Strange Disk Utilization
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.security (More info?)
One of our domain controllers running Windows 2000 Server has a disk drive
with a 25.6 GB capacity. My Computer shows that we only have 2.86 GB free on
this disk. Strangely enough, if I go through and total the size of all
directories and drives on this disk, I only come up with 6.6 GB of used space.
Is there any way to see if someone has compromised this server and installed
hidden files?
One of the directories on the disk has 358 subdirectories. Do blank
directories take up enough space on a disk to matter?
Thanks.
One of our domain controllers running Windows 2000 Server has a disk drive
with a 25.6 GB capacity. My Computer shows that we only have 2.86 GB free on
this disk. Strangely enough, if I go through and total the size of all
directories and drives on this disk, I only come up with 6.6 GB of used space.
Is there any way to see if someone has compromised this server and installed
hidden files?
One of the directories on the disk has 358 subdirectories. Do blank
directories take up enough space on a disk to matter?
Thanks.
More about : strange disk utilization
Archived from groups: microsoft.public.win2000.security (More info?)
First be sure to run a full malware scan using the latest virus definition
from your publishers website and get a second opinion with something like
Sysclean and the matching pattern file from Trend Micro. Hopefully that
server has not been used for internet browsing but if it has scan for
parasites also. I would also use tools like Process Explorer, Pslist,
TCPview, and Autoruns to see if any unexplained processes or ports are being
used. It would be easiest to compare to a known clean like configured
computer. Some compromises like Root Kits are hard to detect and it may help
if you use Pslist to compare running processes shown locally to what is
found when you enumerate processes from another network computer.
Your computer may not be compromised however. I would run Check Disk on that
volume and try to browse the directories and drill down them to see if
anything interesting is found such as the one you mention with 358
subdirectories. The link below is to available resource kit tools that you
may want to use to further check out disk use. --- Steve
http://www.petri.co.il/download_free_reskit_tools.htm -- diruse and diskuse
for example.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtm... -- Process
Explorer and other utilities from SysInternals.
http://www.trendmicro.com/download/dcs.asp -- Sysclean is a stand alone
tool that does not need to be installed.
http://www.trendmicro.com/download/pattern.asp -- pattern file in .zip.
"Molnir" <Molnir@discussions.microsoft.com> wrote in message
news:C252AC07-DDE2-4C24-A017-A1B128A1F738@microsoft.com...
> One of our domain controllers running Windows 2000 Server has a disk drive
> with a 25.6 GB capacity. My Computer shows that we only have 2.86 GB free
> on
> this disk. Strangely enough, if I go through and total the size of all
> directories and drives on this disk, I only come up with 6.6 GB of used
> space.
> Is there any way to see if someone has compromised this server and
> installed
> hidden files?
> One of the directories on the disk has 358 subdirectories. Do blank
> directories take up enough space on a disk to matter?
>
> Thanks.
First be sure to run a full malware scan using the latest virus definition
from your publishers website and get a second opinion with something like
Sysclean and the matching pattern file from Trend Micro. Hopefully that
server has not been used for internet browsing but if it has scan for
parasites also. I would also use tools like Process Explorer, Pslist,
TCPview, and Autoruns to see if any unexplained processes or ports are being
used. It would be easiest to compare to a known clean like configured
computer. Some compromises like Root Kits are hard to detect and it may help
if you use Pslist to compare running processes shown locally to what is
found when you enumerate processes from another network computer.
Your computer may not be compromised however. I would run Check Disk on that
volume and try to browse the directories and drill down them to see if
anything interesting is found such as the one you mention with 358
subdirectories. The link below is to available resource kit tools that you
may want to use to further check out disk use. --- Steve
http://www.petri.co.il/download_free_reskit_tools.htm -- diruse and diskuse
for example.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtm... -- Process
Explorer and other utilities from SysInternals.
http://www.trendmicro.com/download/dcs.asp -- Sysclean is a stand alone
tool that does not need to be installed.
http://www.trendmicro.com/download/pattern.asp -- pattern file in .zip.
"Molnir" <Molnir@discussions.microsoft.com> wrote in message
news:C252AC07-DDE2-4C24-A017-A1B128A1F738@microsoft.com...
> One of our domain controllers running Windows 2000 Server has a disk drive
> with a 25.6 GB capacity. My Computer shows that we only have 2.86 GB free
> on
> this disk. Strangely enough, if I go through and total the size of all
> directories and drives on this disk, I only come up with 6.6 GB of used
> space.
> Is there any way to see if someone has compromised this server and
> installed
> hidden files?
> One of the directories on the disk has 358 subdirectories. Do blank
> directories take up enough space on a disk to matter?
>
> Thanks.
Archived from groups: microsoft.public.win2000.security (More info?)
"Steven L Umbach" wrote:
> First be sure to run a full malware scan using the latest virus definition
> from your publishers website and get a second opinion with something like
> Sysclean and the matching pattern file from Trend Micro. Hopefully that
> server has not been used for internet browsing but if it has scan for
> parasites also. I would also use tools like Process Explorer, Pslist,
> TCPview, and Autoruns to see if any unexplained processes or ports are being
> used. It would be easiest to compare to a known clean like configured
> computer. Some compromises like Root Kits are hard to detect and it may help
> if you use Pslist to compare running processes shown locally to what is
> found when you enumerate processes from another network computer.
>
> Your computer may not be compromised however. I would run Check Disk on that
> volume and try to browse the directories and drill down them to see if
> anything interesting is found such as the one you mention with 358
> subdirectories. The link below is to available resource kit tools that you
> may want to use to further check out disk use. --- Steve
>
> http://www.petri.co.il/download_free_reskit_tools.htm -- diruse and diskuse
> for example.
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtm... -- Process
> Explorer and other utilities from SysInternals.
> http://www.trendmicro.com/download/dcs.asp -- Sysclean is a stand alone
> tool that does not need to be installed.
> http://www.trendmicro.com/download/pattern.asp -- pattern file in .zip.
>
I used diruse and dumped the results to a text file, then imported into
Excel. It looks like for whatever reason the properties of the Profiles
directory wasn't enumerating the size of the 350+ subdirectories correctly.
As far as I can tell, this directory is no longer used and all roaming
profiles are stored on a different machine.
Thanks for the help and peace of mind.
"Steven L Umbach" wrote:
> First be sure to run a full malware scan using the latest virus definition
> from your publishers website and get a second opinion with something like
> Sysclean and the matching pattern file from Trend Micro. Hopefully that
> server has not been used for internet browsing but if it has scan for
> parasites also. I would also use tools like Process Explorer, Pslist,
> TCPview, and Autoruns to see if any unexplained processes or ports are being
> used. It would be easiest to compare to a known clean like configured
> computer. Some compromises like Root Kits are hard to detect and it may help
> if you use Pslist to compare running processes shown locally to what is
> found when you enumerate processes from another network computer.
>
> Your computer may not be compromised however. I would run Check Disk on that
> volume and try to browse the directories and drill down them to see if
> anything interesting is found such as the one you mention with 358
> subdirectories. The link below is to available resource kit tools that you
> may want to use to further check out disk use. --- Steve
>
> http://www.petri.co.il/download_free_reskit_tools.htm -- diruse and diskuse
> for example.
> http://www.sysinternals.com/ntw2k/freeware/procexp.shtm... -- Process
> Explorer and other utilities from SysInternals.
> http://www.trendmicro.com/download/dcs.asp -- Sysclean is a stand alone
> tool that does not need to be installed.
> http://www.trendmicro.com/download/pattern.asp -- pattern file in .zip.
>
I used diruse and dumped the results to a text file, then imported into
Excel. It looks like for whatever reason the properties of the Profiles
directory wasn't enumerating the size of the 350+ subdirectories correctly.
As far as I can tell, this directory is no longer used and all roaming
profiles are stored on a different machine.
Thanks for the help and peace of mind.
Archived from groups: microsoft.public.win2000.security (More info?)
If the Server has been used for web browsing (not a good idea), consider
purging all temp files and browser cache regularly.
Remember to turn on all the "Show hidden .. " Windows Explorer options to be
able to navigate all available folders.
Hope this helps. Do let us know. Thanks!
"Molnir" wrote:
> One of our domain controllers running Windows 2000 Server has a disk drive
> with a 25.6 GB capacity. My Computer shows that we only have 2.86 GB free on
> this disk. Strangely enough, if I go through and total the size of all
> directories and drives on this disk, I only come up with 6.6 GB of used space.
> Is there any way to see if someone has compromised this server and installed
> hidden files?
> One of the directories on the disk has 358 subdirectories. Do blank
> directories take up enough space on a disk to matter?
>
> Thanks.
If the Server has been used for web browsing (not a good idea), consider
purging all temp files and browser cache regularly.
Remember to turn on all the "Show hidden .. " Windows Explorer options to be
able to navigate all available folders.
Hope this helps. Do let us know. Thanks!
"Molnir" wrote:
> One of our domain controllers running Windows 2000 Server has a disk drive
> with a 25.6 GB capacity. My Computer shows that we only have 2.86 GB free on
> this disk. Strangely enough, if I go through and total the size of all
> directories and drives on this disk, I only come up with 6.6 GB of used space.
> Is there any way to see if someone has compromised this server and installed
> hidden files?
> One of the directories on the disk has 358 subdirectories. Do blank
> directories take up enough space on a disk to matter?
>
> Thanks.
Related ressources:
- ForumStrange sound from hard disk - any problem?
- ForumStrange CPU and RAM Utilization by LSASS.EXE
- ForumHow to measure power utilization ?
- ForumSandisk SSD - Lost Partition - Very Strange
- ForumVery strange issue.
- Foruminstalled a new PSU, strange buzzing sound
- ForumMy speeds and GPU utilization on my 680 slower in 3 way sli vs. 2 way
- ForumOverclocking/complete Utilization of installed memory problem.
- ForumConstant BSOD, tried basically everything, very strange
- ForumA strange question regarding the disk defragmenter and an unknown drive.
- ForumP8Z68 Deluxe/Gen3 strange issue
- ForumIntel Celeron 2.2 Proc 900 How much ram? Anyway to tweak ram utilization ?
- ForumDisk activity constant 100% on ssd windows 8
- Forum[win7 pro x64] Strange issues including BSOD and semi-freezing
- ForumStrange Windows 7 stutter
- ForumStrange problem with files
- ForumParallel and com ports not appearing in device manager
- ForumStrange Client Behavior: Port 8002 Looking for Other Ports
- ForumLost Disk Space
- Forumreplacement disk
- More resources
!
