29

On a Windows 2019 Server the drive D: is 100% full (500 Gb used):

I'm trying to understand why the disk is full but I can't because both File Explorer and Total Commander report no more than 33 Gb used:

It's also strange that WinDirStat reports 100% (500 Gb) used in the start summary, but only 33 Gb used after the analysis:

Please note that:

  • I'm logged in as Administrator
  • I started WinDirStat with Administrator privileges
  • I tried with both local Administrator and Active Directory Domain Admin
  • I enabled hidden and system files in File Explorer and Total Commander
  • I ran chkdsk on the D: drive without finding any issue

I found 33 Gb of data. Where are the other 467 Gb?

Mat
  • What is the result when you run vssadmin list shadowstorage ? – user5870571 Aug 29 '20 at 20:05
  • @user5870571: No items found that satisfy the query. – Mat Aug 29 '20 at 20:10
  • What services are you running? Do you have automatic backups of the server's content? What are you using Windows Server 2019 for? Please give us some other information. Also, were you doing anything out of the ordinary earlier in the week or weeks, messing with system settings, that may have caused this? – Arkest Must Aug 30 '20 at 07:45

4 Answers

58

You could try WizTree (wiztreefree.com), which is similar to WinDirStat but it bypasses the filesystem driver and reads the MFT directly if run as an administrator. It will show space taken by alternate data streams, metadata files ($MFT, $Secure, $BadClus, etc.), and directories you don't have access to. It doesn't appear to show space allocated for directory indexes, and it may miss some other things, but I wouldn't be surprised if the culprit does show up.

benrg
  • 27
    Thanks! I used WizTree instead of WinDirStat and I found that there was a directory which I did not have access to, and it contains all of the hidden data! Now I'm fixing permissions, thank you very much! – Mat Aug 30 '20 at 07:53
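
The situation resolved above (a directory the logged-on account could not enter, so its contents were never counted) can also be confirmed without a third-party tool. The following PowerShell is an added example, not part of the original answer; the `$Root` default is an assumption, and it compares the volume's own usage figure with what a directory walk can see, then lists the directories that refused access:

```powershell
# Added example, not from the original thread. $Root is an assumed default.
param([string]$Root = 'D:\')

# What the volume itself reports as in use (the figure drive properties show).
$drive = Get-PSDrive -Name $Root.Substring(0, 1)
$usedByVolume = $drive.Used

# What an ordinary directory walk can see. Errors are collected, not discarded.
$walkErrors = @()
$visibleBytes = (Get-ChildItem -LiteralPath $Root -Recurse -Force -File `
        -ErrorAction SilentlyContinue -ErrorVariable walkErrors |
    Measure-Object -Property Length -Sum).Sum
if ($null -eq $visibleBytes) { $visibleBytes = 0 }

# Directories the walk was refused entry to: everything below them is uncounted.
$denied = $walkErrors |
    Where-Object { $_.Exception -is [System.UnauthorizedAccessException] } |
    ForEach-Object { [string]$_.TargetObject } |
    Sort-Object -Unique

[pscustomobject]@{
    Root           = $Root
    UsedGB         = [math]::Round($usedByVolume / 1GB, 1)
    VisibleGB      = [math]::Round($visibleBytes / 1GB, 1)
    UnaccountedGB  = [math]::Round(($usedByVolume - $visibleBytes) / 1GB, 1)
    DeniedDirCount = @($denied).Count
} | Format-List

# Length is the logical file size, so compressed or sparse files skew the
# comparison slightly; a gap of hundreds of GB together with a non-empty
# list below points at an ACL that hides data from the current account.
$denied
```

Run it from an elevated prompt; any path it prints is a candidate for an ACL review.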
15

I couldn't edit my comment any longer so I post it as an answer.

I once met such an incident: it was due to Alternate Data Streams, a feature of NTFS for classic MacOS compatibility in shared folders. Unfortunately this ill-fated feature can be used for malicious purposes. In simple terms, it can be used to fill up your disk but the reserved space cannot be located, as in your case. If you want to check on this, I suggest the MS Sysinternals tool, streams.

Just beware that they are used in some legitimate cases, for example MS SQL Server prior to 2014 uses them.

Krackout
  • 1
    I did not find any ADS, fortunately! Thanks! – Mat Aug 30 '20 at 07:51
  • 3
    Alternate data streams are widely used for tainting files downloaded from the Internet (`:Zone.Identifier`), for the new NTFS compression methods in Windows 10, and probably for other purposes. I wouldn't call it an ill-fated feature. The problem is that directory-traversing functions don't return any information about the alternate streams, so you have to open every file to check for them (as far as I know). – benrg Aug 30 '20 at 17:11
  • I called them ill-fated because they are not obvious, needing special tools to locate them and thus used for malicious purposes. Also have in mind that on ReFS, MS's new file system, ADS are no longer available. Probably that's why SQL 2014 and newer stopped using them, in order to be able to be installed on ReFS formatted volumes. – Krackout Aug 30 '20 at 22:07
  • 1
    @Krackout alternate data streams were initially not implemented in ReFS, but they were added later. Ill-fated implies that there was some untimely demise or infamous misuse, which isn't really true – PC Luddite Aug 31 '20 at 06:48
  • But there are infamous misuses :) I've faced one in a client of mine. It was a DoS attack, hindering Windows servers by leaving no space left on their disks. – Krackout Aug 31 '20 at 06:51
  • 1
    @Krackout it may just be a matter of semantics, but when I say infamous, I mean prevalent to the point that its misuse outweighs the actual usefulness. This is not something I had even heard of happening before, I had only known about its intended use, which is why I hesitate to call it "infamous". It's more of an edge case in my eyes, but I could be wrong. – PC Luddite Aug 31 '20 at 14:34
  • @Krackout I believe a better word to use than "ill-fated" would be "ill-conceived." – jayce Aug 31 '20 at 16:35
  • Interesting discussion, thanks to my depiction of ADS as "ill-fated"! @PCLuddite, you are right, ADS are now supported in ReFS, I missed that. But fortunately, stream size is limited to 128k only on ReFS, apparently to avoid malicious uses. – Krackout Aug 31 '20 at 17:14
  • @jayce, probably I preferred ill-fated due to bad personal experience! – Krackout Aug 31 '20 at 17:14
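
As the comments above note, directory enumeration does not report alternate data streams, so each file has to be queried individually. The following PowerShell is an added example, not part of the original answer or of the Sysinternals tool; `$Root` and `$Top` are assumed defaults. It totals the space held in named streams and breaks it down by stream name, so that expected streams such as `Zone.Identifier` can be told apart from unusually large ones:

```powershell
# Added example, not from the original thread. $Root and $Top are assumed defaults.
param([string]$Root = 'D:\', [int]$Top = 20)

# Query every file for its streams. ':$DATA' is the unnamed main stream,
# which ordinary tools already count, so it is excluded here.
# Files only: Windows PowerShell 5.1 does not accept -Stream on directories.
$streams = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    }

# Total bytes held in named streams across the tree.
$total = ($streams | Measure-Object -Property Length -Sum).Sum
"Named streams: {0}, total {1:N0} bytes" -f @($streams).Count, [int64]$total

# Breakdown by stream name, largest consumers first.
$streams | Group-Object Stream |
    Select-Object Name, Count,
        @{ n = 'Bytes'; e = { ($_.Group | Measure-Object Length -Sum).Sum } } |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize

# Largest individual streams: the ones that matter when a disk is full.
$streams | Sort-Object Length -Descending |
    Select-Object -First $Top FileName, Stream, Length |
    Format-Table -AutoSize
```

Files inside directories the account cannot enter are skipped silently, so a clean result here does not rule out data hidden behind an ACL.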
7

The default permissions on C:\System Volume Information are NT AUTHORITY\SYSTEM:(OI)(CI)F. This means that even when you Run as Administrator you can't normally see files in it. You can use e.g. psexec to launch an application under the Local System account, which will then allow WinDirStat et al. to display everything, or you can use it to add Administrators to the ACL. In particular, if you are using Previous Versions then the volume shadow copies are stored within this directory, and these can get quite large.

Neil
1

This was very useful. I've found that Windows Server 2019 has set the default size of the Failover Clustering Diagnostic log to 18014398507384832Kb (!) so server disk was filling up. WinDirStat did not show this .EVTX file but WizTree identified it. Saved the day.

  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/502994) – Dave M Nov 16 '21 at 22:23