
Find the recycle bin



jaclaz, my script did not pick up these 3 folder names in a test I did.

You need to put *something* in them.

Your script on my machine, bolded the relevant parts:

Scan Date : dicembre/giovedì,01/2011

Scan Time : 19:47:54

-----------------------------------

c:\$recyclable\testwmi

-----------------------------------

c:\recycler\s-1-5-21-436374069-261903793-839522115-1003

-----------------------------------

c:\recycler\s-1-5-21-436374069-261903793-839522115-1003\dc53

-----------------------------------

c:\recycler\s-1-5-21-436374069-261903793-839522115-1003\dc62

-----------------------------------

c:\recycler\s-1-5-21-436374069-261903793-839522115-1004

-----------------------------------

c:\recycler\s-1-5-21-436374069-261903793-839522115-1004\dc6.0

-----------------------------------

c:\secrecy\testrer

-----------------------------------

d:\recycler\s-1-5-18

-----------------------------------

d:\recycler\s-1-5-21-436374069-261903793-839522115-1003

-----------------------------------

d:\recycler\s-1-5-21-436374069-261903793-839522115-1004

-----------------------------------

d:\recycler\s-1-5-21-436374069-261903793-839522115-500

-----------------------------------

jaclaz



I added a png and a hta to C:\IRecyleMyBin_1 and only png to C:\Users\Gunsmokingman\Desktop\IRecyleMyBin

The result was that it did not list those 2 folders in the text file output.

Scan Date : December/Thursday,01/2011

Scan Time : 11:03:40

-----------------------------------

c:\$recycle.bin\s-1-5-20

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1001

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1004

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1005

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1006

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1007

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1008

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1009

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1011

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1012

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1013

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1014

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1015

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1016

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1017

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1018

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1019

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1020

-----------------------------------

c:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1021

-----------------------------------

c:\recycler\s-1-5-18

-----------------------------------

d:\$recycle.bin\s-1-5-21-3143941714-1751930184-2774033846-1001

-----------------------------------

d:\$recycle.bin\s-1-5-21-659968422-3981163177-1457963359-1001


As to why it picked up those folders on your computer I do know why.


Thanks, I think I figured out what I need. As for the first link, he hard-codes it, too (to "Recycled"). I guess that'll probably be the best way, to sweep the folders of the root directory and then match what is found against the routine in the second link.

The second routine ended up not working on XP (it kept complaining of an invalid / not found token in GetLastError when I pointed it at C:\Recycler), so I ended up hard-coding those three strings anyway and got what I wanted to do done. I guess it works on Vista or Seven fine?


Coffee, it sounds like the method you posted uses the same brute force as a VBS script.

Not at all. He meant "brute forcing" as in "checking if it sounds like a recycle bin folder", or other obvious ways (checking hardcoded, commonly used folder names). Using the API I linked to, Windows tells you authoritatively (not guessing based on how the name sounds) if it's used for that or not, no matter what it may be called (in any language or locale, also regardless of the OS version). If a MS employee on MSDN tells me it's the way, then it's good enough for me.

I added a png and a hta to C:\IRecyleMyBin_1 and only png to C:\Users\Gunsmokingman\Desktop\IRecyleMyBin

The result was that it did not list those 2 folders in the text file output.

It doesn't pick them up because using WMI like that doesn't produce the results you'd expect. That specific query won't tell you those folders you just created even exist (yet, many others are returned several times over), so you're never even given the chance to guess if they are used for that or not. Add a subfolder to them and now they will be seen, and indeed it will say they're recycle bins, because they have "recy" in them. Either way, even disregarding all that, he didn't want to "brute force" check folders this way (even if it worked, that's not what he was looking for).

TL;DR: he was not looking for a port of dir *recy* /ad or variants of it (I mean, just who actually needs help to figure this out? Seriously?) to some other language he almost certainly isn't using but an actual way to detect it. You're basically ignoring his actual question altogether.

Either way, it looks like he picked something that works for him now.


Perhaps this is better: you can add as many names to the query, and in theory it can run on a remote machine.

Demo_RecycleBin.vbs


'-> Objects For Runtime
Dim Act :Set Act = CreateObject("Wscript.Shell")
Dim Fso :Set Fso = CreateObject("Scripting.FileSystemObject")
Dim Wmi :Set Wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
'-> Path Is The Parent Path Without The Drive Letter, So This Returns The
'-> Subfolders Of \$Recycle.Bin\ And \RECYCLER\ (Backslashes Are Doubled For WQL)
Dim Col :Set Col = Wmi.ExecQuery("Select * From Win32_Directory Where Path =" & _
    " '\\$Recycle.Bin\\' Or Path = '\\RECYCLER\\'")

If Col.Count < 1 Then
    MsgBox "Could Not Find Any Path With " & _
        "\\$Recycle.Bin\\ Or \\RECYCLER\\"
Else
    '-> Confirm Found At Least One Folder Name
    Dim Obj,Ts, Txt
    Txt = Act.SpecialFolders("Desktop") & "\RecyleBinRpt.txt"
    Set Ts = Fso.CreateTextFile(Txt)
    For Each Obj in Col
        Ts.WriteLine Obj.caption
    Next
    Ts.Close
    '-> Open The Report And Wait Until It Is Closed
    Act.Run(Chr(34) & Txt & Chr(34)),1,True
    '-> 4132 = Yes/No Buttons + Question Icon + System Modal, 7 = No
    If MsgBox("Would You Like To Keep This File?" & vbCrLf & _
        "Yes To Keep File, No To Delete File" & vbCrLf & _
        Txt,4132,"Keep Or Delete") = 7 Then
        Fso.DeleteFile(Txt)
    End If
End If

Rename Demo_RecycleBin.vbs.txt to Demo_RecycleBin.vbs to make active

Demo_RecycleBin.vbs.txt

You can also use something like this, but I don't have much experience using this object.

I chose to use WMI; I understand it a little better than using what's below.


Const RECYCLE_BIN = &Ha&
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.NameSpace(RECYCLE_BIN)


Yes, there must be a subdirectory in the *recy* named folder for it to appear.

The &hA AFAIK was good until 9x/Me and changed with XP, it was connected to the (whatever it was) "BITBUCKET" or something like that.

But still, just like the mentioned "::{645FF040-5081-101B-9F08-00AA002F954E}" it pointed to the "virtual folder".

Conversely the approach pointed out by Coffefiend is "OS agnostic", or, if you prefer, in your approach you assumed that you boot to the OS and you want to look at the Recycle Bin of that OS.

A procedure like:

  1. "bruteforcing" the names <-(Glenn9999) can be executed also from another booted OS (BUT it won't work if the Recycle Bin folder has been renamed *somehow* to a different name from the three known ones)
  2. finding *recy* <-(Gunsmokingman) can be executed also from another booted OS (BUT it won't work if the Recycle Bin folder has been renamed *somehow* to a different name from the three known ones AND it may provide "false positives")
  3. checking contents of the folder <-(jaclaz) will ONLY remove the possibility of "false positives"
  4. checking folder attribute <-(Coffefiend) will MAKE SURE that the folder is a Recycle Bin (used at least once by at least one of the OSes ever booted on that machine) BUT won't cover the *somehow* renamed from the known three names

I would think that the most comprehensive procedure could be "mixing" all these approaches:

  1. find all files called INFO2 (and "take note" of their parent folders)
  2. find all files called $I*, verify that in the same folder exists an identically named file but with $I replaced with $R (and "take note" of their parent folders)
  3. process each of the found parent folders with the SHDESCRIPTIONID as per the "The Old New Thing" post, to verify that they are not a (rather sophisticated) "false positive"

jaclaz
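
Steps 1 and 2 of the combined procedure in the post above, as an added example that is not part of the original thread: a Python scan that notes every folder holding an INFO2 file or a matched $I/$R pair, whatever the folder is called. The function names and the sample directory tree are constructed for illustration; step 3 (the SHDESCRIPTIONID check) needs the Windows shell API and is not covered.

```python
import os
import tempfile

def find_recycle_bin_candidates(root):
    """Map each folder under root that holds Recycle Bin metadata to the evidence found."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        # Compare upper-cased names: the volume may be mounted case-sensitively
        # when it is examined from another booted OS.
        names = {f.upper() for f in files}
        if "INFO2" in names:                       # step 1: XP-style index file
            found[dirpath] = "INFO2"
            continue
        # step 2: a $I record counts only if its $R twin sits beside it
        if any(n.startswith("$I") and "$R" + n[2:] in names for n in names):
            found[dirpath] = "$I/$R pair"
    return found

def build_sample_tree(base):
    """Create a constructed directory tree (not data from the thread) for the demo."""
    layout = {
        "RECYCLER/S-1-5-21-CONSTRUCTED-1003": ["INFO2", "Dc53.txt"],
        "$Recycle.Bin/S-1-5-21-CONSTRUCTED-1001": ["$IAB12CD.png", "$RAB12CD.png"],
        "RenamedBin/S-1-5-21-CONSTRUCTED-1001": ["$IEF34GH.hta", "$REF34GH.hta"],
        "secrecy/testrer": ["notes.txt"],          # matches *recy*, holds no metadata
        "orphan": ["$IZZ99ZZ.txt"],                # $I record with no $R twin
    }
    for folder, files in layout.items():
        path = os.path.join(base, *folder.split("/"))
        os.makedirs(path)
        for name in files:
            open(os.path.join(path, name), "wb").close()

def demo():
    """Scan the constructed tree; return hits as {relative folder: evidence}."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        hits = find_recycle_bin_candidates(base)
        return {os.path.relpath(p, base).replace(os.sep, "/"): why
                for p, why in hits.items()}

if __name__ == "__main__":
    for folder, why in sorted(demo().items()):
        print(f"{folder}: {why}")
```

The renamed folder is still reported, while the *recy*-named folder and the folder with an unpaired $I file are not.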
