What are the Vista $Recycle.bin subfolders "S-1-5-21-....-1000, 1001"

[phkhgh]

I 1st noticed these protected subfolders when doing a defrag & it showed one still fragmented w/ 500 - 600 MB in it. I always empty the recycle bin - main one at bottom of L pane list in Explorer. Obviously, some weren't being emptied.

What is the purpose of these numbered folders? Even logged on as Admin, access was denied, so I changed permissions & looked in them.
There were 2 of those folders on my D:\. If I delete a file from D:, it shows up in ALL of them - the recycle bin w/ trash can icon on D:, and in both of those numbered subfolders under $Recycle.bin on D:, and in the recycle bin at bottom of Explorer left pane.

Every partition on each of my 2 HDDs has 1, 2 or 3 of these as subfolders of $recycle.bin.
Then each partition has it's own "regular" recycle bin w/ trash can icon.

Thanks.

[Paul Komski]

There is one Recycler/Recycle-bin/$Recycle.bin folder per drive. The "S-....." folders inside it have an ID that references each particular user so that each user can undelete their own material from any particular drive. Its just the same under WinXP.

[phkhgh]

Thanks Paul,

As a test, I deleted a file from C: under one user acct. Deleted file shows up in ALL the unique SID folders under $recycle.bin on C:, AND in every recycle bin & every unique SID folder on every partition, even on other HDDs.

So, if deleted files from a user acct are supposed to show up ONLY in the SID folder created for that acct, that's not what I'm seeing.

What happens if the SID folders are deleted (the S-.....1000, 1001, etc.)?

I'll test further by deleting a file under one acct, then switching to another & see if can empty or restore the other user's deleted file.
Unless I misunderstood you, I should not be able to.

[Paul Komski]

"Special" folders such as the recycle bin and others such as Temprorary Internet Files and Fonts and a host of other special Windows folders (including the Desktop itself) are not normal folders and their contents (as viewed from within Windows) are often virtual and commonly composite collections of files from more than one source.

In addition, when files are "deleted" into the recycle bin they are actually renamed in their true underlying locations. Here is a link to such a forensic analysis in pdf format http://www.forensicfocus.com/downloa...ecycle-bin.pdf

Though there have been some variations on a theme the SIDs used have referred to individual users from WinNT, Win2000, WinXP and onto Vista.

Using a hex editor such as WinHex or by accessing the file system from outside Windows (say from a Linux Live CD) can help in understanding the file hierachy infrastructures better.

Quote:

What happens if the SID folders are deleted

I think they will be recreated as soon as they are next needed.

[Paul Komski]

Found a more easily navigable page at http://www.docstoc.com/docs/2363303/...ta-Recycle-Bin

Note on the last page: In Vista, if one navigates to the $Recycle.Bin directory from a GUI (Explorer), he will not see the file pairs. Vista displays the file with its original name (as XP does). Right-clicking on the file will show the file creation date and the deletion time. The only way to see the file pairs is to navigate to the appropriate directory via the command prompt. A user doing that will only have access to their own SID directory unless they started the command prompt using the “run as” option.