What is INFO2 File HIDDEN in Recycled or Recycler Folder?
Posted By Raymond In Category: Computer
27
2007
What’s the difference between the Recycled and Recycler folders? If you’re using Windows, you will have one of these folders at the root of your drive. What determines whether you have Recycled or Recycler is the filesystem of your drive. If it is FAT32, you will get Recycled, and if you have NTFS, you’ll have Recycler. Some people might have both folders because they converted their drive from FAT32 to NTFS.
OK, when you delete a file in Windows Explorer or My Computer, the file immediately appears in the Recycle Bin. This is what you see, but there is actually something going on in the background. The complete path and file name are stored in a hidden file called INFO2 in the Recycled or Recycler folder. What I learned during my research is that the INFO2 file is VERY important, because once it is corrupted or removed while you still have files in the Recycle Bin, the file names of those files are all gone!
Let’s do a test here so you’ll understand better.
I’ll delete a file called “test delete.exe” and let it stay in the Recycle Bin. Once it is deleted, I can see that my Recycle Bin icon now has trash. This is what WE see with our eyes. My partition uses the NTFS file system, so I have a RECYCLER folder at the root of my C: drive. Inside the Recycler folder I have a Recycle Bin icon. Inside that Recycle Bin, the file that I just deleted (test delete.exe) is there. I can restore and also delete the file there. Everything is normal up till now.
Let’s see what happens if I use command prompt to check what’s in the RECYCLER directory.

There’s a file called Dc17.exe and also INFO2. I am 100% sure that Dc17.exe is the “test delete.exe” file that I just deleted because I used the COPY command to copy Dc13.exe to desktop. Command prompt doesn’t process the INFO2 file, therefore it is not showing the “test delete.exe” file name.
If you try deleting INFO2 from command prompt, it will say “Could Not Find INFO2” because the file has the HIDDEN attribute. Just use the command “attrib -h INFO2” to unhide INFO2. Now I am able to delete the INFO2 file. Weirdly, immediately after deleting the INFO2 file, I can’t see any files in the desktop’s Recycle Bin, but the icon is still showing as if there is trash. I tried to empty the Recycle Bin and it asked me “Are you sure you want to delete ‘windows’?”

I took the risk and clicked the Yes button. I checked my Windows folder and thank God it’s still there! I went back to command prompt to list the files in recycler folder and Dc17.exe file is no longer there.
I was unable to find any way to edit or add entries to the INFO2 file, but I found a free tool called “rifiuti2” that is used to analyze the INFO2 file during Windows computer forensics. As its name indicates, rifiuti2 is a rewrite of rifiuti, a great tool from the Foundstone folks for analyzing the Windows Recycle Bin INFO2 file. The word rifiuti means “trash” in Italian.
The differences between rifiuti and rifiuti2 are:
* Supports Windows in any other language
* Supports Vista and 2008 (which no longer use the INFO2 file)
* Enables localization (that is, translatable) by using glib
* More rigorous error checking
* Supports output in XML format
To use rifiuti2 to analyze the INFO2 file, you need to copy INFO2 to the rifiuti folder and run the command “rifiuti INFO2”. Remember to use the attrib command first, otherwise you won’t be able to copy the INFO2 file to another location. An example is shown in the image below.
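
The following added example (not from the original post and not rifiuti2's code) parses an INFO2 file to recover what the command prompt listing cannot show: the original path behind a name like Dc17.exe. It assumes the record layout commonly documented for Windows 2000/XP (20-byte header, 800-byte records); the sample bytes, path and timestamp are constructed.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20      # assumed: five DWORDs, record size is the fourth
XP_RECORD_SIZE = 800  # 260 ANSI path + 4 index + 4 drive + 8 FILETIME + 4 size + 520 UTF-16 path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_info2(data):
    """Return one dict per record in a Windows 2000/XP INFO2 byte string."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated INFO2 header")
    rec_size = struct.unpack_from("<5I", data, 0)[3]
    if rec_size != XP_RECORD_SIZE:
        raise ValueError(f"unsupported record size {rec_size}")
    records = []
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ftime, size = struct.unpack_from("<IIQI", rec, 260)
        # Bytes after the terminating NUL can be leftover memory, so cut
        # at the first UTF-16 NUL before decoding.
        raw = rec[280:800]
        end = next((i for i in range(0, len(raw), 2)
                    if raw[i:i + 2] == b"\x00\x00"), len(raw))
        path = raw[:end].decode("utf-16-le", errors="replace")
        records.append({
            "original_path": path,
            # Name on disk: "D" + drive letter + index + original extension
            "bin_name": f"D{chr(ord('a') + drive)}{index}{ntpath.splitext(path)[1]}",
            # FILETIME counts 100 ns ticks since 1601-01-01 UTC
            "deleted_utc": FILETIME_EPOCH + timedelta(microseconds=ftime // 10),
            "size": size,
            # First ANSI byte is zeroed once the entry leaves the bin
            "still_in_bin": rec[0] != 0,
        })
    return records

def build_sample():
    """Constructed one-record INFO2 image for testing (not real evidence)."""
    path = "C:\\Documents and Settings\\user\\Desktop\\test delete.exe"
    rec = path.encode("ascii").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", 17, 2, 128120832000000000, 4096)  # index 17, drive C:
    rec += (path.encode("utf-16-le") + b"\x00\x00").ljust(520, b"\xdc")  # junk padding
    return struct.pack("<5I", 5, 1, 1, XP_RECORD_SIZE, 4096) + rec

if __name__ == "__main__":
    for r in parse_info2(build_sample()):
        print(r["bin_name"], "<-", r["original_path"], r["deleted_utc"].isoformat())
```

To run it on a real file, pass the bytes of a copied INFO2 to `parse_info2` instead of `build_sample()`.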
