29
7
What does the Recycle Bin in Windows actually do? Is it just a glorified folder and a holding place for soon to be deleted files, or does it do something specific? Specifically, are files that are "moved" to the Recycle Bin actually moved on the hard disc, or are just the pointers to the files moved? I am a fairly experienced user, I just wanted a more depth explanation of the Recycle Bin.
Jonathon
Posted 2011-12-17T05:39:01.257
Reputation: 392
32
The reference is removed, a metadata file is kept in the Recycle Bin to know the original location.
In the early days, on Windows 95 and 98 this was located in \RECYCLED. On Windows 2000 and later it was renamed to \RECYCLER. Since Windows Vista it is now a special folder called \$Recycle.Bin.
Use Process Monitor to see the I/O under the hood, put a filter on Recycle.Bin and visit it. :)
For example, when I do this:
notepad \$RECYCLE.BIN\S-1-5-21-0192837465-987654321-0123456789-1000\$EXAMPL5
Note: The long folder name is a User SID. The last folder name is a hash based on the metadata.
I get a file that contains metadata information like this:
Ö¸ÌC : \ P a t h \ T o \ S o m e \ E x a m p l e . t x t
The reason that the file path has spaces in between is because it is stored in wide byte chars, to support special characters for certain languages as well as unicode and what else. The earlier symbols are binary and contain information like the file size and permissions, as well as a pointer to the file data. In essence, it contains enough information to reconstruct the original reference...
It's sad that the Windows Internals book doesn't cover this, or else I would've had more reference. I haven't found any articles that go into detail on this, neither by Microsoft or by third party people. They probably do exist but I found it easier to go and reverse engineer the main concept...
Tamara Wijsman
Posted 2011-12-17T05:39:01.257
Reputation: 54 163
Nice, I just find out the hard way exactly what you've posted. Do you have any idea how to find your Example.txt from the command prompt? My use case is to search the entire drive for a misplaced file using dir c:\*.doc* /a/s but it doesn't find any docs in the recycle bin because of the renaming and the real name being kept in this metadata file. – Lieven Keersmaekers – 2015-02-26T07:12:27.333
That will probably involve findstr to grep the recycle bin contents. Dunno how though. – Tamara Wijsman – 2015-02-26T08:27:56.153
Probably easier to update my expectations of dir /a/s :). tx Tom. – Lieven Keersmaekers – 2015-02-26T08:59:36.103
@TomWijsman, Weird, I can actually rename C:\$Recycle.Bin (tried on win8)! Is it safe to do so? – Pacerier – 2015-07-09T05:04:59.273
1
The best info is always from the folks who actually write recovery software: http://www.pandorarecovery.com/knowledge_base/general/recycler.php . And also see http://dereknewton.com/2010/06/recycle-bin-forensics-in-windows-7-and-vista/ and http://linuxsleuthing.blogspot.sg/2009/10/processing-vista-recyclebin.html and http://www.cybersecurityinstitute.biz/INFO2.htm
– Pacerier – 2015-07-09T07:04:33.6473This is actually an interesting question. If the recycle bin were simple, it wouldn't take forever to add a folder with a few thousand files to it. – Daniel Beck – 2011-12-17T05:45:39.453
3
Start with the Wikipedia article.
– William Jackson – 2011-12-17T05:47:55.790http://www.tomshardware.com/forum/95622-45-recycle-work – OG Chuck Low – 2011-12-17T05:49:07.150