User RECYCLER folders have thousands of hidden files

11

7

We have a "Users" folder that is the root of all user files and network profiles.

Using a directory size utility (WinDirStat), I stumbled upon a strange and worrisome problem - thousands of files effectively hidden in the Windows Recycle Bin interface. Each user's folder has a RECYCLER folder directly under My Documents, such as:

\\server1\Users\smithj\smithj's Documents\RECYCLER\S-1-5-21-nnnnnn

Very few of our users have PCs, as most users login to a Citrix Application server from a simple Wyse terminal. Because most of their file activity is on network shares, the users (and we admins) have always understood there is no "Network Recycle Bin."

However, the hidden RECYCLER folder for most users has thousands of files. Several things stand out:

  1. In most cases, none of the files are visible using the Recycle Bin interface
  2. The naming convention for the individual files should include a drive letter such as DC or DD, but instead they all start with D@ - for example, D@1234.doc.
  3. I believe the @ symbol is preventing Windows from dereferencing the original files, so they are simply suppressed in the user interface.
  4. The files together consume tens of Gigabytes. They are not ghosts. Deleting some files does increase the free space on the drive.
  5. It seems we actually do have a "Network Recycle Bin." By accident. Without real file names.

We have already decided we will delete all files older than X days. I can do that with a PowerShell script. Unlike this similar case, we are going to delete individual files instead of the entire folder.

So, my questions:

  • Has anyone seen these @ symbols in Recycle Bin files?
  • All network drive access is through mapped drives. Could this explain why the files are recycled? And hidden?
  • Although we run daily backups, I only want to tap this resource for last-resort file recovery. Any suggestions or warnings?

jswanson

Posted 2013-06-18T21:25:01.267

Reputation: 113

Not sure if you're still around, given the age of this question, but are you redirecting My Documents to a network path? – Patrick Seymour – 2014-04-22T00:34:58.347

These two articles contain instructions on how to create a Network Recycle bin on mapped network drives. You could check if either of them applies to your case : article 1 and article 2.

– harrymc – 2014-04-22T06:03:05.697

Answers

3

What you are seeing is the recycle bin for redirected "My Documents" folders.

The problem is well described in the article My Documents Folder Redirection / Recycle Bin :

When using folder redirection to redirect users My Documents folders, items deleted from the user's My Documents folder are stored in a Recycle Bin in the user's My Documents folder [which lives on a server]. Unfortunately the maximum size of the Recycle Bin is based on the size of the drive the My Documents folder has been redirected too. The default size is 10%. Using the Policy maker registry client and Group Policy I have pushed the necessary settings to make the maximum size of the Recycle Bin for the My Documents folder 1%.

The problem is that 1% is still way to big. The drive being used to store redirected My Documents is currently 500GB. 1% of that is 5GB, compound that with about 2000 users and it's clear that over the years we could be potentially storing a lot of unnecessary files. Teaching or instructing 2000 users to purge their My Documents folder on a regular basis simply isn't possible.

The article Folder Redirection & Recycle Bin says this :

If you redirect "My Documents" Recycle Bin can become an issue (wasting tons of expensive server disk space).

You can control Recycle Bin behavior with this registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket, NukeOnDelete=1 would disable usage of Recycle Bin for Redirected Folders.

There is another item called UseGlobalSettings that has the value 1 if these parameters are used for all disks. With the value 0, the recycle bin parameters for each disk are found as sub-keys having the drive-letter of the disk.

There is however another problem raised in that article :

This NukeOnDelete key is really nice. However, I bring forth another conundrum... After redirecting My Documents, the user will have two Recycle Bins - one for local files, the other for redirected files. When the user browses to the Recycle Bin it automatically loads the redirected My Documents, but I can't find out how to access the local Recycle Bin. I understand that the local Recycle Bin is C:\Recycler, but it directory always appears empty. I know in the ideal environment, users shouldn't have access to delete files from the local system. There must be a way to allow the user to access the local Recycle Bin after redirecting My Documents (other than disabling the redirection and log out/in)...

More information from the above article about controlling recycle bin sizes :

  1. The MaxCapacity value is located at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\KnownFolder\<GUID>
  2. In our environment, we only redirect the Desktop and Documents folders to the server. The GUIDs for these are (the others are located at http://msdn.microsoft.com/en-us/library/bb882665.aspx):
    1. Desktop: B4BFCC3A-DB2C-424C-B029-7FE99A87C641
    2. Documents: FDD39AD0-238F-46AF-ADB4-6C85480369C7
  3. As an example, to set the redirected Desktop folder to only use up to 200mb, apply the following registry value:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\KnownFolder\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\MaxCapacity=0xC8 (0xC8 is 200 in hex)
  4. I used Group Policy Preferences to push these changes out to our environment.
  5. In my testing, this did not immediately purge items in the Recycle Bin that were larger. However, when I deleted a new item after this registry setting had been applied, the older items were immediately deleted from the Recycle Bin.

As for deleting these files: Doing this will in effect erase deleted documents from the recycle bin of the user, so might not be too big a problem. Except that it could louse up recycle bin settings specifying files that no-longer exist. It might be better to empty the general recycle bin immediately after deleting all these files.

Frankly, redirected My Documents seem to have been royally messed-up by Microsoft. You will have to step delicately in-between the gotchas.

harrymc

Posted 2013-06-18T21:25:01.267

Reputation: 306 093

A good article, but note that the problem of hidden files in the Recycle Bin can and will still exist, even if you disable the maximum size setting for the Recycle Bin. – HopelessN00b – 2014-04-22T21:03:58.827

3

WTF? Has anyone seen these @ symbols in Recycle Bin files?

Yes, I've seen this on Windows environments going back as far as I can remember. Both at home, in single user environments and Windows client OSes, and at work/school in multi-user environments on Windows server OSes with many users.

All network drive access is through Mapped Drives. Could this explain why the files are recycled? And hidden?

No. What you're seeing is a function of the way the Recycle Bin works.

When you delete a file, the complete path and file name is stored in a hidden file called Info or Info2 (Windows 98) in the Recycled folder. The deleted file is renamed, using the following syntax:

D<original drive letter of file><#>.<original extension>

As to "explaining" why this happens to a Windows Recycle Bin, I've never seen a more authoritative explanation than "shrug ... corruption." The summary in the linked article tells you what part of the process goes wrong, but doesn't dig into the type of detail about the process that you'd need to properly explain what's actually breaking down, and where. Presumably, if they had, someone would have fixed this issue by now.

Although we run daily backups, I plan to tap this resource for last-resort file recovery. Any suggestions or warnings?

No, nuke away. The files can't be restored to their original names (as they're not in that INFO file manifest of the Recycle Bin contents anymore), and the users can't see them/don't know they're there anymore, so it's just wasted space.

HopelessN00b

Posted 2013-06-18T21:25:01.267

Reputation: 1 869

In the article you quote, the files have #, while the poster has @. Also, many things have changed since Windows 98, so the article doesn't really apply. – harrymc – 2014-04-22T19:53:21.163

@harrymc I'm positive. The @ exists because the file originally "came from" a network share or path, rather than a drive with a letter. So instead of DC[#].[whatever] if it had originally come from the C drive, you get D@[#].[whatever] ... because a network share or UNC path doesn't have a "drive letter" to go into that second character position. (So it uses the @ symbol instead of the drive letter... for whatever reason.) – HopelessN00b – 2014-04-22T19:59:04.950

He says that access is thru mapped shares, so they do have a drive letter. I have been trying to duplicate his problem and I cannot manage it, mapped or not : the files are just deleted. Weird. Can you duplicate it? See wikipedia for the new naming convention using $, not @ or #.

– harrymc – 2014-04-22T20:07:04.177

@harrymc I can't duplicate it on command, but I administer dozens of fileservers with these kinds of files on them, in the users' redirected profile path. A mapped drive is not the same as a locally attached drives, since network mappings (and the drive letter mappings that come with them) are a per-user setting, not a system-wide setting. This means that when the system writes the original location of the file to the recycle bin manifest, it uses the actual path, such as \\server1\Users\smithj\smithj's Documents\somefile rather than the path the user sees, such as Y:\somefile. – HopelessN00b – 2014-04-22T20:26:32.197

I did some more research on this curious problem, and found more info that I put in a separate answer. – harrymc – 2014-04-22T21:00:30.167

Asked: 2013-06-18T21:25:01.267

Viewed: 5 056 times

Active: 2014-10-17T10:20:48.060