CIS 6.0 Uses NTFS Change Journal

I was disappointed to learn that COMODO Internet Security 6.0 activates and uses the NTFS Volume Change Journal functionality. One change journal is kept for each NTFS volume. This journal keeps a log of all changes to the directories and files on that volume.

I discovered the activation of the NTFS Change Journal functionality when I restored an image copy of my music files. I have a separate partition on my hard drive for my music files. With previous versions of CIS, I was able to restore the image copy of my music partition while working online in my primary partition, which contains the Windows operating system (I am on Windows XP SP3). However, when I restored the image copy of my music under CIS 6.0, my computer had to go “offline” to perform the restore. By “offline”, I mean the computer had to shut down and reboot into DOS to perform the restore. This “offline” process is the same process used when restoring my primary partition, the one containing the Windows operating system. Obviously, when restoring the primary partition, I know and expect that the restore process will be “offline”. However, when I restore a non-operating system partition, I assume and expect the restore will be performed “online”.

After seeing that the music partition restore was performed “offline”, I researched the issue and discovered that the NTFS change journal functionality was activated and used by COMODO Internet Security 6.0. I am very disappointed that COMODO now uses NTFS change journals.


If interested, you can query the NTFS change journal on a given volume via the following command:

fsutil usn queryjournal C:

In the example above, the change journal stored on drive C is queried. There is a command to delete the change journal, but CIS 6.0 will reactivate and create a new change journal when the computer is rebooted.

Out of curiosity, are you using the AV component in CIS?

What program are you using for back up?

What are the consequences of this behaviour?
Why is it introduced?

It’s for the Antivirus Cache function, so it can skip already scanned files (until it updates the database again). Avast also uses $UsnJrnl for the same reason. The downside is that the only way to de-fragment $UsnJrnl is to do it before the system loads. You can do it with any defrag tool that provides off-line de-fragmentation functionality. $UsnJrnl fragments fast, so I just delete it before de-fragmenting drives and let it recreate itself on the next reboot.

Where do I find it?
Why isn't it shown in fragmentation info?

You can’t access it from the file system. Most defragmenting programs should be able to see it and list it in fragmentation statistics (view from PerfectDisk Free attached); some of them are able to defragment it upon reboot (PerfectDisk Free can).

The only way to remove it is to run this command:

fsutil usn deletejournal /n c:

(This command removes the journal from the C:\ drive; to remove it from other drives, change the drive letter accordingly.)

The journal will be recreated on the next reboot (with Avast I noticed it can be recreated on the next scan if there are no system files or page file on the drive, so I disable the real-time shield before doing my maintenance).

Disclaimer: I suffer from OCD related to ordering items, and fragmented files tick me off. It might not be the brightest idea to do what I do, but so far I have not noticed any negative effects from doing it.


Why is this a problem?