Re: [Qemu-discuss] follow file modifications made by guest os with qemu

From: Jakob Bohm
Subject: Re: [Qemu-discuss] follow file modifications made by guest os with qemu
Date: Thu, 16 Mar 2017 04:56:10 +0100
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 15/03/2017 08:47, Pascal wrote:
> hi everybody,
>
> how could I (easily) follow file modifications made by guest os (Windows) with qemu? could I directly exploit the overlay image based on an original Windows image?
>
> regards, lacsaP.

qemu (like most hypervisors) only provides, and thus only sees, the
"sector-level" disk I/O, not the logical meaning in terms of file names.

If you want to see the differences between specific points in time, you
could create (qemu) disk snapshots at those points in time, loop-mount
read-only views of those snapshots under Linux and examine them with
ntfsprogs (so no Windows-based code can interfere with the accuracy of
the results).

If you can get a list of modified disk sector numbers from either the
qemu-image or some other tool, you can map them to NTFS file names as

1. If not already done, convert from a (virtual) disk-relative sector
  number to a (virtual) partition-based sector number (usually by
  subtracting the start of partition sector number).

2. Divide the sector number by the NTFS cluster size on the partition
  (usually 4KB = 8 sectors); this gives you the NTFS cluster number.

3. Use ntfscluster from ntfsprogs to get the NTFS filename.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
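
The three steps in the message above, as an added example that is not part of the original message. It reads the cluster size from the NTFS boot sector instead of assuming 4KB, and builds `ntfscluster -c` command lines. The function names, the sample sector list, the partition start of 2048 and the device path `/dev/loop0p1` are constructed assumptions.

```python
import struct

def ntfs_cluster_size(boot_sector: bytes) -> int:
    """Return the cluster size in bytes recorded in an NTFS boot sector."""
    if boot_sector[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, raw_spc = struct.unpack_from("<HB", boot_sector, 0x0B)
    # Values above 0x80 encode 2**(256 - raw) sectors per cluster.
    spc = raw_spc if raw_spc <= 0x80 else 1 << (256 - raw_spc)
    return bytes_per_sector * spc

def modified_clusters(disk_sectors, part_start, cluster_size, sector_size=512):
    """Steps 1 and 2: disk-relative sectors -> merged NTFS cluster ranges."""
    clusters = set()
    for sector in disk_sectors:
        rel = sector - part_start        # step 1: partition-relative sector
        if rel < 0:
            continue                     # lies before the partition starts
        clusters.add(rel * sector_size // cluster_size)   # step 2
    ranges = []
    for c in sorted(clusters):
        if ranges and c == ranges[-1][1] + 1:
            ranges[-1][1] = c            # extend the current run
        else:
            ranges.append([c, c])        # start a new run
    return [tuple(r) for r in ranges]

def ntfscluster_args(ranges, device):
    """Step 3: one ntfscluster invocation per cluster range."""
    return [["ntfscluster", "-c", f"{a}-{b}", device] for a, b in ranges]

# Constructed sample input: a minimal boot sector (512-byte sectors,
# 8 sectors per cluster) and a list of modified disk-relative sectors.
SAMPLE_BOOT = bytearray(512)
SAMPLE_BOOT[3:11] = b"NTFS    "
struct.pack_into("<HB", SAMPLE_BOOT, 0x0B, 512, 8)
PART_START = 2048                        # assumed partition start sector
SAMPLE_SECTORS = [100, 2128, 2129, 2135, 2136, 6048]
DEVICE = "/dev/loop0p1"                  # placeholder read-only loop device

if __name__ == "__main__":
    size = ntfs_cluster_size(bytes(SAMPLE_BOOT))
    ranges = modified_clusters(SAMPLE_SECTORS, PART_START, size)
    for args in ntfscluster_args(ranges, DEVICE):
        print(" ".join(args))
```

Sectors past the end of the partition are not filtered here; if the sector list covers the whole disk, bound it by the partition length first.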
