How to read "fsutil usn readjournal C:" output

2

There is a utility that can be run on the Microsoft Windows command line called fsutil. One of the commands that it accepts is fsutil usn readjournal <volume pathname> along with several other arguments. Is there documentation on how to read the data produced by the program? My specific interests are how to interpret and use the File ID and Parent file ID fields. Since File name does not include the full path, it is unclear how one should determine if the file may be of interest based on location.

Example Record

Usn               : 9149751384
File name         : Preferences~RF101ac0ae.TMP
File name length  : 52
Reason            : 0x80000200: File delete | Close
Time stamp        : 7/12/2018 11:04:30
File attributes   : 0x00000020: Archive
File ID           : 0000000000000000000500000000a67b
Parent file ID    : 0000000000000000000500000003fa3c
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 128
Tags: windows, documentation, journaling, fsutil
asked on Super User Jul 12, 2018 by Noctis Skytower • edited Jul 12, 2018 by rici

1 Answer

2

That output corresponds to the USN_RECORD_V3 data structure. Regarding the ID rows, every object on an NTFS volume has a numeric identifier. The "file ID" line gives you the ID of the file affected by that update; the "parent file ID" is the ID of the directory containing it.

To get a path to the file, you can use another mode of this utility: fsutil file queryFileNameById. It takes a volume path and a file ID (with 0x prepended), and returns a full path. I say "a" path and not "the" path because NTFS allows hardlinks, which give different paths to the same file. Exactly which path is returned in that case is arbitrary. The vast majority of files only have one link/path, though.

Let's do an example. I have this USN record:

Usn               : 46966427728
File name         : settings.dat
File name length  : 24
Reason            : 0x80000001: Data overwrite | Close
Time stamp        : 7/11/2018 21:50:57
File attributes   : 0x00000020: Archive
File ID           : 00000000000000000005000000170d13
Parent file ID    : 0000000000000000001200000019ab0e
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 104

Let's use the file ID to find the path to the file:

fsutil file queryFileNameById C:\ 0x00000000000000000005000000170d13

The result:

A random link name to this file is \\?\C:\Users\Ben\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat

It looks like this file is some sort of configuration storage for the Photos app. In the case of your USN record, the file is probably deleted now, so you'll have to use the parent ID to find where it was. If I query by my file's parent ID...

fsutil file queryFileNameById C:\ 0x0000000000000000001200000019ab0e

...I get just the path to the folder, not the settings.dat file:

A random link name to this file is \\?\C:\Users\Ben\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings
answered on Super User Jul 12, 2018 by Ben N
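To make the answer's procedure repeatable over a whole journal dump, here is an added example (my code, not Ben N's or Microsoft's) that parses the "Key : value" records printed by `fsutil usn readjournal`, builds the `fsutil file queryFileNameById` call for each record's Parent file ID, and filters records by the directory the parent ID resolves to. Two assumptions are mine and not stated on the page: `decode_file_id` assumes the NTFS layout of the 128-bit ID (upper 64 bits zero, lower 64 bits the MFT file reference, i.e. a 48-bit record index plus a 16-bit sequence number), and `FAKE_FSUTIL` is a constructed stand-in for fsutil so the script runs on a non-Windows machine; it maps Ben's parent ID to the Settings directory his answer resolved and deliberately leaves the question's parent ID unmapped to show how an unresolvable parent (for instance a directory that was deleted along with the file) is handled.

```python
"""Added example: parse `fsutil usn readjournal` output, resolve Parent file IDs, filter by location."""
import re
import subprocess
import sys

# Two records as printed by `fsutil usn readjournal C:` (copied from the page above).
SAMPLE_OUTPUT = """\
Usn               : 9149751384
File name         : Preferences~RF101ac0ae.TMP
File name length  : 52
Reason            : 0x80000200: File delete | Close
Time stamp        : 7/12/2018 11:04:30
File attributes   : 0x00000020: Archive
File ID           : 0000000000000000000500000000a67b
Parent file ID    : 0000000000000000000500000003fa3c
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 128

Usn               : 46966427728
File name         : settings.dat
File name length  : 24
Reason            : 0x80000001: Data overwrite | Close
Time stamp        : 7/11/2018 21:50:57
File attributes   : 0x00000020: Archive
File ID           : 00000000000000000005000000170d13
Parent file ID    : 0000000000000000001200000019ab0e
Source info       : 0x00000000: *NONE*
Security ID       : 0
Major version     : 3
Minor version     : 0
Record length     : 104
"""

# Constructed stand-in for fsutil on a non-Windows box (assumption, not real output):
# parent ID -> path. Only the answer's parent ID is mapped; the question's parent
# ID is left out on purpose to exercise the "could not resolve" path.
FAKE_FSUTIL = {
    "0000000000000000001200000019ab0e":
        r"\\?\C:\Users\Ben\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings",
}

# Key is everything before the first ':'; the value may itself contain colons (Reason, Time stamp).
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s(?P<value>.*)$")

def parse_usn_records(text):
    """One dict per record; a new record starts at every 'Usn' line."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "Usn" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records

def decode_file_id(hex_id):
    """Split the 32-hex-digit FILE_ID_128 fsutil prints. Assumption (NTFS): upper 64 bits
    are zero, lower 64 bits are the MFT reference: 48-bit record index, 16-bit sequence."""
    value = int(hex_id, 16)
    low64 = value & ((1 << 64) - 1)
    return {"high64": value >> 64, "sequence": low64 >> 48, "mft_index": low64 & ((1 << 48) - 1)}

def query_cmd(volume, hex_id):
    """Exact invocation from the answer; note the 0x prefix on the ID."""
    return ["fsutil", "file", "queryFileNameById", volume, "0x" + hex_id]

def resolve_with_fsutil(volume, hex_id):
    """Run fsutil (Windows only) and take the path after 'A random link name to this file is'.
    Returns None when not on Windows or when fsutil reports an error (e.g. ID no longer exists)."""
    if not sys.platform.startswith("win"):
        return None
    out = subprocess.run(query_cmd(volume, hex_id), capture_output=True, text=True)
    if out.returncode != 0:
        return None
    _, sep, path = out.stdout.strip().rpartition(" is ")
    return path if sep else None

def annotate_parent_paths(records, resolver):
    """Attach 'Parent path' to each record using resolver(hex_id) -> path or None."""
    for rec in records:
        rec["Parent path"] = resolver(rec["Parent file ID"])
    return records

def filter_by_location(records, prefix):
    """Records whose parent directory lies under prefix (case-insensitive, like NTFS paths).
    Records with an unresolved parent never match, so they are not silently misplaced."""
    p = prefix.lower()
    return [r for r in records if r.get("Parent path") and r["Parent path"].lower().startswith(p)]

if __name__ == "__main__":
    # On Windows, swap FAKE_FSUTIL.get for: lambda fid: resolve_with_fsutil("C:\\", fid)
    recs = annotate_parent_paths(parse_usn_records(SAMPLE_OUTPUT), FAKE_FSUTIL.get)
    for r in filter_by_location(recs, r"\\?\C:\Users\Ben\AppData\Local\Packages"):
        print(r["File name"], "in", r["Parent path"], "-", r["Reason"])
```

On a real volume, both `fsutil usn readjournal` and `fsutil file queryFileNameById` need an elevated prompt; pipe the journal dump into `parse_usn_records` and pass `resolve_with_fsutil` as the resolver. Resolving the parent rather than the file matters for exactly the case in the question: once the file is deleted its own ID no longer resolves, but the directory usually still does, and the MFT index and sequence number decoded from the ID let you tell apart two records that reuse the same MFT slot.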

User contributions licensed under CC BY-SA 3.0