#16
Windows folder excessively large
On 8/27/2018 11:35 AM, Ralph Fox wrote:
On Mon, 27 Aug 2018 07:08:00 -0600, Ken Springer wrote:

Ran some of the typical clean up programs, found nothing. Virus scan, SuperAntiSpyware, Adware Cleaner, and Malwarebytes. Not a single issue found.

What about the built-in Windows Disk Clean-up?

I'm looking for ideas as to how to discover what is using up the space, or at least telling W10 the space is in use.

Run Windows Disk Clean-up, click the button "Clean Up System Files", and while in "Clean Up System Files" check the space used by (for example) "Windows Update Clean-up".

To run Windows Disk Clean-up
(a) Right-click on the drive in Windows Explorer and choose "Properties". On the Properties pop-up, "General" tab, click the button "Disk Clean-up".
or,
(b) Click on the search magnifying glass icon on the taskbar and type "Disk Clean-up".

Don't forget chkdsk /F. Sometimes the file map gets corrupted.
#17
Windows folder excessively large
On 8/27/18 12:35 PM, Ralph Fox wrote:
On Mon, 27 Aug 2018 07:08:00 -0600, Ken Springer wrote:

Ran some of the typical clean up programs, found nothing. Virus scan, SuperAntiSpyware, Adware Cleaner, and Malwarebytes. Not a single issue found.

What about the built-in Windows Disk Clean-up?

I'm looking for ideas as to how to discover what is using up the space, or at least telling W10 the space is in use.

Run Windows Disk Clean-up, click the button "Clean Up System Files", and while in "Clean Up System Files" check the space used by (for example) "Windows Update Clean-up".

To run Windows Disk Clean-up
(a) Right-click on the drive in Windows Explorer and choose "Properties". On the Properties pop-up, "General" tab, click the button "Disk Clean-up".
or,
(b) Click on the search magnifying glass icon on the taskbar and type "Disk Clean-up".

Hi, Ralph,

Disk Cleanup of System Files was one of the first things I did. :-)

--
Ken
Mac OS X 10.11.6
Firefox 59.0.1 (64 bit)
Thunderbird 52.6.0
"My brain is like lightning, a quick flash and it's gone!"
#18
Windows folder excessively large
On 8/27/18 1:01 PM, mike wrote:
On 8/27/2018 11:35 AM, Ralph Fox wrote:

On Mon, 27 Aug 2018 07:08:00 -0600, Ken Springer wrote:

Ran some of the typical clean up programs, found nothing. Virus scan, SuperAntiSpyware, Adware Cleaner, and Malwarebytes. Not a single issue found.

What about the built-in Windows Disk Clean-up?

I'm looking for ideas as to how to discover what is using up the space, or at least telling W10 the space is in use.

Run Windows Disk Clean-up, click the button "Clean Up System Files", and while in "Clean Up System Files" check the space used by (for example) "Windows Update Clean-up".

To run Windows Disk Clean-up
(a) Right-click on the drive in Windows Explorer and choose "Properties". On the Properties pop-up, "General" tab, click the button "Disk Clean-up".
or,
(b) Click on the search magnifying glass icon on the taskbar and type "Disk Clean-up".

Don't forget chkdsk /F. Sometimes the file map gets corrupted.

Thanks, Mike, I'd forgotten this command. I never did much in this area of computing, and I do even less now. A lot of things I used to do, I just don't think of these days.

--
Ken
Mac OS X 10.11.6
Firefox 59.0.1 (64 bit)
Thunderbird 52.6.0
"My brain is like lightning, a quick flash and it's gone!"
#19
Windows folder excessively large
On 08/27/2018 8:15 PM, Ken Springer wrote:
On 8/27/18 12:35 PM, Ralph Fox wrote:

On Mon, 27 Aug 2018 07:08:00 -0600, Ken Springer wrote:

Ran some of the typical clean up programs, found nothing. Virus scan, SuperAntiSpyware, Adware Cleaner, and Malwarebytes. Not a single issue found.

What about the built-in Windows Disk Clean-up?

I'm looking for ideas as to how to discover what is using up the space, or at least telling W10 the space is in use.

Run Windows Disk Clean-up, click the button "Clean Up System Files", and while in "Clean Up System Files" check the space used by (for example) "Windows Update Clean-up".

To run Windows Disk Clean-up
(a) Right-click on the drive in Windows Explorer and choose "Properties". On the Properties pop-up, "General" tab, click the button "Disk Clean-up".
or,
(b) Click on the search magnifying glass icon on the taskbar and type "Disk Clean-up".

Hi, Ralph,

Disk Cleanup of System Files was one of the first things I did. :-)

Why is disk cleanup so cussedly slow when you tick the Windows update cleanup box? I know there are a lot of compressed files to do but this is really slow. Any way to do a manual delete of this stuff, not knowing where it's stored?

Rene
#20
Windows folder excessively large
VanguardLH wrote:
MJP wrote:

Run something like SequoiaView to give a graphic representation, large folders/files are easy to distinguish.

I use TreeSize Free. While handy to find the obviously huge files or folders, they query the file system using standard system file calls. That means they cannot show you more than what Windows Explorer is willing to show you (except hidden- and system-attributed files will be seen by the file size tools rather than hidden as in Windows Explorer). These tools are useful but not complete.

The problem with those types of utilities is they use the queries from the file system API to determine file size. You could have a file that looks like 10KB in size but when you copy or transfer it the actual size is 10GB. Alternate Data Streams, available only in NTFS, are not accounted for in a normal file size query.

....

What free utilities can handle that API then?

--
Quote of the Week: "One day he sprained an ankle rather than crush an ant." --Les Miserables
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
  /\___/\ Ant(Dude) @ http://antfarm.home.dhs.org / http://antfarm.ma.cx
 / /\ /\ \    Please nuke ANT if replying by e-mail privately. If credit-
| |o   o| |     ing, then please kindly use Ant nickname and URL/link.
   \ _ /
    ( )
#21
Windows folder excessively large
Ant wrote:
VanguardLH wrote:

MJP wrote:

Run something like SequoiaView to give a graphic representation, large folders/files are easy to distinguish.

I use TreeSize Free. While handy to find the obviously huge files or folders, they query the file system using standard system file calls. That means they cannot show you more than what Windows Explorer is willing to show you (except hidden- and system-attributed files will be seen by the file size tools rather than hidden as in Windows Explorer). These tools are useful but not complete.

The problem with those types of utilities is they use the queries from the file system API to determine file size. You could have a file that looks like 10KB in size but when you copy or transfer it the actual size is 10GB. Alternate Data Streams, available only in NTFS, are not accounted for in a normal file size query.

...

What free utilities can handle that API then?

Streams

https://docs.microsoft.com/en-us/sys...nloads/streams

And NFI should be able to dump info (requires interpretation). It's possible there is a structure to hold a stream which is visible in the output of "nfi C: > all_fs_info.txt".

https://web.archive.org/web/20150329...us/oem3sr2.zip

The thing is, nfi.exe shows all the cluster LBAs with each construct in the file system. (You can figure out if a file is fragmented, by looking at that info.) So it should come pretty close to showing space consumption. But it still has "access denied" problems, and things like VSS Shadow copies in C:\System Volume Information may not be there.

If I need closer to everything, I can use Linux. That solves my "Access Denied" problem. On a Windows 10 file system, there could be "I/O error" responses to a run like this. (Attempts to get info on individual items, ones processed by CompactOS, may cause a problem.) Here I use the "find" command on a mounted Win10 volume. Using "df" you can get the actual name of the mount point and replace the /media/WIN10 strawman in the example. Windows 8 introduced the Windows Overlay Filesystem, but didn't really use it that I can see.

    find /media/WIN10 -type d -exec ls -al -1 -d {} + > ~/directories.txt
    find /media/WIN10 -type f -exec ls -al -1 {} + > ~/filelist.txt

There really isn't a single tool now (any more), which is good enough for forensics. It's now a mess. Thanks, Microsoft. Think of the good they could do, if they updated nfi.exe ... You just know they have an internal utility they're not sharing with us :-)

The output format of nfi.exe needs massaging with a text processing script, to make the output "useful". Looking at the text listing will probably make you curse just a little bit.

A big limitation of nfi.exe, is not showing all the file pointers on hard-linked files. For that, if you go to Linux and find two files with the same "fake" inode number in your listing, then those are hardlinked together.

Or, Sysinternals offers us this for hardlink dumping. You could run this hoover style, over your WinSxS directory and see what pops up in other C:\Windows\System32 areas.

https://docs.microsoft.com/en-us/sys...oads/findlinks

Paul
#22
Windows folder excessively large
😉 Good Guy 😉 wrote:
On 27/08/2018 14:25, MJP wrote:

Run something like SequoiaView to give a graphic representation, large folders/files are easy to distinguish.

You mean run something crap like the one you are suggesting? I would use what is already available in Windows 10.

Go to Settings > System > Storage

Now click on the C drive to see which folders are occupying the most space. See this picture for people who are stupid not to understand how to go to Settings and follow my instructions.

https://i.imgur.com/uAIVuHu.png

Microsoft does not offer forensic grade utilities. Period and end of sentence.

I don't even need to look at Storage Spaces, to waste my time looking for what they missed.

Sysinternals has done more for us, than the main Microsoft windows team.

https://docs.microsoft.com/en-us/sysinternals/

The closest Microsoft ever got, was the nfi.exe utility from the year 2000. And that utility has not been re-issued since. We get copies of that now, off archive.org.

There is not *one* single stinking utility, that shows *every* structure in an NTFS file system. Not *one*. The closest you can get, is still missing references to around four files. You can spot this to some extent, by noticing some #filenum are missing from your listing. And the OS recycles low filenum, and if a low filenum became available in the $MFT, the file system would use it. When a low number just doesn't show up, you know you're not getting the full story.

Paul
#23
Windows folder excessively large
On 8/27/2018 9:16 PM, Ken Springer wrote:
On 8/27/18 1:01 PM, mike wrote:

On 8/27/2018 11:35 AM, Ralph Fox wrote:

On Mon, 27 Aug 2018 07:08:00 -0600, Ken Springer wrote:

Ran some of the typical clean up programs, found nothing. Virus scan, SuperAntiSpyware, Adware Cleaner, and Malwarebytes. Not a single issue found.

What about the built-in Windows Disk Clean-up?

I'm looking for ideas as to how to discover what is using up the space, or at least telling W10 the space is in use.

Run Windows Disk Clean-up, click the button "Clean Up System Files", and while in "Clean Up System Files" check the space used by (for example) "Windows Update Clean-up".

To run Windows Disk Clean-up
(a) Right-click on the drive in Windows Explorer and choose "Properties". On the Properties pop-up, "General" tab, click the button "Disk Clean-up".
or,
(b) Click on the search magnifying glass icon on the taskbar and type "Disk Clean-up".

Don't forget chkdsk /F. Sometimes the file map gets corrupted.

Thanks, Mike, I'd forgotten this command. I never did much in this area of computing, and I do even less now. A lot of things I used to do, I just don't think of these days.

I have always been told for best results it should be

    chkdsk /F /R /X

/X Forces the volume to dismount first
/R Locates bad sectors and recovers readable information
/F Fixes errors on the disk.

--
2018: The year we learn to play the great game of Euchre
#24
Windows folder excessively large
On 8/27/2018 9:32 PM, Rene Lamontagne wrote:
On 08/27/2018 8:15 PM, Ken Springer wrote:

On 8/27/18 12:35 PM, Ralph Fox wrote:

On Mon, 27 Aug 2018 07:08:00 -0600, Ken Springer wrote:

Ran some of the typical clean up programs, found nothing. Virus scan, SuperAntiSpyware, Adware Cleaner, and Malwarebytes. Not a single issue found.

What about the built-in Windows Disk Clean-up?

I'm looking for ideas as to how to discover what is using up the space, or at least telling W10 the space is in use.

Run Windows Disk Clean-up, click the button "Clean Up System Files", and while in "Clean Up System Files" check the space used by (for example) "Windows Update Clean-up".

To run Windows Disk Clean-up
(a) Right-click on the drive in Windows Explorer and choose "Properties". On the Properties pop-up, "General" tab, click the button "Disk Clean-up".
or,
(b) Click on the search magnifying glass icon on the taskbar and type "Disk Clean-up".

Hi, Ralph,

Disk Cleanup of System Files was one of the first things I did. :-)

Why is disk cleanup so cussedly slow when you tick the Windows update cleanup box? I know there are a lot of compressed files to do but this is really slow. Any way to do a manual delete of this stuff, not knowing where it's stored?

Rene

I have always assumed that it took time to work with the Windows update system to release files.

--
2018: The year we learn to play the great game of Euchre
#25
Windows folder excessively large
Good Guy 😉" wrote in message newsm2efc$jd3
Office 365 doesn't and it's cheaper in the long run. You get free updates on your subscription which is very low IMO.

Not always true.

The long run break even price point for no subscription versions of Office vs. comparable Office 365 subscription plans for a single user, one device, transferrable license.
Without Outlook - 2 yrs 2 months (of use)
With Outlook - 3 yrs 4 months (of use)

The average user purchases a new pc at a longer interval than either of the above break points thus in most cases the no subscription license is the better economics when a need for the latest version of Office (free version update, released every 3 yrs) is not needed.

....w¡ñ§±¤ñ
ms mvp windows 2007-2016, insider mvp 2016-2018
#26
Windows folder excessively large
Ant wrote:
VanguardLH wrote:

The problem with those types of utilities is they use the queries from the file system API to determine file size. You could have a file that looks like 10KB in size but when you copy or transfer it the actual size is 10GB. Alternate Data Streams, available only in NTFS, are not accounted for in a normal file size query.

...

What free utilities can handle that API then?

I already mentioned one: Stream Armor. It has a GUI. Another would be the one Paul mentioned provided by SysInternals: streams. That's a console-mode program (you load a command shell to run it to see its stdout display).

The system APIs don't report the existence or size of ADSes. A file must be opened to be interrogated. That is why the above tools have to scan each file checking if it has an ADS. The 2nd article below mentions that the ADS attribute is query-able in PowerShell in Windows 8+. Before that, I don't know of a Windows-included tool that let users see ALL attributes of a file, including ADSes.

https://support.microsoft.com/en-us/...e-data-streams
https://blog.malwarebytes.com/101/20...-data-streams/
https://www.owasp.org/index.php/Wind...te_data_stream

The last article shows how one executable could carry another executable. The calculator (calc.exe) would be executed by using the code in the primary data stream. The hidden executable would be executed by specifying the stream containing it.

Don't blame Microsoft for adding the ADS feature in NTFS. Blame Apple for adding the feature in HFS to store resource forks for icons and other information. Microsoft decided to emulate the feature for file compatibility.

https://en.wikipedia.org/wiki/Hierarchical_File_System
"Files could have multiple forks (normally a data and a resource fork), which allowed the main data of the file to be stored separately from resources such as icons that might need to be localized."

I remember reporting to Avast and other AV vendors that they weren't checking for an ADS on each file and were not scanning the ADS of any that had them. Their argument was that there must be a caller whether the user or a program to call the code in the secondary data stream to run that hidden program. Yet I asked them why they had a manual scan mode if the on-demand (real-time) scanner would catch everything. That was to discover any malware that got deposited should the AV become quiescent, like the user purposely disabled the AV scanner and downloaded some files. I used their same argument that ADS should get scanned simply because social engineered e-mails or other communication could tell the user to run file:streamname. They should detect during the scan of a file if ANYTHING within contained malicious code. Took about 2 years of nagging before Avast added ADS scanning and soon the others did, too. That was so long ago (maybe around 1998-2002) that I am not sure when I learned of ADS, tested the AVs didn't scan them, and began nagging the AVs to include them.

I don't remember testing if MS Defender scanned ADSes simply because I never considered it a decent AV solution. Up until Windows 8, Defender was just an adware scanner, not an anti-virus program. It has never received high marks regarding malware detection coverage.

I even found AVs that used the ADS to their own advantage. They would create an ADS that recorded the hash the AV created for a file when it scanned that file. On a subsequent scan, the AV would hash the file again and compare against the stored hash in the ADS. If they matched, the AV would skip the scan of that file since the file has not changed since the prior scan. They would skip files that haven't changed since the prior scan by using an ADS to store the file's hash value. This let them speed up their scan by not rescanning files that haven't changed. I'm sure other software uses the ADS to store information.

The Zone.Identifier ADS attribute is used to track from where a file originated. It can, for example, track that you obtained the file from an Internet download and how to possibly restrict its execution.

https://docs.microsoft.com/en-us/pre...537183(v=vs.85)
http://www.sandersonforensics.com/Fi...Identifier.pdf

Anyone knowledgeable about NTFS will know about ADS, so that method of hiding content, like for executable code, really only hides it from users that don't know about ADS. Of course, most users don't see the need to know how the file system works any more than they know what is inside their washing machine. However, the abuse of ADS by malware has not gone away just because most AVs scan ADSes. Even if they cannot get their caller program past an AV's scanner to access malicious code in an ADS doesn't mean they cannot cajole the user into accessing or running code in an ADS.

https://www.deepinstinct.com/2018/06...t-disappeared/
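
The PowerShell stream query that the post above refers to, written out as an added example (it is not code from the thread or from any of the tools named in it). It totals the bytes held in alternate data streams under a folder, which plain size queries leave out, and lists files whose Zone.Identifier marks them as Internet downloads; the `$Root` and `$Top` parameters and the report layout are assumptions made for this example.

```powershell
# Added example (not from the thread): inventory NTFS Alternate Data Streams under a folder.
# $Root and $Top are illustrative parameters chosen for this example.
param(
    [string]$Root = (Get-Location).Path,  # folder to audit
    [int]$Top = 20                        # how many of the largest streams to list
)

# Walk every file, including hidden and system ones (-Force), skipping what cannot be opened.
$ads = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one object per data stream; ':$DATA' is the unnamed main
        # stream, the only one that Explorer and plain size queries report.
        Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $_.Stream
                    StreamBytes = $_.Length
                    MainBytes   = $file.Length
                }
            }
    }

if (-not $ads) {
    Write-Output "No alternate data streams found under $Root"
    return
}

# 1. Space accounting: number of streams and total bytes per stream name.
$ads | Group-Object Stream |
    Select-Object Name, Count,
        @{ Name = 'TotalBytes'; Expression = { ($_.Group | Measure-Object StreamBytes -Sum).Sum } } |
    Sort-Object TotalBytes -Descending |
    Format-Table -AutoSize

# 2. Largest individual streams; a stream bigger than its host file deserves a look.
$ads | Sort-Object StreamBytes -Descending |
    Select-Object -First $Top File, Stream, StreamBytes, MainBytes |
    Format-Table -AutoSize

# 3. Zone.Identifier content for files marked as coming from the Internet zone (ZoneId=3).
$ads | Where-Object { $_.Stream -eq 'Zone.Identifier' } | ForEach-Object {
    $zone = Get-Content -LiteralPath $_.File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone -match '^ZoneId=3') {
        [pscustomobject]@{ File = $_.File; Zone = ($zone -join '; ') }
    }
} | Format-List
```

Only files are examined; streams attached to directories are not listed by this script, and files that cannot be opened are skipped silently.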
#27
Windows folder excessively large
Paul wrote:
Ant wrote:

VanguardLH wrote:

MJP wrote:

Run something like SequoiaView to give a graphic representation, large folders/files are easy to distinguish.

I use TreeSize Free. While handy to find the obviously huge files or folders, they query the file system using standard system file calls. That means they cannot show you more than what Windows Explorer is willing to show you (except hidden- and system-attributed files will be seen by the file size tools rather than hidden as in Windows Explorer). These tools are useful but not complete.

The problem with those types of utilities is they use the queries from the file system API to determine file size. You could have a file that looks like 10KB in size but when you copy or transfer it the actual size is 10GB. Alternate Data Streams, available only in NTFS, are not accounted for in a normal file size query.

...

What free utilities can handle that API then?

Streams

https://docs.microsoft.com/en-us/sys...nloads/streams

And NFI should be able to dump info (requires interpretation). It's possible there is a structure to hold a stream which is visible in the output of "nfi C: > all_fs_info.txt".

https://web.archive.org/web/20150329...us/oem3sr2.zip

The thing is, nfi.exe shows all the cluster LBAs with each construct in the file system. (You can figure out if a file is fragmented, by looking at that info.) So it should come pretty close to showing space consumption. But it still has "access denied" problems, and things like VSS Shadow copies in C:\System Volume Information may not be there.

No pretty GUI softwares like the other programs to visualize?

--
Quote of the Week: "One day he sprained an ankle rather than crush an ant." --Les Miserables
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
  /\___/\ Ant(Dude) @ http://antfarm.home.dhs.org / http://antfarm.ma.cx
 / /\ /\ \    Please nuke ANT if replying by e-mail privately. If credit-
| |o   o| |     ing, then please kindly use Ant nickname and URL/link.
   \ _ /
    ( )
#28
Windows folder excessively large
Ant wrote:
No pretty GUI softwares like the other programs to visualize?

When it comes to this sort of software, you take what you can get.

I don't know how I'd design a GUI for forensic purposes in any case. You have to think about all the problems people are trying to solve, before designing a GUI.

Paul
#29
Windows folder excessively large
Ant wrote:
Paul wrote:

...

What free utilities can handle that API then?

Streams

https://docs.microsoft.com/en-us/sys...nloads/streams

....

No pretty GUI softwares like the other programs to visualize?

For kicks, I tried Streams, but I don't get any results in cmd.exe even with run as admin.

--
Quote of the Week: "One day he sprained an ankle rather than crush an ant." --Les Miserables
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
  /\___/\ Ant(Dude) @ http://antfarm.home.dhs.org / http://antfarm.ma.cx
 / /\ /\ \    Please nuke ANT if replying by e-mail privately. If credit-
| |o   o| |     ing, then please kindly use Ant nickname and URL/link.
   \ _ /
    ( )
#30
Windows folder excessively large
Ant wrote:
Paul wrote:

Streams

https://docs.microsoft.com/en-us/sys...nloads/streams

For kicks, I tried Streams, but I don't get any results in cmd.exe even with run as admin.

Without any arguments, streams will just return its help output. You did not mention what arguments you used. You also did not mention what was the home directory in the shell that you opened since that would be the default for recursing into subfolders unless you specified a different starting path as an argument.

Unlike some programs that don't care about the order of switches and sometimes not even for the arguments, streams does care about order of its arguments. Run streams (no args) to see its syntax.

Because streams shows all the files it errors on trying to open along with all files that have ADSes, you'll want to pipe its output to 'more' so it pauses, like:

    streams -s c:\* | more

Since there can be a lot of output, you'll end up hitting the Enter a lot to get through every page of output. Or redirect its stdout to a text file and open with Notepad, like:

    streams -s c:\* > c:\ads.log & notepad c:\ads.log

You'll have to wait perhaps a very long time for streams.exe to interrogate every file before Notepad can open the log file.

BTW, I did give an example (twice) of a GUI tool to find ADSes.