# USN Journal Clearing

* **Description:** This involves the complete deletion of the NTFS Update Sequence Number (USN) Journal (`$J` stream within `$Extend\$UsnJrnl`) for a specific volume.
* **Mechanism:** Typically performed using the built-in `fsutil.exe` command with administrative privileges: `fsutil usn deletejournal /D C:` (replace `C:` with the target drive). This command **completely wipes** the existing journal log, forcing Windows to create a new, empty one upon the next filesystem change.
* **Why Cheaters Use It:** To erase the *entire* recorded history of file creations, deletions, renames, attribute changes, and stream modifications on a volume, effectively blinding analysis techniques that rely heavily on the Journal (like detecting Prefetch clearing, file replacement, timestomping via `BASIC_INFO_CHANGE`, ADS manipulation, etc.).
* **Detection:** Clearing the USN Journal is a drastic action that leaves clear, detectable traces:
  * **Event Logs:** The act of deleting the USN Journal reliably triggers **Event ID 3079** in the **Application** event log. The event details usually specify the volume (drive letter) whose journal was deleted and often mention `fsutil.exe` as the source process. Finding this event is **definitive proof** of intentional Journal clearing.
  * **Journal Metadata Analysis:** Examining the Journal's metadata streams (`$J` and `$MAX` within `$Extend\$UsnJrnl`) using tools like **FTK Imager** or **MFTECmd** reveals the clearing:
    * *Modification Times:* The "Date Modified" timestamps of both the `$J` stream and the `$MAX` stream will be **very recent**, coinciding with the time the `deletejournal` command was run. Comparing these timestamps is crucial; a recent modification to both confirms the clearing event.
    * *Oldest Entry Timestamp:* Tools like **JournalTrace** display the timestamp of the oldest record currently in the Journal. If this oldest entry is dated *after* the user's logon time or the game start time (i.e., very recent), it strongly suggests the Journal was cleared during the current boot/game instance.
    * *Size:* A newly created Journal (`$J` stream) will be very small compared to one that has been accumulating logs.
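The three metadata indicators above can be checked programmatically. The following is an added example, not code from the RedLotus guide or from the tools it names: it parses NTFS `USN_RECORD_V2` entries out of a `$J`-style byte buffer (skipping the zeroed sparse region that precedes live records), finds the oldest record, and compares it against a session start time and a journal size. The sample journals, the session start, the file names and the `SMALL_JOURNAL_BYTES` threshold are all constructed for illustration; the record layout and reason flags follow the documented `USN_RECORD_V2` structure.

```python
"""
Added example (not part of the guide): parse USN_RECORD_V2 entries from a $J-style
buffer and apply the guide's indicators of a cleared journal:
  - oldest record newer than the session (logon / game) start
  - a $J that is very small for a volume that has been in use
Sample data, names, times and the size threshold below are constructed assumptions.
"""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header is 60 bytes; the UTF-16LE file name follows it.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Reason flags from winioctl.h that the guide's analysis relies on.
REASON_FILE_CREATE = 0x00000100
REASON_FILE_DELETE = 0x00000200
REASON_RENAME_NEW_NAME = 0x00002000
REASON_BASIC_INFO_CHANGE = 0x00008000   # timestamp/attribute changes (timestomping)
REASON_CLOSE = 0x80000000

# Assumed threshold: a journal that has been accumulating for weeks is far larger.
SMALL_JOURNAL_BYTES = 1 * 1024 * 1024

# Constructed session start (e.g. user logon or game launch) for the sample checks.
SESSION_START = datetime(2024, 5, 1, 18, 0, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return int((dt - _FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def parse_usn_v2(data: bytes):
    """Yield (usn, timestamp, reason, filename) for each V2 record in the buffer.
    $J is sparse: the already-discarded head reads as zeros, skipped in 8-byte steps."""
    off = 0
    while off + _HDR.size <= len(data):
        (rec_len, major, _minor, _fref, _pref, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = _HDR.unpack_from(data, off)
        if rec_len == 0:
            off += 8                      # inside a zeroed (sparse) run
            continue
        if major != 2 or rec_len < _HDR.size or off + rec_len > len(data):
            raise ValueError(f"unsupported or truncated record at offset {off}")
        name = data[off + name_off: off + name_off + name_len].decode("utf-16-le")
        yield usn, filetime_to_dt(ts), reason, name
        off += rec_len


def build_record(usn: int, ts: datetime, reason: int, name: str) -> bytes:
    """Construct one USN_RECORD_V2; used here only to fabricate sample data."""
    name_b = name.encode("utf-16-le")
    rec_len = (_HDR.size + len(name_b) + 7) & ~7      # records are 8-byte aligned
    hdr = _HDR.pack(rec_len, 2, 0, 0x0001000000000010, 0x0005000000000005,
                    usn, dt_to_filetime(ts), reason, 0, 0, 0x20, len(name_b), _HDR.size)
    return (hdr + name_b).ljust(rec_len, b"\x00")


def assess_journal(data: bytes, journal_size: int, session_start: datetime) -> dict:
    """Apply the guide's indicators. journal_size is the $J size as reported by the
    filesystem (or `fsutil usn queryjournal`), passed separately from the parsed bytes."""
    records = list(parse_usn_v2(data))
    oldest = min((r[1] for r in records), default=None)
    return {
        "record_count": len(records),
        "oldest_entry": oldest,
        "oldest_after_session_start": oldest is not None and oldest > session_start,
        "small_journal": journal_size < SMALL_JOURNAL_BYTES,
        "basic_info_changes": sum(1 for r in records if r[2] & REASON_BASIC_INFO_CHANGE),
    }


def sample_cleared_journal() -> bytes:
    """Constructed $J as it looks after `fsutil usn deletejournal`: a short zero run,
    then only records created after the session started."""
    t0 = datetime(2024, 5, 1, 18, 42, tzinfo=timezone.utc)
    return (b"\x00" * 64
            + build_record(0x1000, t0, REASON_FILE_CREATE | REASON_CLOSE, "notes.txt")
            + build_record(0x1050, t0 + timedelta(seconds=5), REASON_RENAME_NEW_NAME, "notes2.txt")
            + build_record(0x10A0, t0 + timedelta(minutes=1), REASON_FILE_DELETE | REASON_CLOSE, "tmp.log"))


def sample_healthy_journal() -> bytes:
    """Constructed $J on a volume in use for weeks: oldest record predates the session."""
    t0 = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
    return (b"\x00" * 64
            + build_record(0x2000, t0, REASON_FILE_CREATE | REASON_CLOSE, "report.docx")
            + build_record(0x2050, t0 + timedelta(days=1), REASON_BASIC_INFO_CHANGE, "report.docx")
            + build_record(0x20A0, datetime(2024, 5, 1, 18, 50, tzinfo=timezone.utc),
                           REASON_FILE_CREATE | REASON_CLOSE, "readme.txt"))


if __name__ == "__main__":
    print("cleared:", assess_journal(sample_cleared_journal(), 24 * 1024, SESSION_START))
    print("healthy:", assess_journal(sample_healthy_journal(), 32 * 1024 * 1024, SESSION_START))
```

On a real image, feed `assess_journal` the extracted `$J` stream bytes, its reported size, and the logon or game-start time taken from the Security log or process creation times; a cleared journal shows both flags set and only a handful of records, while the `basic_info_changes` count gives a quick read on the timestomping indicator the guide mentions.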
