When a Restore Point is created, Windows starts monitoring the volume and any changes are recorded in a proprietory diff file inside System Volume Information folder.
Thorough VSS-SDK api, we can expose the volume, but it shows us the whole volume and all the files/folders which have or have-not been modified since snapshot creation, and on access to any file, a filter-driver applies the diff, if required, and shows us the file.
My Question: Is it possible to list all the modified files, with respect to a restore point (except the brute-force method to compare each file inside the shadow-volume and the main-volume)?
How does Windows do it when we click on the previous versions tab in a file's Properties?
I guess the best way IS brute-force, coupled with USN number-comparison For reference, the link to a similar question is here