Large Unspecified Backup sector

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have a small harddisk containing a backup paritioned that I have only used
of backups created by Vista.

The parition is now full, containing 200 MB of zipped backup files and 19
GBs of space filled with something that windows explore cannot see. Is this
normal ? Is there anyway around this problem that does not require periodic
reformating of the partition?

System Vista Ultimate 32 bit.

Kuey
 
On Thu, 26 Apr 2007 09:38:09 -0700, KueyBozis
I have a small harddisk containing a backup paritioned that I have only used
of backups created by Vista.

The parition is now full, containing 200 MB of zipped backup files and 19
GBs of space filled with something that windows explore cannot see. Is this
normal ? Is there anyway around this problem that does not require periodic
reformating of the partition?

Several possibilities:

1) Shadow copies

These include both system (System Restore) and data (Previous
Versions) scopes; even if your edition of Vista doesn't support the
latter, it WILL waste time and space maintaining shadow copies of your
data that you can access only if you upgrade (but you're Ultimate
already, so that's not a problem, heh).

Shadow copies will use up to 15% or any volumes where they are
enabled, which defaults to C: only in the case of Vista (unlike SR in
XP or WinME, where all visible volumes get SR'd).

There is command line syntax you can use to limit this amount below
15%, though you cannot manage SR vs. Previous Versions behaviour (or
capacity limits) separately.

2) ADS

These don't show up in the shell UI at all, but Vista has a particular
Dir syntax (Dir /R) that can show them, or you can use something like
the ADS Spy facility in HiJackThis to find them.

AFAIK, Vista doesn't normally store much in ADS, but malware can use
them; you could have an entire malware FTP host running there with the
goodies tucked away as invisible ADS.

3) Normal "hidden" files

I assume you've turned on all the abilities to un-hide system and
hidden files? Else there is much you won't see.

The best tool to quickly and intuitively view space usage, is a
freebie called WinDirStat - I would call it the best utility I've seen
this year, or possibly the last couple of years...

http://windirstat.info/

4) Actively protected files

Malware that is active can actively hide files and folders, by
"censoring" information passing from the system to the UI. Malware
that does this is referred to as "rootkit" in nature.

There are two ways to tackle rootkits; by attempting to detect their
behavior (like poking a stick into a rock to see if it's a sleeping
lion or not) or by scanning for file or registry signature matches
when the rootkit is not active (like pumping a cave full of
anaesthetic gas before going inside to look for lions).

The first method may be less advisable, but it's the most commonly
used. Free rootkit behaviour testers are available from AVG, Sophos,
F-Secure, Rootkit Revealer, Trend etc. and for these to work, you must
be in the most malware-active mode possible, i.e. normal Windows as
opposed to Safe Mode etc.

The second method's trickier, as it requires booting and running all
scanning code independently of your hard drive. Unlike XP, where Bart
was the only game in town, the Vista DVD itself can be uses as the mOS
(maintenance OS) to host such scanning, or you can use WinPE, but
neither thee OSs nor Bart can run scanners relative to the HD
installation's registry the way the RunScanner Bart plugin does in XP.

5) File system corruption

A barfed file system can lose data in this way, such that it is
chained (FATxx) or bitmapped (NTFS) out of the free space and yet
"belongs" to no file, hidden or otherwise.

As this is > 137G, you shouldn't use DOS Mode Scandisk even if the
file system is FAT32. You're pretty much forced to trust ChkDsk.

6) Partition size

Space may be excluded from your volume because it lies outside of it,
i.e. the volume and/or partition doesn't fill the space available.

This can happen if you reduced the size of the partition, as you can
now do without 3rd-party tools or leaving Windows (new in Vista).


------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument
in medicine is the Retrospectoscope
 
Thanks cquirke for your very thorough reply !!

I tried the following:
-locating ADS files using the HiJackThis utility - none found

- locating hidden files using windirstat. Windirstat labels the unavailable
19 Gb's as unknown. PS I already had and used this prog. Yep it is a good one.

- check disk using windows utility. No problems found.

As the "space" was being "lost" each time Vista was backing up, I guess the
cause must be related to the creation of shadow copies. The only thing that
does not make sense is that the unknown space is occupying 99% of the
parition rather than just 15%.

I will try reformating the parition and reinitiating backup and see if it
happens again.

Kuey
 
Back
Top