may want to redirect it to a text file and then open that file in MS Excel, where it will be nicely organized in columns automatically. Use the > output redirector as follows:
CJOURNAL C > changes.txt

Then open CHANGES.TXT with Excel to browse the results; use TAB as the separator character.

cjournal command line
 

Misplaced files troubleshooter

Nobody likes to be wrongly accused, but if xplorer² does something unexpected it is 100% the operator's fault and not a bug in xplorer². With extra power comes greater responsibility and room for mistakes. Don't blame the knife for cutting your fingers :)

The most problematic operation is a file move, where the files didn't end up where you intended. Here's what you should do:

The idea is to find the target folder where the files ended up. If it was a move within the same partition, the move looks like a rename, so you get an OLD_NAME event followed by a NEW_NAME event that carries the new folder path:

DATE		EVENT		FILENAME
09:17:27	OLD_NAME	c:\root\translate.txt
09:17:27	NEW_NAME	c:\root\New Folder\translate.txt

Whereas if you moved the file from E:\ to C:\, you must check both the C and E drive journals, which will reveal entries like:

09:41:30     DELETE  e:\documents\mine\Release_unicode\change.txt
09:41:30     CREATE  c:\root\change.txt

Note this change appears as a delete followed by a fresh file creation. Good luck!
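Both patterns can be picked out of redirected cjournal output automatically. The following is an added example, not part of CJournal or the original post: it assumes the TAB-separated time, event, filename layout shown above, and the sample lines, function names and 5-second matching window are constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample: "cjournal C" and "cjournal E" output concatenated,
# assumed TAB-separated as time, event, filename (header line included).
SAMPLE = (
    "DATE\tEVENT\tFILENAME\n"
    "09:17:27\tOLD_NAME\tc:\\root\\translate.txt\n"
    "09:17:27\tNEW_NAME\tc:\\root\\New Folder\\translate.txt\n"
    "09:41:30\tCREATE\tc:\\root\\change.txt\n"
    "09:50:02\tCREATE\tc:\\root\\notes.txt\n"
    "09:41:30\tDELETE\te:\\documents\\mine\\Release_unicode\\change.txt\n"
)

def parse(text):
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        try:
            when = datetime.strptime(cols[0], "%H:%M:%S")
        except ValueError:
            continue  # header, blank or malformed line
        if len(cols) == 3:
            yield when, cols[1].upper(), cols[2]

def drive_and_name(path):
    return ntpath.splitdrive(path)[0].lower(), ntpath.basename(path).lower()

def find_moves(text, window_s=5):
    """Return [(kind, source, destination)] reconstructed from the events."""
    moves, old, deletes, creates = [], None, [], []
    for when, event, path in parse(text):
        if event == "OLD_NAME":
            old = path
        elif event == "NEW_NAME" and old:
            same_dir = ntpath.dirname(old).lower() == ntpath.dirname(path).lower()
            moves.append(("rename" if same_dir else "move", old, path))
            old = None
        elif event in ("DELETE", "CREATE"):
            (deletes if event == "DELETE" else creates).append((when, path))
    # Matched in a second pass so the order of the two dumps does not matter.
    for c_when, dst in creates:
        for d_when, src in deletes:
            (c_drv, c_name), (d_drv, d_name) = drive_and_name(dst), drive_and_name(src)
            if (c_name == d_name and c_drv != d_drv
                    and abs(c_when - d_when) <= timedelta(seconds=window_s)):
                moves.append(("cross-drive move", src, dst))
                deletes.remove((d_when, src))
                break
    return moves
```

A CREATE with no matching DELETE on another drive (notes.txt in the sample) is left out, since it is a new file or a copy rather than a move.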



©2002-2024 ZABKAT LTD, all rights reserved