Recycle Bin Manipulation

Introduction

The recycle bin is one of the most useful features of Windows and many other operating systems. You can recover files you accidentally delete, and it makes deleting files easy for the end user.

But what most people don't know is how the recycle bin stores files, and that is what we are going to look into today.

NOTE: This is a pretty hefty read.

Introduction Continued

What some of you may not know is that the recycle bin can store multiple files with the same name and file type, as shown in the image below. This is merely an example, as I'm going to mess about with this in more depth by changing the file size displayed in the recycle bin.

In order for this to work, we are going to have to set a few things up. Firstly we have to make sure Windows shuts down fully, as Windows comes with a feature called Fast Startup (fast boot). In a nutshell, Fast Startup writes part of the running system to the HDD/SSD at shutdown so Windows can boot faster and pick up what you were previously doing; a volume left in that state can't be safely mounted read-write from Linux, which is why we turn it off. Restarting skips this process, which is why you are advised to restart rather than shut down when Windows is messing about.

Anyway, I'm starting to ramble, so let's get this show on the road. To start, open Command Prompt as admin: press the Windows key on your keyboard, type cmd, then right-click Command Prompt and click Run as administrator.

Prerequisites

Now, this part is where I think a lot of you will just give up and stop copying what I do, but continue reading anyway because you are slightly interested in what's going on.

Anyway, you are going to need a bootable version of Ubuntu/Debian/Linux Mint. There are a ton of tutorials online showing how to flash a Linux .img/.iso to a USB so you can install the OS, so I won't go into that.

NOTE: I'm not sure if this will work on a live install or not, as I have the OS installed onto my SSD, but I don't see why it wouldn't work.

Once you have opened Command Prompt as an administrator, type "powercfg /h off" and press Enter (this turns off hibernation, which Fast Startup relies on). Command Prompt should show something like what's in the image below.

After that, don't close Command Prompt, as we will be needing it.

Now we have to find out our profile SID, as our recycle bin folder is named after it. In the Command Prompt window I told you not to close, type "wmic useraccount get name,sid" and press Enter. The output should look something like what's below.

Take note of your SID; in this case mine is the one for patri.

You can take note of your SID any way you like, but the easiest way is to write it down in a .txt document on your desktop so you can open it in Linux later.

Installing A Hex Editor

For my Linux installation, I chose Lubuntu as it's lightweight and simple to use, and also because my 10-year-old laptop struggles with any other OS. To begin, we will need to download some software. Open a terminal by pressing Ctrl + Alt + T, type "sudo apt-get update && sudo apt-get install ghex" and press Enter. It will ask for your password; type it in (it won't show any symbols on most Linux distros) and hit Enter. A ton of text will fly by; if it prompts you to press y or n, press y then Enter, and ghex will be installed.

The output will be something similar to what's below.

Finding Your Recycle Bin Folder

To find your recycle bin folder you are going to have to mount your Windows partition with read-write access. To do this, open a terminal and type gnome-disks; a window that looks like what's below will open.

Using GNOME Disks, find the partition Windows is installed on. The easiest way is to look for a partition that is NTFS formatted and is the size your C: drive is when you open Explorer. In my case, my Windows partition is Partition 2 on my 240 GB disk. Once you have found your partition, click it once and then look below where it says Device; it should look something like /dev/sdaX, X being a number. For me, mine is /dev/sda2.

Using this information, download this zip file and extract it.

Once downloaded, go to your Downloads folder and double-click the drive.zip file. The drive.zip file should open up in another program. Drag the "Mount C: Drive.sh" file inside the zip into your Downloads folder, then close the program that opened when you double-clicked the zip file. Delete the zip file, as we won't be needing it anymore, then right-click the "Mount C: Drive.sh" file and open it with the text editor. The code should look exactly like what's in the image below; if not, don't continue, as someone has somehow replaced the file with something potentially malicious.

A basic rundown of the code works like this:

  • mkdir ~/Desktop/mounts     Creates a folder called mounts on your desktop
  • sudo ntfs-3g /dev/sda2 ~/Desktop/mounts     Mounts the C: drive to the mounts folder on your desktop
  • sleep 1     Keeps the terminal open long enough so C: won't unmount immediately

Now, for this to work for you, we are going to have to make one little edit to this file. Remembering back to when I told you to find your Windows partition, we need to change /dev/sda2 in the "Mount C: Drive.sh" file to your Windows partition's device location. Example: if your Windows partition's device location is /dev/sda3, change /dev/sda2 to /dev/sda3.

Once the amendments have been made, save the file and close the text editor.

Now, the chances of this file not working after editing it are high (the script won't have the execute permission set), so we are going to have to fix this: right-click the "Mount C: Drive.sh" file and click Properties.

Now go to the Permissions tab and tick "allow executing as file"; if this tickbox isn't there, change Execute to Anyone, then click OK.

Now double-click "Mount C: Drive.sh" and click Execute. This will run the commands mentioned in the previous paragraph; once 5 seconds have gone by, everything should be ready to mess about with.

On your desktop, there should be a new folder called mounts. Open this folder and your C: drive contents should be inside. Navigate to $Recycle.Bin and then open the folder named after your SID. Inside there should be at least 2 files; there may be more, but that doesn't matter.

In the image below is the contents of my recycle bin.

As you can see in the image above, I have 2 files, one called $IY9SRB4 and one called $RY9SRB4; as you may have noticed, they have the same name after the $R or $I prefix. As the name is randomly assigned upon deletion, this is how we can have multiple files with the same name and file type.

The file that starts with $R contains the contents of whatever was deleted. For example, if the file you deleted had the word "lol" inside it, the file $RY9SRB4 would contain the word "lol".

The file beginning with $I contains metadata for the file that was deleted, including the original name of the file. Windows also uses this file to store the size of the deleted file, and with a hex editor we can trick Windows into displaying an over-exaggerated file size. Note that this only changes what the Recycle Bin displays; the $R file's real size on disk is unchanged.

So now let's move on to a kind of bonus section, if you will. This bit isn't important to follow, but if you want to follow it then you can.

To begin, right-click the file beginning with $I and click Open With. Go to the Custom Command Line tab, then in the "Command line to execute" box type ghex and click OK.

Once done, a window that looks like what's in the image below should open up.

The area underlined in red is the file header; it is always 02 00 00 00 00 00 00 00.

The area underlined in blue contains the file size displayed in the recycle bin.

The area underlined in green contains the deletion date of the file.

The area underlined in yellow contains the file name length.

The area underlined in magenta contains the filename and where it was originally located, so it can be restored to the location it was deleted from.

I decided that I wanted to set the file size to the maximum possible allowed. To do this, I changed the numbers underlined in blue from 00 00 00 00 00 00 00 00 to ff ff ff ff ff ff ff 7f; this can't go any higher. Once I finished changing the values to what I wanted, I closed the program and clicked Save on the dialogue box that opened up.
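Since the screenshots are not on the page, here is an added Python example (not from the original post) that decodes the same fields at their byte offsets, builds a constructed $I record edited exactly as described above, and applies the check a forensic reviewer would use: comparing the size claimed in $I against the real size of the $R file. It goes beyond the post in also handling the older version-1 layout (header 01) found on Vista/7/8.1; the path C:\Users\patri\Desktop\lol.txt and the timestamp are made-up sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

# Version-2 $I layout (the colour-coded fields in the post), all little-endian:
#   0x00 8 bytes header/version (02 00 .. 00)   0x08 8 bytes file size shown in the bin
#   0x10 8 bytes deletion time (FILETIME)        0x18 4 bytes path length in UTF-16 units
#   0x1c ..      original path, UTF-16LE, NUL-terminated
# Version 1 (Vista/7/8.1) has no length field; its path occupies a fixed 520 bytes.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH  # integer maths so large tick counts stay exact
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def parse_dollar_i(data: bytes) -> dict:
    """Decode header, claimed size, deletion time and original path of a $I record."""
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    elif version == 1:
        raw = data[24:24 + 520]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(filetime), "path": path}

def build_dollar_i(size: int, deleted: datetime, path: str) -> bytes:
    """Build a version-2 $I record; used here only to construct the sample input."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted), len(encoded) // 2) + encoded

def size_mismatch(i_record: dict, r_file_size: int) -> bool:
    """True when the size claimed in $I disagrees with the real on-disk $R size."""
    return i_record["size"] != r_file_size

# Constructed sample: a $I edited as the post describes (size ff ff ff ff ff ff ff 7f)
# whose $R companion really holds the 3 bytes "lol". Path and timestamp are made up.
SAMPLE_I = build_dollar_i(0x7FFFFFFFFFFFFFFF, datetime(2019, 11, 1, 12, 0, tzinfo=timezone.utc),
                          r"C:\Users\patri\Desktop\lol.txt")
SAMPLE_R_SIZE = len(b"lol")

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_I)
    print(rec, "size mismatch:", size_mismatch(rec, SAMPLE_R_SIZE))
```

Run against a real $Recycle.Bin folder, the same comparison of each $I against its $R companion's `os.path.getsize` will flag any record whose displayed size has been tampered with.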

Now that we are done, we can reboot into Windows and see the result for ourselves.

As you can see in the image above, I have set the file to the biggest file size displayable, 7.99 EB (exabytes). To put that into perspective, the scale goes Kilobyte - Megabyte - Gigabyte - Terabyte - Petabyte - Exabyte.

This was a little dive into how the recycle bin works on Windows.

In about a year, when I can be bothered to spend a whole day typing up an article (what with the restarts and image editing), there will be another article about how to get multiple files with the same name, contents and file extension on the desktop.

And most importantly


Thanks for reading