Tip: Get 7 Free Tools for Managing Disks and File Systems

Microsoft provides several free tools that are very useful for managing disks and file systems. Here are 7 free tools every administrator should download.

Disk Usage
Perhaps the biggest challenge of managing file systems is managing disk usage. Quotas can help, but often you will still need to manually identify folders and files that are consuming large amounts of disk space.

The Disk Usage (Du) tool, available as a free download, can identify the amount of disk space a folder and its subfolders consume. Run Du.exe with the folder you want to analyze. For example:

 

Du C:\users\ 

  Du v1.33 - report directory disk usage 
  Copyright (C) 2005-2007 Mark Russinovich 
  Sysinternals - www.sysinternals.com 

  Files: 96459 
  Directories: 19696 
  Size: 51,641,352,816 bytes 
  Size on disk: 47,647,077,498 bytes

EFSDump
Users can share EFS-encrypted files by adding other user certificates to a file. However, auditing the users who have rights to files would be very time-consuming using the Windows Explorer graphical interface. To list users who have access to encrypted files more easily, use EFSDump, which is available as a free download.

For example, to list the users who have access to files in the encrypted subfolder, run the following command:

Efsdump -s encrypted 

  EFS Information Dumper v1.02 
  Copyright (C) 1999 Mark Russinovich 
  Systems Internals - https://www.sysinternals.com 

  C:\Users\User1\Documents\Encrypted\MyFile.txt: 
  DDF Entry:
      COMPUTER\User1: 
          User1(User1@COMPUTER) 
  DDF Entry: 
      COMPUTER\User2: 
          User2(User2@COMPUTER) 
  DRF Entry:

SDelete
When you delete a file, Windows removes the index for the file and prevents the operating system from accessing the file’s contents. However, an attacker with direct access to the disk can still recover the file’s contents until it has been overwritten by another file—which might never happen. Similarly, files that have been EFS-encrypted leave behind the unencrypted contents of the file on the disk.

With the SDelete tool, available as a free download, you can overwrite the contents of free space on your disk to prevent deleted or encrypted files from being recovered.

To use SDelete to overwrite deleted files on the C drive, run the following command:

Sdelete -z C: 

  SDelete - Secure Delete v1.51 
  Copyright (C) 1999-2005 Mark Russinovich 
  Sysinternals - www.sysinternals.com 

  SDelete is set for 1 pass. 
  Free space cleaned on C:

Streams
NTFS files can contain multiple streams of data. Each stream resembles a separate file but is listed within a single filename. Streams are accessed using the syntax file:stream, and by default, the main stream is unnamed (and hence is accessed when you simply specify the filename).

For example, you can use the echo command to create a file or a specific stream. To create a stream named Data for the file named Text.txt, run the following command:

Echo Hello, world > text.txt:data

Directory listings will show that the Text.txt file is zero bytes long, and opening the file in a text editor will show nothing. However, it does contain data in the Data stream, which you can demonstrate by running the following command:

More < text.txt:data

  Hello, world

Legitimate programs often use streams. However, malicious software also uses streams to hide data. You can use the Streams program, available as a free download, to list streams. For example, to list all files with streams within the Windows directory, run the following command:

Streams -s %windir% 

  Streams v1.56 - Enumerate alternate NTFS data streams 
  Copyright (C) 1999-2007 Mark Russinovich 
  Sysinternals - www.sysinternals.com 
  
  C:\Windows\Thumbs.db: 
    :encryptable:$DATA 0 
  C:\Windows\PLA\System\LAN Diagnostics.xml: 
    :0v1ieca3Feahez0jAwxjjk5uRh:$DATA 2524 
    :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0 
  C:\Windows\PLA\System\System Diagnostics.xml: 
    :0v1ieca3Feahez0jAwxjjk5uRh:$DATA 5384 
    :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0 
  C:\Windows\PLA\System\System Performance.xml: 
    :0v1ieca3Feahez0jAwxjjk5uRh:$DATA 500 
    :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0 
  C:\Windows\PLA\System\Wireless Diagnostics.xml: 
    :0v1ieca3Feahez0jAwxjjk5uRh:$DATA 3240 
    :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0 
  C:\Windows\ShellNew\Thumbs.db: 
    :encryptable:$DATA 0 
  C:\Windows\System32\Thumbs.db: 
    :encryptable:$DATA 0

As you can see from this output, several files in subdirectories within the C:\Windows\ directory have a stream named $DATA.
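
The same audit can be done without downloading anything by using the -Stream parameter of Get-Item (PowerShell 3.0 or later). The following is an added example, not part of the original tip; the function name Find-AlternateStream and its allow list are assumptions made for illustration.

```powershell
# Added example: enumerate alternate data streams with built-in cmdlets.
# The function name and the -Allow list are illustrative assumptions.
function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names treated as expected. Assumed starting list: adjust it
        # to what is normal on your systems.
        [string[]] $Allow = @('Zone.Identifier', 'encryptable')
    )

    # -File skips directories; -Force includes hidden and system files.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        # The unnamed main stream is reported as ':$DATA'; everything else
        # is an alternate stream.
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File     = $_.FileName
                Stream   = $_.Stream
                Length   = $_.Length
                Expected = $Allow -contains $_.Stream
            }
        }
}

# Triage view: non-empty streams that are not on the allow list, largest first.
Find-AlternateStream -Path $env:windir |
    Where-Object { -not $_.Expected -and $_.Length -gt 0 } |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

To inspect a stream that the listing flags, read it with Get-Content -Path <file> -Stream <name>.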

Sync
In some cases, Windows might cache data before writing it to the disk. When a computer is shut down normally, all cached data is written to the disk. If you plan to shut down a computer forcibly (by initiating a Stop error or disconnecting the power), you can run the Sync command to flush all file system data to the disk. Sync, which is available as a free download, is also useful to ensure that all data is written to removable disks.

The simplest way to use Sync is to run it with no parameters and with administrative privileges, which flushes data for all disks:

sync 

  Sync 2.2: Disk Flusher for Windows 9x/Me/NT/2K/XP 
  Copyright (C) 1997-2004 Mark Russinovich 
  Sysinternals - www.sysinternals.com 

  Flushing: C E F

To flush data for the F drive removable disk and then eject it, run the following command:

Sync -r -e F: 

  Sync 2.2: Disk Flusher for Windows 9x/Me/NT/2K/XP 
  Copyright (C) 1997-2004 Mark Russinovich 
  Sysinternals - www.sysinternals.com 

  Flushing: F

MoveFile
Files can’t be moved when they’re in use by the operating system or an application. If a file is constantly in use, you can schedule Windows to move the file during startup using the MoveFile tool, available as a free download.

Use MoveFile exactly as you would use the move command, as in the following example:

Movefile file.txt test\file.txt 

  Movefile v1.0 - copies over an in-use file at boot time 
  Move successfully scheduled.

The file will not be moved immediately. However, the next time the computer is restarted, Windows will move the file. If you want to delete a file that is constantly in use (a common requirement for removing malicious software), provide "" as the destination as in the following example:

Movefile file2.txt "" 
  
  Movefile v1.0 - copies over an in-use file at boot time 
  Move successfully scheduled.

PendMoves
The same free download that includes MoveFile also includes the PendMoves tool. This tool displays moves and deletions that have been scheduled. You can simply run the command without parameters, as the following example demonstrates:

pendmoves

  PendMove v1.1 
  Copyright (C) 2004 Mark Russinovich 
  Sysinternals - wwww.sysinternals.com 

  Source: C:\Users\User1\Documents\file.txt 
  Target: C:\Users\User1\Documents\dest\file.txt 

  Source: C:\Users\User1\Documents\file2.txt 
  Target: DELETE 

  Time of last update to pending moves key: 2/27/2008 10:08 AM
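
Scheduled moves are stored in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, so the list can also be read directly when PendMoves is not available. The following is an added example, not part of the original tip; the function name Get-PendingFileMove is an assumption made for illustration.

```powershell
# Added example: decode the boot-time move list straight from the registry.
# The function name is an illustrative assumption.
function Get-PendingFileMove {
    [CmdletBinding()]
    param()

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -LiteralPath $key -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue
    if (-not $prop) { return }   # value absent: nothing is scheduled

    # REG_MULTI_SZ laid out as source, target, source, target, ...
    $entries = @($prop.PendingFileRenameOperations)

    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $source = $entries[$i]
        $target = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }
        if ([string]::IsNullOrEmpty($source)) { continue }

        # A leading '!' on the target means "replace an existing file".
        $replace = $target.StartsWith('!')
        if ($replace) { $target = $target.Substring(1) }

        [pscustomobject]@{
            Source  = $source -replace '^\\\?\?\\', ''   # strip the NT '\??\' prefix
            Action  = if ($target) { 'Move' } else { 'Delete' }   # empty target = delete
            Target  = $target -replace '^\\\?\?\\', ''
            Replace = $replace
        }
    }
}

# Review what will be moved or deleted at the next restart.
Get-PendingFileMove | Sort-Object Action, Source | Format-Table -AutoSize
```

Installers and updates also use this value, so entries are expected on a healthy system; the point of the review is to spot deletions or replacements you cannot account for.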

From the Microsoft Press book The Windows 7 Resource Kit by Mitch Tulloch, Tony Northrup, Jerry Honeycutt, Ed Wilson, and the Windows 7 Team at Microsoft.
