Questions

Admin files lost in the void (Win XP Home SP2)

+
0 Votes
Locked

Admin files lost in the void (Win XP Home SP2)

e_ludema
Hi folks,

Long story short. Admin user files disappeared (but folder structure still intact).

Their setup: Windows XP Home SP2 on an HP notebook (only a few years old). They have slow dial-up and only use their connection to check AOL and gmail email accounts. Other than that, no fancy downloads, P2P software, AdWare, Viruses, etc, that I could find that would cause the problem.

What happened: The 9 year old son swore he didn't do a thing to the box... looking through the event logs, I get a series of 4 errors in the Applications one right after the other:

1508: Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.

1502: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.

1515: Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.

1511: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

- Followed by "WebFldrs XP -- Configuration completed successfully".

This all happened on the "Admin" account (not Administrator, but Admin (with Admin rights, of course)). When the mom got home and booted up her computer, her Desktop was nearly empty - "My background, icons, files, ... are all gone!" I'm sure it's because she was logged into a temporary account which didn't point to her \Doc & Settings\Admin directory (the event log shows the same sequence of errors twice, assuming once for the son, then again for her when she tried to logon). In a panic, she removed a few of her kids games, figured out how to do a System Restore and restored to every possible time and Restore Point she could find (about 5 combinations in the past 5 days). She was able to get the Admin account back up, mostly manually, except for all the files in \Documents and Settings\Admin\*.

So, this is what I see while staring at the box: In C:\Documents and Settings\ there are Admin, Kelsey, Jason and Administrator accounts (along with All Users, Default User, and Guest). When I show hidden files, it also displays a Admin(2) and Admin.PC142202798417. The Admin(2) and Admin.PC* are nearly empty shells. The strange thing is her Admin folder. All of her files disappeared, BUT, her folder structure is still intact! All of her folders are still there, but the files have been emptied out.

Ok, so what I've done: Logged in as all the different accounts, did a dir /s/a (all files in the tree including hidden files), no files found. (A side note, the other accounts Jason, Kelsey, ... still have their files... this is only affecting \Documents and Settings\Admin). I logged in as the "hidden" Administrator account through Safe Mode, still nothing. The Recycle Bin claims to be empty, but surfing through the hidden "C:\RECYCLER" folder, there is a bunch of removed files, but none of them are the missing files. I downloaded a couple of free undelete apps. One of them returned a possible 11,000 or so deleted files, but none of them seemed to be the missing files either. Now this one is strange: I look at the hard drive properties to get the size of the drive (NTFS) and it says:

Capacity: 60,003,381,248 Bytes
Free Space: 40,290,553,856 Bytes
Used Space: 19,712,827,392 Bytes <---

If I do a file tree dump in DOS including all dirs, and all files including Hidden, Read-Only, etc, using a C:\dir *.* /s/a, it returns:

Free Space: 40,290,553,856 Bytes (matches)
Used Space: 18,832,969,864 Bytes (ummm) <---

So, summary - About 1 Gig of something is unaccounted for doing a full directory dump. The recycle bin doesn't account for them. Undelete software doesn't list them (including files renamed to Dc???.doc, etc). None of the accounts show them, including Administrator in Safe Mode. It seems that the temp account was created, she panicked and doing whatever she did with the restore points was too much for it. The files seem to be lost in a void - is there a NTFS drive dump app that can reveal any clues?

Any help, clues or insights would be wonderful!

Thanks for reading this long-winded, confusing post :)

Eddie
  • +
    0 Votes
    e_ludema

    I guess the basis of my question is this: Is it possible to have files at one point exist on a NTFS drive and then the next day for those files to be invisible to Windows, including deleted files, recycle bin and hidden files? Did those files really actually exist? If I can see files deleted from 3 years ago but not files from 1 week ago, where could they have gone?

    Sorry, just thinking out loud.

    Thanks again,
    Eddie

    +
    0 Votes
    pfredette

    I have experienced the same invisible file problem but on 2 users and not the Admin account. Have you had any success in finding out what happened.

  • +
    0 Votes
    e_ludema

    I guess the basis of my question is this: Is it possible to have files at one point exist on a NTFS drive and then the next day for those files to be invisible to Windows, including deleted files, recycle bin and hidden files? Did those files really actually exist? If I can see files deleted from 3 years ago but not files from 1 week ago, where could they have gone?

    Sorry, just thinking out loud.

    Thanks again,
    Eddie

    +
    0 Votes
    pfredette

    I have experienced the same invisible file problem but on 2 users and not the Admin account. Have you had any success in finding out what happened.