#### Which files were moved to the "SIS Common Storage" folder by the groveler service?

Posted on 30.11.2007, 18:50

The previous entry in this blog is the German version of this article.

We have:

• A Windows 2000 server that was used as a RIS test server a while ago.
• A directory on D:\ named "SIS Common Storage"

RIS was uninstalled long ago, but the folder remained: about 3 GB in size with 5800-odd files, most of them named like 48dea770-1cda-11db-8780-000a5e029b89.sis.

Opening them in Metapad shows that PDF documents, bitmap images, .EXE files and others are among them. A quick Google search tells you that the "Groveler" service moves duplicate files on volumes with RIS images into this folder once and replaces the original files with NTFS links containing "reparse points".

The "groveler" service was removed together with RIS once ago, it has not moved files to the SIS-folder since them. The default Windows tools do not let you see if there are just orphans lying around in "SIS Common Store" (i.e. files that were not deleted together with their links in the filesystem), or what is there inside this folder at all.

FSutil.exe from Windows Server 2003 is generally able to show the "reparse point" info contained in files, but only for one file or folder at a time:

Fsutil: reparsepoint

Typically used by support professionals. Queries or deletes reparse points, which
are NTFS file system objects that have a definable attribute containing user-
controlled data, and are used to extend functionality in the input/output (I/O)
subsystem.

Reparse points are used for directory junction points and volume mount points. They
are also used by file system filter drivers to mark certain files as special to that driver.


Additionally it has a bug: it does not show the correct GUID info of SIS reparse points. Well done, idiots.

After a lot of "googling around" one can find the improved tool FSutil2.exe (not from Microsoft!), which among other things fixes this bug:

This is a newer fsutil.exe utility that fixes how reparse points are displayed for RIS CIS Files.

The original fsutil.exe that shipped with Windows XP had a bug where it would not display
the correct {GUID} information.  This version fixes this and includes other enhanced
outputs.


Thanks!

D:\>fsutil.exe reparsepoint query \path\to\ntoskrnl.exe

Reparse Tag Value : 0x80000007
Tag value: Microsoft
Tag value: SIS
Format version: 5
CSid: 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8
CSFileNtfsID:   0xe0300000.00002fe4
CSChecksum:     785d2b09
Checksum:       37118f04

Reparse Data Length: 0x00000040
Reparse Data:
0000:  05 00 00 00 10 b0 11 b1  00 4c 0c 4b a2 fe d3 11  .........L.K....
0010:  8d 9c 00 c0 4f 47 00 a8  e4 72 00 00 00 00 00 00  ....OG...r......
0020:  6f 12 00 00 00 00 02 00  e4 2f 00 00 00 00 30 e0  o......../....0.
0030:  09 2b 5d 78 dd 2c 13 c1  04 8f 11 37 df 42 a6 cd  .+]x.,.....7.B..


Interesting for us: the line CSid: 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8. The file queried with fsutil.exe reparsepoint query really does have a reparse point with tag SIS in its metadata and, guess what, the matching file in the folder "SIS Common Store" is named 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8.sis!
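The CSid does not only appear in fsutil's decoded line; it is also right there in the raw "Reparse Data" hex dump, stored as a little-endian GUID at offset 8, which is exactly what the buggy original fsutil got wrong. The following is an added example, not code from the original post: it turns the hex dump printed above back into bytes and unpacks the 64-byte SIS reparse buffer. The field layout is assumed from the SIS filter driver's SI_REPARSE_BUFFER structure; the positions of the format version, CSid, CSFileNtfsID, CSChecksum and Checksum are confirmed by the values fsutil2 printed, the remaining field names (reserved, link_index, link_file_ntfs_id) are assumptions.

```python
import re
import struct
import uuid

# IO_REPARSE_TAG_SIS, the "Reparse Tag Value" fsutil printed for the file.
IO_REPARSE_TAG_SIS = 0x80000007

# The hex dump exactly as fsutil2.exe printed it in the post above.
FSUTIL_HEXDUMP = """\
0000:  05 00 00 00 10 b0 11 b1  00 4c 0c 4b a2 fe d3 11  .........L.K....
0010:  8d 9c 00 c0 4f 47 00 a8  e4 72 00 00 00 00 00 00  ....OG...r......
0020:  6f 12 00 00 00 00 02 00  e4 2f 00 00 00 00 30 e0  o......../....0.
0030:  09 2b 5d 78 dd 2c 13 c1  04 8f 11 37 df 42 a6 cd  .+]x.,.....7.B..
"""

_DUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]{4}):\s+(.*)$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn fsutil's 'offset:  8 bytes  8 bytes  ascii' lines back into bytes.

    Only the two hex groups are used; the trailing ASCII column is ignored,
    so printable bytes that happen to look like hex digits cannot confuse us.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        groups = re.split(r"\s{2,}", m.group(2).strip())
        tokens = " ".join(groups[:2]).split()
        out.extend(int(t, 16) for t in tokens)
    return bytes(out)


def decode_sis_reparse(data: bytes) -> dict:
    """Unpack the 64-byte SIS reparse buffer into named fields.

    Layout (assumed from the SIS driver's SI_REPARSE_BUFFER): two ULONGs,
    a GUID, then five 64-bit values. All integers are little-endian.
    """
    if len(data) != 64:
        raise ValueError(f"SIS reparse data must be 64 bytes, got {len(data)}")
    (version, reserved, csid_le, link_index, link_ntfs_id,
     cs_ntfs_id, cs_checksum, checksum) = struct.unpack("<II16sQQQQQ", data)
    return {
        "format_version": version,
        "reserved": reserved,                 # assumed name, not printed by fsutil
        "csid": str(uuid.UUID(bytes_le=csid_le)).upper(),
        "link_index": link_index,             # assumed name, not printed by fsutil
        "link_file_ntfs_id": link_ntfs_id,    # assumed name, not printed by fsutil
        "cs_file_ntfs_id": cs_ntfs_id,        # fsutil: CSFileNtfsID
        "cs_checksum": cs_checksum,           # fsutil prints the low 32 bits
        "checksum": checksum,                 # fsutil prints the low 32 bits
    }


def format_ntfs_id(value: int) -> str:
    """Render a 64-bit NTFS file id the way fsutil does: 0xHIGH.LOW."""
    return f"0x{value >> 32:08x}.{value & 0xFFFFFFFF:08x}"


def sis_store_name(fields: dict) -> str:
    """Name of the file in 'SIS Common Store' that holds this link's data."""
    return f"{fields['csid']}.sis"


if __name__ == "__main__":
    f = decode_sis_reparse(hexdump_to_bytes(FSUTIL_HEXDUMP))
    print("CSid:        ", f["csid"])
    print("CSFileNtfsID:", format_ntfs_id(f["cs_file_ntfs_id"]))
    print("store file:  ", sis_store_name(f))
```

Feeding the dump from the post through this yields the same CSid, CSFileNtfsID and the low 32 bits of both checksums that fsutil2 printed, which is a cheap way to double-check a tool you downloaded from somewhere other than Microsoft against the raw bytes.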

So we scan drive D:\ for files with SIS reparse points.

Writing a few batch files that accomplish this shouldn't be a problem. I guessed that most of the files in "SIS Common Store" were dead files from "RIS times", so I did not need automated file renaming and the like.

The first batch lists the content of drive D:\ into a text file:

REM Write drive content without directories into files_all.txt
dir /b /s /a-d d:\ > d:\temp\files_all.txt


The next one reads the previously created file (FSutil.exe itself does not support recursion) and tests every file for reparse points:

REM Read files_all.txt and apply "FSutil.exe reparsepoint query" to each line.
REM "delims=" keeps the whole line as one token, so paths containing
REM spaces or semicolons are passed to fsutil unchanged.
for /f "delims=" %%a in (d:\temp\files_all.txt) do (
    echo %%a >> d:\temp\files_reparsepoint.txt
    d:\temp\fsutil2.exe reparsepoint query "%%a" >> d:\temp\files_reparsepoint.txt 2>&1
)


files_reparsepoint.txt can then be searched for SIS reparse points with grep from the Unix tools for Windows.

REM Look for "Tag value: SIS" and print the 3 lines before and 2 lines after
grep -i -B 3 -A 2 "Tag value: SIS" d:\temp\files_reparsepoint.txt > final_result.txt


You then have a list relating the files on the drive to the "{GUID}.sis" files. Excerpt:

[...]
d:\some\path\to\ntoskrnl.exe
Reparse Tag Value : 0x80000007
Tag value: Microsoft
Tag value: SIS
Format version: 5
CSid: 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8
[...]


Of the roughly 5800 files, a total of 6 were still referenced on the system, i.e. on D:\ there were 6 files with SIS reparse points linking to files inside "D:\SIS Common Store". I copied these and deleted the rest after making a backup.
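The grep step gives you the relations, but the real question (which of the 5800 .sis files are orphans, and whether any link on the drive points to a store file that is already gone) still has to be answered by hand. The following is an added example and not part of the original post: it reads the combined files_reparsepoint.txt that the batch loop produces, maps each CSid to the link files that reference it, and compares that against a "dir /b" listing of the common store. The sample report and listing are constructed to look like that output; the "Error:" line for files without a reparse point and the "Mount Point" tag line are assumptions about fsutil's wording, and the third GUID in the listing is made up.

```python
import re
from collections import defaultdict

# Constructed sample of files_reparsepoint.txt: each path line (from "echo %%a")
# is followed by whatever fsutil2.exe printed for that file.
SAMPLE_REPORT = """\
d:\\some\\path\\to\\ntoskrnl.exe
Reparse Tag Value : 0x80000007
Tag value: Microsoft
Tag value: SIS
Format version: 5
CSid: 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8
CSFileNtfsID:   0xe0300000.00002fe4
d:\\images\\win2k\\readme.txt
Error:  The file or directory is not a reparse point.
d:\\other\\copy\\ntoskrnl.exe
Reparse Tag Value : 0x80000007
Tag value: Microsoft
Tag value: SIS
Format version: 5
CSid: 4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8
d:\\docs\\manual.pdf
Reparse Tag Value : 0x80000007
Tag value: Microsoft
Tag value: SIS
Format version: 5
CSid: 48DEA770-1CDA-11DB-8780-000A5E029B89
d:\\mount\\junction
Reparse Tag Value : 0xa0000003
Tag value: Microsoft
Tag value: Mount Point
"""

# Constructed "dir /b" listing of D:\SIS Common Store.
SAMPLE_STORE_LISTING = """\
4B0C4C00-FEA2-11D3-8D9C-00C04F4700A8.sis
48DEA770-1CDA-11DB-8780-000A5E029B89.sis
1F2A3B4C-0000-4000-8000-000000000001.sis
"""

_PATH_LINE = re.compile(r"^[A-Za-z]:\\")
_CSID_LINE = re.compile(r"^CSid:\s*([0-9A-Fa-f-]{36})\s*$", re.IGNORECASE)


def parse_sis_links(report: str) -> dict:
    """Map CSid -> list of link paths, using only records tagged SIS.

    A path line starts a new record; "Tag value: SIS" arms it; the CSid line
    of an armed record is recorded. Non-SIS reparse points (junctions, mount
    points) and fsutil error lines are skipped.
    """
    links = defaultdict(list)
    current, is_sis = None, False
    for raw in report.splitlines():
        line = raw.strip()           # "echo %%a" leaves a trailing space
        if _PATH_LINE.match(line):
            current, is_sis = line, False
            continue
        if line.lower() == "tag value: sis":
            is_sis = True
            continue
        m = _CSID_LINE.match(line)
        if m and is_sis and current is not None:
            links[m.group(1).upper()].append(current)
    return dict(links)


def classify_store(links: dict, store_listing: str) -> dict:
    """Split the store into referenced .sis files, orphans and dangling links."""
    referenced, orphans, present = {}, [], set()
    for name in store_listing.splitlines():
        name = name.strip()
        if not name.lower().endswith(".sis"):
            continue
        csid = name[:-4].upper()
        present.add(csid)
        if csid in links:
            referenced[name] = links[csid]   # keep: a link still needs it
        else:
            orphans.append(name)             # safe to remove after a backup
    # Links whose store file is already missing: those files are unreadable.
    dangling = sorted(c + ".sis" for c in links if c not in present)
    return {"referenced": referenced, "orphans": sorted(orphans), "dangling": dangling}


if __name__ == "__main__":
    result = classify_store(parse_sis_links(SAMPLE_REPORT), SAMPLE_STORE_LISTING)
    for name, paths in result["referenced"].items():
        print(f"{name} <- {', '.join(paths)}")
    print("orphans: ", result["orphans"])
    print("dangling:", result["dangling"])
```

The "dangling" list is the check worth running before deleting anything: it catches links on the drive whose store file is already missing, which would otherwise only show up later as an unreadable file.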