Jump to content

Misbehaving of C Drive


Recommended Posts

We have some XP system and some win7 as well as 2003 Server.

All Machine running perfect excluding one which is windows 7 and the issue is we have some "GB" space on C Drive of course in C we have put it the OS and C drive automatically removing free space and going onto "KB" than it come to "GB" (which is actual free space) then again it's going down on "KB" like a loop.

Here are some shots:




Now loop (It will again start like this)




No Error anything else. (Fully Scanned by AV)

Any idea? what the hell is it? any keyword for this issue to search on google?

Link to comment
Share on other sites

What file shares are on this machine, and have you used any packet dumping tools to monitor or locate what is using the space itself, possibly being sent to and from it over the network?

Possibly a damaged drive not being able to report its geometry but I would think there would be other issues happening as well. Check the event viewer for starters, but sounds more like something being used on the drive and wiped. Not uncommon for this to happen to a compromised node in the network.

I would monitor the traffic to and from that workstation, as well as look into tools to monitor file size listings and have a look at whats happening under the hood. If it is compromised though, one sure fire way, disconnect all ethernet or connections to it on the network, reboot, and then see if it happens while disconnected from the network. If it only happens while on the LAN, well, its most likely a pivot point being used by some process(legit) or someone who compromised the network and that workstation(non-legit and you then have bigger issues to look into and track down).

Few seasons back the show did a review(s) of multiple tools for windows(I think multiple seasons), that showed even graphical displays of files sizes by colors and shapes of the file system, with the folder or file names. I don't remember all the names of every tool, but File Monger or Space Monger comes to mind. There might even be something in the sysinternals suite that does the same thing, but any of these might help identify files on the drive when its size is growing/shrinking. Would seem more like someone is using it to move files and data, which it may be a pivot point and tunneled into/out of that one node, regardless of AV scans. Some tools, are just that, and don't necessarily set off AV scanners if all they are doing is file transfers to and from a node or tunneling data through that node as its pipe to the outside world, which if that happens, consider the rest of the network compromised in some manner. Pray its just a faulty drive.


Try some of the disk tools on Portable Apps as well: http://portableapps.com/apps/utilities

They have some for registry and file snapshot comparisons.

Edited by digip
Link to comment
Share on other sites

  • 4 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...