Windows server 2003 R2 lost disk space

I am running a hosted windows 2003 R2 server.

This server has two partitions.  A c:\ drive onto which the Windows 2003 server system and other applications are installed is sized at 20GB.

Until recently, this drive was looking very healthy.  The total disk usage from windows server 2003 and the installed applications taking about 7.7GB of the available disk space.

About a week ago, the drive space usage suddenly jumped to 18GB.

Trying to get to the bottom of this, i have downloaded and used the free program windirstat.  This gives a better evaluation of disk space usage by folder and file than the standard windows explorer.

Using windirstat, it still shows that the "real disk usage" on the disk is about 7.7GB.  However, it is showing 10GB of "unknown files".

These "unknown files" are essentially invisible.  I cannot find them and cannot delete them.

I have run chkdsk with options /f/r/x/b.  This makes no difference

I have turned off Volume Shadow Copy on all drives.  This also makes no difference.

Can anyone shed any light on this and/or point to any tools (hopefully open source of free trial) that I could use to get more information on the problem?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Try treesize:
I recommend the pro version but the free one works well too.

Might help go to Explorer, Tools/Folder Options, View tab and turn on Show hidden files and folders and then uncheck Hide protected operating system files and Apply then Apply to all folders.  Just make sure you don't delete any system files. :)
evanstestAuthor Commented:
Thanks for the link to Treesize.

When I run Treesize on the c:\ drive it shows the following information:

In the status bar at the bottom of the application it states "Free Space: 2.01GB (of 19.5GB)"

However, if you then look at the tree returned for C:\ it shows a total of 7.1GB used.

So, there is around 10GB of disk space "lost" that treesize cannot see.

This is similar to what I was seeing with windirstat except that windirstat actually shows this "lost" space and calls it "unknown files".

I have already turned on "show hidden files and folders" and unchecked "hide protected operating system files" for all folders.

So treesize doesn't show files in the root or any folders that would make up the difference?  Verrrry strange.

Can you post the output of chkdsk?  <--shot in the dark

Hmmm maybe the space is in System Volume Information folder?  Take a look at this: 

Could also have to do with having had VSS turned on?
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

evanstestAuthor Commented:
I can't post output from chkdsk as I did not save it and i have now re-booted the server into normal mode for the day shift.  I can tell you, however, that chkdsk did not find any errors or make any repairs.

I have already disabled Volume Shadow Copy and indexing on all drives.  I have also cleared the indexing catalog and the shadow copies.

Using windirstat and treesize, the system volume information folder is only showing 20kb size.

However, inside the system volume information folder is a sub-folder named:


If I try to do anything with this sub-folder (from any application) I get a message saying:

"c:\System Volume Information\_restore{4E170950-50E0-453F-B281-59338F8EC32EV} is not accessible.

Access is denied."

I am logged in an Administrator but I cannot seem to change any security permissions on this sub-folder to give me access.

I guess, therefore, that if this sub-folder is truly inaccesible, it actually may be the culprit?   I guess that windirstat and treesize cannot scan it.

I am intrigued by the title of this folder _restore......

Windows server 2003 does not have system restore does it?  
Try to open command prompt (cmd ) and use old fashion way to check the files and their attributes

so in  cmd, go to directory and type  attrib  

This will output all files with their attributes... it could be that some files are in root folder marked as hidden or system and this is why you cannot see them..

if this is the case and you dont need those files (make sure as datedman said not to delete the system file you need)   you could use   attrib -r -h -s name_of_file and then you will be able to delete them.

evanstestAuthor Commented:
I have navigated to the System Volume Information folder on c:\ inside the command prompt.   From there I have run an attrib.  The response I get back is as follows:

C:\System Volume Information>attrib /s /d
A  SH      C:\System Volume Information\MountPointManagerRemoteDatabase
    SH      C:\System Volume Information\tracking.log
              C:\System Volume Information\_restore{4E170950-50E0-453F-B281-59338F8EC32EV}

So on the face of it, the _restore{4E170950-50E0-453F-B281-59338F8EC32EV} folder does not appear to have any attributes assigned to it.  However, if I try to CD to that folder I see the following:

C:\System Volume Information>cd _restore{4E170950-50E0-453F-B281-59338F8EC32EV}
Access is denied.

If I right click on the _restore{4E170950-50E0-453F-B281-59338F8EC32EV} folder from windows explorer and view properties, the properties tell me it is 0bytes.   However, as the system cannot access the folder I am not sure I can believe that.

Can anyone shed light on what the _restore{4E170950-50E0-453F-B281-59338F8EC32EV} folder is and how I can delete it?
I wouldn't screw around with the System Volume Info folder manually.

Did you go to the URL I posted and use that method?

evanstestAuthor Commented:
I did go to the URL and followed that method for disabling the index service.

Everything now is turned off and related storage/catalogs cleared (ostensibly).

Volume Shadow Copy turned off for all drives
Indexing service off for all drives and catalogs cleared
Windows server 2003 doesn't have a system restore does it?

I am still left with the  _restore{4E170950-50E0-453F-B281-59338F8EC32EV} folder and it is still showing "Access Denied".

I don't really want to screw around with the system volume information but I need to find a way to recover this 10GB of space.  This is a hosted server and the partiion is only 20GB.  I can't afford to lose 10GB.

Ah....hosted server?  Call the host.  They may well have something going on that you can't see.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
evanstestAuthor Commented:
I am checking with the host.  The server is a dedicated hardware server.  it is not a virtual server.

Actually, now i  think about it, this problem started a couple of weeks ago.  

At that time, I was advised by the host to re-boot the server (from their internet control panel) into what they termed the "Windows rescue system".  This was in order to run a chkdsk on the server because I was seeing a cyclic redundancy check error when running a disk imaging tool on the server.

I am not sure exactly what the windows rescue system is but to access the server in this mode you need to use TightVNC.

I am sure I did not have the current "lost space" problem before I did this reboot into the windows rescue system.

I'll post back any reply I get from the host.  It will probably be in a couple of days.
Hmm that's why I wanted chkdsk output, to (1) see the sector size etc. and (2) see the bad sector space...
BTW what does CHKDSK say is the size of the MFT?
evanstestAuthor Commented:
I am awarding points as all advice provided by contributor was valid.
evanstestAuthor Commented:
The issue finally was a hardware one.  The Hard drive was failing even though the failures were not identifed by running chkdsk.
It's rootkit.

Infected files is:
"C:\System Volume Information\_restore{4E170950-50E0-453F-B281-59338F8EC32EV}"


1) boot in safe mode
2) show hidden devices and remove "hidfw" device
3) delete above files
4) remove any data related to hidfw from registry (use find option)
5) reboot to normal
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.