That's the expected behaviour, as documented:
MaximumSize
The target maximum size for the change journal, in bytes. The change journal can grow larger than this value, but it is then truncated at the next NTFS file system checkpoint to less than this value.
Instead of trying to predetermine the size, loop until you reach the end of the data.
If you are using the FSCTL_ENUM_USN_DATA control code, you have reached the end of the data when the error code from DeviceIoControl is ERROR_HANDLE_EOF.
If you are using the FSCTL_READ_USN_JOURNAL control code, you have reached the end of the data when the next USN returned by the driver (the DWORDLONG at the beginning of the output buffer) is the USN you requested (the value of StartUsn in the input buffer). You will need to set the input parameter BytesToWaitFor to zero, otherwise the driver will wait for the specified amount of new data to be added to the journal.
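The FSCTL_READ_USN_JOURNAL termination rule described above, as an added example that is not part of the original answer: DeviceIoControl is replaced by a stub over a constructed in-memory journal so the loop runs on any platform. The names `read_req`, `stub_read_journal` and `drain_journal` are hypothetical; the record offsets follow USN_RECORD_V2 (RecordLength at 0, Usn at 24).

```c
#include <stdint.h>
#include <string.h>

#define REC_LEN 64                  /* constructed: real records vary, hence RecordLength */
#define JOURNAL_END (5 * REC_LEN)   /* constructed journal: 5 records, USN = byte offset */

/* Only the two READ_USN_JOURNAL_DATA input fields the answer mentions. */
typedef struct { int64_t StartUsn; uint64_t BytesToWaitFor; } read_req;

/* Stub standing in for DeviceIoControl(FSCTL_READ_USN_JOURNAL): writes the next
   USN (8 bytes), then as many whole records as fit. Returns bytes written. */
size_t stub_read_journal(const read_req *in, uint8_t *out, size_t cap)
{
    int64_t usn = in->StartUsn;
    size_t used = sizeof usn;
    while (usn < JOURNAL_END && used + REC_LEN <= cap) {
        uint32_t len = REC_LEN;
        memset(out + used, 0, REC_LEN);
        memcpy(out + used, &len, sizeof len);        /* RecordLength */
        memcpy(out + used + 24, &usn, sizeof usn);   /* Usn */
        used += REC_LEN; usn += REC_LEN;
    }
    memcpy(out, &usn, sizeof usn);                   /* next USN leads the buffer */
    return used;
}

/* Reads from start until the driver hands back the USN that was requested.
   Returns the number of records seen, or -1 on a malformed record. */
int drain_journal(int64_t start, int64_t *last_usn, int *calls)
{
    uint8_t buf[8 + 2 * REC_LEN];                    /* small on purpose: forces several calls */
    read_req req = { start, 0 };                     /* BytesToWaitFor = 0: never block */
    int records = 0;
    for (*calls = 0;;) {
        size_t got = stub_read_journal(&req, buf, sizeof buf);
        int64_t next;
        ++*calls;
        memcpy(&next, buf, sizeof next);
        for (size_t off = sizeof next; off + 4 <= got; ) {
            uint32_t len;
            memcpy(&len, buf + off, sizeof len);
            if (len < 32 || len > got - off) return -1;   /* do not walk past the buffer */
            memcpy(last_usn, buf + off + 24, sizeof *last_usn);
            ++records; off += len;
        }
        if (next == req.StartUsn) return records;    /* next USN == requested USN: end of data */
        req.StartUsn = next;                         /* otherwise resume from the returned USN */
    }
}

int main(void) { int64_t last; int calls; return drain_journal(0, &last, &calls) == 5 ? 0 : 1; }
```

On Windows the stub call becomes a DeviceIoControl call on the volume handle with the full READ_USN_JOURNAL_DATA structure; the buffer walk and the stop condition stay the same.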