Re: [Qemu-discuss] follow file modifications made by guest os with qemu
From: Jakob Bohm
Subject: Re: [Qemu-discuss] follow file modifications made by guest os with qemu
Date: Thu, 16 Mar 2017 04:56:10 +0100
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 15/03/2017 08:47, Pascal wrote:
> hi everybody,
> how could I (easily) follow file modifications made by guest os
> (Windows) with qemu ?
> could I directly exploit the overlay image based on an original
> Windows image ?
> regards, lacsaP.

qemu (like most hypervisors) only provides, and thus only sees, the
"sector-level" disk I/O, not the logical meaning in terms of file names.
If you want to see the differences between specific points in time, you
could create (qemu) disk snapshots at those points in time, loop-mount
read-only views of those snapshots under Linux and examine them with
ntfsprogs (so no Windows-based code can interfere with the accuracy of
the results).
If you can get a list of modified disk sector numbers from either the
qemu-image or some other tool, you can map them to NTFS file names as
follows:
1. If not already done, convert from a (virtual) disk-relative sector
number to a (virtual) partition-based sector number (usually by
subtracting the start of partition sector number).
2. Divide the sector number by the NTFS cluster size on the partition
(usually 4KB = 8 sectors); this gives you the NTFS cluster number.
3. Use ntfscluster from ntfsprogs to get the NTFS filename.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
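
The three mapping steps from the reply above, as an added example that is not part of the original message. It assumes 512-byte sectors (as in "4KB = 8 sectors"), reads the cluster size from the NTFS boot sector instead of assuming 8, and builds `ntfscluster -c` command lines; the function names, the sector list, the partition start of 2048 and the device `/dev/loop0p1` are constructed for illustration.

```python
def ntfs_sectors_per_cluster(boot_sector: bytes) -> int:
    """Read sectors-per-cluster from the first sector of an NTFS partition."""
    if boot_sector[3:11] != b"NTFS    ":          # OEM ID at offset 3
        raise ValueError("not an NTFS boot sector")
    spc = boot_sector[0x0D]
    # Values above 0x80 encode large clusters as a power of two: 2**(256 - value).
    return 1 << (256 - spc) if spc > 0x80 else spc


def sectors_to_cluster_ranges(disk_sectors, partition_start, sectors_per_cluster=8):
    """Steps 1 and 2: disk-relative sectors -> sorted, merged NTFS cluster ranges."""
    clusters = set()
    for sector in disk_sectors:
        rel = sector - partition_start             # step 1: partition-relative
        if rel >= 0:                               # skip sectors before the partition
            clusters.add(rel // sectors_per_cluster)   # step 2: cluster number
    ranges = []
    for c in sorted(clusters):
        if ranges and c == ranges[-1][1] + 1:
            ranges[-1][1] = c                      # extend the current run
        else:
            ranges.append([c, c])
    return [tuple(r) for r in ranges]


def ntfscluster_commands(ranges, device):
    """Step 3: one ntfscluster call per range; run against a read-only view."""
    return [["ntfscluster", "-c", f"{a}-{b}", device] for a, b in ranges]


if __name__ == "__main__":
    # Constructed sample: boot sector with 8 sectors per cluster, partition at 2048.
    boot = bytearray(512)
    boot[3:11] = b"NTFS    "
    boot[0x0D] = 8
    modified = [2048, 2055, 2056, 2063, 2064, 10000, 100]   # constructed sector list
    spc = ntfs_sectors_per_cluster(bytes(boot))
    for cmd in ntfscluster_commands(
            sectors_to_cluster_ranges(modified, 2048, spc), "/dev/loop0p1"):
        print(" ".join(cmd))
```

Merging adjacent clusters into ranges keeps the number of `ntfscluster` runs small when a guest rewrites a large file.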