Author Topic: Super hidden folders in Windows XP  (Read 2664 times)

Offline Blanchimont

  • Member
  • Posts: 1128
  • Dreamer through Time
Super hidden folders in Windows XP
« on: October 27, 2008, 03:02:32 PM »
Here's some info some of you might be unfamiliar with ;)...

In Windows Explorer there are the nifty settings 'Show hidden files and folders' ticked and 'Hide protected operating system files' unticked that let you practically view all files on your PC? Well... WRONG!

Try locating these two folders on your XP system, with any normal browsing and those settings ticked/unticked respectively 8);



...same goes for the OLK* folder (Outlook temp folder), and probably a few others... They (or their contents) don't show up in searches either, however if you know the exact filename you can easily get there by typing the exact path in 'Start/Run', or lacking that by using some similar program like the one used in the screenshot to browse with :)...

By the way, does anyone know if these folders are present in Vista too?

"..It's our dreams that guide us towards the future...not force"

Offline EclipseSin

  • Member
  • Posts: 335
  • Anime is like crack for normal people.
Re: Super hidden folders in Windows XP
« Reply #1 on: October 27, 2008, 03:29:12 PM »
Super Hidden Files and Folders exist in every version of Windows that I can remember that has some form of DOS prompt. As for the antiphishing folder specifically, I don't know; it might be made after you choose an antiphishing option in IE7, but seeing as I never use IE7 it may or may not be there. I will look.

They are in C:\Users\yourusernamehere\AppData\Local\Microsoft\Windows\Temporary Internet Files

Yes, they are superhidden.
« Last Edit: October 27, 2008, 03:48:50 PM by EclipseSin »

Offline AnimeJanai

  • Member
  • Posts: 2474
  • http://anonym.to/?
    • Doujinshi Database & Lexicon
Re: Super hidden folders in Windows XP
« Reply #2 on: October 29, 2008, 11:39:35 AM »
C:\Documents and Settings\Ayukawa\Local Settings\Temporary Internet Files\Content.IE5

Some superhidden directories/folders can be accessed if you type them into the address box.   There were some that I could not get to by typing in their names so those are probably accessed by some sort of privileged VXD/DLL.  The Content.IE5 contains a sort of permanent browsing history index.dat which is one of the files that forensic software will go after.

Offline Blanchimont

  • Member
  • Posts: 1128
  • Dreamer through Time
Re: Super hidden folders in Windows XP
« Reply #3 on: October 29, 2008, 05:08:32 PM »
C:\Documents and Settings\Ayukawa\Local Settings\Temporary Internet Files\Content.IE5

The Content.IE5 contains a sort of permanent browsing history index.dat which is one of the files that forensic software will go after.
Yeah, I ran Index.dat Suite to find all the index.dat files on C:/, and even though I had cleared absolutely everything from IE, and rebooted the PC, the index.dat in ~/History.IE5 was 11,5MB and the one in ~/Content.IE5 9,5MB... all other index.dat files were 16/32KB in size and empty when viewed into...
Windows generates the index.dat files anew at startup if they don't exist, with a few exceptions like the one in ~pchealth/ (which would be advisable to untick from the list should you attempt to clean them...)

Now, I can't be absolutely sure of the contents of those two (in History-/Content.IE5) as unlike the others Index.dat Suite wasn't able to view those, simply gave a 'no content' message after a LONG while...
...however after running the batch file to remove them after reboot the sizes reverted to the more normal 16/32KB, a pretty good indication something WAS indeed inside :-\...

Is 9,5/11,5MB a lot then? Well, think about it this way, how much would you have to write in notepad for example, to generate textfiles that size? Or how many urls that would translate to?... Remember, these files persist on the drive after all normal cleaning operations (ie reasonable measures), and as AnimeJanai said, can be used to track past activities should someone decide so :P...
Edit; ...and consider I hadn't used IE for browsing for close to a year, so whatever there was inside was pretty old...
« Last Edit: October 29, 2008, 06:08:44 PM by Blanchimont »

"..It's our dreams that guide us towards the future...not force"

Offline mgz

  • Box Fansubs
  • Member
  • Posts: 10564
Re: Super hidden folders in Windows XP
« Reply #4 on: October 29, 2008, 09:56:47 PM »
C:\Documents and Settings\Ayukawa\Local Settings\Temporary Internet Files\Content.IE5

Some superhidden directories/folders can be accessed if you type them into the address box.   There were some that I could not get to by typing in their names so those are probably accessed by some sort of privileged VXD/DLL.  The Content.IE5 contains a sort of permanent browsing history index.dat which is one of the files that forensic software will go after.
If I'm tinkering in DOS, would a directory list show these files?

Offline EclipseSin

  • Member
  • Posts: 335
  • Anime is like crack for normal people.
Re: Super hidden folders in Windows XP
« Reply #5 on: October 29, 2008, 11:02:07 PM »
I'm not sure about DOS, but not in a cmd prompt. At least not on Vista, they do not.

Offline billlanam

  • Member
  • Posts: 316
Re: Super hidden folders in Windows XP
« Reply #6 on: October 29, 2008, 11:29:36 PM »
Certainly visible when viewed from a Linux distribution.

Offline sloggerK

  • Member
  • Posts: 364
Re: Super hidden folders in Windows XP
« Reply #7 on: October 29, 2008, 11:45:47 PM »
If you don't want MS owning your PC don't use windows.
Yaaaaawwwn.
This.

Offline k0d0chaa

  • Member
  • Posts: 362
  • "the wise know what they dont know"
Re: Super hidden folders in Windows XP
« Reply #8 on: October 30, 2008, 07:59:34 AM »
Not really sure what this is about; these folders are basically common knowledge. Go to walkernews. Uhhh, gTLD of some sort, I don't remember. That's where I got the 411 on it.

Another hidden folder for Firefox:
C:\Documents and Settings\*Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\*default

* means whatever it is for you

Any others?


Offline kyanwan

  • Member
  • Posts: 1880
  • 口寄せ・穢土転生!
Re: Super hidden folders in Windows XP
« Reply #9 on: October 31, 2008, 03:33:56 PM »
C:\Documents and Settings\Ayukawa\Local Settings\Temporary Internet Files\Content.IE5

Some superhidden directories/folders can be accessed if you type them into the address box.   There were some that I could not get to by typing in their names so those are probably accessed by some sort of privileged VXD/DLL.  The Content.IE5 contains a sort of permanent browsing history index.dat which is one of the files that forensic software will go after.

Yep.   I'm oldsk00l - grew up on DOS.   I use command prompt to find em.

Very easy - because Explorer is hiding them. 
Nothing.

Offline Blanchimont

  • Member
  • Posts: 1128
  • Dreamer through Time
Re: Super hidden folders in Windows XP
« Reply #10 on: November 03, 2008, 08:52:45 AM »
I looked a little closer at those, history.ie5 and content.ie5 index.dat files, with a hex editor;

When you clear everything in IE, they do empty, however...:
before cleanup;
Size A
Quote
abcd (urls, handled files/(-locations))
efgh
ijkl
mnop
after cleanup;
Size A
Quote
----
----
----
----
...however the size stays the same, so should you browse a bit more, it would look something like this;
Size A+B
Quote
----
----
----
----
abcd
efgh
What this means? Well, unless we assume Windows uses overwrite capabilities to protect our privacy (yeah, right...), it's about the same as the default recycle bin in Windows, except it takes more than one click to retrieve items, though that's counterbalanced by the fact it'll never get cleaned by default... That's why it showed empty the first time despite the large filesize...
Basically it's Christmas for computer forensics :P...

A note about the index.dat in History.ie5: It seems to record everything you do in the "My Files", so if you direct downloads there, or process images and have the files in it or in one of the subdirectories, it will note those too.
However for some reason activities in other folders don't seem to be recorded, only "My Files" and everything under it...

"..It's our dreams that guide us towards the future...not force"
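
A check for the situation described in the post above, as an added example that is not part of the original thread: it measures how much of an index.dat image is held by live records and carves any URL strings left outside them, so a cleanup can be verified instead of trusted. The 0x80-byte block layout, the record tags and the file signature come from public notes on the IE cache format and are assumptions here, and the sample image is constructed.

```python
import re
import struct

# Assumptions (public IE cache format notes, not from the thread): records are
# aligned to 0x80-byte blocks and start with a 4-byte tag plus a little-endian
# block count; the file opens with the "Client UrlCache MMF" signature.
BLOCK = 0x80
MAGIC = b"Client UrlCache MMF Ver 5.2\x00"
LIVE_TAGS = {b"URL ", b"REDR", b"LEAK", b"HASH"}
URL_RE = re.compile(rb"(?:https?|ftp|file)://[\x21-\x7e]+")

def audit_index_dat(data):
    """Return (bytes held by live records, URL strings found outside them)."""
    if not data.startswith(MAGIC):
        raise ValueError("missing index.dat signature")
    live, pos = [], BLOCK
    while pos + 8 <= len(data):
        tag, nblocks = struct.unpack_from("<4sI", data, pos)
        if tag in LIVE_TAGS and 0 < nblocks <= (len(data) - pos) // BLOCK:
            live.append((pos, pos + nblocks * BLOCK))
            pos += nblocks * BLOCK
        else:
            pos += BLOCK          # free, wiped, or unknown block
    residual = [m.group().decode("ascii")
                for m in URL_RE.finditer(data, BLOCK)
                if not any(s <= m.start() < e for s, e in live)]
    return sum(e - s for s, e in live), residual

def _record(tag, body):
    """Constructed one-block record (body layout simplified), zero padded."""
    return (struct.pack("<4sI", tag, 1) + body).ljust(BLOCK, b"\x00")

def build_sample():
    """Constructed image: one live record, one freed-but-intact, one overwritten."""
    freed = b"\x00" * 4 + _record(b"URL ", b"http://example.test/old-visit\x00")[4:]
    return (MAGIC.ljust(BLOCK, b"\x00")
            + _record(b"URL ", b"http://example.test/current\x00")
            + freed
            + b"\x00" * BLOCK)

if __name__ == "__main__":
    image = build_sample()
    live_bytes, leftovers = audit_index_dat(image)
    print(f"file size {len(image)}, live {live_bytes}, residual {leftovers}")
```

A file whose size is far larger than its live bytes, with an empty residual list, was overwritten on cleanup; a non-empty list means old entries are still readable.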

Offline AnimeJanai

  • Member
  • Posts: 2474
  • http://anonym.to/?
    • Doujinshi Database & Lexicon
Re: Super hidden folders in Windows XP
« Reply #11 on: November 04, 2008, 02:02:45 AM »
Some tools that scan folders will display the hidden foldernames.   For example, I use the DirSIZE tab tool made by space dolphin.  This puts a tab on the property window when you right click on a folder and select properties.  Clicking on the tab makes a list of folders with the folder size displayed next to each folder name.   I noticed that this little tool would also display the hidden filenames.

Going back to my prior post about going to the hidden folder at:

C:\Documents and Settings\Ayukawa\Local Settings\Temporary Internet Files\Content.IE5

Inside that folder "Content.IE5" are a bunch of hidden folders that contain temp or not so temp values for my various internet explorer browser sessions.   To see them, click on the pulldown menu to set the folder options (winXP). Then click on the "view" tab and uncheck the box for "Hide protected operating files (Recommended)".   This will allow system files to be displayed.   Since this is annoying for normal use, remember to recheck the box when done looking around.

Offline k0d0chaa

  • Member
  • Posts: 362
  • "the wise know what they dont know"
Re: Super hidden folders in Windows XP
« Reply #12 on: January 16, 2009, 02:22:41 PM »
I've been using Total Commander for a while now with Windows Vista, and since I can change file attributes with TC, none of this really applies. I can copy from temp with Vista this way (which normally locks temp and others read exclusive).

I'll see if I can delete AntiPhishing as well as soon as I get to XP. Give it a shot.

Offline wolkec

  • Member
  • Posts: 833
Re: Super hidden folders in Windows XP
« Reply #13 on: January 16, 2009, 10:05:18 PM »
What's the point of those folders anyway?