How to list all the modified files in a shadow-volume?

4

6

When a Restore Point is created, Windows starts monitoring the volume and any changes are recorded in a proprietary diff file inside the System Volume Information folder.

Through the VSS SDK API, we can expose the volume, but it shows us the whole volume and all the files/folders which have or have not been modified since snapshot creation, and on access to any file, a filter driver applies the diff, if required, and shows us the file.

My Question: Is it possible to list all the modified files, with respect to a restore point (except the brute-force method to compare each file inside the shadow-volume and the main-volume)?

How does Windows do it when we click on the previous versions tab in a file's Properties?

Polyphone answered 27/8, 2010 at 8:21 Comment(0)
0

I guess the best way IS brute-force, coupled with USN number comparison. For reference, the link to a similar question is here.

Polyphone answered 6/9, 2010 at 6:54 Comment(0)
3

Make use of the NTFS Change Journal. Windows logs all changes to all files on an NTFS volume in a journal database (if the journal is on). This can be queried to return all changes from a specific start USN number (your restore point).

Here is an article about the journal that helped me a lot while implementing change journal functionality.

Loquacity answered 27/10, 2010 at 14:4 Comment(2)
Thanks for the link, would you know how to get the USN number for the restore point? I'm struggling to get this info and have an unanswered question if you have a second? #10544933 (Lumberjack)
I've added an answer to your question... Although it may not be exactly what you are looking for ;-) (Loquacity)
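To make the answer above concrete, here is an added example (not from the original answer or from Microsoft's SDK samples) that parses the buffer FSCTL_READ_USN_JOURNAL returns (an 8-byte next-USN followed by USN_RECORD_V2 entries) and keeps only records at or after an assumed restore-point USN. The journal buffer here is constructed in-process so the code runs offline; on a live system you would obtain it with DeviceIoControl on a volume handle, and the restore-point USN would be the journal's NextUsn recorded when the snapshot was taken.

```python
import struct
from typing import Dict, List, NamedTuple, Tuple

# USN_RECORD_V2 fixed header: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset (60 bytes)
_HDR = struct.Struct("<IHHQQqqIIIIHH")
USN_REASON_DATA_OVERWRITE = 0x00000001
USN_REASON_DATA_EXTEND = 0x00000002
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000

class UsnRecord(NamedTuple):
    usn: int
    file_ref: int
    parent_ref: int
    reason: int
    name: str

def parse_read_journal_buffer(buf: bytes) -> Tuple[int, List[UsnRecord]]:
    """Parse FSCTL_READ_USN_JOURNAL output: next USN, then 8-byte-aligned V2 records."""
    if len(buf) < 8:
        raise ValueError("buffer too short for the leading USN")
    next_usn = struct.unpack_from("<q", buf, 0)[0]
    pos, recs = 8, []
    while pos + _HDR.size <= len(buf):
        (length, major, _minor, fref, pref, usn, _ts, reason,
         _src, _sid, _attr, nlen, noff) = _HDR.unpack_from(buf, pos)
        if length < _HDR.size or major != 2 or pos + length > len(buf):
            raise ValueError(f"malformed USN record at offset {pos}")
        name = buf[pos + noff:pos + noff + nlen].decode("utf-16-le")
        recs.append(UsnRecord(usn, fref, pref, reason, name))
        pos += length  # RecordLength already includes the alignment padding
    return next_usn, recs

def changed_since(records: List[UsnRecord], start_usn: int) -> Dict[int, Tuple[str, int]]:
    """Files touched at or after start_usn, keyed by file reference, reasons OR'ed together."""
    out: Dict[int, Tuple[str, int]] = {}
    for r in records:
        if r.usn >= start_usn:
            out[r.file_ref] = (r.name, out.get(r.file_ref, ("", 0))[1] | r.reason)
    return out

def _make_record(usn, fref, pref, reason, name) -> bytes:
    """Build one constructed USN_RECORD_V2 for the sample buffer below."""
    nb = name.encode("utf-16-le")
    length = (_HDR.size + len(nb) + 7) & ~7  # records are padded to 8-byte boundaries
    hdr = _HDR.pack(length, 2, 0, fref, pref, usn, 0, reason, 0, 0, 0x20, len(nb), _HDR.size)
    return hdr + nb + b"\0" * (length - _HDR.size - len(nb))

RESTORE_POINT_USN = 0x200  # assumed: journal NextUsn captured when the snapshot was taken
SAMPLE = struct.pack("<q", 0x500) + b"".join([  # constructed sample journal contents
    _make_record(0x100, 11, 5, USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE, "old.log"),
    _make_record(0x200, 12, 5, USN_REASON_FILE_CREATE, "report.docx"),
    _make_record(0x240, 12, 5, USN_REASON_DATA_EXTEND | USN_REASON_CLOSE, "report.docx"),
    _make_record(0x300, 13, 5, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "temp.tmp"),
])
```

Running `changed_since(parse_read_journal_buffer(SAMPLE)[1], RESTORE_POINT_USN)` yields only report.docx and temp.tmp; old.log predates the restore point and is skipped.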
1

To detect changes in the current file system vs a shadow copy, you can use third-party software like WinMerge with the shadow copy UNC paths: http://winmerge.org/. This will provide a GUI for comparisons.

For example, use "C:\" vs "\\localhost\C$\@GMT-2017.08.24-18.07.46".

Of course, enter a valid UNC path to coincide with the date and time of a shadow copy.

Ferromagnesian answered 24/8, 2017 at 18:15 Comment(0)
-1

Windows knows from the date-modified attribute. It compares the two files and checks the modified date.

Profit answered 2/9, 2010 at 20:59 Comment(1)
The date attributes (all three: creation, modified and access) can be easily modified programmatically, so I don't think that's the case. (Polyphone)
