Windows recycle bin analysis tool


Recycle Bin has 2 major formats, which can be roughly divided as “before Vista” and “after Vista”.

Before Vista, known as the INFO2 file

This hidden file is located in \RECYCLED folder (FAT16/32) or \RECYCLER\<sid> folder (NTFS). MSDN has a complete explanation about the name difference. Although researched info about this older format has been widely circulated, there are some inaccuracies in my opinion regarding the INFO2 data fields. Besides, available info generally covers XP/2003 format, which is a bit different from earlier Windows (95, 98, ME, etc).

Note: <sid> stands for Security Identifier, which is unique for each user on a system.

After Vista, known as \$Recycle.bin folder

For this format, recycle bin folder is located in $Recycle.bin\<sid>. Deletion info for recycled files are not stored in single file. Instead, each recycled file has its own accompanied index file with very similar name. When original file is permanently deleted or restored, the corresponding index file would be removed too.