[WinXP] C:\ fills itself miraculously

zodiac · **Posted:** Sat Jun 04, 2011 8:55 am

Hey everyone,

I just did a fresh install of WinXP up to SP3 on my X60.

Now my problem is, that the system drive C: fills itself up by about 1 MB per second without any visible cause, even when the computer is totally idle. This rate goes even higher, when its under load.

The free space on C: is about 4 gigs. The space taken is never getting cleared up, causing the system drive to reach 0 KB of free space eventually and making the system crash. Only after a reboot all the disappeared space is suddenly freely avaible again - of course getting eaten up by at least 1 MB per second once more.

I cant find any file, hidden or nonhidden, that is growing in size and neither can find my storage analyzing programs.

I've ran chkdsk which keeps telling me, that something with the data system is wrong and needs to be repaired. I do so during reboot, but the diagnosis stays.

I checked for viruses.

I also removed all programs possibly interfering with file structure, like Acronis True Image, PerfectDisk and so. But to no avail.

Now I am left quite clueless. My thoughts at this point are:

1. Since its about 1 MB per second lost and not a static piece of space, it must be some kind of process eating up the space (like a log file constantly getting filled with an error message) rather than a disk error .

2. Are there any files or log files, that are even "more hidden" than standard, so even when the option "display hidden files" is checked, those files stay out of sight? Because as I said - Windows and all the other folders on the system drive dont grow in size as the space gets eaten up.

3. Are there any Windows processes responsible for constantly cleaning up "working files" (not just Temp), that programs and processes leave on the system drive? I might have disabled such a process by accident during Windows tune-up causing the system drive to constantly fill up with trash.

4. Which file is responsible for correct space allocation on drives? It might have gone corrupt during setup of the service packs or any other programs. How may it be repaired? But would it really cause a rate of "space eat up" or rather a constant misallocation of space?

Hey thanks for reading that far! Hope somebody has a clue for me.

All the best and enjoy your weekend,
Martin

Harryc · **Posted:** Sat Jun 04, 2011 9:14 am

Are you running Thinkvantage Rescue and Recovery? If yes, try turning off scheduled backups, and check the size of the hidden folder C:\RRbackups

zodiac · **Posted:** Sat Jun 04, 2011 9:54 am

Thanks for the quick answer. But I took RR of the machine completely straight after I bought it in 2008.

emeraldgirl08 · **Posted:** Sat Jun 04, 2011 10:04 am

It may be the system restore files that are huge. I usually clean mine out to the last restore point and I usually regain a couple of gigabytes of storage.

zodiac · **Posted:** Sat Jun 04, 2011 10:24 am

But they would show up as measurable files, wouldnt they?

My problem is, that the space seems to disappear into nowhere...

rkawakami · **Posted:** Sat Jun 04, 2011 2:28 pm

Process Monitor is a tool that might point you in the right direction:

http://ask-leo.com/i_have_constant_disk ... ng_it.html

zodiac · **Posted:** Mon Jun 20, 2011 7:05 pm

Back again and hello!

I was busy over the last two weeks so I got to try out Process Monitor just tonight. The results are rather awkward:I could not really make out any particular process. But opening and then closing Process Monitor seems to stop the fill-up of C:/ until the next reboot.

Any idea why it is that way? Does that give you a hint what might be causing the fill-up?

All the best,
Martin

ozzymud · **Posted:** Tue Jun 21, 2011 1:28 am

Not a clue, as it's name implies, Process Monitor only monitors apps... doesn't end any of their processes...

Me being the parinoid type... An app could watch memory to see if it is being spied on, then end itself...

Think a virus... watches for processes that could find it to start... ends itself to hide.... just thinking way out the box here

Try renaming the process monitor's EXE then run it after a reboot and run it... find any line whose operation is "WriteFile", right click on the word WriteFile and choose Include 'WriteFile'

This will narrow what all is shown to only writes (i.e. stuff that can fill a hard disk)... the machine I'm currently on shows: AvastSvc, uTorrent, Thunderbird, and a svchost for PROCMON.EXE... nothing out of the ordinary there (uTorrent could fill a drive, but I know it is running and why

)

Once you have a list of apps that are writing to the drive, task manager can be used to kill them one at a time till the drive stops filling.

Also, just out of curiosity... click start-->run-->type in cmd and hit enter, then type tasklist... copy/paste that output here... like so:

C:\>tasklist

Code:

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        268 K
smss.exe                     864 Console                 0        392 K
csrss.exe                    916 Console                 0      6,180 K
winlogon.exe                 944 Console                 0      4,572 K
services.exe                 988 Console                 0      5,872 K
lsass.exe                   1000 Console                 0      1,636 K
svchost.exe                 1164 Console                 0      5,180 K
svchost.exe                 1264 Console                 0      4,820 K
svchost.exe                 1412 Console                 0     67,252 K
svchost.exe                 1528 Console                 0      7,752 K
AvastSvc.exe                1800 Console                 0     27,016 K
spoolsv.exe                  360 Console                 0      7,044 K
svchost.exe                  432 Console                 0     15,368 K
svchost.exe                  512 Console                 0      4,488 K
alg.exe                     1732 Console                 0      3,820 K
svchost.exe                 1672 Console                 0      3,700 K
palemoon.exe                2948 Console                 0    214,284 K
thunderbird.exe             2856 Console                 0     74,452 K
explorer.exe                3952 Console                 0     49,180 K
uTorrent.exe                4736 Console                 0      6,856 K
Procmon.exe                 5464 Console                 0     11,620 K
cmd.exe                     5076 Console                 0      2,832 K
wmiprvse.exe                2144 Console                 0      6,040 K
tasklist.exe                2228 Console                 0      4,400 

We can take a look at it and possibly see something more.

Majestic · **Posted:** Tue Jun 21, 2011 7:58 am

In addition to Ozzy's suggestion, if you have difficulty with the copy and paste then type this from the DOS Command Prompt.....

tasklist > c:\tasklist.txt

That command will redirect the Tasklist listing to a text file called "tasklist" which can be found in the C:\ folder.

zodiac · **Posted:** Tue Jun 21, 2011 7:45 pm

Hello again,

followed Ozzy's suggestions and renamed the Process Monitor EXE. Changed little and I didnt find anything particulary interesting. The only processes causing disk write during idle are svchost.exe and services.exe, mainly prefetch stuff. And their overall amount of writing never accounts for a loss of 1 Mbyte per second!

My task list before starting and ending procmon is:

Code:

System Idle Process           0 Console                   0            16 K
System                        4 Console                   0           224 K
smss.exe                    588 Console                   0           412 K
csrss.exe                   644 Console                   0         4.156 K
winlogon.exe                668 Console                   0         1.700 K
services.exe                712 Console                   0         3.496 K
lsass.exe                   724 Console                   0         1.568 K
ibmpmsvc.exe                912 Console                   0         1.420 K
svchost.exe                 960 Console                   0         4.944 K
svchost.exe                1044 Console                   0         4.340 K
svchost.exe                1124 Console                   0        23.692 K
svchost.exe                1180 Console                   0         3.568 K
svchost.exe                1212 Console                   0         5.192 K
explorer.exe               1528 Console                   0        24.312 K
spoolsv.exe                1596 Console                   0         5.408 K
sched.exe                  1660 Console                   0           940 K
svchost.exe                1712 Console                   0         3.780 K
avgnt.exe                  1824 Console                   0         2.932 K
rundll32.exe               1832 Console                   0        35.380 K
hkcmd.exe                  1852 Console                   0         3.332 K
TpShocks.exe               1860 Console                   0         2.440 K
FirewallGUI.exe            1884 Console                   0         2.196 K
igfxsrvc.exe               1900 Console                   0         2.948 K
ctfmon.exe                 1944 Console                   0         3.040 K
ONENOTEM.EXE                276 Console                   0           344 K
igfxext.exe                 424 Console                   0         2.760 K
tphkload.exe                544 Console                   0         2.648 K
TPHKSVC.exe                 560 Console                   0         4.248 K
avguard.exe                 636 Console                   0        76.444 K
mscorsvw.exe                648 Console                   0         3.848 K
DOZESVC.EXE                 860 Console                   0         1.164 K
PresentationFontCache.exe  1088 Console                   0         7.828 K
avshadow.exe               1324 Console                   0         2.624 K
mdm.exe                    1412 Console                   0         2.488 K
FWService.exe              1484 Console                   0         7.568 K
TPOSDSVC.exe               1732 Console                   0         4.724 K
HPZipm12.exe                924 Console                   0         1.728 K
svchost.exe                 236 Console                   0         4.268 K
TPONSCR.exe                 304 Console                   0         2.300 K
TpScrex.exe                 312 Console                   0         2.652 K
PWMDBSVC.exe                852 Console                   0         4.032 K
PWMEWSVC.exe               1456 Console                   0         7.208 K
SCHTASK.EXE                1016 Console                   0         1.852 K
wmiprvse.exe               2880 Console                   0         4.904 K
cmd.exe                    2568 Console                   0         2.736 K
tasklist.exe               2740 Console                   0         4.384 K
wmiprvse.exe               2768 Console  

All the best,
Martin

ozzymud · **Posted:** Tue Jun 21, 2011 8:40 pm

Hrm, not much out of the ordinary... a few things though...

Did you recently install or upgrade MS .NET? As I see mscorsvw.exe running... usually it is gone after like half an hour. Read about that here: http://blogs.msdn.com/b/davidnotario/ar ... 12838.aspx

To see what all the svchost.exe's are running...

Code:

tasklist /fi "Imagename eq svchost.exe"

run in terminal, redirect to .txt with > if desired
do the same for rundll32.exe to see what that is

and also for what scheduler is doing run...

Code:

at

also in the terminal, can also be redirected to a .txt with >

past that, I don't see any process that would do anything like you describe...

And to answer your original question on "more hidden" files... yes, they do exist on NTFS volumes, they are called ADS (Alternate Data Streams)... give this a read...

http://www.bleepingcomputer.com/tutoria ... ial25.html

As you can see from that, an ADS executable, along with an ADS data stream could easily do what your saying... run lads from c:\ with the /s switch... lads /s

Past that, boot to safe mode... open a terminal and run:

Code:

cd \
dir /s > dir1.txt

then reboot normally, wait for the sys to start eating drive space (not too long though, don't wanna crash just yet

) and run the same command except change dir1.txt to dir2.txt... after that finishes... run:

Code:

fc dir1.txt dir2.txt

C:\>fc dir1.txt dir2.txt
Comparing files dir1.txt and dir2.txt
FC: no differences encountered

if there are no ADS streams, and you get the same file compare result... I would be at a total and complete loss... When you reinstalled XP... was it from a trusted/pressed CD? were all drivers freshly downloaded from the manufacturer?

Majestic · **Posted:** Wed Jun 22, 2011 7:17 am

Martin, have you tried disabling your anti-virus software? In your Tasklist I see an entry for avshadow.exe which is a process for shadow coping locked files in Vista & Win 7 for AV scanning. Since you are using Win XP, maybe this Avira feature is running amok on your system.

Colonel O'Neill · **Posted:** Wed Jun 22, 2011 7:29 am

What about one of those spatial file managers? They usually help identify large files or folders.

ozzymud · **Posted:** Wed Jun 22, 2011 11:43 am

Colonel O'Neill wrote:

What about one of those spatial file managers? They usually help identify large files or folders.

That's pretty much why I wanted to see a FC of the before and after... but most definately something like http://windirstat.info/ - WinDirStat could help visually.

EDIT: As an aside and my own parinoia.. i ran lads /s on my c:\

You should pretty much ignore any "Error 32" you get, just look at the names of the files that give this error, they are open, should be mainly NTUSER and .log files (normal in XP)

You might find a lot of ZoneInfo ones... this is a flag that says "I was downloaded", i.e. the warning you get opening a file till you uncheck show this. (See: http://gasanov.net/ZoneIDTrimmer.asp )

and a lot of Thumbs.db attached streams... I normally turn off Thumbs.db creation anyways, but there are some installed with programs here and there. safe to delete all Thumbs.db (see: http://www.annoyances.org/exec/show/article03-204 )

I had ONE wierd one... attached to c:\windows as :A459007298 ... WTF? anyhoo... I got this dll from http://www.wikistc.org/wiki/Alternate_d ... ng_streams , registered it and added the reg entries to add a streams tab to folders/drives per the instructions and deleted that stream. Still have zero clue why it was there to begin with... paranoia rules!

after all was said and done... 0 bytes in 0 ADS listed only thing listed is the normal Error 32 stuff

zodiac · **Posted:** Mon Jun 27, 2011 2:06 pm

Cheers for all the tipps. Finally found the time to work through all of that.

1 - Tasklist of svchost, rundll32 and scheduler

Code:

svchost.exe                1176 Console                   0         4.864 K
svchost.exe                1256 Console                   0         4.360 K
svchost.exe                1312 Console                   0        20.532 K
svchost.exe                1424 Console                   0         3.548 K
svchost.exe                1472 Console                   0         5.212 K
svchost.exe                1956 Console                   0         3.328 K
svchost.exe                 828 Console                   0         4.156 K

rundll32.exe                232 Console                   0        37.040 K

SCHTASK.EXE                3592 Console                   0         1.856 K

2 - lads

Couldnt run it on my system, says the command does not exist...

3 - Comparing directories normal & safe mode

Well, thats a bit embarrasing, but I get an unsolvable bluescreen everytime I try to boot into safe mode. So no results here.

4 - Trusted CD

Yes, the CD is trusted.

5 - AVShadow

Threw AntiVir off the machine, AVShadow went with it. No changes.

6 - WinDirStat

Doesnt show any changes in visible files. Just the partition size shrinks over time.

At this point, it would probably most reasonable to just format C: and reinstall Windows. But the little Sherlock inside of me really wants to know...

All the best,
Martin

Majestic · **Posted:** Mon Jun 27, 2011 3:31 pm

One other suggestion..... have you checked the size of the Page File to see if the size increases? Your pagefile.sys should be located in the C:\ folder. If it is hidden you will have to change your folder options to Show Hidden Files under the View tab of Folder Options.

Speaking of hidden files.... if you previously had your folder options set to hide hidden files, you might want to take a second look at your hard drive after changing the option to show hidden files. The problematic file may have been hidden from view.

ozzymud · **Posted:** Mon Jun 27, 2011 4:14 pm

LADS is a 3rd party freeware program, just extract it to \windows\system32 ...

http://www.heysoft.de/en/software/lads.php

Not being able to boot into safe mode, but being able to boot normally... that is totally weird

smugiri · **Posted:** Tue Jun 28, 2011 9:26 am

Try the scanner tool on this page to see where drive space is being used up. It is very intuitive to use and will lead you right to the folder where the bulk of the space is being used up.

You can click on each of the pie sectors for each directory to drill in to see details for just that folder.

ozzymud · **Posted:** Tue Jun 28, 2011 7:53 pm

zodiac wrote:

1 - Tasklist of svchost, rundll32 and scheduler

My bad on that... forgot a "/m" in my command... shoulda read:

Code:

tasklist /m /fi "Imagename eq svchost.exe"

this shows what the main process is actually doing, a list of "svchost.exe" is not very informative, the /m switch gives better detail on each....

Code:

svchost.exe                 1492 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                 RPCRT4.dll, ShimEng.dll, AcGenral.DLL,
                                 USER32.dll, GDI32.dll, WINMM.dll, ole32.dll,
                                 msvcrt.dll, OLEAUT32.dll, MSACM32.dll,
                                 VERSION.dll, SHELL32.dll, SHLWAPI.dll,
                                 USERENV.dll, UxTheme.dll, imagehlp.dll,
                                 DBGHELP.dll, comctl32.dll, comctl32.dll,
                                 dnsrslvr.dll, DNSAPI.dll, WS2_32.dll,
                                 WS2HELP.dll, iphlpapi.dll, mswsock.dll,
                                 hnetcfg.dll, wshtcpip.dll

i.e. DNS Client service (from dnsrslvr.dll & DNSAPI.dll)

@smugiri: nice little find there, I had another similar app at one point, was open source even, still hunting for it.

zodiac · **Posted:** Sun Jul 03, 2011 1:27 pm

Thanks for your patience - I am really busy most days so I always have to look for a gap to tinker around. Ok, next round.

1 - Page File

Has its own partition.

2 - HD Scanner

Used that before. But as I said, none of the displayed files increases in size, instead the whole partition just decreases in size.

3 - Tasklist of svchost, rundll32 and scheduler

Code:

svchost.exe                1172 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                AcGenral.DLL, USER32.dll, GDI32.dll,
                                WINMM.dll, ole32.dll, msvcrt.dll,
                                OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                UxTheme.dll, IMM32.DLL, comctl32.dll,
                                comctl32.dll, NTMARTA.DLL, SAMLIB.dll,
                                WLDAP32.dll, rpcss.dll, WS2_32.dll,
                                WS2HELP.dll, xpsp2res.dll, CLBCATQ.DLL,
                                COMRes.dll, Apphelp.dll, termsrv.dll,
                                ICAAPI.dll, SETUPAPI.dll, WINTRUST.dll,
                                CRYPT32.dll, MSASN1.dll, IMAGEHLP.dll,
                                AUTHZ.dll, mstlsapi.dll, ACTIVEDS.dll,
                                adsldpc.dll, NETAPI32.dll, ATL.DLL,
                                REGAPI.dll, rsaenh.dll
svchost.exe                1252 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                AcGenral.DLL, USER32.dll, GDI32.dll,
                                WINMM.dll, ole32.dll, msvcrt.dll,
                                OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                UxTheme.dll, IMM32.DLL, comctl32.dll,
                                comctl32.dll, rpcss.dll, WS2_32.dll,
                                WS2HELP.dll, xpsp2res.dll, rsaenh.dll,
                                mswsock.dll, hnetcfg.dll, wshtcpip.dll,
                                DNSAPI.dll, iphlpapi.dll, winrnr.dll,
                                WLDAP32.dll, rasadhlp.dll, CLBCATQ.DLL,
                                COMRes.dll
svchost.exe                1344 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                AcGenral.DLL, USER32.dll, GDI32.dll,
                                WINMM.dll, ole32.dll, msvcrt.dll,
                                OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                UxTheme.dll, IMM32.DLL, comctl32.dll,
                                comctl32.dll, NTMARTA.DLL, SAMLIB.dll,
                                WLDAP32.dll, xpsp2res.dll, dhcpcsvc.dll,
                                DNSAPI.dll, WS2_32.dll, WS2HELP.dll,
                                iphlpapi.dll, wzcsvc.dll, rtutils.dll,
                                WMI.dll, CRYPT32.dll, MSASN1.dll,
                                EapolQec.dll, ATL.DLL, QUtil.dll,
                                MSVCP60.dll, dot3api.dll, WTSAPI32.dll,
                                WINSTA.dll, NETAPI32.dll, ESENT.dll,
                                CLBCATQ.DLL, COMRes.dll, rsaenh.dll,
                                rastls.dll, CRYPTUI.dll, WININET.dll,
                                Normaliz.dll, urlmon.dll, iertutil.dll,
                                WINTRUST.dll, IMAGEHLP.dll, MPRAPI.dll,
                                ACTIVEDS.dll, adsldpc.dll, SETUPAPI.dll,
                                RASAPI32.dll, rasman.dll, TAPI32.dll,
                                SCHANNEL.dll, WinSCard.dll, PSAPI.DLL,
                                raschap.dll, msv1_0.dll, cryptdll.dll,
                                shsvcs.dll, schedsvc.dll, NTDSAPI.dll,
                                MSIDLE.DLL, audiosrv.dll, WZCSAPI.DLL,
                                mswsock.dll, hnetcfg.dll, wshtcpip.dll,
                                cryptsvc.dll, certcli.dll, es.dll,
                                hidserv.dll, HID.DLL, srvsvc.dll,
                                seclogon.dll, sens.dll, srsvc.dll,
                                POWRPROF.dll, SXS.DLL, trkwks.dll,
                                wmisvc.dll, VSSAPI.DLL, comsvcs.dll,
                                colbact.DLL, MTXCLU.DLL, WSOCK32.dll,
                                CLUSAPI.DLL, RESUTILS.DLL, wbemcore.dll,
                                esscli.dll, wbemcomn.dll, FastProx.dll,
                                wbemsvc.dll, wmiutils.dll, repdrvfs.dll,
                                wmiprvsd.dll, NCObjAPI.DLL, wbemess.dll,
                                netman.dll, netshell.dll, credui.dll,
                                dot3dlg.dll, OneX.DLL, eappcfg.dll,
                                eappprxy.dll, upnp.dll, WINHTTP.dll,
                                SSDPAPI.dll, netcfgx.dll, rasmans.dll,
                                WINIPSEC.DLL, tapisrv.dll, rastapi.dll,
                                unimdm.tsp, uniplat.dll, kmddsp.tsp,
                                ndptsp.tsp, ipconf.tsp, h323.tsp,
                                hidphone.tsp, rasppp.dll, ntlsapi.dll,
                                kerberos.dll, RASQEC.DLL, rasadhlp.dll,
                                RASDLG.dll, ncprov.dll, wbemcons.dll
svchost.exe                1428 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                AcGenral.DLL, USER32.dll, GDI32.dll,
                                WINMM.dll, ole32.dll, msvcrt.dll,
                                OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                UxTheme.dll, IMM32.DLL, comctl32.dll,
                                comctl32.dll, dnsrslvr.dll, DNSAPI.dll,
                                WS2_32.dll, WS2HELP.dll, iphlpapi.dll,
                                rsaenh.dll, mswsock.dll, hnetcfg.dll,
                                wshtcpip.dll
svchost.exe                1524 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                AcGenral.DLL, USER32.dll, GDI32.dll,
                                WINMM.dll, ole32.dll, msvcrt.dll,
                                OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                UxTheme.dll, IMM32.DLL, comctl32.dll,
                                comctl32.dll, NTMARTA.DLL, SAMLIB.dll,
                                WLDAP32.dll, xpsp2res.dll, lmhsvc.dll,
                                iphlpapi.dll, WS2_32.dll, WS2HELP.dll,
                                regsvc.dll, ssdpsrv.dll, hnetcfg.dll,
                                CLBCATQ.DLL, COMRes.dll, mswsock.dll,
                                wshtcpip.dll, upnphost.dll, WINHTTP.dll,
                                SSDPAPI.dll, netapi32.dll
svchost.exe                1960 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                AcGenral.DLL, USER32.dll, GDI32.dll,
                                WINMM.dll, ole32.dll, msvcrt.dll,
                                OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                UxTheme.dll, IMM32.DLL, comctl32.dll,
                                comctl32.dll, NTMARTA.DLL, SAMLIB.dll,
                                WLDAP32.dll, xpsp2res.dll, webclnt.dll,
                                WININET.dll, Normaliz.dll, urlmon.dll,
                                iertutil.dll, WS2_32.dll, WS2HELP.dll
svchost.exe                1376 ntdll.dll, kernel32.dll, ADVAPI32.dll,
                                RPCRT4.dll, Secur32.dll, ShimEng.dll,
                                AcGenral.DLL, USER32.dll, GDI32.dll,
                                WINMM.dll, ole32.dll, msvcrt.dll,
                                OLEAUT32.dll, MSACM32.dll, VERSION.dll,
                                SHELL32.dll, SHLWAPI.dll, USERENV.dll,
                                UxTheme.dll, IMM32.DLL, comctl32.dll,
                                comctl32.dll, wiaservc.dll, CFGMGR32.dll,
                                setupapi.DLL, mscms.dll, WINSPOOL.DRV,
                                WINSTA.dll, NETAPI32.dll, xpsp2res.dll,
                                CLBCATQ.DLL, COMRes.dll, WINTRUST.dll,
                                CRYPT32.dll, MSASN1.dll, IMAGEHLP.dll,
                                hpgwiamd.dll, actxprxy.dll

rundll32.exe                224 ntdll.dll, kernel32.dll, msvcrt.dll,
                                GDI32.dll, USER32.dll, IMAGEHLP.dll,
                                ShimEng.dll, AcGenral.DLL, ADVAPI32.dll,
                                RPCRT4.dll, Secur32.dll, WINMM.dll,
                                ole32.dll, OLEAUT32.dll, MSACM32.dll,
                                VERSION.dll, SHELL32.dll, SHLWAPI.dll,
                                USERENV.dll, UxTheme.dll, IMM32.DLL,
                                comctl32.dll, comctl32.dll, PWRMGRTR.DLL,
                                MSVCR80.dll, MFC80U.DLL, MSIMG32.dll,
                                COMDLG32.dll, gdiplus.dll, SETUPAPI.dll,
                                mscoree.dll, MFC80DEU.DLL, PWRMGRRT.DLL,
                                msctfime.ime, PWRMGRIF.DLL, WINTRUST.dll,
                                CRYPT32.dll, MSASN1.dll, Sensor.dll,
                                NTMARTA.DLL, SAMLIB.dll, WLDAP32.dll,
                                POWRPROF.DLL, CLBCATQ.DLL, COMRes.dll,
                                xpsp2res.dll, IGFXEXPS.DLL, MSCTF.dll,
                                wdmaud.drv, msacm32.drv, midimap.dll,
                                mstask.dll, MPR.dll, NTDSAPI.dll,
                                DNSAPI.dll, WS2_32.dll, WS2HELP.dll,
                                NETAPI32.dll, DOZE.DLL, wbemprox.dll,
                                wbemcomn.dll, wbemsvc.dll, fastprox.dll,
                                MSVCP60.dll, Apphelp.dll, mscoreei.dll,
                                mscorwks.dll, mscorlib.ni.dll, rsaenh.dll,
                                mscorsec.dll, cryptnet.dll, PSAPI.DLL,
                                SensApi.dll, WINHTTP.dll, mswsock.dll,
                                hnetcfg.dll, wshtcpip.dll, RASAPI32.DLL,
                                rasman.dll, TAPI32.dll, rtutils.dll,
                                msv1_0.dll, cryptdll.dll, iphlpapi.dll,
                                rasadhlp.dll, mscorjit.dll, PWMUICtl.dll,
                                msvcm80.dll, PWRMGRRO.DLL,
                                PresentationFramework.dll, System.ni.dll,
                                WindowsBase.ni.dll, PresentationCore.ni.dll,
                                wpfgfx_v0300.dll, System.Drawing.ni.dll,
                                PWMUIAux.resources.dll, d3d9.dll,
                                d3d8thk.dll,
                                PresentationFramework.Classic.ni.dll,
                                WindowsCodecs.dll,
                                PresentationFramework.Luna.ni.dll,
                                UIAutomationProvider.ni.dll, urlmon.dll,
                                iertutil.dll, WtsApi32.dll, WINSTA.dll,
                                ATM.DLL

SCHTASK.EXE                3224 ntdll.dll, kernel32.dll, MSVCR80.dll,
                                msvcrt.dll, USER32.dll, GDI32.dll,
                                SHELL32.dll, ADVAPI32.dll, RPCRT4.dll,
                                Secur32.dll, SHLWAPI.dll, ole32.dll,
                                OLEAUT32.dll, WTSAPI32.dll, WINSTA.dll,
                                NETAPI32.dll, IMM32.DLL, comctl32.dll,
                                comctl32.dll, MSCTF.dll, CLBCATQ.DLL,
                                COMRes.dll, VERSION.dll, msxml3.dll,
                                msctfime.ime

4 - LADS

This is the result I got in normal mode. As I said, safe mode is broken somehow. I took the download records/zone identifiers out because of privacy.

Code:

Error 32 opening C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira\AntiVir Desktop\TEMP\avguard.tmp
       121  C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP\:C31F31E6
       125  C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP\:D282699C
Error 32 opening C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Error 32 opening C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Error 32 opening C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT
Error 32 opening C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG
       894  C:\Dokumente und Einstellungen\M. Winkelmann\Favoriten\Links\Vorgeschlagene Sites.url:favicon
Error 32 opening C:\Dokumente und Einstellungen\M. Winkelmann\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Error 32 opening C:\Dokumente und Einstellungen\M. Winkelmann\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Error 32 opening C:\Dokumente und Einstellungen\M. Winkelmann\NTUSER.DAT
Error 32 opening C:\Dokumente und Einstellungen\M. Winkelmann\ntuser.dat.LOG
Error 32 opening C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
Error 32 opening C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG
Error 32 opening C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT
Error 32 opening C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG
        23  C:\RECYCLER\S-1-5-21-1004336348-299502267-839522115-1003\Dc4.zip:Zone.Identifier
        23  C:\RECYCLER\S-1-5-21-1004336348-299502267-839522115-1003\Dc5.zip:Zone.Identifier
        23  C:\RECYCLER\S-1-5-21-1004336348-299502267-839522115-1003\Dc6.xlsx:Zone.Identifier
        23  C:\RECYCLER\S-1-5-21-1004336348-299502267-839522115-1003\Dc7.xlsx:Zone.Identifier
Error 32 opening C:\WINDOWS\system32\CatRoot2\edb.log
Error 32 opening C:\WINDOWS\system32\CatRoot2\tmp.edb
Error 32 opening C:\WINDOWS\system32\config\default
Error 32 opening C:\WINDOWS\system32\config\default.LOG
Error 32 opening C:\WINDOWS\system32\config\SAM
Error 32 opening C:\WINDOWS\system32\config\SAM.LOG
Error 32 opening C:\WINDOWS\system32\config\SECURITY
Error 32 opening C:\WINDOWS\system32\config\SECURITY.LOG
Error 32 opening C:\WINDOWS\system32\config\software
Error 32 opening C:\WINDOWS\system32\config\software.LOG
Error 32 opening C:\WINDOWS\system32\config\system
Error 32 opening C:\WINDOWS\system32\config\system.LOG
Error 32 opening C:\WINDOWS\system32\drivers\sptd.sys

The following summary might be incorrect because there was at least one error!

      2006 bytes in 28 ADS listed

Temporary Conclusion

Maybe its really just something with the C: partition's file management that went awry. May this be a reason for the blue screen I get when booting into safe mode? Or do you guys see anything unusual in the lists above?

Thanks alot & all the best!

ozzymud · **Posted:** Sun Jul 03, 2011 4:37 pm

Unfortunately, if you cannot get into safe mode... then something is totally off with this system, and that makes finding the root cause here almost impossible. I would think not being able to boot into safe mode more of an issue then the drive filling

Pavl · **Posted:** Thu Mar 08, 2012 2:11 pm

Just for info - I have just found the same problem. Xp pro SP2 on a Z61p. Have read most of the stuff I could find on the web and everybody mentions Lenovo RR and hibernate and the third party utilities that let you check disc space occupancy and a few other common issues that have already been mentioned.
The only (and sad) result is that no-one has a clear idea - plenty of suggestions.
Yes my Xp is from a legit purchased, licensed, MS activated CD.
However - I do not know when this space loss started so I am in no position to offer help yet.
This is happening on the primary (boot) partition - I have Linux on other partions and the Lenovo Service partion is in "healthy" condition and all partions visible to disk manager.
However I have a second drive in the bay for backup (Acronis) and general storage - frequent access across both drives but the second drive does not lose space - TreeSize matches "properties" exactly.
Norton finds zero on a full scan.
One note - my drive is new and not the original. Had to rebuild machine after a liquid spill. Had backups so nothing lost. Reinstalled from scratch using purchased OEM cd. And it seems that the invisible lost space was already in place - my backups are roughly the size that is shown on disc now (accounting for recent houskeeping)
It is very likely that my lost space may be a permission / access/ file / cock-up on my part and nothing malicious. But as said before - It would be good to know the cause.

#### EDITED with update - (after a power cut here in rural France)
FOUND. Having written the problem I realised that I was missing something simple (brains perhaps) but I downloaded the scanner that SMUGIRI mentioned.
And it does what the others dont - it found that my supposedly empty RRbackup was the largest thing on the drive.
So thank you Steffen Gerlach for that piece of work and smugiri for the suggestion.
So now all I have to do is get into the folder or kill it - not easy at first as permission is denied but I dont have all the Lenovo utilities on my machine as I did not put back the ones I did not want. Ho Hum.
Will post when sorted.

Pavl · **Posted:** Fri Mar 09, 2012 4:13 am

Followed advice elsewhere on this forum to use safe mode to get into RRbackups.
Dual boot with Linux controlling the sequence can make timing the F8 key a bit interesting.
In safe mode the security tab was visible in properties - but did not have to change anything as logged on as admin.
Just deleted the whole folder (yes - I have multiple backups and cloned drive).
Now richer by 53 Gb.
Thanks to contributers to this forum (with a little help from others on the web).

smugiri · **Posted:** Fri Mar 09, 2012 6:49 pm

Pavl wrote:

Just for info - I have just found the same problem. Xp pro SP2 on a Z61p. Have read most of the stuff I could find on the web and everybody mentions Lenovo RR and hibernate and the third party utilities that let you check disc space occupancy and a few other common issues that have already been mentioned.
The only (and sad) result is that no-one has a clear idea - plenty of suggestions.
Yes my Xp is from a legit purchased, licensed, MS activated CD.
However - I do not know when this space loss started so I am in no position to offer help yet.
This is happening on the primary (boot) partition - I have Linux on other partions and the Lenovo Service partion is in "healthy" condition and all partions visible to disk manager.
However I have a second drive in the bay for backup (Acronis) and general storage - frequent access across both drives but the second drive does not lose space - TreeSize matches "properties" exactly.
Norton finds zero on a full scan.
One note - my drive is new and not the original. Had to rebuild machine after a liquid spill. Had backups so nothing lost. Reinstalled from scratch using purchased OEM cd. And it seems that the invisible lost space was already in place - my backups are roughly the size that is shown on disc now (accounting for recent houskeeping)
It is very likely that my lost space may be a permission / access/ file / cock-up on my part and nothing malicious. But as said before - It would be good to know the cause.

#### EDITED with update - (after a power cut here in rural France)
FOUND. Having written the problem I realised that I was missing something simple (brains perhaps) but I downloaded the scanner that SMUGIRI mentioned.
And it does what the others dont - it found that my supposedly empty RRbackup was the largest thing on the drive.
So thank you Steffen Gerlach for that piece of work and smugiri for the suggestion.
So now all I have to do is get into the folder or kill it - not easy at first as permission is denied but I dont have all the Lenovo utilities on my machine as I did not put back the ones I did not want. Ho Hum.
Will post when sorted.

Glad to hear that it worked for you!

It is an excellent tool: you should consider giving a little donation if you like it.

Pavl · **Posted:** Sun Mar 11, 2012 7:48 am

Good idea Steve - Steffen is going on my Christmas list.

[WinXP] C:\ fills itself miraculously

Who is online