User RECYCLER folders have thousands of hidden files
We have a "Users" folder that is the root of all user files and network profiles.
Using a directory size utility (WinDirStat), I stumbled upon a strange and worrisome problem - thousands of files effectively hidden in the Windows Recycle Bin interface. Each user's folder has a RECYCLER folder directly under My Documents
, such as:
\\server1\Users\smithj\smithj's Documents\RECYCLER\S-1-5-21-nnnnnn
Very few of our users have PCs, as most users login to a Citrix Application server from a simple Wyse terminal. Because most of their file activity is on network shares, the users (and we admins) have always understood there is no "Network Recycle Bin."
However, the hidden RECYCLER folder for most users has thousands of files. Several things stand out:
- In most cases, none of the files are visible using the Recycle Bin interface
- The naming convention for the individual files should include a drive letter such as
DC
orDD
, but instead they all start withD@
- for example,[email protected]
. - I believe the
@
symbol is preventing Windows from dereferencing the original files, so they are simply suppressed in the user interface. - The files together consume tens of Gigabytes. They are not ghosts. Deleting some files does increase the free space on the drive.
- It seems we actually do have a "Network Recycle Bin." By accident. Without real file names.
We have already decided we will delete all files older than X
days. I can do that with a PowerShell script. Unlike this similar case, we are going to delete individual files instead of the entire folder.
So, my questions:
- Has anyone seen these
@
symbols in Recycle Bin files? - All network drive access is through mapped drives. Could this explain why the files are recycled? And hidden?
- Although we run daily backups, I only want to tap this resource for last-resort file recovery. Any suggestions or warnings?
What you are seeing is the recycle bin for redirected "My Documents" folders.
The problem is well described in the article My Documents Folder Redirection / Recycle Bin :
When using folder redirection to redirect users My Documents folders, items deleted from the user's My Documents folder are stored in a Recycle Bin in the user's My Documents folder [which lives on a server]. Unfortunately the maximum size of the Recycle Bin is based on the size of the drive the My Documents folder has been redirected too. The default size is 10%. Using the Policy maker registry client and Group Policy I have pushed the necessary settings to make the maximum size of the Recycle Bin for the My Documents folder 1%.
The problem is that 1% is still way to big. The drive being used to store redirected My Documents is currently 500GB. 1% of that is 5GB, compound that with about 2000 users and it's clear that over the years we could be potentially storing a lot of unnecessary files. Teaching or instructing 2000 users to purge their My Documents folder on a regular basis simply isn't possible.
The article Folder Redirection & Recycle Bin says this :
If you redirect "My Documents" Recycle Bin can become an issue (wasting tons of expensive server disk space).
You can control Recycle Bin behavior with this registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
,NukeOnDelete=1
would disable usage of Recycle Bin for Redirected Folders.
There is another item called UseGlobalSettings
that has the value 1
if these parameters are used for all disks. With the value 0
,
the recycle bin parameters for each disk are found as sub-keys having the
drive-letter of the disk.
There is however another problem raised in that article :
This NukeOnDelete key is really nice. However, I bring forth another conundrum... After redirecting My Documents, the user will have two Recycle Bins - one for local files, the other for redirected files. When the user browses to the Recycle Bin it automatically loads the redirected My Documents, but I can't find out how to access the local Recycle Bin. I understand that the local Recycle Bin is C:\Recycler, but it directory always appears empty. I know in the ideal environment, users shouldn't have access to delete files from the local system. There must be a way to allow the user to access the local Recycle Bin after redirecting My Documents (other than disabling the redirection and log out/in)...
More information from the above article about controlling recycle bin sizes :
- The MaxCapacity value is located at
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\KnownFolder\<GUID>
- In our environment, we only redirect the Desktop and Documents folders to the server. The GUIDs for these are (the others are located at http://msdn.microsoft.com/en-us/library/bb882665.aspx):
- Desktop: B4BFCC3A-DB2C-424C-B029-7FE99A87C641
- Documents: FDD39AD0-238F-46AF-ADB4-6C85480369C7
- As an example, to set the redirected Desktop folder to only use up to 200mb, apply the following registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\KnownFolder\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\MaxCapacity=0xC8
(0xC8 is 200 in hex)- I used Group Policy Preferences to push these changes out to our environment.
- In my testing, this did not immediately purge items in the Recycle Bin that were larger. However, when I deleted a new item after this registry setting had been applied, the older items were immediately deleted from the Recycle Bin.
As for deleting these files: Doing this will in effect erase deleted documents from the recycle bin of the user, so might not be too big a problem. Except that it could louse up recycle bin settings specifying files that no-longer exist. It might be better to empty the general recycle bin immediately after deleting all these files.
Frankly, redirected My Documents seem to have been royally messed-up by Microsoft. You will have to step delicately in-between the gotchas.
WTF? Has anyone seen these @ symbols in Recycle Bin files?
Yes, I've seen this on Windows environments going back as far as I can remember. Both at home, in single user environments and Windows client OSes, and at work/school in multi-user environments on Windows server OSes with many users.
All network drive access is through Mapped Drives. Could this explain why the files are recycled? And hidden?
No. What you're seeing is a function of the way the Recycle Bin works.
When you delete a file, the complete path and file name is stored in a hidden file called Info or Info2 (Windows 98) in the Recycled folder. The deleted file is renamed, using the following syntax:
D<original drive letter of file><#>.<original extension>
As to "explaining" why this happens to a Windows Recycle Bin, I've never seen a more authoritative explanation than "shrug ... corruption." The summary in the linked article tells you what part of the process goes wrong, but doesn't dig into the type of detail about the process that you'd need to properly explain what's actually breaking down, and where. Presumably, if they had, someone would have fixed this issue by now.
Although we run daily backups, I plan to tap this resource for last-resort file recovery. Any suggestions or warnings?
No, nuke away. The files can't be restored to their original names (as they're not in that INFO file manifest of the Recycle Bin contents anymore), and the users can't see them/don't know they're there anymore, so it's just wasted space.