
Reading the Diagnostic Level Log

With regard to these trace statements:

DIAG - 2018-03-12 14:10:44.484 7668 Analyzing: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2379\Previous Files\02 Math and RNG\01 Vols\Touchdown Roulette.txt (0,478)[F,F] [0]


The first DIAG statement indicates "Analyzing":

- after the filename are two numbers in parentheses (page_offset, page_length)

- the values in brackets will be T or F. The first indicates whether a verify operation is required, and the second indicates whether a VRef (Index1) entry was found. If either is T, the file will be processed.

- In this case [F,F] indicates no further processing required.

- The final [0] is the USN journal entry value; in this case a zero value means no USN is used (i.e. no -maxf parameter on the archive command).

DIAG - 2018-03-12 14:10:44.625 7668 Analyzing: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2379\Previous Files\02 Math and RNG\01 Vols\Touchdown Roulette.txt(10.3 KB)[T,T] [0]

DIAG - 2018-03-12 14:10:44.656 7668 *** Pre-Processing alternate StreamId=0x8 (1012 bytes)

DIAG - 2018-03-12 14:10:44.656 7668 *** Pre-Processing alternate StreamId=0x9 (8 bytes)

DETAIL - 2018-03-12 14:10:44.656 7668 Archived-> Y:\Previous Files\02 Math and RNG\01 Vols\Touchdown Roulette.txt (10.3 KB) A-----ZL-O- [L] 10589 (0) bytes archived 31ms (333 KB/sec).


The second DIAG statement indicates "Analyzing"  

- In this case [T,T] indicates verify required and no VRef entry, so the file will be processed.  

- StreamID = 0x08 is a REPARSE Stream  

- StreamID = 0x09 is a BACKUP_SPARSE_BLOCK  

- both are valid stream types as long as the BACKUP_SPARSE_BLOCK has a length under 8MB, which in this case it does (8 bytes).

- the file is subsequently archived and '[L] 10589 (0) bytes' means the final data was linked to an existing blob, 10589 is the size, and (0) is the number of bytes stored.  

- the attributes 'A-----ZL-O-' indicate:

A - Archive attribute

D - Directory

T - Temp file

S - System attribute

H - Hidden attribute

R - Read only attribute

Z - Sparse file

L - Reparse point

C - Compressed file

O - Offline (stubbed) file

I - Do not content index


So in this case the file is: Ready for archiving, Sparse, Reparse, and Offline. If this is a new stub, then this is expected behavior. If the same file keeps getting archived, then there's some issue.
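
To apply this reading across a whole log, the sketch below parses the "Analyzing" and "Archived->" lines, decodes the attribute letters as they appear in the log line, and lists files archived more than once. It is an added example, not code from the product or from this article: the patterns are inferred only from the sample lines above, and the field name `id` (the unexplained 7668), the repeat threshold of 2 and the last sample line are assumptions.

```python
import re
from collections import Counter

# Attribute legend as given on this page, keyed by the letter seen in the log.
ATTRS = {"A": "Archive", "D": "Directory", "T": "Temp file", "S": "System",
         "H": "Hidden", "R": "Read only", "Z": "Sparse file",
         "L": "Reparse point", "C": "Compressed file",
         "O": "Offline (stubbed) file", "I": "Do not content index"}
# Patterns inferred from the page's sample lines only (assumption).
ANALYZING = re.compile(
    r"^DIAG - (?P<ts>\S+ \S+) (?P<id>\d+) Analyzing: (?P<path>.+?)\s*"
    r"\((?P<info>[^()]*)\)\[(?P<verify>[TF]),(?P<vref>[TF])\] \[(?P<usn>\d+)\]$")
ARCHIVED = re.compile(
    r"^DETAIL - (?P<ts>\S+ \S+) (?P<id>\d+) Archived-> (?P<path>.+?) \([^()]*\) "
    r"(?P<attrs>[A-Z-]+) \[(?P<kind>\w)\] (?P<size>\d+) \((?P<stored>\d+)\) bytes")

def parse(lines):
    """Return (analyzed, archived): one dict per matching log line."""
    analyzed, archived = [], []
    for line in lines:
        line = line.strip()
        if m := ANALYZING.match(line):
            d = m.groupdict()
            d["verify"], d["vref"] = d["verify"] == "T", d["vref"] == "T"
            # Page rule: the file is processed if either flag is T.
            d["processed"] = d["verify"] or d["vref"]
            analyzed.append(d)
        elif m := ARCHIVED.match(line):
            d = m.groupdict()
            d["attr_names"] = [ATTRS[c] for c in d["attrs"] if c in ATTRS]
            d["size"], d["stored"] = int(d["size"]), int(d["stored"])
            archived.append(d)
    return analyzed, archived

def repeat_archives(archived, threshold=2):
    """Paths archived at least `threshold` times (threshold is an assumption)."""
    counts = Counter(d["path"] for d in archived)
    return {p: n for p, n in counts.items() if n >= threshold}

# First three lines are from this page; the last is constructed to show a repeat.
SAMPLE = r"""
DIAG - 2018-03-12 14:10:44.484 7668 Analyzing: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2379\Previous Files\02 Math and RNG\01 Vols\Touchdown Roulette.txt (0,478)[F,F] [0]
DIAG - 2018-03-12 14:10:44.625 7668 Analyzing: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2379\Previous Files\02 Math and RNG\01 Vols\Touchdown Roulette.txt(10.3 KB)[T,T] [0]
DETAIL - 2018-03-12 14:10:44.656 7668 Archived-> Y:\Previous Files\02 Math and RNG\01 Vols\Touchdown Roulette.txt (10.3 KB) A-----ZL-O- [L] 10589 (0) bytes archived 31ms (333 KB/sec).
DETAIL - 2018-03-13 14:10:45.100 7668 Archived-> Y:\Previous Files\02 Math and RNG\01 Vols\Touchdown Roulette.txt (10.3 KB) A-----ZL-O- [L] 10589 (0) bytes archived 31ms (333 KB/sec).
""".strip().splitlines()
```

A path returned by `repeat_archives` is a candidate for the "same file keeps getting archived" case and should be checked against whether it is a new stub.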