Wonders and Mysteries of WinSXS

[Alan_B]

Travellers beware - Dragons be here.

 

When Registry Cleaning "Unused File Extensions" was enhanced a year or two ago,

and it suddenly reported problems with something related to "ehome".

I found at that time that this was related to Windows Media Center which was not part of my system,

and had no presence in either System32 of SysWow64 but was plastered all over WinSXS.

 

I have just used Locate32 to search for ehome and found 189 files and 164 directories.

I am surprised that a HDD can hold all of that Windows Media Center stuff and also find space to accommodate some media to be played

 

I have selected

C:\Windows\winsxs\amd64_ehome-bdatunepia_31bf3856ad364e35_6.1.7601.17514_none_4bcd40fd63f3f7b4\

This holds the file

BDATunePIA.dll

243 KB (249,344 bytes) Created & Modified & Accessed ‎21 ‎November ‎2010, ‏‎03:24:42

 

I used Search on Defraggler 2.13.670 and it found 4 instances of this file at

BDATunePIA.dll 1 238080 C:\Windows\winsxs\wow64_ehome-bdatunepia_31bf3856ad364e35_6.1.7601.17514_none_5621eb4f9854b9af\
BDATunePIA.dll 1 249344 C:\Windows\winsxs\amd64_ehome-bdatunepia_31bf3856ad364e35_6.1.7601.17514_none_4bcd40fd63f3f7b4\
BDATunePIA.dll 1 249344 C:\Windows\winsxs\amd64_bdatunepia_31bf3856ad364e35_6.1.7601.17514_none_c81348afa0c88995\
BDATunePIA.dll 1 238080 C:\Windows\winsxs\x86_bdatunepia_31bf3856ad364e35_6.1.7601.17514_none_6bf4ad2be86b185f\

It is worth noting that these CANNOT be hard links to files in System32 or SysWow64 because if they were then Defraggler should have found these files on those paths also.

I also think it would be naughty of Defraggler to try to defrag Hard Links - Bug Report Naughty

 

I am absolutely convinced that some real files consume real amounts of Disk space within WinSXS.

 

I am strongly inclined to believe the experts who claim that all the files that appear to live within System32 and SysWow64 are actually Hard Links to the alternative realities within WinSXS,

 

But I recognise the diabolical deviousness of Microsoft's underhand methology,

and would not be surprised if Microsoft kept us confused by NOT placing hard links as they are required in System32 etc.

but instead MOVED the files from WinSXS into System32 and then placed Hard Links in WinSXS to make it seem as though they still lived in WinSXS

 

I Used Defraggler to search for a file that I knew could be found in System32 and SysWow64, namely CMD.EXE

This is what it found

cmd.exe 1 345088 C:\Windows\System32\
cmd.exe 1 302592 C:\Windows\winsxs\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_f387767e655cd5ab\ 

This indicates that there is a real presence in both System32 and also WinSXS\WOW64 ( WOW - I never knew that before )

 

Now using Locate32 and searching for CMD.EXE the results are

Name Size Date Modified In Folder Type
cmd 337 KB 21/11/2010 03:23 C:\Windows\System32
cmd 337 KB 21/11/2010 03:23 C:\Windows\winsxs\amd64_microsoftwindowscommandprompt_31bf3856ad364e35_6.1.7601.17514_none_e932cc2c30fc13b0
cmd 296 KB 21/11/2010 03:24 C:\Windows\SysWOW64
cmd 296 KB 21/11/2010 03:24 C:\Windows\winsxs\wow64_microsoft-windowscommandprompt_31bf3856ad364e35_6.1.7601.17514_none_f387767e655cd5ab

Conclusion :- CMD.EXE appears in 4 locations, and two of those locations are real and two are Hard Link smoke-n-mirrows phantoms.

quite surprisingly the larger 64 bit executable lives in System32

but the smaller 32 bit execuatble lives in WinSXS\SysWOW64.

 

I have now tested Attrib.EXE

This really exists in both System32 and SysWOW64

But Locate32 finds the real plus the Hard Links at

Name Size Date Modified In Folder

attrib 18 KB 14/07/2009 01:38 C:\Windows\System32

attrib 18 KB 14/07/2009 01:38 C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22

attrib 16 KB 14/07/2009 01:14 C:\Windows\SysWOW64

attrib 16 KB 14/07/2009 01:14 C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec

The excitement is too much.

My brain hurts.

I am giving up whilst I am ahead.

 

Regards

Alan

[Willy2]

@Alan: How do you know for sure that these are hard links and not the real stuff (files) ? It looks to me that MS simply updates a file and places a copy in WinSXS. Sure, this is an "Evil MS Conspiracy", right ?

 

More info:

http://windows7theme...-windows-7.html

http://windows7theme...olic-links.html

[Alan_B]

I know for sure that Defraggler is intended to defragment ALL genuine files,

and not some form of reparse point or Hard Link.

Unless of course you know different

 

Therefore when Locate32 or Windows Explorer or any other sort for File Finder can find on a path something that LOOKS like a file but is not seen by Defraggler

I can only assume it to be some form of reparse point or Hard Link.

 

Alan

[Willy2]

I see. I tried the Search function in Defraggler and "wasn't impressed". I've dumped both Locate32 and Everything. Even a simple MSDOS command "Dir ....." was better, found more. I switched to "SearchMyfiles". Much better, IMO.

http://www.nirsoft.net/utils/search_my_files.html

[Alan_B]

I agree that Nirsoft is better - if you want to time the boiling of an Egg

 

SearchMyFies took 15 Seconds to search for CMD.EXE in partition C:\,

and it reported the same 4 items that Locate32 reported.

 

Defraggler is 6 times faster - it took 2.5 seconds to report the two GENUINE files that actually exist and consume Hard Drive space.

I will however concede that it takes an extra 0.5 seconds to click on the Filename header to sort in name order so that both cmd.exe appear together between appcmd.exe.mui and cmd.exe.mui

O.K. - it is 5 times faster.

 

Defraggler walks where angels fear to tread

I have just searched for "tracking.log" in partition C:\.

The search was completed in two seconds, finding one instance within C:\System Volume Information\

 

SearchMyFiles scanned C:\ for 13 Seconds and found nothing at all - it could not penetrate Access Control Level exclusion.

 

I accept that SearchMyFies has many more options that can be configured if you wish to spend the time optimising it,

BUT for a quick detection Defraggler searches 6 times faster and does NOT repeat the lies of File Searchers such as SearchMyFiles that believe Hard Links are real files.

 

I value truth, and would prefer to wait twice as long for a true fact rather than a comfortable fiction,

and I am exuberant that in fact the truth comes 6 times faster than the peddling of Microsoft Fiction

 

Regards

Alan

[Willy2]

I DO like boiled eggs !!!

 

I must confess the latest Defraggler version does an amazing job finding files. (I stopped using this feature MANY versions ago). Whereas Locate32 finds e.g. deleted files as well !! And it's this "finding too much" is the reason why I don't like the program. Too much confusion.

[login123]

OK, I'm hooked, which Defraggler version are you using, Alan?

I don't even care if it cooks or not.

[Alan_B]

I found this feature on DF v2.11 and it remains on v2.13.670 (64 bit)

I was disappointed by a limitation in v2.11 and it remains in v2.13

Basically it will only find files that are 613 bytes or bigger.

I would really like to specify the name of a file and know if it exists - even if it is small enough to fit in the MFT - even if it is zero bytes.

 

Please note that to search with defraggler you simply launch and select a partition.

There is no need to Analyze or Defrag

Then you click on Search TAB

Then you tick TWO boxes

"Filename contains:"

"Include non-fragmented files"

Then type the filename and click the Search BUTTON.

 

My bug report is at

http://forum.pirifor...showtopic=38192

You are welcome to "Like" it and bump it up.

 

Alan

[login123]

Thank you. Much exploring to do now.