
Exploring the mechanism of Windows 7 recycling bin




Part 1: The basic concept of the recycle bin


1. Recycle Bin naming rules:

A recycle bin is created for each user on each partition, with the following naming rules:


Win 95/98/ME x:\Recycled\

Win NT/2K/XP x:\Recycler\SID\

Win Vista/7/8 x:\$Recycle.Bin\SID\ (system partition)

x:\$RECYCLE.BIN\SID\ (non-system partition)


When the system is running, open each recycle bin and you will find that the content displayed is the same. This is because there is a desktop.ini file in its directory. desktop.ini is a hidden system file that personalizes how the contents of a directory are displayed. Common examples of directories that use it are the desktop directory and the recycle bin directory.


2. About SID:


When we delete a file, it is moved to the recycle bin directory and automatically renamed. The deleted file itself is renamed to "$R" + a series of random characters + the original extension, and a companion file is created whose name begins with "$I" and is otherwise exactly the same. All $I files are 544 bytes in size. When the recycle bin is emptied, both files are deleted at the same time.


The $I file holds the following:


1. The original file name of the deleted file

2. The full path of the deleted file

3. The size of the deleted file

4. The time of deletion


Open the $I file with a hex viewer (the process is too complicated, so I won't describe it here) and you will find:


1. The first 8 bytes are the header of the $I file

2. The second 8 bytes store the size of the deleted file

3. The third 8 bytes store the time the file was deleted

4. The remaining 520 bytes hold the full path and original file name from before the file was deleted


A SID is a string that Windows uses to uniquely identify an object (such as a user or a group). Take S-1-5-21-1858328346-1692621842-485598107-500 as an example.

S: Identifies the string as a security identifier.

1: The version number, usually 1.

5: Identifier authority; 5 means NT Authority.

21-1858328346-1692621842-485598107: Computer identifier. Uniquely identifies a computer.

500: User ID


Therefore, when a removable hard disk is used on multiple systems, the number of recycle bin directories on it increases.


3. WIN VISTA/7/8 Recycle Bin Mechanism:

When a file is deleted, the system creates a file $IXXXXXX.EXT in the current user's recycle bin on the current partition, renames the deleted file to $RXXXXXX.EXT and moves it to the recycle bin. Here XXXXXX is a random string generated by the system, and EXT is the file extension. Deleting a folder is similar to deleting a file, the only difference being that there is no extension.


The $I file stores information about the deleted file, such as file name, file size, and deletion time. I stands for Information.


The $R file is the deleted file (folder). R stands for Recovery or Rename.
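The 544-byte $I layout and the $I/$R pairing described above can be checked with a short parser. This is an added example, not code from the original post. It assumes little-endian integers, a NUL-terminated UTF-16LE path and a Windows FILETIME timestamp, none of which the post states, and the sample record and its header value of 1 are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

I_FILE_SIZE = 544   # size the page gives for every $I file
PATH_BYTES = 520    # trailing field: full original path and file name
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_i_file(data: bytes) -> dict:
    """Decode one $I record: 8-byte header, 8-byte size, 8-byte time, 520-byte path."""
    if len(data) != I_FILE_SIZE:
        raise ValueError(f"expected {I_FILE_SIZE} bytes, got {len(data)}")
    header, size, ticks = struct.unpack_from("<QQQ", data, 0)
    # Assumption: path is NUL-terminated UTF-16LE; keep text before the first NUL.
    text = data[24:24 + PATH_BYTES].decode("utf-16-le", errors="replace")
    path = text.split("\x00", 1)[0]
    # Assumption: time is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
    deleted = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return {"header": header, "size": size, "deleted_utc": deleted, "original_path": path}


def paired_r_name(i_name: str) -> str:
    """Map $IXXXXXX.EXT to the $RXXXXXX.EXT file that holds the deleted content."""
    if not i_name.upper().startswith("$I"):
        raise ValueError(f"not a $I file name: {i_name!r}")
    return "$R" + i_name[2:]


# Constructed sample values (not taken from a real system).
SAMPLE_PATH = r"C:\Users\alice\Documents\report.docx"
SAMPLE_SIZE = 123456
SAMPLE_DELETED = datetime(2012, 3, 4, 5, 6, 7, tzinfo=timezone.utc)


def build_sample() -> bytes:
    """Build a 544-byte record in the layout above; header value 1 is assumed."""
    ticks = (SAMPLE_DELETED - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    path = SAMPLE_PATH.encode("utf-16-le").ljust(PATH_BYTES, b"\x00")
    return struct.pack("<QQQ", 1, SAMPLE_SIZE, ticks) + path


if __name__ == "__main__":
    record = parse_i_file(build_sample())
    print(paired_r_name("$IABC123.docx"), record)
```

A record that is not exactly 544 bytes is rejected rather than guessed at, so files in any other layout fail loudly instead of yielding a wrong path or time.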


4. WIN NT/2K/XP Recycle Bin Mechanism:

When a file is deleted, a deletion record (a structure) is written to the INFO2 file in the recycle bin, and the deleted file is renamed according to a fixed rule and moved to the recycle bin. Deleting a folder is similar to deleting a file, the only difference being that there is no extension.


INFO2 file format

Delete file rename rule

D(Driver Name)(Index).(EXT), where D stands for DISK, Driver Name is the drive letter, Index is the number of the deleted file, which can be obtained from the INFO2 file, and EXT is the file extension (a deleted folder has no extension).


If the data in the recycle bin is lost, Recycle bin on windows 7 is required.

