October 21st 13, 08:16 AM, posted to microsoft.public.windowsxp.hardware
Paul
Disk Uses More Space Than Size of Files

W wrote:
"VanguardLH" wrote in message
...
In addition, Windows Explorer will never show you the size of Alternate
Data Streams (ADS) added to a file. For example, I can create a .txt
file whose primary data stream chews up only, say 5KB but then add an
alternate data stream that is gigabytes in size. Windows Explorer,
'dir', and other normal file utilities will only show you the size of
the primary data stream.


You know the implication of this is that a hacker who gains control of your
system could hide an entire encrypted partition inside the ADS of a single
file and most users would never have any clue that this existed.

Given that, it would surely be useful to have a service running 24x7 that
looked for abnormally large files or ADS streams on specified partitions and
sent out a warning when any are found.


If you're dealing with NTFS, you want a copy of nfi.exe.

It too is a crude utility, but it does present all the
useful information. To be really useful, it needs post-processing
with scripts. It only works on NTFS, and there is no equivalent
for FAT32.

Still, when no other utility is available or convenient, you
use what you've got.

http://support.microsoft.com/kb/253066
http://download.microsoft.com/downlo...us/oem3sr2.zip

When you find two files that have the same set of data sectors,
those files are probably hard linked, and get double-counted
by Explorer while you're attempting to total the space. Only
the "summary pie chart" in Windows tells you how much
space the partition is really using. Attempting to use
a hand calculator and mousing over folders in the (file) Explorer
is a waste of time. More so on Vista/Win7/Win8, as things like
hard linking aren't really used that much on something like
WinXP.

*******

There are still a few files on NTFS that no utility
will touch. For that case, there's Linux...
Even nfi.exe doesn't list everything. Compare the
listing from Linux with Windows, for more info about
what you might be missing. It's even possible
if you use listdir in Linux and list by inode, the
fake inode will correspond to the file number
seen in nfi. But I haven't tested for that.
That's just a guess.

Paul
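
The check asked for in the quoted text above (a warning when an abnormally large ADS turns up), as an added example that is not part of the original post. It assumes Windows PowerShell 3.0 or later on an NTFS volume, so it does not run on stock Windows XP; `$Root`, `$MinStreamBytes` and the function name `Get-LargeAds` are hypothetical.

```powershell
# Added example: report files that carry large alternate data streams (ADS).
# Assumptions: Windows PowerShell 3.0+, NTFS volume; $Root and $MinStreamBytes
# are hypothetical defaults to adjust for the partition being checked.
param(
    [string]$Root = 'C:\Users',
    [long]$MinStreamBytes = 1MB
)

function Get-LargeAds {
    param([string]$Path, [long]$MinBytes)

    # -Force includes hidden and system files; unreadable paths are skipped.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every data stream of the file.
            # ':$DATA' is the unnamed primary stream, the only one whose size
            # Explorer and 'dir' report.
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $file.FullName
                        Stream       = $_.Stream
                        StreamBytes  = $_.Length
                        PrimaryBytes = $file.Length
                    }
                }
        }
}

$hits = @(Get-LargeAds -Path $Root -MinBytes $MinStreamBytes)

if ($hits.Count -gt 0) {
    Write-Warning ("{0} alternate data stream(s) of {1} bytes or more under {2}" -f `
        $hits.Count, $MinStreamBytes, $Root)
    $hits | Sort-Object StreamBytes -Descending | Format-Table -AutoSize
    exit 1   # non-zero exit lets a scheduled task treat this run as an alert
}
exit 0
```

Small streams such as `Zone.Identifier` on downloaded files are normal, which is why the filter is a size threshold rather than the mere presence of a named stream.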