How do I overwrite the slack file space?

Posted on 2003-10-28
Last Modified: 2010-04-16
I want to sweep the unused file space from a drive.
I tried to create a file bigger than the free disk space. I write random bytes to this file and then I delete them, but it is a very slow operation on my HDD with 20 GB of free space.

I need a new solution or some ideas. Thanks.
Question by: PhotonX

Expert Comment

ID: 9633813
I think it's rather difficult.
The code will differ for different file systems (FAT, NTFS, ...).

Accepted Solution

GloomyFriar earned 25 total points
ID: 9633831
Here is some information that can help.

A file is stored on a disk drive (and other media) in one or more clusters. Clusters are the atomic unit of data allocation, made up of one or more sectors. Sectors, in turn, are physical storage units.

As a file is written to the disk, the file may not be written in contiguous clusters. Noncontiguous clusters slow down the process of reading and writing the file. The farther apart on the disk the noncontiguous clusters are, the worse the problem because of the time it takes to move the hard drive's read/write head. A file with noncontiguous clusters is said to be fragmented. To optimize files for fast access, a volume may be defragmented.

Defragmentation is the process of moving portions of files around on the disk in order to defragment files; that is, the process of moving a file's clusters on the disk to make them contiguous.

In a simple single-tasking operating system, defragmentation is straightforward: the defragmentation software is the sole task, and there are no other processes to read from or write to the disk. However, in a multitasking operating system, some processes may be reading from and writing to the hard drive while another process is trying to defragment that hard drive. The trick is to avoid writes to the file being defragmented without stopping the writing process for very long. Solving this problem is not trivial, but it is possible.

Some file systems are publicly documented, such as the FAT16 and FAT32 file systems. This allows programmers to manipulate on-disk data structures (such as file allocation tables, or FAT) directly. However, NTFS is deliberately opaque. To allow defragmentation of NTFS without requiring detailed knowledge of the disk structure of NTFS, a set of three DeviceIoControl operations is provided. The three operations allow applications to locate empty clusters, determine the disk location of file clusters, and move clusters on the disk. The DeviceIoControl operations transparently handle the problem of inhibiting and allowing other processes to read from and write to files during moves.

These same DeviceIoControl operations also work with FAT volumes.

These operations can be performed without inhibiting other processes from running. However, the other processes will have slower response times while a disk drive is being defragmented.

Clusters may be referred to from two different perspectives: within the file and on the volume. Any cluster in a file has a virtual cluster number (VCN), which is its relative offset from the beginning of the file. For example, a seek to twice the size of a cluster, followed by a read, will return data beginning at the third VCN. A logical cluster number (LCN) describes the offset of a cluster from some arbitrary point within the volume. LCNs should be treated only as ordinal, or relative, numbers. There is no guaranteed mapping of logical clusters to physical hard drive sectors.

An extent is a run of contiguous clusters. For example, suppose a file consisting of thirty clusters is recorded in two extents. The first extent might consist of five contiguous clusters, the other of the remaining 25 clusters.

There is no guarantee of any relationship on the disk of any extent to any other extent. For example, the first extent may be at a higher LCN than a subsequent extent.

To defragment a file, use the following steps:

1. Use the FSCTL_GET_VOLUME_BITMAP control code to find a place on the volume large enough to accept the entire file. If necessary, move other files to make a place that's large enough. Ideally, there will be enough unallocated clusters after the first extent of the file that you can simply move subsequent extents into the space after the first extent.
2. Use the FSCTL_GET_RETRIEVAL_POINTERS control code to get a map of the current layout of the file on the disk.
3. Walk the RETRIEVAL_POINTERS_BUFFER structure returned by FSCTL_GET_RETRIEVAL_POINTERS. Use the FSCTL_MOVE_FILE control code to move each cluster as you walk the structure. You may need to renew either the bitmap or the retrieval structure, or both, from time to time as other processes write to the disk.

Two of the operations used in the defragmentation process require handles to volumes. Only administrators can open volumes to handles, so only administrators can defragment volumes. Your program should check the privileges of the user attempting to run defragmentation software, and it should not execute if the user does not have the appropriate security credentials.

In Windows 2000 and earlier versions of Windows, the FSCTL_MOVE_FILE control code operated only on NTFS volumes with a cluster size of less than 4K. In Windows XP, NTFS volumes with a cluster size of greater than 4K can be accommodated. NTFS format defaults to cluster sizes of 4K or less, so volumes with cluster sizes larger than 4K are rare. The following is a table of defragmentation structures and the associated control codes.

Defragmentation structures Control code

When using CreateFile to open a directory during defragmentation of a FAT or FAT32 volume, do not specify the MAXIMUM_ALLOWED access mask value. Access to the directory will be denied if this is done. Specify the GENERIC_READ access mask value instead.

Do not attempt to move allocated clusters in an NTFS file system that extend beyond the cluster rounded file size. If attempted, this will result in an error condition.

Reparse points, bitmaps, and attribute lists in NTFS volumes can be defragmented under Windows XP. Each of these can be opened for reading and synchronization, and are named using the file:name:type syntax—for example, $i30:$INDEX_ALLOCATION, mrp::$DATA, mrp::$REPARSE_POINT, and mrp::$ATTRIBUTE_LIST.

Under Windows XP, NTFS defragments uncompressed files at the cluster boundary. Under Windows 2000, this was done at the page boundary.

Under Windows 2000, an attempt to defragment the space between the file size and the allocation size will fail. However, you can do this under Windows XP.

When defragmenting NTFS volumes, defragmenting a virtual cluster beyond the file's allocation size is allowed.

The MFT could not be used for defragmentation under Windows 2000, but under Windows XP this restriction is removed. Also, the MFT itself can be defragmented. For a description of the Master File Table and the MFT Zone, refer to The Master File Table and the MFT Zone.

We recommend that you leave as much space at the beginning of the MFT Zone as possible before defragmenting the volume to reduce the chance of the MFT Zone becoming fully allocated before the defragmentation process is complete. If the MFT Zone becomes fully allocated before defragmentation has completed, it is important that unallocated space be available outside of the MFT Zone.
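The free-cluster search from step 1, as an added example that is not part of the original answer or of any Microsoft sample. It scans a bitmap buffer that has already been read, so it needs no volume handle; the `vol_bitmap` type, the function names and the sample bytes are hypothetical, and it assumes one bit per cluster, 1 = allocated, least significant bit first.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the buffer FSCTL_GET_VOLUME_BITMAP fills in (hypothetical type).
   Assumption: one bit per cluster, 1 = allocated, least significant bit first. */
typedef struct {
    int64_t starting_lcn;    /* LCN represented by bit 0 of bits[0] */
    int64_t cluster_count;   /* number of valid bits in the buffer */
    const uint8_t *bits;
} vol_bitmap;

static int cluster_in_use(const vol_bitmap *bm, int64_t i)
{
    return (bm->bits[i / 8] >> (i % 8)) & 1;
}

/* First LCN that starts a run of at least `need` free clusters, or -1 if none. */
int64_t find_free_run(const vol_bitmap *bm, int64_t need)
{
    int64_t run = 0;
    if (need <= 0) return -1;
    for (int64_t i = 0; i < bm->cluster_count; i++) {
        run = cluster_in_use(bm, i) ? 0 : run + 1;   /* an allocated cluster resets the run */
        if (run == need)
            return bm->starting_lcn + i - need + 1;
    }
    return -1;
}

/* Number of unallocated clusters: the amount a free-space sweep has to cover. */
int64_t count_free(const vol_bitmap *bm)
{
    int64_t n = 0;
    for (int64_t i = 0; i < bm->cluster_count; i++)
        n += !cluster_in_use(bm, i);
    return n;
}

/* Constructed sample: 20 clusters starting at LCN 100; the padding bits past 20 are ignored. */
static const uint8_t SAMPLE_BITS[] = { 0x9F, 0xC1, 0x0F };
const vol_bitmap SAMPLE = { 100, 20, SAMPLE_BITS };

int main(void)
{
    printf("free clusters: %lld\n", (long long)count_free(&SAMPLE));
    printf("first run of 5: LCN %lld\n", (long long)find_free_run(&SAMPLE, 5));
    return 0;
}
```

On a live volume the bitmap goes stale as other processes write, which is why the answer says to renew it from time to time.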


Assisted Solution

ttd earned 25 total points
ID: 9640235

To fully solve your problem, we have to investigate two cases:

1. If you just want to sweep the space not used by files, the simplest way is the one you have tried: continuously write random data to a file until you get a 'disk full' error, then, of course, delete it. The only way to speed up this process is to bypass the OS and access the disk directly. In this case, you have to learn the format of the FAT or NTFS file system, then write, for example, a DOS application, boot the computer from a floppy, then run it.
But why do you want to write it yourself when there are a lot of free programs on the Internet? Take a look at and you will find the right one for the OS you are using. (Any PGP has a 'sweep free space' functionality)

2. If you want to sweep the spaces, including those that are beyond a file (explanation later), I think you don't have many choices: direct access to the disk. The space beyond a file is the space from the end of the file to the next cluster boundary. As you may know, a 1000-byte file will take at least 1 cluster on the disk, and if the cluster size is, for example, 8192 bytes, the bytes from 1001 to 8192 can be called the bytes beyond the file. Some intelligent viruses can hide themselves in this space, and a foolish anti-virus program will never find them.

So, if speed is important to you or if you want to fully sweep the spaces, direct access to the disk is recommended. Prepare yourself and dig into the soul of FAT and NTFS file systems. If not, use PGP and relax!

Hope this helps.
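The "bytes beyond the file" from case 2, located on the volume with the VCN and LCN terms from the accepted answer; this is an added example, not code from either post. The `extent` and `slack_info` types, the function names and the sample layouts are hypothetical, with extents modelled as (next VCN, starting LCN) pairs in the style of RETRIEVAL_POINTERS_BUFFER.

```c
#include <stdint.h>

/* One extent: the run ends just before next_vcn and starts on the volume at lcn.
   Hypothetical simplified type, not the SDK structure. */
typedef struct { int64_t next_vcn; int64_t lcn; } extent;

typedef struct {
    int64_t length;        /* slack bytes after the end of the file, 0 if none */
    int64_t lcn;           /* cluster on the volume that holds the slack, -1 if none */
    int64_t offset_in_cl;  /* offset of the first slack byte inside that cluster */
} slack_info;

/* Map a VCN to its LCN by walking the extents; -1 if the VCN is not mapped. */
int64_t vcn_to_lcn(const extent *ext, int n, int64_t start_vcn, int64_t vcn)
{
    int64_t first = start_vcn;               /* first VCN covered by ext[i] */
    for (int i = 0; i < n; i++) {
        if (vcn >= first && vcn < ext[i].next_vcn)
            return ext[i].lcn + (vcn - first);
        first = ext[i].next_vcn;
    }
    return -1;
}

/* Slack of a file: the unused tail of its last cluster and where that cluster lives. */
slack_info file_slack(int64_t file_size, int64_t cluster_size,
                      const extent *ext, int n, int64_t start_vcn)
{
    slack_info s = { 0, -1, 0 };
    if (file_size <= 0 || cluster_size <= 0)
        return s;
    int64_t used = file_size % cluster_size;  /* bytes used in the last cluster */
    if (used == 0)
        return s;                             /* file ends on a cluster boundary */
    s.length = cluster_size - used;
    s.offset_in_cl = used;
    s.lcn = vcn_to_lcn(ext, n, start_vcn, file_size / cluster_size);
    return s;
}

/* Constructed samples. ONE_CLUSTER: the 1000-byte file from the post, placed at LCN 500.
   TWO_EXTENTS: a 30-cluster file in extents of 5 and 25 clusters, the first extent
   at a higher LCN than the second. */
const extent ONE_CLUSTER[] = { { 1, 500 } };
const extent TWO_EXTENTS[] = { { 5, 9000 }, { 30, 1200 } };
```

For the 1000-byte file with 8192-byte clusters this gives 7192 slack bytes starting at offset 1000 of the file's only cluster.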


LVL 26

Expert Comment

ID: 9647565
If I were you, I'd check out the sdelete at

It has the functionality you require and comes with C source code that you can convert.
LVL 26

Expert Comment

ID: 12583935
Personally, if he had checked out he would have found that the sdelete utility has the capability he requires and then he could run it from a shellexecute.
