<Unknown> keeping us busy

As before, the <Unknown> item keeps us busy. Last week a user contacted us through the blog and later, as suggested, through email and chat.

As you know, the <Unknown> item just shows the discrepancy between the used disk space reported by Windows and the total size of the files and folders WinDirStat finds. The catch is that WinDirStat can only count what it can enumerate and read through the normal Windows file functions; anything hidden from those functions is invisible to it and ends up in <Unknown>. That, combined with the way some backup software works, turned out to be the problem on the machine of the user who contacted me.

As a driver developer and antivirus researcher and developer I have my own methods of finding such things out, but I tend to start with off-the-shelf tools for a first diagnosis. After a long chat session the user gave me temporary access to his machine via UltraVNC, so I got the chance to look at it myself; most of the time he stayed in control of his machine while we kept talking over chat. The first step was to download a few tools from Sysinternals (now Microsoft TechNet), among them the well-known RootkitRevealer, Process Explorer and Autoruns. RootkitRevealer spotted the culprit almost immediately: several files and folders were hidden from normal enumeration through the Windows API, and their names and sizes suggested backups. Their number and combined size also matched the size of <Unknown>.

The culprit – revealed through the folders named “RRestore” – was a program called “Rapid Restore”, which apparently ships with many IBM/Lenovo notebooks. For whatever reason, it hides its backups from the user with techniques reminiscent of kernel-mode rootkits, and restores them through another tool from the notebook's software bundle. So this is yet another piece of software that makes <Unknown> appear unusually big. You have been warned.
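To put numbers on the discrepancy described above, here is a small diagnostic added to this page; it is not part of the post and not WinDirStat code. It takes the volume's own used-space figure from the file system, sums what an enumeration through the normal Windows API can see (rounding each file up to whole clusters so slack space is not mistaken for hidden data), reports the remainder, and then lists the shadow-copy storage that is the usual benign explanation. Assumptions: it is run from an elevated PowerShell on the machine in question, the drive defaults to C:, and the function name `Test-UnknownSpace` is mine.

```powershell
# Added example, not from the original post or from WinDirStat.
# Quantifies the gap WinDirStat reports as <Unknown>: bytes the volume says are
# in use minus bytes visible to a normal Windows API enumeration.
# Assumes an elevated PowerShell session; the function name is this example's own.
function Test-UnknownSpace {
    param([string]$Drive = 'C')

    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning "Not elevated: files under other users' profiles will be skipped and inflate the result."
    }

    # Volume-level figures come from the file system itself, not from enumeration.
    $vol     = Get-CimInstance Win32_Volume -Filter "DriveLetter='${Drive}:'"
    $cluster = [int64]$vol.BlockSize
    $used    = [int64]$vol.Capacity - [int64]$vol.FreeSpace

    # -Force includes hidden and system files (pagefile.sys, hiberfil.sys, ...).
    # Files hidden by a filter driver, as in the Rapid Restore case, are still
    # invisible here: that is exactly what ends up in <Unknown>.
    $allocated = [int64]0
    $count     = 0
    Get-ChildItem -LiteralPath "${Drive}:\" -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Round up to whole clusters so slack space is not mistaken for hidden data.
            # (Resident, sparse and compressed NTFS files make this an estimate.)
            $allocated += [int64][math]::Ceiling($_.Length / $cluster) * $cluster
            $count++
        }

    $unknown = $used - $allocated
    [pscustomobject]@{
        Drive          = "${Drive}:"
        ClusterBytes   = $cluster
        FilesSeen      = $count
        UsedByVolumeGB = [math]::Round($used / 1GB, 2)
        EnumeratedGB   = [math]::Round($allocated / 1GB, 2)
        UnknownGB      = [math]::Round($unknown / 1GB, 2)
        UnknownPercent = [math]::Round(100 * $unknown / $used, 1)
    }
}

$result = Test-UnknownSpace -Drive 'C'
$result | Format-List

# The usual benign cause: System Restore / shadow copies, which no file
# enumeration can see. Compare 'Used Shadow Copy Storage space' with UnknownGB.
vssadmin list shadowstorage /For=C:

# If the shadow storage does not account for the gap, the remainder is a
# candidate for what RootkitRevealer finds: files hidden from the Windows API.
```

Two caveats a practitioner should keep in mind: the script measures the gap but cannot see into it, since it uses the same API that a filter driver hides files from (RootkitRevealer instead cross-checks the API against its own reads of the raw volume); and it has to be run elevated, otherwise access-denied directories silently drop out of the sum and show up as a spurious <Unknown>.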

I personally prefer backup software that I control, not software chosen by the benevolent vendor of the machine I bought.

// Oliver

This entry was posted in Uncategorized.

11 Responses to <Unknown> keeping us busy

  1. Luis says:

    Hi Oliver, I guess I was another one wondering what to do with the <Unknown>. I downloaded the Rootkit Revealer but it refuses to run on Vista Premium 64; I also got the other two programs you suggested but they are way above my comprehension… any suggestions?
    Thanks 😕

  2. yaniv says:

    My computer lists the drive as using 79 GB and WinDirStat is listing it as 32.4. Rootkit Revealer does not work on Vista 64. Any ideas?

  3. yaniv says:

    I should point out that this is not the <Unknown> issue. That is only 1.6 GB.

  4. Lennart says:

    Hi Oliver,
    I have a similar problem. Lately I’ve noticed that space is disappearing from drive C, and I think some program is causing this.
    My partition C is 5 GB, and all files and folders together are 2.5 GB. Still there is only 300 MB left, and the free space becomes smaller and smaller.
    About 8 months ago the remaining space was about 2.5 GB.

    My recycle bin is empty, and I can see all system/hidden files.

    Your program now shows about 2.3 GB unknown space.
    I’ve tried to run Rootkit Revealer. It shows nothing related to the problem.

    It must be that some program reserves space without returning it when done.
    The same procedure is used when there are errors on the disk: the bad space is blocked. But this disk has no errors. Maybe some HD tool can release that space back?
    It’s 2 dynamic disks that are mirrored, running W2K Server.
    I’ve tried Check Disk from within System Properties with no luck.
    Do you think a chkdsk /f c: with restart could do it, even if it is blocked like bad space?

  5. Yaniv says:

    I was able to fix my problem. I am not sure exactly what worked, because it didn’t happen until I restarted. I didn’t have Windows Backup enabled, but I ran some command line I found on the web to limit the size to 2 GB, and that might be what worked.

  6. juan says:

    Your explanation has helped me greatly. I am running Win7 64-bit, and I have always run the program normally. So for a 60 GB SSD, I get 40% unknown & 30% Windows. Reading this, I decided to run it as administrator, and was happy to see quite a few differences: Windows 66% & NOTHING under unknown.
    In other words, nothing was the matter. From now on I will always run the program as admin.

    Before arriving at your post, trying to find the ‘unknown’,
    I stopped Windows Restore, deleted hiberfil.sys and stopped that nasty wmpnetwk process (it had built a database of about 1.2 GB). I have no backups set up.

    Thus freeing quite a bit of the drive.

    Regardless, it’s nice to see that the supposed unknown is just Windows files.

    Thanks again. Danke.

    By the way, I agree 100% about the English-language-only version being a terribly silly idea.

  7. Eddie says:

    This worked for me to reclaim “Unknown” usage in WinDirStat

    My Windows Vista “C” drive showed 39 GB “Unknown” out of 68 GB used. Here’s how I solved the problem:

    1. Using Windows Explorer, right click “C” drive.

    2. Click ‘Properties’.

    3. Click ‘Disk Cleanup’.

    4. In the small window that pops up choose ‘Files from all users….’

    5. After disk cleanup calculates how much space you will be able to free up, a new
    small window pops up. On this window, click ‘More Options’ tab.

    6. In the ‘System Restore and Shadow Copies’ section, click ‘Clean Up’.

    7. Then you can delete all old copies of the system restore data, leaving the most current.

    This procedure cleaned up the “Unknown” 39 GB and left me with 29 GB used.

  8. Andreas says:

    Got Lenovo-Doze with 80 GB unknown. But I couldn’t figure out what it was.

    All hints above (running WDS in admin mode; switching restore points on & off; running chkdsk /f) didn’t free up those 80 GB.

    The hint from whbecker finally helped:
    You might try SpaceSniffer. Here’s a link: http://download.cnet.com/SpaceSniffer/3000-18512_4-10913555.html
    Run as administrator and you can see into those “black holes” of WinDirStat. Once you know what’s in that space you can sort out how to free it up.

    It was Rescue & Recovery from Lenovo. Went to C:\RRbackups\SZ and deleted the file.

    Apart from the unknown-topic, WDS is a great tool, thanks a lot guys!!!

  9. Lennart says:

    Watch out!! VIRUS!!!

    Don’t visit the site. Right now they have a virus on their site.

    It’s from an advertisement.

  10. Oliver says:

    Lennart, please be more precise. Which site? download.cnet.com?

    I think they are bundling their downloads with some spyware lately. At least that was reported in the UltraVNC forums, which I host. But I doubt it’s truly a virus. Could you point to an exact file? If possible, use the contact form and send me a link straight away.

    Thanks.

  11. Lennart says:

    Yes Oliver, it’s http://download.cnet.com (the whole site)
    because of their advertisements with links to:
    adlog.com.com/adlog/ etc.…
    download.cnet.com/SpaceSniffer/3000 etc.…
    i.i.com.com/cnwk.1d/Ads/ etc.…
    IP-address: 64.30.224.114

    ESET NOD32 says: The address has been blocked.
