Find the recycle bin

[Glenn9999]

Does anyone know where or how you determine where the recycle bin(s) are physically in the machine? I know you can brute force all the names ("Recycler", "Recycled", "$Recycle.Bin", I believe), but is there a more elegant way to find this out for each of the drives in the machine eligible for one? I'm not finding a way when I search.

Edited November 29, 2011 by Glenn9999

[jaclaz]

Does anyone know where or how you determine where the recycle bin(s) are physically in the machine? I know you can brute force all the names ("Recycler", "Recycled", "$Recycle.Bin", I believe), but is there a more elegant way to find this out for each of the drives in the machine eligible for one? I'm not finding a way when I search.

Well, IMHO three possibilities seems not very like anything "brute", let alone "force".

It also depends on filesystems and actual OS involved, if I recall correctly.

Care to narrow (or widen) the scope of the question?

And maybe, if you provide some background it may be useful....

jaclaz

[Glenn9999]

Well, IMHO three possibilities seems not very like anything "brute", let alone "force".

There might be more than three now or in the future, so I'm thinking it might be good to find a way to get what the string is.

It also depends on filesystems and actual OS involved, if I recall correctly.

Yes, my research is where I found those three strings. Different for each operating system (98/ME, 2000/XP, Vista/Seven).

And maybe, if you provide some background it may be useful....

Just looking to write something that will return the Recycle Bin directory on a drive if it exists. Most of what I find in searching involves more "basic computing" kind of answers than what I'm looking for.

RecyclerPath = RecycleBinPath("C:\") should have "C:\RECYCLER" as a function return in other words.

But if the information as to what the specific string is isn't stored, I can always test for all of them and do it that way.

[jaclaz]

Yes, but for example, if you type in the "Start->Run":

::{645FF040-5081-101B-9F08-00AA002F954E}

it opens the actual "user" "recycle bin", whilst (say XP) C:\Recycler contains the various S-1-5-21-..... and in it/them the INFO2 file.

Somehow the interface must "know" where the actual path is.

I don't think that there is anything in the Registry, maybe checking the windows explorer files (shell32.dll?) for a "hardcoded" name?

BTW HOW is called the Recycle Bin in Vista on FAT32? Still "$Recycle.bin" ?

Here there is the reference to the "canonical ones":

http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf

jaclaz

[allen2]

Perhaps, this wil help you.

[CoffeeFiend]

This

[Glenn9999]

Perhaps, this wil help you.

This

Thanks, I think I got figured out what I need. As for the first link, he hard-codes it, too (to "Recycled"). I guess that'll probably be the best way, to sweep the folders of the root directory and then match what is found against the routine in the second link.

Thanks again!

[gunsmokingman]

I do not know if this will help but here is a VBS script that should list all Various Recycle Bin on the local computer.

Save As Find_RecyleBin.vbs

'-> Objects For Runtime
Dim Act :Set Act = CreateObject("Wscript.Shell")
Dim Fso :Set Fso = CreateObject("Scripting.FileSystemObject")
Dim Wmi :Set Wmi = GetObject("winmgmts:\\.\root\CIMV2") 
'-> Varibles For Runtime
Dim D1, Ln, Obj, Ts, Txt, T1, T2, T3
 Ln = "-----------------------------------"
'-> Path To User Desktop And Text Report
 Txt = Act.SpecialFolders("Desktop") & "\RecyleBinRpt.txt"
'-> Create Text File To Log Results
 Set Ts = Fso.CreateTextFile(Txt)
'-> Date Time Varibles
 D1 = Day(Date)
 T1 = Hour(Time)
 T2 = Minute(Time)
 T3 = Second(Time)
'-> Adds Zero To Number EG 1 Would Become 01
 If Len(D1) = 1 Then D1 = "0" & D1
 If Len(T1) = 1 Then T1 = "0" & T1
 If Len(T2) = 1 Then T2 = "0" & T2
 If Len(T3) = 1 Then T3 = "0" & T3
'-> Write Date Time To Text File
  Ts.WriteLine "Scan Date : " & MonthName(Month(Now),False) & "/" & _
  WeekdayName(Weekday(Now),False) & "," & D1 & "/" & Year(Now)
  Ts.WriteLine "Scan Time : " & T1 & ":" & T2 & ":" & T3 & vbCrLf & Ln
'-> Loop Threw All Folders And Sub Folder On Local Computer
  For Each Obj In Wmi.ExecQuery("SELECT * FROM Win32_Directory")
'-> Filter Out Various Recycle Bin Paths
    If Instr(1,Obj.Path,"recy",1) Then
     Ts.WriteLine Obj.Caption & vbCrLf & Ln 
    End If 
  Next 
'-> Close Text File
 Ts.Close
'-> Read The Text File Chr(34) = "
 Act.Run(Chr(34) & Txt & Chr(34)),1,True 
'-> After Closing Text Files Msgbox Ask To Keep Or Delete
  If MsgBox("Would You Like To Keep This File?" & vbCrLf & _
            "Yes To Keep File, No To Delete File" & vbCrLf & _
            Txt,4132,"Keep Or Delete") = 7 Then
     Fso.DeleteFile(Txt)
  End If 

Rename Find_RecyleBin.vbs.txt to Find_RecyleBin.vbs to make active.

Find_RecyleBin.vbs.txt

[jaclaz]

'-> Loop Threw All Folders And Sub Folder On Local Computer

For Each Obj In Wmi.ExecQuery("SELECT * FROM Win32_Directory")

'-> Filter Out Various Recycle Bin Paths

If Instr(1,Obj.Path,"recy",1) Then

Ts.WriteLine Obj.Caption & vbCrLf & Ln

End If

Next

Pardon me, but would it not include any of folders named as:

http://www.morewords.com/contains/recy/

jaclaz

[gunsmokingman]

list all Various Recycle Bin

I guess that was not clear enough for you to read

The Script ment to list Folder recy in it path case insensitive.

Some Of The Results

c:\$recycle.bin\s-1-5-20

c:\recycler\s-1-5-18

[jaclaz]

I don't get it.

I am failing (but not being expert in VBS it is very possible that I overlooked it) which part finds the recycle bin.

I mean, if I have these 6 folders in a drive (say C:\):

1. c:\$recycle.bin\s-1-5-20
   
2. c:\recycler\s-1-5-18
   
3. C:\secrecy\s-1-5-20
   
4. C:\recyclables\s-1-5-18
   
5. C:\recycling\goofy
   
6. C:\unrecyclable\minnie
   

Would ONLY the first two be listed?

jaclaz

[gunsmokingman]

I don't get it.

I am failing (but not being expert in VBS it is very possible that I overlooked it) which part finds the recycle bin.

I mean, if I have these 6 folders in a drive (say C:\):

1. c:\$recycle.bin\s-1-5-20
   
2. c:\recycler\s-1-5-18
   
3. C:\secrecy\s-1-5-20
   
4. C:\recyclables\s-1-5-18
   
5. C:\recycling\goofy
   
6. C:\unrecyclable\minnie
   

Would ONLY the first two be listed?

jaclaz

Ok the script looks for recy in it path

Example Wmi Path and what it filtering

strComputer = "." 
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2") 
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_Directory",,48) 
For Each objItem in colItems 
    If Instr(1,objItem.Path,"recy",1) Then
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Path: " & objItem.Path
   end If
Next

What It Filter Out

-------------------------

Path: \$recycle.bin\

-------------------------

Path: \$recycle.bin\

-------------------------

Path: \$recycle.bin\

-------------------------

Path: \$recycle.bin\

-------------------------

Path: \recycler\

When used with caption return the path to the folder

If there where any names in the path they would get listed

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1001

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1004

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1005

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1006

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1007

[jaclaz]

I really hate these dialogs between deaf people .

From what I understand (as said very little) of VBS, you make a WMI query on the whole Win32_directory space and find in it (in column "Path") strings containing "recy".

Is the above correct?

I can seemingly replicate the behaviour in my "dinosaur's" command line approach with this one-.liner :

wmic path win32_directory where(Path like '%recy%') get Path

BUT, if I create directories like:

• $recyclable
  
• recycling
  
• 1recy
  

and put some contents in them, I get them listed allright, even if they have nothing to do with the actual recycle bin.

Doesn't your VBS do the same?

IMHO one should add additional code to check whether a file "INFO2" exists (which would cover up to XP/2003) OR BOTH a file $Ixxxxx.xxx AND a file $Rxxxxx.xxx (where xxxxx.xxx means "same string") to cover Vista and later (BTW does Windows 7 behave as Vista ? ) or maybe find a folder name pattern like the S-1-5-2*

FOR /F "USEBACKQ tokens=1 delims=\" %A IN (`wmic path win32_directory where^(Path like '%S-1-5-2%'^) get Path`) DO @ECHO %A

jaclaz

Edited December 1, 2011 by jaclaz

[CoffeeFiend]

Doesn't your VBS do the same?

Yes. It asks WMI to get all folders' names, then it checks if they contain "recy" -- which Glen9999 called "brute forcing" and doesn't care for. That was precisely his question: how NOT to do it this way.

Like I linked to, the "official" (from MSDN) way to do it is to enumerate folders the good ol' fashioned way (not using WMI, and on local hard drives only). Then on the folders found, you call the GetFolderDescriptionId API, which will set the CLSID_RecycleBin bit in the filled SHDESCRIPTIONID struct if it's actually used by the recycle bin (and not "it kind of sounds like recycle in english", like "local recycling program" on a mapped network drive...)

[gunsmokingman]

jaclaz my script did not pick up these 3 folders name in a test I did.

Test Folders Name

1\IRecyleMyBin located on my desktop

Path C:\Users\Gunsmokingman\Desktop\IRecyleMyBin

2\IRecyleMyBin_1 located on C Drive

Path C:\IRecyleMyBin_1

3\TestRecycle located on C Drive

Path C:\TestRecycle

Partial Scan Results

Scan Date : December/Thursday,01/2011

Scan Time : 10:19:49

-----------------------------------

c:\$recycle.bin\s-1-5-20

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1001

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1004

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1005

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1006

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1007

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1008

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1009

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1011

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1012

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1013

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1014

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1015

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1016

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1017

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1018

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1019

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1020

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1021

-----------------------------------

c:\recycler\s-1-5-18

-----------------------------------

d:\$recycle.bin\s-1-5-21-3143941714-1751930184-2774033846-1001

From the list above it did not list those 3 folders for the test.

Using WMI Code Creator And Results Not Showing The Test Folders

Coffee it sound the method you posted uses the same brute force as a VBS script.

enumerate folders the good ol' fashioned way