Windows XP shows low disk space - WinDirStat shows 50GB <Unknown> entry

disk-space-utilization windows-xp

We run 12 Dell Optiplex 755 desktop computers. All of them have the exact same hardware and softawre, configured exactly the same. As such, they are all:

  • running Windows XP
  • on the same network
  • denied access to the internet
  • running with Windows updates up to as recently as November 2011
  • running with virus definitions up to as recently as November 2011

One computer today reported that it was running low on disk space - indeed it reported that it had less than 6GB remaining of an 80GB drive. All of the other computers are sitting in the realm of 64 GB free on their hard drives.

I ran a check through the file system and could only account for maybe 6-7 GB on the file system, so I ran WinDirStat and it reported that there was a 50 GB block of data labled as "Unknown".

I did my research and did the following things:

  • Ran WinDirStat as an administrator, so the app had access to everything
  • I checked System Restore - It is configured to only use up to 9GB for it's restore points.
  • The Volume Shadow Copy service is not running, and is set to be manually run.
  • Chkdsk completed with no errors.

The only difference between this computer and the rest in production is that this machine was recently one of two that were deployed (several months ago) to replace a couple that failed for unrelated reasons. The other computer has not exhibited any symptoms.

We cannot figure out what this massive inaccessible block of hard drive space is, and we would like it back. Any help would be greatly appreciated.


As I read this 3 obvious causes come to mind:

  1. root-kit: You're best bet is to boot from clean media (like a Linux live-cd) and scan the disk from there using one of the online virusscanners. Even if the scanner doesn't see anything suspicious you might see some very large files or weirdly named folders on the disk that would otherwise be invisible from the infected system.
  2. Some sort of disk-corruption that chkdsk misses. Did you ran chkdsk during boot instead of on the online file-system already ? If not try that first. (Run chkdsk c: /X from a cmd prompt to force it into a boot-time chkdsk.) If that is clean too a disk-corruption issue seems unlikely.
  3. Some sort of hidden file (like an ADS stream) that got completely out of hand. Try clearing the Internet Explorer cache. This is full of ADS streams that are completely invisible and sometimes get 'run away'. There is a tools to hunt ADS files down in the SysInternals Suite. You can give that a try too.

Related

Cisco ASA Config for PCI Compliant Office
CPU load inhibits interrupts on Linux
simple and reliable centralized logging inside Amazon VPC
SAN booting Oracle VM from a UCS blade
Equivalent for the "pid file" stanza in newer versions of upstart
Does having a load balancer allow you to re-use socket connections?
How to set the default source (src) ip address when you have mulitple IP's on a virtual interface
Making ssh easier for our Windows user community
Which events specifically cause Windows 2008 to mark a SAN volume offline?
How can I run an application from a network share without prompting for Admin password?
OpenVPN failing on self-signed certificate over udp, works over tcp
How to make a variable in a parameterized Puppet class default to the value of another parameter?