USN Journal defragmentation

eL_PuSHeR · December 20, 2011, 6:05pm

Hello.

I wonder if Defraggler is able to defrag $UsnJrnl:$J located at C:\$Extend on my system drive.

I am asking because that's the only file that appears as fragmented on Defraggler drive map (red block).

I think I ran a boot time defrag yesterday but the same file remains fragmented.

Any ideas?

PS - I am running W7 x86

Winapp2.ini · December 20, 2011, 6:34pm

You can actually delete the usn journal

fsutil usn deletejounal /d C:\

it should rebuild it non-fragmented, and remove old data from it at the same time.

Andavari · December 21, 2011, 4:09am

I've never actually deleted it with software installed that enables it, not feeling too experimental to do it really.

And I do wonder if deleting it would possibly cause a problem with some security software which will automatically enable it during setup if it isn't already enabled, such as; Avast Antivirus, Microsoft Security Essentials, etc...

Winapp2.ini · December 21, 2011, 6:34am

i should have noted that fsutil is built into windows

eL_PuSHeR · December 21, 2011, 8:20am

I have used the fsutil sometime. I was just wondering about defragmenting metadata. I will try deleting it to see what happens.

Best regards.

robh · November 13, 2013, 9:25am

If you delete the $UsnJrnl:$J on a domain controller, you will create a big problem. Before recommending anyone deletes a system file, you should be very sure of what you are saying.

As far as I can find, there is no 100% safe way to deal with a fragmented UsnJrnl. In some cases you "may" be able to delete it with no significant side effects. In others it may be catastrophic.

eL_PuSHeR · November 13, 2013, 5:41pm

I have been lucky so far, then.

But yes, tinkering with NTFS metadata can be dangerous.

robh · November 13, 2013, 9:24pm

Here is a post from another site that sums up the issue around deleting this file on a DC.

This can be a really BAD idea on a domain controller. If you delete this file it KILLS the File Replication Service that keeps multiple DCs in sync. After doing this you have to manually reconnect and reinitialise the NTFRS from a DC that is still working. If you do this on all your DCs (eg: both) the only supported way to get back to a working system is a complete domain reinstall (or backups).

So while it is normally safe to delete this file there is a ball buster waiting for you.

The source of that post is located here, just so you can see the post in context.

Sadly, I will say that a year or so ago I learned this lesson the hard way when I followed instructions from someone that sounded very competent and deleted the file from a DC.

julevine · November 14, 2013, 8:21pm

i have same issue $UsnJrnl:$J gets so big before i had to reinstall my system my $UsnJrnl:$J size was massive i had not reinstalled my system for yrs the size at last time i checked was 6 or 7 GB of a 40GB drive i had more files on system then

but i reinstalled xp pro and check like day later or so on sept 24 2013

it was around 55,313Kb

now on nov 14 2013 it's around

in app 399,279KB

in log 408861280KB

i do not know if $UsnJrnl:$J gets created right away when installing os

becuase first time i looked it was not there

im pretty sure it was not there untill 1 day or 2 after installing OS

can someone confirm this for me if $UsnJrnl:$J gets created right away or not when installing os

Andavari · November 17, 2013, 11:25am

i do not know if $UsnJrnl:$J gets created right away when installing os

On a normal XP install I don't think it does. Like I eluded to a few posts up from 2 years ago in 2011 certain software will enable it, mostly I've seen antivirus software that enables it.

I don't however think the newest versions for the past few months of Microsoft Security Essentials enables it anymore on XP systems.

The only time I've ever deleted it with confidence and knew I probably wasn't going to break something was after I had uninstalled software I knew enabled it.

julevine · December 6, 2013, 8:00pm

does anyone know what will happen if you delete $UsnJrnl:$J from system

i know i have no software that uses it exept NTFS file system keeping track of system changes

eL_PuSHeR · December 7, 2013, 11:22am

I think it will be recreated by the filesystem.

Andavari · December 7, 2013, 4:15pm

I don't however think the newest versions for the past few months of Microsoft Security Essentials enables it anymore on XP systems.

The newest Microsoft Security Essentials v4.4.304.0 does enable the USN Journal on the system drive C:\ on XP systems.

julevine · December 9, 2013, 7:45pm

yesterday i found the correct delete comand and it deleted it without problems it very easy

in windows xp pro it works

do not know about windows 7

just open cmd and type it in

fsutil usn deletejounal /d C:\

i am so happy you can delete it while system is on

Nergal · December 9, 2013, 10:40pm

So everyone can see what this command does:/D disables the USN(http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fsutil_usn.mspx?mfr=true)EDIT: important!!!!!!

Using deletejournal Deleting or disabling an active journal is very time consuming, because the system must access all the records in the master file table (MFT) and set the last USN attribute to zero. This process can take several minutes, and can continue after the system restarts, if necessary. During this process, the change journal is not considered active, nor is it disabled. While the system is disabling the journal, it cannot be accessed, and all journal operations return errors. You should use extreme care when disabling an active journal, because it adversely affects other applications using the journal

USN Journal defragmentation

Announcements