data folder just disappeared - really! any ideas?

Completely gone, poof. vanished. And I invented the ID-10-T error" joke so all the dumb user ideas have already been tried (I've seen them all and done most of them myself)...

M17x-R2, HD is a Sammy 128GB SSD, NTFS (duh), Win7 x64, UAC turned off from day 1, my user is in Administrators group and owns all the files on the disk.

I was in Explorer looking through some files, changed to a different directory to check a logfile and when I came back to the original directory, I got an error about not having enough rights to view the directory. Huh? I right click the folder and the security tab won't show me anything and all the buttons and entry fields are greyed out. I can see the folder in both panes but can't select it. It shows up in a dos dir listing but i can't cd into it or list its contents with dir. i wasn't thinking/got distracted and forgot to cacls before i rebooted. So, I reboot and the folder is completely gone. It's just a data folder, nothing special about it - not a system folder or anything (and I don't use any third-party "hide a folder" utility crap or anything like that, this drive isn't bitlocked or truecrypted or anything).

I reboot into safe mode and Administrator can't see it. I check the recycle bin, not there. At this point, I'm thinking, I must have moved it into another folder. A dir from the root of all drives on the box for certain file and folder names shows nothing. A quick Recuva session finds nothing either. CHKDSK finds no corruption.

I reboot with Knoppix and give it a whirl. Nothing. A quick (ha!) dd of the drive to image it and I throw it in another box and run EASEUS Data Recovery on it - knowing it wouldn't find anything - and it didn't.

At this point, I give the drive scans with MSSE, RootkitRevealer, GMER, Malwarebytes and Spybot (whew!). Nothing there so the PC seems clean.

I notice that the free space on the drive is about 8GB more than it was before the folder disappeared - which is about the size of the folder.

This is really bizarre. I've been doing this PC thing since the 80s and have never seen this before. It's not in the recycle bin, it wasn't shift-deleted since it's not in the mft at all (neither recuva, easeus don't see it), it didn't get moved accidentally. It really is like the rights for the folder somehow gut munged and Windows won't allow any user to see the folder at all so I can't even cacls it.

Right now, I'm going to find a search utility that will look for text in deleted space and give it a whirl.

Anyone out there got any brilliant ideas? It's looking like I'm a bit weak on my forensics-fu tonight....

 

Check your shadow copies.

Right click the folder it was contained in > Properties > Previous Versions > Choose and earlier date > Open.

 

good idea, i didn't even think about that...

but: "there are no previous versions..."

 

the weirdness continues....

i can see the files in (what i assume is) the MFT when i grep through the dd image of the disk.

 

Speaking of images, do you have a backup image that you can extract that folder from?

Also, do you think there might be any chance the folder would appear in linux, like GParted or something?

 

i have an image backup but how would I extract a folder from it?

I did use Knoppix to look at the disk but it didn't see the folder either.

Still haven't found a free "text search in deleted file space" utility. grep through a 128gb file on spinning rust is _slow_ compared to searching 30gb on an ssd...

 

have you done a checkdisk/scandisk of your hdd??

 

yep: "CHKDSK finds no corruption."

 

Disk Management > Action > Attach VHD > Browse > navigate to the .vhd that is the backup image for the disk/volume in question and let it mount. You'll be able to explore it as if it were just another HDD on your machine. AND you'll be able to copy anything you want from it back to your real drive.

 

ah brain fart... i know about vhd. i guess i need to find a dd image to vhd converter. someone has to have written one of those...

i think i'm resigned to scanning for text on disk since the folder seems to be gone, gone, gone....

 

Why not restore the DD image to another disk drive?

Gary

 

But how did this folder go missing in the first instance?

 

Ah, so you are one of those people who enjoy all of the system protection that MS-DOS affords them. Which is none whatsoever.

I think the "backup" he is talking about was taken after that folder got deep-sixed, otherwise the solution would be trivial, like you suggest.

To the OP, all I can say is that it sounds like you were too quick futzing around with things that can have dire consequences. If you are prone to that kind of thing, and in particular given the fact that you turned the machine into a glorified DOS box already, the only thing to protect you from yourself are backups, backups, and more backups. Otherwise, this is not something I'd like to diagnose remotely. Good luck!

 

With Win 7 I don't understand turning off UAC. Vista it was annoying as heck (at least launch day UAC maybe not SP2).

To enforce what Pirx says, backup, backup, backup. Get a NAS to make regular backups.

edit: NM, I went back to re-read your post and sounds like data folder is one you created not a system folder.

 

Sound advise! I have yet to do this and am running a huge risk. I have been putting off buying a desktop storage device for a long time now.

 

I think one of your key errors was shutting down UAC, not and not having it on it's maximum settings...

-> gone D drive = system change of some sort -> UAC would have popped up...

 

That's the question, isn't it?

Please. This is windows. it's not a server, it's a workstation and i'm the only one who uses it. i don't run root on my *nix boxes but on windows, i run an admin-equiv user. uac is crap - even on vista 1.1.

Yeah, just open up acronis and restore it. This folder was just a temporary work/download folder that's excluded from backup since it's always changing contents. Nothing major's lost - half a dozen text files really.

Wasn't futzing a thing. This windows install is months-old and has been pretty solid as far as windows goes. It's my main windows travel laptop, so it's pretty vanilla.

 

Actually, it's best on Vista
Because it's set to high on default.

On that note - UAC is very useful and no problem at all to people.

I think you should detail why it's a problem to you - because it's not to a lot of other people here.

 

ha! well, that's one way of looking at it.

Simply put, Win7's UAC being more friendly than vista's is based on the trusted executable model (so windows can auto-elevate its own processes), which, as we see every patch tuesday, might not be the best decision. But then, uac is just window dressing (no pun intended) designed to annoy you rather than providing security - even MS says it's for convenience, not security.

UAC's goal of getting windows developers to write code that doesn't require administrator-level access en masse is worthwhile and I welcome MS to the 1970s.

in my case, since i didn't make any system-level change and neither did any 3rd-party software, uac wouldn't have thrown a prompt.

 

And you would know that how, since you, in your infinite wisdom, have turned off UAC? I find it laughable that you say you don't run your *nix boxes with root, and yet you are willing to do the equivalent with your Windows. You do realize that Windows machines are much more of a target for hackers and thieves than a *nix box, given the relative difference in market share to the average consumer?

Gary

 

When did it become okay to hassle people about how they run their laptops? Does any of this further him along in figuring out his problem, other than telling him how "wrong" he is?

He has a problem and came here hoping someone might be able to help him figure out a solution, if one exists. He did not come here to have people get judgemental and talk down to him.

A variation of many a mothers' words - Either be helpful and nice, or don't bother posting.

 

A forum is the same as an insurance company to some extend.

You have some gold bars at home, insure them, but no alarm, no at least strengthened windows & doors - leave those gold bars visible, say on a desk.
While you are on holiday these are stolen - will the insurance company pay? Nope, gross negligence.

It's the same here - if people do stupid stuff and it's not an accident people get annoyed.
That's why we are complaining. Especially when these people doing stupid stuff claim to be computer experts or be "experienced enough" to "know" the OS.

 

Fine and all, but this leg of the conversation is only relevant if UAC would have actually warned him in the scenario he described. Admittedly, I don't know much about UAC, nor do I use it. That's why I've not posted sicne the beginning, but am reading to see what productive things can be learned. Instead, I read complaining.

 

I assume you are talking about my post. When folks come here espousing procedures that are unsafe (not running as root on an *inx system and yet running with full admin under windows with UAC turned off), it is important for the fallacy in that logic to be pointed out. Otherwise some newbie is likely to come along and think, well this guy is an "expert" and if he thinks it is safe I should do so as well.

Plus, the guy lost a directory and then goes on to claim that it just disappeared but that disappearance could not have been caused by some third party application all the while running in a state where he could not possibly know if some rouge app were to blame or not. Again, I called him out on this not for his benefit, but for the benefit of other folks who might stumble upon the conversation and think that the OP's actions are some that should be copied.

Sorry, I don't and won't sit idly by when folks suggest stupid practices.

Gary

 

It is relevant because of his assertion that UAC would not have warned him. He has no idea if that is true or not. His claim that no 3rd party software was in play was equally as bogus, because he has turned off all functionality that might let him know and on top of that has given administrative privileges to any and all processes running on his system, including (but in no way limited to) applications running via web pages he may have visited.

Again, I did not point this out for his benefit as it will most likely fall on his "expert" deaf ears, I did so so others don't follow in his footsteps.

Gary

 

If his 'data folder' is just a user created folder, why would UAC warn him ? UAC only put a layer of 'protection' on things that is consider to be 'system' like under \Windows or registry manipulation and things like that.

I don't recall it comes up when I just randomly delete a directory I created on C:\

 

Wow, didn't realize you Vaio-ites were so, ummm, hyperbolic. You're assuming facts not in evidence. Never claimed infinite wisdom. Not espousing people run their pc this way.

Yeah, UAC is set to never, but I'm running (amongst other things) Agnitum's security software (firewall, anti-*) which, is kind of like UAC but with a "remember this choice" setting. I don't visit crap-ware websites, don't allow java or javascript, don't install every new "hey, cool, look at this new free utility that washes your underwear while it fixes your dinner and defrags your ram" utility, etc... My claim is based on the fact that all the software on this PC is software that I've run for months (and some of it for years) on this and other windows boxes and it's proven safe.

Security is like an onion - it's all about layers. UAC is just a layer, it's not a magic star trek shield. I can remember when UAC first came out and i said to myself, "wow, finally". And then i tried it. It hoovered worse than windows search (still) does (which might even be worse now that it ever was; geez, guys, just steal grep and be one with it . maybe when i redo my windows install, i'll move that slider from "never" up a notch or two and give the windows 7 flavor more than a couple days. Do you recc. using the secure desktop or not?

 

Really? Your post did indicate that you believe yourself to be an expert user - hence I find Scuderia's interpretation overall quite accurate.

And Computer protection - if you were such an expert you'd know that pro-active heuristic detection for the best AVs hovers around 60%, and even for known malware (-> known as in "in the signature of the AV") the detection rates only end up in the high nineties at best.
Effectively malware protection can be assumed useless, however not running it would be gross negligence. (i.e. it will most likely catch most of the "old stuff" but most likely will let most of the "new stuff" through at first).

Your claim that not running JavaScript, Java and avoiding "bad sites" is sufficient to avoiding malware is also false.
Malware can come through USB drives, through CDs (one German PC magazine apparently had to redo a whole edition once - malware on the disc...), it can come through email attachments (from a friend you know who has an infected computer) - and "known good sites" - most websites can be hacked - that doesn't mean a lot.
Kaspersky's US website was once infected - it happens, security is never guaranteed on the web unless you live on a hermetically disconnected laptop with ZERO outside connection (no USB drives, no CDs, not network, no Bluetooth, no external HDDs, no USB ports except for mouse and keyboard)...

 

While the OP is wrong about turing off UAC (because we cannot guranteed the site we visit is not infected and that bugs in IE/Flash can allow infected site to invoke programs even though we didn't actively launch any), virus/malware still doesn't sound like a plausible explanation to what he experienced.

So if anyone is in a crusade about UAC, please starts a new thread about that.

@OP
Please consider turn UAC back on(due to the above mentioned situation that is not controllable whether you are careful or not).

You original problem seem like a rare bug of Windows.

 

To be honest - deleting a drive/folder/directory would be the kind of thing a hobby hacker might program as malware.
-> Just causing damage for the sake of doing it...

 

Yes, but just his one particular folder ? Sure everything is possible but personally I doubt it.

EDIT:

Beside, even if he had UAC on, it still cannot help him in this particular case. UAC doesn't protect malware from running (that is what things like DEP or randomized stack can provide some help), it only stops malware from doing damage to important OS things and his data folder doesn't sound like one.

 

Because of the virtualization part of UAC you have to be careful turning it back on. Not so much careful as preparing yourself for what will happen. Suddenly certain files written to the program files directory will appear to be missing. Things like INI files, settings files, stored games etc. But as you suggested earlier, that is a discussion for another thread.

Gary