Which files were moved to the “SIS Common Storage” folder by the groveler service?

Der vorherige Eintrag in diesem Blog ist die Deutsche Fassung dieses Artikels.

We have:

  • A Win2000-Server that used to be a RIS-testserver a while ago.
  • A Directory on D:\ named “SIS Common Storage”

RIS has beed uninstalled long ago, the folder remained – about 3GB in size with 5800something files, most of them named like


Metapad shows that PDF-docs, bitmap images, .EXE-files and others among them. Google lets you find quickly that the “Groveler” service moves duplicate files on volumes with RIS-images once into this folder and replaces the original files with NTFS-Links containing “reparse points”.

The “groveler” service was removed together with RIS once ago, it has not moved files to the SIS-folder since them. The default Windows tools do not let you see if there are just orphans lying around in “SIS Common Store” (i.e. files that were not deleted together with their links in the filesystem), or what is there inside this folder at all.

The FSutil.exe from Windows 2003 server is ist generally designed to show this “reparse point” info contained in files, but only for one file or folder at a time:

Fsutil: reparsepoint

Typically used by support professionals. Queries or deletes reparse points, which
are NTFS file system objects that have a definable attribute containing user-
controlled data, and are used to extend functionality in the input/output (I/O)

Reparse points are used for directory junction points and volume mount points. They
are also used by file system filter drivers to mark certain files as special to that driver.

Additionally it has a bug not showing correct GUID info of SIS reparse points. Well done, idiots.

After a lot of “googeling around” one may find the improved tool FSutil2.exe, (not at Microsoft!) which has amongst others fixed this bug:

This is a newer fsutil.exe utility that fixes how reparse points are displayed for RIS CIS Files.

The original fsutil.exe that shipped with Windows XP had a bug where it would not display
the correct {GUID} information. This version fixes this and includes other enhanced


An example in the provided readme for FSutil2.exe reads:

D:\>fsutil.exe reparsepoint query \path\to\ntoskrnl.exe

Reparse Tag Value : 0x80000007
Tag value: Microsoft
Tag value: SIS
Format version: 5
CSid: 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8
LinkIndex: 0x00000000.000072e4 Check: 0
LinkFileNtfsID: 0x00020000.0000126f
CSFileNtfsID: 0xe0300000.00002fe4
CSChecksum: 785d2b09
Checksum: 37118f04

Reparse Data Length: 0x00000040
Reparse Data:
0000: 05 00 00 00 10 b0 11 b1 00 4c 0c 4b a2 fe d3 11 ………L.K….
0010: 8d 9c 00 c0 4f 47 00 a8 e4 72 00 00 00 00 00 00 ….OG…r……
0020: 6f 12 00 00 00 00 02 00 e4 2f 00 00 00 00 30 e0 o……../….0.
0030: 09 2b 5d 78 dd 2c 13 c1 04 8f 11 37 df 42 a6 cd .+]x.,…..7.B..

Interesting for us: The line “CSid: 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8″ – The file poked by fsutil.exe reparsepoint query has actually a reparse point with tag SIS in its metadata and – guess what – is placed in the folder “SIS Common Store” with the filename 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8.sis!

We scan the drive D:\ for files with SIS reparse points.

Writing a few batch files that accomlpish this shouldn’t be a problem. I guessed most of the files in “SIS Common Store” were dead files from “RIS-times”, so I don’t need automated file renaming and stuff..

The first batch lists the content of drive D:\ into a text file:

REM Write drive content without directories into files_all.txt
dir /b /s /a-d d:\ > d:\temp\files_all.txt

The next one reads the previously created file (FSutil.exe itself does not support recursion) and tests every file for reparse points:

REM Read files_all.txt and apply “FSutil.exe reparsepoint query” to each line
for /f “delims=;” %%a in (d:\temp\files_all.txt) do (
echo %%a >> d:\temp\files_reparsepoint.txt
d:\temp\fsutil2.exe reparsepoint query “%%a” >> d:\temp\files_reparsepoint.txt 2>&1

files_reparsepoint.txt can be searched with grep grep from the Unix tools for SIS reparse points.

REM Look for “Tag value: SIS” and echo 3 lines before to 2 lines after
cat d:\temp\files_reparsepoint.txt | grep -i “Tag value: SIS” -B 3 -A 2 > final_result.txt

You then have a list of relations of files on the drive and the “{GUID}.sis” files. Excerpt:

Reparse Tag Value : 0×80000007
Tag value: Microsoft
Tag value: SIS
Format version: 5
CSid: 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8

Of the about 5800 files a total of 6 was still still present in the system, that means on D:\ there were 6 files with SIS reparse points linking to files inside the “D:\SIS Common Store” – I copied these and deleted the rest after making a backup.

Der Eintrag "Which files were moved to the “SIS Common Storage” folder by the groveler service?" ist vor mehr als einem Jahr geschrieben oder zuletzt editiert worden und unter Umständen veraltet oder nicht mehr korrekt.


Seiten und Einträge, gefunden nach Tags.

4 Kommentare

  1. Kommentar von Devlar

    Was bedeutet CSid in zeile:
    CSid: 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8


  2. Kommentar von Stefan

    Die ID der Datei, die gleich bleibt, auch wenn die Datei umbenannt wird.

  3. Kommentar von Devlar

    Danke Stefan fuer dein erstes Antwort. Mein problem ist es, dass ich mit SIS backup API soll identifizieren dies GUID (so genannt Common Store File – GUID.sis). Ich weiss schon das ID bleibt, aber wie kann ich diesen ID von den Datei bekommen?

  4. Kommentar von Devlar

    got it already :)

Hinterlasse einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind markiert *

7 × vier =

Du kannst folgende HTML-Tags benutzen: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

© 2001-2015 onderka.com | Über, impressum und Lizenz | RSS Einträge | RSS Kommentare | 57q @ 0.435s | 348.289 Spammer