atomizer Posted April 27, 2005

ever stick your foot in the water before committing? well, that's what i'm doing here... figured i'd test the "Get help on everything to do with Windows XP", right in the middle of a MS pond, and see if i drown

why oh why does MS/IE hide files and folders, even after asking it NOT to? even after you ask IE to DELETE your history? what is the reason? why go to the trouble of hiding a user's internet history so well, that even "show hidden files" is meaningless?

example: un-hide the OS's hidden files. open IE and delete your history. gone, right? WRONG! in XP, r-click your /history folder, then properties, and you'll see what i mean. now try to delete them, much less trying to get them to show (a related little adventure is continued below). i forget how, or if, the hidden stuff even shows in 95/98 (using that process), but i know for a fact that those OS's do the same thing. i'll assume the same for all end-user MS OS's as well. i was told by a computer tech/builder that "corporate" editions do not do this, but i have evidence to the contrary.

some time back, when my anger over this was peaking, i started researching it. i found an article written by someone going by the name "the riddler" (do a search, i'll be nice and won't link here) that explained what was going on, but not why. i contacted him and started asking questions. then i asked a law enforcement (LE) friend of mine if he knew anyone in the forensics department. he did. i contacted that guy and we began a session of developing a trust (mostly him trusting me, police are funny that way) through email and, i think, a phone call or two. he started mentioning terms i was unfamiliar with, including "mirror imaging", among others. i began to see where this was headed; that there's a real good possibility that MS hides these files in the event you commit a crime for which there may be evidence stored on your box.

the forensics guy would never come out and admit it, but when i tried to pin him with a direct question along the lines of "is this stuff used by LE?", the best i could get was "what do you think?". i knew exactly what that meant.

is all this speculation? no way. i cannot say i have proof, or even hard evidence, but i can say that i have input from one LE officer, first hand (more, second hand), one alleged ex-MS employee and "the riddler".

if anyone is interested i will try and get permission from the LE guy i know to quote some of his emails.

---

let's play (works for me on XP (probably all NT's), may very well not work for you):

go to your /history folder AFTER you've deleted everything you possibly can from within IE (cache, history, etc.).

send it to a CMD prompt.

CMD> dir

nothing, right?

CMD> attrib -s -h -r *.*

ewww! what have we here?!? i get 1 file (desktop.ini) and 1 directory.

ok, so it's ALL unhidden now, right? sorry charlie...

back to explorer /history. you see "desktop.ini"?

CMD> edit desktop.ini

AH! there it is! its contents will provide a key as to why you can't see this stuff.

now it gets really weird...

CMD> edit desktop.ini

delete the entire 2nd line (begins with "CLSID"), save changes.

now back to explorer, refresh the view. HUH? hmmm... see some new directories maybe?

now this is where it gets really weird...

in explorer, expand "History.IE5" (mine is IE5, i guess, because i'm running an nLite build with IE "removed" (but not its core) -- yea Firefox!)

see some more directories and strange files appear? files with no name? try to manipulate them (view, copy, properties, etc.).

now back to the original "History" directory...

just to be safe...

CMD> attrib -h -r -s *.*
CMD> del *.*

now back to explorer. WHAT!!!

it gets better. just keep playing

atomizer (Author) Posted April 27, 2005

ah, i forgot to mention, and you can play for yourself as well...

after you're done, go back to explorer and close the /history directory. refresh the view. expand it again. rivals some of the best magicians i've seen

another thing...

as i mentioned, i DO NOT use IE. ever. i use firefox. my XP was built with nLite (luv ya!) and IE, but not the core, was removed. while poking around in my "history" directory, i happened to find some log files. these files were generated by a NON-MS application i run -- with a .txt extension. they were never opened in IE. i did open them in notepad. funny thing is, in my "history" directory, they were copied exactly, except they now had an .htm (or .html, don't remember) extension.

what is going on here, i ask?

DigeratiPrime Posted April 27, 2005 (edited)

Desktop.ini tells Explorer.exe how to display the folder, I bet that 'CLSID' tells it to hide the folder despite having view hidden files/folders checked in folder options. Also you don't need to delete the line, just comment it out using a semi-colon ";".

I apologize for not understanding the exact behavior you see happening when you clear the History. Is the folder and Desktop.ini being recreated when you refresh Explorer?

Check out this program, ExplorerXP (freeware), those files don't hide from this.

Glad to hear you're using Firefox btw

Edited April 27, 2005 by DigeratiPrime
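
The desktop.ini check discussed in the posts above, as an added example that is not part of the thread: a small parser that reports whether a folder's desktop.ini declares a shell handler in `[.ShellClassInfo]`, and whether that line is active or commented out with `;`. The sample text and the placeholder GUID are constructed, and treating `CLSID2` and `UICLSID` as handler keys alongside `CLSID` is an assumption.

```python
import re

# CLSID is the key discussed in the thread; CLSID2 and UICLSID are other
# handler keys included here as an assumption.
HANDLER_KEYS = {"clsid", "clsid2", "uiclsid"}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample input; the GUID is a placeholder, not a real class ID.
PLACEHOLDER = "{00000000-0000-0000-0000-0000000000AA}"
SAMPLE_ACTIVE = "[.ShellClassInfo]\r\nCLSID=" + PLACEHOLDER + "\r\n"
SAMPLE_DISABLED = "[.ShellClassInfo]\r\n;CLSID=" + PLACEHOLDER + "\r\n"


def decode_ini(data):
    """desktop.ini may be ANSI or UTF-16 with a byte-order mark."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def shell_handlers(ini_text):
    """Return (active, disabled) lists of (key, guid) from [.ShellClassInfo]."""
    active, disabled = [], []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != ".shellclassinfo":
            continue  # handler keys only count inside this section
        commented = line.startswith(";")
        key, sep, value = line.lstrip("; \t").partition("=")
        if not sep or key.strip().lower() not in HANDLER_KEYS:
            continue
        match = GUID_RE.search(value)
        if match:
            target = disabled if commented else active
            target.append((key.strip(), match.group(0).upper()))
    return active, disabled


if __name__ == "__main__":
    for name, text in (("active", SAMPLE_ACTIVE), ("commented out", SAMPLE_DISABLED)):
        print(name, shell_handlers(text))
```

A folder that reports an active handler is one where the Explorer view is produced by a shell extension rather than a plain directory listing, so its contents are better examined from the command line or with a forensic tool.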

atomizer (Author) Posted April 27, 2005

thanks for that link!

however... i'm not so sure ExplorerXP is showing ALL the files. if you play around with CMD> in /history and go back and forth between that and explorer, you may see what i mean. it's hard to explain. after deleting everything Bill will let you delete, keep refreshing the view in explorer.

DigeratiPrime Posted April 27, 2005 (edited)

i edited my post, just to clean it up a bit. You can upload images here and post a screenshot maybe.

http://imageshack.us/index3.php

[edit] worthy links

http://en.wikipedia.org/wiki/Index.dat
http://www.autoitscript.com/autoit3/docs/appendix/clsid.htm

Edited April 27, 2005 by DigeratiPrime

atomizer (Author) Posted April 27, 2005

> Desktop.ini tells Explorer.exe how to display the folder, I bet that 'CLSID' tells it to hide the folder despite having view hidden files/folders checked in folder options. Also you don't need to delete the line, just comment it out using a semi-colon ";". I apologize for not understanding the exact behavior you see happening when you clear the History. Is the folder and Desktop.ini being recreated when you refresh Explorer?

yes, the CLSID is what hides everything i believe (maybe that key can be looked at in the reg? never tried it yet).

as for your question, it's difficult to answer because i keep going through so many steps that i lose track of exactly what's going on. i know this; if you delete the CLSID line, it will regenerate itself and try to hide everything again. whether the history dir's/files are regenerating, to be honest, i don't know. i have reason to believe that at least some of them are, mainly a dir named "today".

EDITED...

hehe, you were editing while i was as well

thanks for the link (image hosting). i will make available some images tomorrow if i get time.

DigeratiPrime Posted April 27, 2005

explains what gets stored in index.dat: What is index.dat?

This program can open and view the index.dat files: Index.dat Suite 2.8.4 (freeware)