
Windows Recycle Bin information file binary format


Programmatically moving files to the Recycle Bin in Windows is a trivial operation.

In short: just move the file to C:\$Recycle.Bin\SID\$R{name}* (for drive C) and create an associated binary file ($I{name}) with meta information about the "deleted" file/folder next to it.

* where SID is your OS installation identifier that looks like: S-1-5-21-1234567890-1234567890-1234567890-1001.


But I have two questions after researching:


The information file structure is as follows (based on my research):

const buffer = new Uint8Array([
    0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  // Header
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  // Size: 65535 (bytes)
    0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0xd7, 0x01,  // Deletion date (64-bit value)
    0x0b, 0x00, 0x00, 0x00,                          // Path string length: 11
    0x43, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x31, 0x00,  // File path + \0: `C:\1\1.txt` (as a JS string: `C:\\1\\1.txt\0`)
    0x5c, 0x00, 0x31, 0x00, 0x2e, 0x00, 0x74, 0x00,
    0x78, 0x00, 0x74, 0x00, 0x00, 0x00
]);

Header (always the same), file size in bytes (which is only visible in File Explorer), 64-bit deletion date value, path string length, and UTF-16 encoded null-terminated path string.

The only questionable part is the date. How is it encoded?

For example:

00 00 00 00 00 29 d7 01 is 2021.04.04 03:10

00 00 00 00 01 29 d7 01 is 2021.04.04 03:17

00 00 00 00 00 30 d7 01 is 2021.04.13 00:57

(The first four bytes are 00 just for convenience.)

For example: 00 00 00 00 00 29 d7 01 is 132619794007457792, but new Date(132619794007457792/100000) is 2012.01.10 12:19:00.

I need to transform 00 00 00 00 00 29 d7 01 bytes to 2021.04.04 03:10.


The "deleted" files in C:\$Recycle.Bin\SID\ have names that start with $R + [A-Z0-9]{7} + an optional .{extension}. For example: $RL6JQMF.txt. And the associated metadata file, $IL6JQMF.txt, just starts with $I instead.

Is there some logic to the naming, or is it just randomly generated?

In fact, for example, it works well both with $R___ + $I___ and with $R123456789 abc + $I123456789 abc. So, I think it is just randomly generated.

Only the $R/$I prefix is required. The extension is needed only to show the corresponding icon in File Explorer.


Solution

Okay, I got it.

While 00 00 00 00 00 00 00 00 is 1899.12.30 00:00, 00 00 00 00 00 00 01 00 is 1601.11.22 18:44, so this timestamp is the number of 100-nanosecond intervals since 1601.01.01.

For example, for 00 00 00 00 00 29 d7 01 (132619794007457792) I get the correct date (2021.04.04 03:10), as shown in File Explorer, with:

    // FILETIME / 10000 is milliseconds since 1601-01-01; adding the Unix-epoch
    // millisecond value of that date (negative) gives a JS Date.
    new Date(132619794007457792 / 10000 + Date.UTC(1601, 0, 1))

Anyway, I think this topic would be useful for people.

It's strange that in 2021 I did not find any info about how the Recycle Bin in Windows works.
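Putting the $I layout from the question and the FILETIME conversion from the answer together, here is an added example (not code from the original post) that decodes an $I file from a byte buffer; it uses BigInt so the 64-bit timestamp is not rounded the way a plain Number is. The sample buffer is the question's own bytes for C:\1\1.txt, reconstructed here as a constructed input.

```javascript
// Constructed sample: the question's $I bytes for C:\1\1.txt (format version 2).
const SAMPLE_INFO_FILE = new Uint8Array([
  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // header / version 2
  0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // original size: 65535 bytes
  0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0xd7, 0x01, // FILETIME: 2021-04-13 00:57 UTC
  0x0b, 0x00, 0x00, 0x00,                         // path length: 11 UTF-16 units
  0x43, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x31, 0x00, // "C:\1"
  0x5c, 0x00, 0x31, 0x00, 0x2e, 0x00, 0x74, 0x00, // "\1.t"
  0x78, 0x00, 0x74, 0x00, 0x00, 0x00,             // "xt" + NUL terminator
]);

// 1601-01-01 to 1970-01-01 in 100-nanosecond intervals (11644473600 seconds).
const FILETIME_UNIX_EPOCH = 116444736000000000n;

// FILETIME (BigInt, 100 ns since 1601-01-01 UTC) -> Date. Raw FILETIME values
// exceed Number.MAX_SAFE_INTEGER, so the subtraction is done in BigInt.
function fileTimeToDate(fileTime) {
  return new Date(Number((fileTime - FILETIME_UNIX_EPOCH) / 10_000n));
}

// Date -> FILETIME, the inverse needed when writing an $I file.
function dateToFileTime(date) {
  return BigInt(date.getTime()) * 10_000n + FILETIME_UNIX_EPOCH;
}

// Decode one $I file: 8-byte version, 8-byte size, 8-byte FILETIME,
// 4-byte path length (UTF-16 code units, NUL included), then the UTF-16LE path.
function parseRecycleBinInfo(bytes) {
  if (bytes.length < 28) throw new Error("$I file too short for fixed header");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const version = view.getBigUint64(0, true);
  if (version !== 2n) throw new Error(`unsupported $I version ${version}`);
  const size = view.getBigUint64(8, true);
  const deletedAt = fileTimeToDate(view.getBigUint64(16, true));
  const pathUnits = view.getUint32(24, true);
  const pathBytes = bytes.subarray(28, 28 + pathUnits * 2);
  // subarray clamps silently, so compare lengths to catch a truncated file.
  if (pathUnits === 0 || pathBytes.length !== pathUnits * 2) {
    throw new Error("path length field does not match file size");
  }
  // Decode everything except the trailing NUL code unit.
  const path = new TextDecoder("utf-16le").decode(pathBytes.subarray(0, pathBytes.length - 2));
  return { version: Number(version), size, deletedAt, path };
}
```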