evanstest
asked on
Windows server 2003 R2 lost disk space
I am running a hosted windows 2003 R2 server.
This server has two partitions. A c:\ drive onto which the Windows 2003 server system and other applications are installed is sized at 20GB.
Until recently, this drive was looking very healthy. The total disk usage from windows server 2003 and the installed applications taking about 7.7GB of the available disk space.
About a week ago, the drive space usage suddenly jumped to 18GB.
Trying to get to the bottom of this, i have downloaded and used the free program windirstat. This gives a better evaluation of disk space usage by folder and file than the standard windows explorer.
Using windirstat, it still shows that the "real disk usage" on the disk is about 7.7GB. However, it is showing 10GB of "unknown files".
These "unknown files" are essentially invisible. I cannot find them and cannot delete them.
I have run chkdsk with options /f/r/x/b. This makes no difference
I have turned off Volume Shadow Copy on all drives. This also makes no difference.
Can anyone shed any light on this and/or point to any tools (hopefully open source of free trial) that I could use to get more information on the problem?
This server has two partitions. A c:\ drive onto which the Windows 2003 server system and other applications are installed is sized at 20GB.
Until recently, this drive was looking very healthy. The total disk usage from windows server 2003 and the installed applications taking about 7.7GB of the available disk space.
About a week ago, the drive space usage suddenly jumped to 18GB.
Trying to get to the bottom of this, i have downloaded and used the free program windirstat. This gives a better evaluation of disk space usage by folder and file than the standard windows explorer.
Using windirstat, it still shows that the "real disk usage" on the disk is about 7.7GB. However, it is showing 10GB of "unknown files".
These "unknown files" are essentially invisible. I cannot find them and cannot delete them.
I have run chkdsk with options /f/r/x/b. This makes no difference
I have turned off Volume Shadow Copy on all drives. This also makes no difference.
Can anyone shed any light on this and/or point to any tools (hopefully open source of free trial) that I could use to get more information on the problem?
ASKER
Thanks for the link to Treesize.
When I run Treesize on the c:\ drive it shows the following information:
In the status bar at the bottom of the application it states "Free Space: 2.01GB (of 19.5GB)"
However, if you then look at the tree returned for C:\ it shows a total of 7.1GB used.
So, there is around 10GB of disk space "lost" that treesize cannot see.
This is similar to what I was seeing with windirstat except that windirstat actually shows this "lost" space and calls it "unknown files".
I have already turned on "show hidden files and folders" and unchecked "hide protected operating system files" for all folders.
Thanks
When I run Treesize on the c:\ drive it shows the following information:
In the status bar at the bottom of the application it states "Free Space: 2.01GB (of 19.5GB)"
However, if you then look at the tree returned for C:\ it shows a total of 7.1GB used.
So, there is around 10GB of disk space "lost" that treesize cannot see.
This is similar to what I was seeing with windirstat except that windirstat actually shows this "lost" space and calls it "unknown files".
I have already turned on "show hidden files and folders" and unchecked "hide protected operating system files" for all folders.
Thanks
So treesize doesn't show files in the root or any folders that would make up the difference? Verrrry strange.
Can you post the output of chkdsk? <--shot in the dark
Hmmm maybe the space is in System Volume Information folder? Take a look at this: http://willvonwizzlepig.blogspot.com/2008/11/system-volume-information-server-2003.html
Could also have to do with having had VSS turned on?
Can you post the output of chkdsk? <--shot in the dark
Hmmm maybe the space is in System Volume Information folder? Take a look at this: http://willvonwizzlepig.blogspot.com/2008/11/system-volume-information-server-2003.html
Could also have to do with having had VSS turned on?
ASKER
I can't post output from chkdsk as I did not save it and i have now re-booted the server into normal mode for the day shift. I can tell you, however, that chkdsk did not find any errors or make any repairs.
I have already disabled Volume Shadow Copy and indexing on all drives. I have also cleared the indexing catalog and the shadow copies.
Using windirstat and treesize, the system volume information folder is only showing 20kb size.
However, inside the system volume information folder is a sub-folder named:
_restore{4E170950-50E0-453
If I try to do anything with this sub-folder (from any application) I get a message saying:
"c:\System Volume Information\_restore{4E170
Access is denied."
I am logged in an Administrator but I cannot seem to change any security permissions on this sub-folder to give me access.
I guess, therefore, that if this sub-folder is truly inaccesible, it actually may be the culprit? I guess that windirstat and treesize cannot scan it.
I am intrigued by the title of this folder _restore......
Windows server 2003 does not have system restore does it?
I have already disabled Volume Shadow Copy and indexing on all drives. I have also cleared the indexing catalog and the shadow copies.
Using windirstat and treesize, the system volume information folder is only showing 20kb size.
However, inside the system volume information folder is a sub-folder named:
_restore{4E170950-50E0-453
If I try to do anything with this sub-folder (from any application) I get a message saying:
"c:\System Volume Information\_restore{4E170
Access is denied."
I am logged in an Administrator but I cannot seem to change any security permissions on this sub-folder to give me access.
I guess, therefore, that if this sub-folder is truly inaccesible, it actually may be the culprit? I guess that windirstat and treesize cannot scan it.
I am intrigued by the title of this folder _restore......
Windows server 2003 does not have system restore does it?
Try to open command prompt (cmd ) and use old fashion way to check the files and their attributes
so in cmd, go to directory and type attrib
This will output all files with their attributes... it could be that some files are in root folder marked as hidden or system and this is why you cannot see them..
if this is the case and you dont need those files (make sure as datedman said not to delete the system file you need) you could use attrib -r -h -s name_of_file and then you will be able to delete them.
so in cmd, go to directory and type attrib
This will output all files with their attributes... it could be that some files are in root folder marked as hidden or system and this is why you cannot see them..
if this is the case and you dont need those files (make sure as datedman said not to delete the system file you need) you could use attrib -r -h -s name_of_file and then you will be able to delete them.
ASKER
I have navigated to the System Volume Information folder on c:\ inside the command prompt. From there I have run an attrib. The response I get back is as follows:
C:\System Volume Information>attrib /s /d
A SH C:\System Volume Information\MountPointMana
SH C:\System Volume Information\tracking.log
C:\System Volume Information\_restore{4E170
So on the face of it, the _restore{4E170950-50E0-453
C:\System Volume Information>cd _restore{4E170950-50E0-453
Access is denied.
If I right click on the _restore{4E170950-50E0-453
Can anyone shed light on what the _restore{4E170950-50E0-453
C:\System Volume Information>attrib /s /d
A SH C:\System Volume Information\MountPointMana
SH C:\System Volume Information\tracking.log
C:\System Volume Information\_restore{4E170
So on the face of it, the _restore{4E170950-50E0-453
C:\System Volume Information>cd _restore{4E170950-50E0-453
Access is denied.
If I right click on the _restore{4E170950-50E0-453
Can anyone shed light on what the _restore{4E170950-50E0-453
I wouldn't screw around with the System Volume Info folder manually.
Did you go to the URL I posted and use that method?
Did you go to the URL I posted and use that method?
ASKER
I did go to the URL and followed that method for disabling the index service.
Everything now is turned off and related storage/catalogs cleared (ostensibly).
Volume Shadow Copy turned off for all drives
Indexing service off for all drives and catalogs cleared
Windows server 2003 doesn't have a system restore does it?
I am still left with the _restore{4E170950-50E0-453
I don't really want to screw around with the system volume information but I need to find a way to recover this 10GB of space. This is a hosted server and the partiion is only 20GB. I can't afford to lose 10GB.
Everything now is turned off and related storage/catalogs cleared (ostensibly).
Volume Shadow Copy turned off for all drives
Indexing service off for all drives and catalogs cleared
Windows server 2003 doesn't have a system restore does it?
I am still left with the _restore{4E170950-50E0-453
I don't really want to screw around with the system volume information but I need to find a way to recover this 10GB of space. This is a hosted server and the partiion is only 20GB. I can't afford to lose 10GB.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I am checking with the host. The server is a dedicated hardware server. it is not a virtual server.
Actually, now i think about it, this problem started a couple of weeks ago.
At that time, I was advised by the host to re-boot the server (from their internet control panel) into what they termed the "Windows rescue system". This was in order to run a chkdsk on the server because I was seeing a cyclic redundancy check error when running a disk imaging tool on the server.
I am not sure exactly what the windows rescue system is but to access the server in this mode you need to use TightVNC.
I am sure I did not have the current "lost space" problem before I did this reboot into the windows rescue system.
I'll post back any reply I get from the host. It will probably be in a couple of days.
Actually, now i think about it, this problem started a couple of weeks ago.
At that time, I was advised by the host to re-boot the server (from their internet control panel) into what they termed the "Windows rescue system". This was in order to run a chkdsk on the server because I was seeing a cyclic redundancy check error when running a disk imaging tool on the server.
I am not sure exactly what the windows rescue system is but to access the server in this mode you need to use TightVNC.
I am sure I did not have the current "lost space" problem before I did this reboot into the windows rescue system.
I'll post back any reply I get from the host. It will probably be in a couple of days.
Hmm that's why I wanted chkdsk output, to (1) see the sector size etc. and (2) see the bad sector space...
BTW what does CHKDSK say is the size of the MFT?
ASKER
I am awarding points as all advice provided by contributor was valid.
ASKER
The issue finally was a hardware one. The Hard drive was failing even though the failures were not identifed by running chkdsk.
It's rootkit.
Infected files is:
c:\windows\system32\driver
c:\windows\system32\winevt
c:\windows\system32\mwuclt
"C:\System Volume Information\_restore{4E170
HKLM\SOFTWARE\Microsoft\Cr
1) boot in safe mode
2) show hidden devices and remove "hidfw" device
3) delete above files
4) remove any data related to hidfw from registry (use find option)
5) reboot to normal
Infected files is:
c:\windows\system32\driver
c:\windows\system32\winevt
c:\windows\system32\mwuclt
"C:\System Volume Information\_restore{4E170
HKLM\SOFTWARE\Microsoft\Cr
1) boot in safe mode
2) show hidden devices and remove "hidfw" device
3) delete above files
4) remove any data related to hidfw from registry (use find option)
5) reboot to normal
I recommend the pro version but the free one works well too.
Might help go to Explorer, Tools/Folder Options, View tab and turn on Show hidden files and folders and then uncheck Hide protected operating system files and Apply then Apply to all folders. Just make sure you don't delete any system files. :)