Mystery file


jason

I'm not sure this is the right place to ask; if not please point me
elsewhere...

When I run disk defragmentation on the C: partition, there is one
gigantic section of the disk flagged as a system file(s?). It is larger
than the paging or hibernation files. The defragmenter has a "cluster
explorer" feature that lists the files, or portions of them, in a
selected block. The blocks in this huge file(s?) show up as "$Secure;
$SDS; $DATA". I am wondering what this is. Also, chkdsk spends about
forever in Phase 3, "verifying security descriptors" when I run it; I
suspect that has something to do with this very large file as well.


TIA

Jason
 
NTFS metadata files
From http://www.windowsnetworking.com/nt/atips/atips164.shtml:

The metadata files and description
$MFT - Master File Table
$MFTMIRR - Copy of the first 16 records of the MFT
$LOGFILE - Transactional logging file
$VOLUME - Volume serial number, creation time, and dirty flag
$ATTRDEF - Attribute definitions
.. - Root directory of the disk
$BITMAP - Contains drive's cluster map (in-use vs. free)
$BOOT - Boot record of the drive
$BADCLUS - Lists bad clusters on the drive
$QUOTA - Contains user quota information (implemented in W2k as $Secure)
$UPCASE - Maps lowercase characters to their uppercase version

I have no clue of $SDS or $SDATA: you might have made a typo since those
files are not part of the standard NTFS metadata. Try your luck google-ing
(didn't work for me)

These files are hidden by the filesystem API (if you want to analyze them,
write a driver because userspace APIs will not allow you to view or modify
those files; kernel mode = freedom!!!!
or use WinHex for raw disk/partition mode)
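The "$Secure; $SDS; $DATA" label from the cluster explorer is the $DATA attribute named $SDS of the $Secure metadata file. NTFS stores every distinct security descriptor on the volume once in this stream, indexes it by hash ($SDH) and by security id ($SII), and gives each file only a 4-byte security id in its $STANDARD_INFORMATION attribute. The following is an added example, not code from this thread or from any tool named in it, showing how a forensic parser reads $SDS entries from a raw image: it decodes the 20-byte entry header (hash, security id, offset, length) and the self-relative SECURITY_DESCRIPTOR behind it (owner, group, DACL), and recomputes the stored hash so that a corrupted or tampered descriptor stands out. The hash (rotate-left-3-and-add over little-endian dwords) is the one ntfs-3g implements; the SIDs, access mask and security ids are constructed sample values, and the parser handles a single block of the stream (Windows writes $SDS in 256 KiB blocks, each immediately followed by a copy of itself, which is one reason the stream is larger than the descriptors it holds).

```python
"""Parse entries of the NTFS $Secure:$SDS stream (sample data constructed below)."""
import struct

SDS_HEADER = struct.Struct("<IIQI")    # hash, security_id, offset in $SDS, entry length
SD_HEADER = struct.Struct("<BBHIIII")  # rev, sbz1, control, owner/group/sacl/dacl offsets
SE_SELF_RELATIVE, SE_DACL_PRESENT = 0x8000, 0x0004
ACCESS_ALLOWED, ACCESS_DENIED = 0, 1


def rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sds_hash(descriptor):
    """Hash stored in every $SDS entry (and keyed in $SDH): for each little-endian
    dword of the descriptor, hash = rol32(hash, 3) + dword, as ntfs-3g implements it."""
    h = 0
    for (dword,) in struct.iter_unpack("<I", descriptor[: len(descriptor) & ~3]):
        h = (rol32(h, 3) + dword) & 0xFFFFFFFF
    return h


def parse_sid(buf, off):
    """Decode a binary SID at buf[off] into S-R-A-S1-S2... form; returns (text, size)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf, off):
    """Return the ACEs of an ACL; SIDs are decoded for the plain allow/deny types only."""
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid = parse_sid(buf, pos + 8)[0] if ace_type in (ACCESS_ALLOWED, ACCESS_DENIED) else None
        aces.append({"type": ace_type, "flags": ace_flags, "mask": mask, "sid": sid})
        pos += ace_size
    return aces


def parse_descriptor(sd):
    """Decode a self-relative SECURITY_DESCRIPTOR (all offsets relative to its start)."""
    _, _, control, o_owner, o_group, _o_sacl, o_dacl = SD_HEADER.unpack_from(sd)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("$SDS descriptors must be self-relative")
    return {
        "control": control,
        "owner": parse_sid(sd, o_owner)[0] if o_owner else None,
        "group": parse_sid(sd, o_group)[0] if o_group else None,
        "dacl": parse_acl(sd, o_dacl) if (control & SE_DACL_PRESENT and o_dacl) else None,
    }


def parse_sds(block, base_offset=0):
    """Walk one $SDS block. Entries are 16-byte aligned; a zero length marks the padding
    at the end of a block. hash_ok/offset_ok flag corrupted or misplaced entries."""
    entries, pos = [], 0
    while pos + SDS_HEADER.size <= len(block):
        h, sec_id, offset, length = SDS_HEADER.unpack_from(block, pos)
        if length == 0:
            break
        sd = block[pos + SDS_HEADER.size:pos + length]
        entries.append({"security_id": sec_id, "offset": offset, "length": length,
                        "hash_ok": h == sds_hash(sd), "offset_ok": offset == base_offset + pos,
                        **parse_descriptor(sd)})
        pos += (length + 15) & ~15
    return entries


# --- constructed sample data (not taken from any real volume) -------------------
def build_sid(authority, *subs):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid


def build_acl(*aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def build_descriptor(owner, group, dacl=b""):
    o_owner = SD_HEADER.size
    o_group = o_owner + len(owner)
    o_dacl = o_group + len(group) if dacl else 0
    control = SE_SELF_RELATIVE | (SE_DACL_PRESENT if dacl else 0)
    return SD_HEADER.pack(1, 0, control, o_owner, o_group, 0, o_dacl) + owner + group + dacl


def build_sds_entry(security_id, offset, sd):
    length = SDS_HEADER.size + len(sd)
    entry = SDS_HEADER.pack(sds_hash(sd), security_id, offset, length) + sd
    return entry + b"\0" * (-len(entry) % 16)  # pad to the 16-byte boundary


ADMINS, SYSTEM, EVERYONE = build_sid(5, 32, 544), build_sid(5, 18), build_sid(1, 0)
SD_FULL = build_descriptor(ADMINS, SYSTEM, build_acl(build_ace(ACCESS_ALLOWED, 0x1F01FF, EVERYONE)))
SD_NO_DACL = build_descriptor(ADMINS, SYSTEM)
ENTRY1 = build_sds_entry(0x100, 0, SD_FULL)                # 96 bytes, no padding needed
ENTRY2 = build_sds_entry(0x101, len(ENTRY1), SD_NO_DACL)   # 68 bytes, padded to 80
SAMPLE_SDS = ENTRY1 + ENTRY2 + b"\0" * 32                  # two entries plus block padding


def tampered_sample():
    """Same block with the low byte of the first descriptor's ACE access mask flipped."""
    buf = bytearray(SAMPLE_SDS)
    buf[SDS_HEADER.size + 60] ^= 0xFF  # byte 60 of SD_FULL is the ACE mask
    return bytes(buf)


if __name__ == "__main__":
    for e in parse_sds(SAMPLE_SDS) + parse_sds(tampered_sample()):
        print(e["security_id"], e["owner"], e["group"], e["dacl"], "hash_ok=%s" % e["hash_ok"])
```

On a real image the block passed to parse_sds is a 256 KiB slice of the $SDS stream and base_offset is its position in the stream, so that offset_ok checks the entry against where it was actually read; the mirrored copy that follows each block can be compared entry by entry the same way.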
 
NTFS metadata files
From http://www.windowsnetworking.com/nt/atips/atips164.shtml:

The metadata files and description
$MFT - Master File Table
-snip-

I have no clue of $SDS or $SDATA: you might have made a typo since those
files are not part of the standard NTFS metadata. Try your luck google-ing
(didn't work for me)

No typo... those are what shows. I also tried google searches and MS KB
searches that turned up nothing. That's why I asked.

I'll just drink some anti-paranoia elixir and keep looking.

Thanks,

Jason
 
You might consider running a rootkit detection app:

F-Secure's BlackLight or Sysinternals' Rootkit Revealer.

Knowing something about what apps you run might help as well.

I hesitate to post this, because I don't get here very often, but checking
for rootkits would be one way of differentiating "good" metadata from
something else.
 
You might consider running a rootkit detection app:

F-Secure's BlackLight or Sysinternals' Rootkit Revealer.

Knowing something about what apps you run might help as well.

I hesitate to post this, because I don't get here very often, but checking
for rootkits would be one way of differentiating "good" metadata from
something else.

Thanks for the pointers, Bill. I did run a rootkit finder, though not
either of those you mention. I took a look at the Sysinternals rootkit
revealer page and it lists $Secure as a Win Server 2003 NTFS metadata
file, but no mention of $SDS or $DATA. I'll try out those you suggested.

Jason
 
Knowing something about what apps you run might help as well.

I forgot to address that. I don't think there's a clue to be had - it's
a tired old Thinkpad that I use almost exclusively for Web browsing
(Firefox) and Outlook email. Security software is McAfee Security Center
that's up to date, and I have a couple of spyware finders that I run
occasionally. The system is clean in terms of spyware and viruses as far
as I know.

Jason
 
I tried the Sysinternals root kit finder and it didn't find anything. I
guess that's positive : )


Jason
 
I guess I'd say this is more of a curiosity than something I'd see as
worrisome at this point--these seem like normal system metadata--we just
don't seem to have a complete list. Have you run a scandisk lately? (just
wondering if anything about the time to scan issues you mentioned might
relate to a physical disk issue.)
 
I guess I'd say this is more of a curiosity than something I'd see as
worrisome at this point--these seem like normal system metadata--we just
don't seem to have a complete list. Have you run a scandisk lately? (just
wondering if anything about the time to scan issues you mentioned might
relate to a physical disk issue.)

I think the disk hardware is ok. As I mentioned, phase 3 of chkdsk takes
forever, but it finishes. When I run a boot-time chkdsk, including the
phases to scan for/repair bad sectors all is ok.

I'm not really worried about this after running every checking utility I
can find, but the fact that this hunk of invisible storage consumes
about 25% of the entire partition made me wonder what's going on...

Jason
 