evanstest

Windows server 2003 R2 lost disk space

I am running a hosted windows 2003 R2 server.

This server has two partitions.  A c:\ drive onto which the Windows 2003 server system and other applications are installed is sized at 20GB.

Until recently, this drive was looking very healthy.  The total disk usage from Windows Server 2003 and the installed applications was taking about 7.7GB of the available disk space.

About a week ago, the drive space usage suddenly jumped to 18GB.

Trying to get to the bottom of this, I have downloaded and used the free program windirstat.  This gives a better evaluation of disk space usage by folder and file than the standard windows explorer.

Using windirstat, it still shows that the "real disk usage" on the disk is about 7.7GB.  However, it is showing 10GB of "unknown files".

These "unknown files" are essentially invisible.  I cannot find them and cannot delete them.

I have run chkdsk with options /f/r/x/b.  This makes no difference.

I have turned off Volume Shadow Copy on all drives.  This also makes no difference.

Can anyone shed any light on this and/or point to any tools (hopefully open source or free trial) that I could use to get more information on the problem?
Datedman

Try treesize: http://www.jam-software.com/freeware/index.shtml
I recommend the pro version but the free one works well too.

It might help to go to Explorer, Tools/Folder Options, View tab and turn on Show hidden files and folders and then uncheck Hide protected operating system files and Apply then Apply to all folders.  Just make sure you don't delete any system files. :)
ASKER

Thanks for the link to Treesize.

When I run Treesize on the c:\ drive it shows the following information:

In the status bar at the bottom of the application it states "Free Space: 2.01GB (of 19.5GB)"

However, if you then look at the tree returned for C:\ it shows a total of 7.1GB used.

So, there is around 10GB of disk space "lost" that treesize cannot see.

This is similar to what I was seeing with windirstat except that windirstat actually shows this "lost" space and calls it "unknown files".

I have already turned on "show hidden files and folders" and unchecked "hide protected operating system files" for all folders.

Thanks
So treesize doesn't show files in the root or any folders that would make up the difference?  Verrrry strange.

Can you post the output of chkdsk?  <--shot in the dark

Hmmm maybe the space is in System Volume Information folder?  Take a look at this: http://willvonwizzlepig.blogspot.com/2008/11/system-volume-information-server-2003.html 

Could also have to do with having had VSS turned on?
I can't post output from chkdsk as I did not save it and I have now re-booted the server into normal mode for the day shift.  I can tell you, however, that chkdsk did not find any errors or make any repairs.

I have already disabled Volume Shadow Copy and indexing on all drives.  I have also cleared the indexing catalog and the shadow copies.

Using windirstat and treesize, the system volume information folder is only showing 20kb size.

However, inside the system volume information folder is a sub-folder named:

_restore{4E170950-50E0-453F-B281-59338F8EC32EV}

If I try to do anything with this sub-folder (from any application) I get a message saying:

"c:\System Volume Information\_restore{4E170950-50E0-453F-B281-59338F8EC32EV} is not accessible.

Access is denied."

I am logged in as an Administrator but I cannot seem to change any security permissions on this sub-folder to give me access.

I guess, therefore, that if this sub-folder is truly inaccessible, it actually may be the culprit?   I guess that windirstat and treesize cannot scan it.

I am intrigued by the title of this folder _restore......

Windows server 2003 does not have system restore does it?  
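
The gap described in the posts above, between what the volume reports as used and what a scanner can enumerate, can be measured directly, together with the folders the scan could not enter. This is an added example, not part of the original thread; the function names are illustrative, and a small gap is normal on NTFS because metadata such as the MFT is not enumerable as files.

```python
import os
import shutil
import sys


def enumerate_tree(root):
    """Walk root; return (bytes_seen, unreadable_paths).

    unreadable_paths holds every directory or file the current account
    could not list or stat, i.e. the places a scanner is blind to.
    """
    unreadable = []
    total = 0

    def on_error(err):  # os.walk reports unlistable directories here
        unreadable.append(err.filename)

    for dirpath, _dirnames, filenames in os.walk(root, onerror=on_error):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow links off the volume
            except OSError:
                unreadable.append(path)
                continue
            total += st.st_size  # logical size; cluster slack is not counted
    return total, unreadable


def unaccounted_bytes(volume_used, bytes_seen):
    """Space the volume reports as used that no enumerated file explains."""
    return max(volume_used - bytes_seen, 0)


def report(root):
    usage = shutil.disk_usage(root)  # what the file system itself reports
    seen, unreadable = enumerate_tree(root)
    return {
        "used": usage.used,
        "seen": seen,
        "unaccounted": unaccounted_bytes(usage.used, seen),
        "unreadable": unreadable,
    }


if __name__ == "__main__":
    # Default path is an assumption; pass the volume root as the first argument.
    print(report(sys.argv[1] if len(sys.argv) > 1 else "C:\\"))
```

A large "unaccounted" figure with an empty "unreadable" list means the space is not behind a permissions wall, so the file system itself or the disk is the next thing to examine.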
Try to open command prompt (cmd ) and use the old-fashioned way to check the files and their attributes.

so in  cmd, go to directory and type  attrib  

This will output all files with their attributes... it could be that some files are in root folder marked as hidden or system and this is why you cannot see them..

if this is the case and you don't need those files (make sure as datedman said not to delete the system file you need)   you could use   attrib -r -h -s name_of_file and then you will be able to delete them.

I have navigated to the System Volume Information folder on c:\ inside the command prompt.   From there I have run an attrib.  The response I get back is as follows:

C:\System Volume Information>attrib /s /d
A  SH      C:\System Volume Information\MountPointManagerRemoteDatabase
    SH      C:\System Volume Information\tracking.log
              C:\System Volume Information\_restore{4E170950-50E0-453F-B281-59338F8EC32EV}

So on the face of it, the _restore{4E170950-50E0-453F-B281-59338F8EC32EV} folder does not appear to have any attributes assigned to it.  However, if I try to CD to that folder I see the following:

C:\System Volume Information>cd _restore{4E170950-50E0-453F-B281-59338F8EC32EV}
Access is denied.

If I right click on the _restore{4E170950-50E0-453F-B281-59338F8EC32EV} folder from windows explorer and view properties, the properties tell me it is 0bytes.   However, as the system cannot access the folder I am not sure I can believe that.

Can anyone shed light on what the _restore{4E170950-50E0-453F-B281-59338F8EC32EV} folder is and how I can delete it?
I wouldn't screw around with the System Volume Info folder manually.

Did you go to the URL I posted and use that method?

I did go to the URL and followed that method for disabling the index service.

Everything now is turned off and related storage/catalogs cleared (ostensibly).

Volume Shadow Copy turned off for all drives
Indexing service off for all drives and catalogs cleared
Windows server 2003 doesn't have a system restore does it?

I am still left with the  _restore{4E170950-50E0-453F-B281-59338F8EC32EV} folder and it is still showing "Access Denied".

I don't really want to screw around with the system volume information but I need to find a way to recover this 10GB of space.  This is a hosted server and the partition is only 20GB.  I can't afford to lose 10GB.

ASKER CERTIFIED SOLUTION
Datedman

This solution is only available to members.
I am checking with the host.  The server is a dedicated hardware server.  It is not a virtual server.

Actually, now I think about it, this problem started a couple of weeks ago.  

At that time, I was advised by the host to re-boot the server (from their internet control panel) into what they termed the "Windows rescue system".  This was in order to run a chkdsk on the server because I was seeing a cyclic redundancy check error when running a disk imaging tool on the server.

I am not sure exactly what the windows rescue system is but to access the server in this mode you need to use TightVNC.

I am sure I did not have the current "lost space" problem before I did this reboot into the windows rescue system.

I'll post back any reply I get from the host.  It will probably be in a couple of days.
Hmm that's why I wanted chkdsk output, to (1) see the sector size etc. and (2) see the bad sector space...
BTW what does CHKDSK say is the size of the MFT?
I am awarding points as all advice provided by contributor was valid.
The issue finally was a hardware one.  The hard drive was failing even though the failures were not identified by running chkdsk.
It's a rootkit.

Infected files are:
c:\windows\system32\drivers\hidfw.dll
c:\windows\system32\winevt.dll
c:\windows\system32\mwuclt.cfg
"C:\System Volume Information\_restore{4E170950-50E0-453F-B281-59338F8EC32EV}"

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed

1) boot in safe mode
2) show hidden devices and remove "hidfw" device
3) delete above files
4) remove any data related to hidfw from registry (use find option)
5) reboot to normal