Get 7 Free Tools for Managing Disks and File Systems
Manage disk usage, delete files permanently, monitor streams, and more.
Microsoft provides several free tools that are very useful for managing disks and file systems. Here are 7 free tools every administrator should download.
Disk Usage
Perhaps the biggest challenge of managing file systems is managing disk usage. Quotas can help, but often you will still need to manually identify folders and files that are consuming large amounts of disk space.
The Disk Usage (Du) tool, available as a free download, can identify the amount of disk space a folder and its subfolders consume. Run Du.exe with the folder you want to analyze. For example:
Du C:\users\
Du v1.33 - report directory disk usage
Copyright (C) 2005-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
Files: 96459
Directories: 19696
Size: 51,641,352,816 bytes
Size on disk: 47,647,077,498 bytes
EFSDump
Users can share EFS-encrypted files by adding other user certificates to a file. However, auditing the users who have rights to files would be very time-consuming using the Windows Explorer graphical interface. To list users who have access to encrypted files more easily, use EFSDump, which is available as a free download.
For example, to list the users who have access to files in the encrypted subfolder, run the following command:
Efsdump -s encrypted
EFS Information Dumper v1.02
Copyright (C) 1999 Mark Russinovich
Systems Internals - http://www.sysinternals.com
C:\Users\User1\Documents\Encrypted\MyFile.txt:
DDF Entry:
COMPUTER\User1:
User1(User1@COMPUTER)
DDF Entry:
COMPUTER\User2:
User2(User2@COMPUTER)
DRF Entry:
SDelete
When you delete a file, Windows removes the index for the file and prevents the operating system from accessing the file’s contents. However, an attacker with direct access to the disk can still recover the file’s contents until it has been overwritten by another file, which might never happen. Similarly, files that have been EFS-encrypted leave behind the unencrypted contents of the file on the disk.
With the SDelete tool, available as a free download, you can overwrite the contents of free space on your disk to prevent deleted or encrypted files from being recovered.
To use SDelete to overwrite deleted files on the C drive, run the following command:
Sdelete -z C:
SDelete - Secure Delete v1.51
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com
SDelete is set for 1 pass.
Free space cleaned on C:
Streams
NTFS files can contain multiple streams of data. Each stream resembles a separate file but is listed within a single filename. Streams are accessed using the syntax file:stream, and by default, the main stream is unnamed (and hence is accessed when you simply specify the filename).
For example, you can use the echo command to create a file or a specific stream. To create a stream named Data for the file named Text.txt, run the following command:
Echo Hello, world > text.txt:data
Directory listings will show that the Text.txt file is zero bytes long, and opening the file in a text editor will show nothing. However, it does contain data in the Data stream, which you can demonstrate by running the following command:
More < text.txt:data
Hello, world
Legitimate programs often use streams. However, malicious software also uses streams to hide data. You can use the Streams program, available as a free download, to list streams. For example, to list all files with streams within the Windows directory, run the following command:
Streams -s %windir%
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Windows\Thumbs.db:
:encryptable:$DATA 0
C:\Windows\PLA\System\LAN Diagnostics.xml:
:0v1ieca3Feahez0jAwxjjk5uRh:$DATA 2524
:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0
C:\Windows\PLA\System\System Diagnostics.xml:
:0v1ieca3Feahez0jAwxjjk5uRh:$DATA 5384
:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0
C:\Windows\PLA\System\System Performance.xml:
:0v1ieca3Feahez0jAwxjjk5uRh:$DATA 500
:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0
C:\Windows\PLA\System\Wireless Diagnostics.xml:
:0v1ieca3Feahez0jAwxjjk5uRh:$DATA 3240
:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA 0
C:\Windows\ShellNew\Thumbs.db:
:encryptable:$DATA 0
C:\Windows\System32\Thumbs.db:
:encryptable:$DATA 0
As you can see from this output, several files in subdirectories within the C:\Windows\ directory have a stream named $DATA.
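The same audit can be run with PowerShell's built-in stream support, which makes it easy to filter on stream name and size. This is an added example, not part of the original article or the Streams tool; the function name Get-NamedStream, the demo folder under %TEMP%, and the Zone.Identifier ignore list are assumptions.

```powershell
# Added example: enumerate named (alternate) NTFS data streams under a folder.
# Requires PowerShell 3.0 or later and an NTFS volume.
function Get-NamedStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed ignore list of routine stream names; tune it for your environment.
        [string[]] $Ignore = @('Zone.Identifier')
    )
    # -File limits the walk to files; -Force includes hidden and system files.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        # ':$DATA' is the unnamed main stream; everything else is a named stream.
        Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# Constructed sample input: recreate the article's text.txt:data case in a temp folder.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'text.txt'
New-Item -ItemType File -Path $file -Force | Out-Null       # zero-byte main stream
Set-Content -Path $file -Stream data -Value 'Hello, world'  # content lives in the named stream

# The directory listing reports 0 bytes, but the named stream holds the text.
Get-Item -Path $file | Select-Object Name, Length
Get-NamedStream -Path $demo | Format-Table -AutoSize

# Audit a real tree: named streams that actually contain data, largest first.
Get-NamedStream -Path $env:windir |
    Where-Object { $_.Length -gt 0 } |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

Zero-length named streams, like the encryptable entries in the output above, drop out of the final listing, which leaves the streams that carry content for review.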
Sync
In some cases, Windows might cache data before writing it to the disk. When a computer is shut down normally, all cached data is written to the disk. If you plan to shut down a computer forcibly (by initiating a Stop error or disconnecting the power), you can run the Sync command to flush all file system data to the disk. Sync, which is available as a free download, is also useful to ensure that all data is written to removable disks.
The simplest way to use Sync is to run it with no parameters and with administrative privileges, which flushes data for all disks:
sync
Sync 2.2: Disk Flusher for Windows 9x/Me/NT/2K/XP
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
Flushing: C E F
To flush data for the F drive removable disk and then eject it, run the following command:
Sync -r -e F:
Sync 2.2: Disk Flusher for Windows 9x/Me/NT/2K/XP
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
Flushing: F
MoveFile
Files can’t be moved when they’re in use by the operating system or an application. If a file is constantly in use, you can schedule Windows to move the file during startup using the MoveFile tool, available as a free download.
Use MoveFile exactly as you would use the move command, as in the following example:
Movefile file.txt test\file.txt
Movefile v1.0 - copies over an in-use file at boot time
Move successfully scheduled.
The file will not be moved immediately. However, the next time the computer is restarted, Windows will move the file. If you want to delete a file that is constantly in use (a common requirement for removing malicious software), provide "" as the destination, as in the following example:
Movefile file2.txt ""
Movefile v1.0 - copies over an in-use file at boot time
Move successfully scheduled.
PendMoves
The same free download that includes MoveFile also includes the PendMoves tool. This tool displays moves and deletions that have been scheduled. You can simply run the command without parameters, as the following example demonstrates:
pendmoves
PendMove v1.1
Copyright (C) 2004 Mark Russinovich
Sysinternals - wwww.sysinternals.com
Source: C:\Users\User1\Documents\file.txt
Target: C:\Users\User1\Documents\dest\file.txt
Source: C:\Users\User1\Documents\file2.txt
Target: DELETE
Time of last update to pending moves key: 2/27/2008 10:08 AM
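Scheduled moves and deletions are stored in the PendingFileRenameOperations value under the Session Manager registry key, so the list can also be read and reviewed from PowerShell before a restart. This is an added example, not part of the original article or the PendMoves tool; the function name Get-PendingFileOperation and the output property names are assumptions.

```powershell
# Added example: list file moves and deletions scheduled for the next restart.
function Get-PendingFileOperation {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $name = 'PendingFileRenameOperations'
    $raw  = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $raw) { return }   # value absent or empty: nothing is scheduled

    # The value is a REG_MULTI_SZ of source/target pairs. Paths carry the NT
    # prefix \??\; an empty target means "delete at restart"; a leading "!"
    # on the target means an existing destination file may be replaced.
    $entries = @($raw)
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $source = $entries[$i] -replace '^\\\?\?\\', ''
        # Tolerate an odd entry count by treating a missing target as a delete.
        $target = if ($i + 1 -lt $entries.Count) { [string]$entries[$i + 1] } else { '' }
        $overwrite = $target.StartsWith('!')
        $target = $target.TrimStart('!') -replace '^\\\?\?\\', ''

        [pscustomobject]@{
            Action       = if ($target) { 'Move' } else { 'Delete' }
            Source       = $source
            Target       = $target
            Overwrite    = $overwrite
            SourceExists = Test-Path -LiteralPath $source
        }
    }
}

# Review what will happen at the next restart, deletions first.
Get-PendingFileOperation | Sort-Object Action | Format-Table -AutoSize
```

Reading the value does not require elevation, so the check can run as part of a routine pre-restart review; an entry you did not schedule yourself is worth tracing back to the installer or process that created it.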
From the Microsoft Press book The Windows 7 Resource Kit by Mitch Tulloch, Tony Northrup, Jerry Honeycutt, Ed Wilson, and the Windows 7 Team at Microsoft.
credit: technet.microsoft.com