Glenn9999 Posted November 29, 2011 Posted November 29, 2011 (edited) Does anyone know where or how you determine where the recycle bin(s) are physically in the machine? I know you can brute force all the names ("Recycler", "Recycled", "$Recycle.Bin", I believe), but is there a more elegant way to find this out for each of the drives in the machine eligible for one? I'm not finding a way when I search. Edited November 29, 2011 by Glenn9999
jaclaz Posted November 29, 2011 Posted November 29, 2011 Does anyone know where or how you determine where the recycle bin(s) are physically in the machine? I know you can brute force all the names ("Recycler", "Recycled", "$Recycle.Bin", I believe), but is there a more elegant way to find this out for each of the drives in the machine eligible for one? I'm not finding a way when I search.Well, IMHO three possibilities seems not very like anything "brute", let alone "force".It also depends on filesystems and actual OS involved, if I recall correctly.Care to narrow (or widen) the scope of the question?And maybe, if you provide some background it may be useful....jaclaz
Glenn9999 Posted November 29, 2011 Author Posted November 29, 2011 Well, IMHO three possibilities seems not very like anything "brute", let alone "force".There might be more than three now or in the future, so I'm thinking it might be good to find a way to get what the string is.It also depends on filesystems and actual OS involved, if I recall correctly.Yes, my research is where I found those three strings. Different for each operating system (98/ME, 2000/XP, Vista/Seven).And maybe, if you provide some background it may be useful....Just looking to write something that will return the Recycle Bin directory on a drive if it exists. Most of what I find in searching involves more "basic computing" kind of answers than what I'm looking for.RecyclerPath = RecycleBinPath("C:\") should have "C:\RECYCLER" as a function return in other words.But if the information as to what the specific string is isn't stored, I can always test for all of them and do it that way.
jaclaz Posted November 29, 2011 Posted November 29, 2011 Yes, but for example, if you type in the "Start->Run":::{645FF040-5081-101B-9F08-00AA002F954E}it opens the actual "user" "recycle bin", whilst (say XP) C:\Recycler contains the various S-1-5-21-..... and in it/them the INFO2 file.Somehow the interface must "know" where the actual path is.I don't think that there is anything in the Registry, maybe checking the windows explorer files (shell32.dll?) for a "hardcoded" name?BTW HOW is called the Recycle Bin in Vista on FAT32? Still "$Recycle.bin" ?Here there is the reference to the "canonical ones":http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdfjaclaz
Glenn9999 Posted November 30, 2011 Author Posted November 30, 2011 Perhaps, this wil help you.ThisThanks, I think I got figured out what I need. As for the first link, he hard-codes it, too (to "Recycled"). I guess that'll probably be the best way, to sweep the folders of the root directory and then match what is found against the routine in the second link.Thanks again!
gunsmokingman Posted November 30, 2011 Posted November 30, 2011 I do not know if this will help but here is a VBS script that should list all Various Recycle Bin on the local computer.Save As Find_RecyleBin.vbs'-> Objects For RuntimeDim Act :Set Act = CreateObject("Wscript.Shell")Dim Fso :Set Fso = CreateObject("Scripting.FileSystemObject")Dim Wmi :Set Wmi = GetObject("winmgmts:\\.\root\CIMV2") '-> Varibles For RuntimeDim D1, Ln, Obj, Ts, Txt, T1, T2, T3 Ln = "-----------------------------------"'-> Path To User Desktop And Text Report Txt = Act.SpecialFolders("Desktop") & "\RecyleBinRpt.txt"'-> Create Text File To Log Results Set Ts = Fso.CreateTextFile(Txt)'-> Date Time Varibles D1 = Day(Date) T1 = Hour(Time) T2 = Minute(Time) T3 = Second(Time)'-> Adds Zero To Number EG 1 Would Become 01 If Len(D1) = 1 Then D1 = "0" & D1 If Len(T1) = 1 Then T1 = "0" & T1 If Len(T2) = 1 Then T2 = "0" & T2 If Len(T3) = 1 Then T3 = "0" & T3'-> Write Date Time To Text File Ts.WriteLine "Scan Date : " & MonthName(Month(Now),False) & "/" & _ WeekdayName(Weekday(Now),False) & "," & D1 & "/" & Year(Now) Ts.WriteLine "Scan Time : " & T1 & ":" & T2 & ":" & T3 & vbCrLf & Ln'-> Loop Threw All Folders And Sub Folder On Local Computer For Each Obj In Wmi.ExecQuery("SELECT * FROM Win32_Directory")'-> Filter Out Various Recycle Bin Paths If Instr(1,Obj.Path,"recy",1) Then Ts.WriteLine Obj.Caption & vbCrLf & Ln End If Next '-> Close Text File Ts.Close'-> Read The Text File Chr(34) = " Act.Run(Chr(34) & Txt & Chr(34)),1,True '-> After Closing Text Files Msgbox Ask To Keep Or Delete If MsgBox("Would You Like To Keep This File?" & vbCrLf & _ "Yes To Keep File, No To Delete File" & vbCrLf & _ Txt,4132,"Keep Or Delete") = 7 Then Fso.DeleteFile(Txt) End If Rename Find_RecyleBin.vbs.txt to Find_RecyleBin.vbs to make active.Find_RecyleBin.vbs.txt
jaclaz Posted November 30, 2011 Posted November 30, 2011 '-> Loop Threw All Folders And Sub Folder On Local Computer For Each Obj In Wmi.ExecQuery("SELECT * FROM Win32_Directory")'-> Filter Out Various Recycle Bin Paths If Instr(1,Obj.Path,"recy",1) Then Ts.WriteLine Obj.Caption & vbCrLf & Ln End If Next Pardon me, but would it not include any of folders named as:http://www.morewords.com/contains/recy/jaclaz
gunsmokingman Posted November 30, 2011 Posted November 30, 2011 list all Various Recycle Bin I guess that was not clear enough for you to readThe Script ment to list Folder recy in it path case insensitive.Some Of The Resultsc:\$recycle.bin\s-1-5-20c:\recycler\s-1-5-18
jaclaz Posted November 30, 2011 Posted November 30, 2011 I don't get it. I am failing (but not being expert in VBS it is very possible that I overlooked it) which part finds the recycle bin.I mean, if I have these 6 folders in a drive (say C:\):c:\$recycle.bin\s-1-5-20c:\recycler\s-1-5-18C:\secrecy\s-1-5-20C:\recyclables\s-1-5-18C:\recycling\goofyC:\unrecyclable\minnieWould ONLY the first two be listed? jaclaz
gunsmokingman Posted November 30, 2011 Posted November 30, 2011 I don't get it. I am failing (but not being expert in VBS it is very possible that I overlooked it) which part finds the recycle bin.I mean, if I have these 6 folders in a drive (say C:\):c:\$recycle.bin\s-1-5-20c:\recycler\s-1-5-18C:\secrecy\s-1-5-20C:\recyclables\s-1-5-18C:\recycling\goofyC:\unrecyclable\minnieWould ONLY the first two be listed? jaclazOk the script looks for recy in it pathExample Wmi Path and what it filteringstrComputer = "." Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2") Set colItems = objWMIService.ExecQuery( _ "SELECT * FROM Win32_Directory",,48) For Each objItem in colItems If Instr(1,objItem.Path,"recy",1) Then Wscript.Echo "-----------------------------------" Wscript.Echo "Path: " & objItem.Path end IfNextWhat It Filter Out-------------------------Path: \$recycle.bin\-------------------------Path: \$recycle.bin\-------------------------Path: \$recycle.bin\-------------------------Path: \$recycle.bin\-------------------------Path: \recycler\When used with caption return the path to the folderIf there where any names in the path they would get listedc:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1001-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1004-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1005-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1006-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1007
jaclaz Posted December 1, 2011 Posted December 1, 2011 (edited) I really hate these dialogs between deaf people .From what I understand (as said very little) of VBS, you make a WMI query on the whole Win32_directory space and find in it (in column "Path") strings containing "recy".Is the above correct?I can seemingly replicate the behaviour in my "dinosaur's" command line approach with this one-.liner :wmic path win32_directory where(Path like '%recy%') get PathBUT, if I create directories like:$recyclablerecycling1recyand put some contents in them, I get them listed allright, even if they have nothing to do with the actual recycle bin.Doesn't your VBS do the same?IMHO one should add additional code to check whether a file "INFO2" exists (which would cover up to XP/2003) OR BOTH a file $Ixxxxx.xxx AND a file $Rxxxxx.xxx (where xxxxx.xxx means "same string") to cover Vista and later (BTW does Windows 7 behave as Vista ? ) or maybe find a folder name pattern like the S-1-5-2* FOR /F "USEBACKQ tokens=1 delims=\" %A IN (`wmic path win32_directory where^(Path like '%S-1-5-2%'^) get Path`) DO @ECHO %Ajaclaz Edited December 1, 2011 by jaclaz
CoffeeFiend Posted December 1, 2011 Posted December 1, 2011 Doesn't your VBS do the same?Yes. It asks WMI to get all folders' names, then it checks if they contain "recy" -- which Glen9999 called "brute forcing" and doesn't care for. That was precisely his question: how NOT to do it this way.Like I linked to, the "official" (from MSDN) way to do it is to enumerate folders the good ol' fashioned way (not using WMI, and on local hard drives only). Then on the folders found, you call the GetFolderDescriptionId API, which will set the CLSID_RecycleBin bit in the filled SHDESCRIPTIONID struct if it's actually used by the recycle bin (and not "it kind of sounds like recycle in english", like "local recycling program" on a mapped network drive...)
gunsmokingman Posted December 1, 2011 Posted December 1, 2011 jaclaz my script did not pick up these 3 folders name in a test I did.Test Folders Name1\IRecyleMyBin located on my desktopPath C:\Users\Gunsmokingman\Desktop\IRecyleMyBin2\IRecyleMyBin_1 located on C DrivePath C:\IRecyleMyBin_13\TestRecycle located on C DrivePath C:\TestRecyclePartial Scan ResultsScan Date : December/Thursday,01/2011Scan Time : 10:19:49-----------------------------------c:\$recycle.bin\s-1-5-20-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1001-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1004-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1005-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1006-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1007-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1008-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1009-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1011-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1012-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1013-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1014-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1015-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1016-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1017-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1018-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1019-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1020-----------------------------------c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1021-----------------------------------c:\recycler\s-1-5-18-----------------------------------d:\$recycle.bin\s-1-5-21-3143941714-1751930184-2774033846-1001From the list above it did not list those 3 folders for the test.Using WMI Code Creator And Results Not Showing The Test FoldersCoffee it sound the method you posted uses the same brute force as a VBS script.enumerate folders the good ol' fashioned way
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now