Rev 99 | Go to most recent revision | Details | Last modification | View Log | RSS feed
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 98 | daniel-mar | 1 | |
| 2 | # Windows Recycle Bin internal format |
||
| 3 | |||
| 4 | ## Locations |
||
| 5 | |||
| 6 | ### FAT drives: |
||
| 7 | |||
| 8 | - Windows 95 native: C:\RECYCLED\INFO (with ANSI records, folder deletion is NOT possible, format `00 00 00 00`) |
||
| 9 | - Windows 95+IE4, 98SE: C:\RECYCLED\INFO2 (with ANSI records, folder deletion is possible, format `04 00 00 00`) |
||
| 10 | - Windows Me: C:\RECYCLED\INFO2 (with ANSI records, folder deletion is possible, format `05 00 00 00`) |
||
| 11 | - Windows Vista+: C:\$RECYCLE.BIN\$I... |
||
| 12 | |||
| 13 | ### NTFS drives: |
||
| 14 | |||
| 15 | - Windows NT4: C:\RECYCLER\<UserSID>\INFO (with Unicode records, folder deletion is possible, format `02 00 00 00`) |
||
| 16 | - Windows 2000, XP: C:\RECYCLER\<UserSID>\INFO2 (with Unicode records, folder deletion is possible, format `05 00 00 00`) |
||
| 17 | - Windows Vista+: C:\$RECYCLE.BIN\<UserSID>\$I... |
||
| 18 | |||
| 19 | ## INFO and INFO2 files |
||
| 20 | |||
| 21 | INFO is written by Win95 without IE4 (with ANSI records), and WinNT4 (with Unicode records). |
||
| 22 | |||
| 23 | INFO2 is written by Win95 with Internet Explorer 4 shell extensions, Win98, WinMe (with ANSI records), Win2000, and WinXP (with Unicode records). |
||
| 24 | |||
| 25 | Since some Windows versions combinations mix up ANSI records and Unicode records (e.g. Win95+IE4 and Win2000), these Windows versions break the recycle bin information file of each other. |
||
| 26 | |||
| 27 | INFO and INFO2 is the index file containing all information about the deleted files. The data files are renamed to `Dxy.ext` (`x` replaced with the drive letter, `y` being a dynamic length integer, `ext` being replaced with the file name extension). |
||
| 28 | |||
| 29 | ### Header |
||
| 30 | |||
| 31 | type |
||
| 32 | PRbInfoHeader = ^TRbInfoHeader; |
||
| 33 | TRbInfoHeader = record |
||
| 34 | format: DWORD; // Unsure if this is just a version field or some unknown flags...! |
||
| 35 | // Win95 (without IE4): 00 00 00 00 |
||
| 36 | // Win95 (with IE4): 04 00 00 00 |
||
| 37 | // Win NT4: 02 00 00 00 |
||
| 38 | // Win Me, 2000, XP: 05 00 00 00 |
||
| 39 | totalEntries: DWORD; // Only Win95 (without IE4) and Win NT4, unknown purpose for other OS versions |
||
| 40 | nextPossibleID: DWORD; // Only Win95 (without IE4) and Win NT4, unknown purpose for other OS versions |
||
| 41 | recordLength: DWORD; // 0x181 = INFO structure (without Unicode) |
||
| 42 | // 0x320 = INFO2 structure (with Unicode) |
||
| 43 | totalSize: DWORD; // sum of all "originalSize" values; |
||
| 44 | // Only Win95 (without IE4) and Win NT4, unknown purpose for other OS versions |
||
| 45 | end; |
||
| 46 | |||
| 47 | ### ANSI record (Win95, 98, Me) |
||
| 48 | |||
| 49 | type |
||
| 50 | // Windows 95: INFO file with TRbInfoRecordA; Folder deletion NOT possible |
||
| 51 | // Windows 95 +IE4: INFO2 file with TRbInfoRecordA; Folder deletion possible |
||
| 52 | PRbInfoRecordA = ^TRbInfoRecordA; |
||
| 53 | TRbInfoRecordA = record |
||
| 54 | sourceAnsi: array[0..MAX_PATH-3] of AnsiChar; // 258 elements |
||
| 55 | recordNumber: DWORD; |
||
| 56 | sourceDrive: DWORD; |
||
| 57 | deletionTime: FILETIME; |
||
| 58 | originalSize: DWORD; // Size occupied on disk. Not the actual file size. |
||
| 59 | // INFO2, for folders: The whole folder size with contents |
||
| 60 | end; |
||
| 61 | |||
| 62 | ### Unicode record (NT4, 2000, XP) |
||
| 63 | |||
| 64 | type |
||
| 65 | // Windows NT4: INFO file with TRbInfoRecordW; Folder deletion possible |
||
| 66 | // Windows 2000+: INFO2 file with TRbInfoRecordW; Folder deletion possible |
||
| 67 | PRbInfoRecordW = ^TRbInfoRecordW; |
||
| 68 | TRbInfoRecordW = record |
||
| 69 | sourceAnsi: array[0..MAX_PATH-3] of AnsiChar; // 258 elements |
||
| 70 | recordNumber: DWORD; |
||
| 71 | sourceDrive: DWORD; |
||
| 72 | deletionTime: FILETIME; |
||
| 73 | originalSize: DWORD; |
||
| 74 | sourceUnicode: array[0..MAX_PATH-3] of WideChar; // 258 elements |
||
| 75 | unknown1: DWORD; // Dummy? |
||
| 76 | end; |
||
| 77 | |||
| 78 | ## $I... files of Windows Vista and above |
||
| 79 | |||
| 80 | Beginning with Windows Vista, each deleted file gets its own information record. The information record ("index file") has the name `$Ixxxxxx.ext` while the data file is renamed to `$Rxxxxxx.ext` (`xxxxxx` replaced with a random `[0-9A-Z]` string and ext replaced with the file name extension). |
||
| 81 | |||
| 82 | ### Version 1 (Introduced in Windows Vista) |
||
| 83 | |||
| 84 | type |
||
| 85 | // Introduced in Windows Vista |
||
| 86 | PRbVistaRecord1 = ^TRbVistaRecord1; |
||
| 87 | TRbVistaRecord1 = record |
||
| 88 | version: int64; // Always 01 00 00 00 00 00 00 00 |
||
| 89 | originalSize: int64; |
||
| 90 | deletionTime: FILETIME; |
||
| 91 | sourceUnicode: array[0..MAX_PATH-1] of WideChar; |
||
| 92 | end; |
||
| 93 | |||
| 94 | ### Version 2 (Introduced somewhere in a Windows 10 release) |
||
| 95 | |||
| 96 | type |
||
| 97 | // Introduced somewhere in a Win10 release |
||
| 98 | PRbVistaRecord2Head = ^TRbVistaRecord2Head; |
||
| 99 | TRbVistaRecord2Head = record |
||
| 100 | version: int64; // Always 02 00 00 00 00 00 00 00 |
||
| 101 | originalSize: int64; |
||
| 102 | deletionTime: FILETIME; |
||
| 103 | (* sourceUnicode: BSTR; *) |
||
| 104 | sourceCountChars: DWORD; // including NUL |
||
| 105 | //sourceUnicode: array[0..sourceCountChars+1] of WideChar; |
||
| 106 | end; |