## Windows Enterprise Desktop

August 14, 2017  5:33 PM

## Numbering Decimal Versus Binary Bytes

Profile: Ed Tittel
Disk size, Disk space, Windows 10

One thing I sometimes think about is the difference between binary and decimal numbers. This difference can be particularly interesting when it comes to sizing storage like HDs or SSDs. Manufacturers use decimal numbers to count the bytes of storage they provide. Then they describe them using megabytes (MB), gigabytes (GB), terabytes (TB) and so forth. But when it comes to numbering decimal versus binary bytes, using decimal sizes makes drives look bigger than they really area. As the scale of the units involved increases to TB and beyond, the discrepancy gets bigger along with the units.

### Table 1: Numbering Decimal Versus Binary Bytes

Decimal sizing inflates drive capacity.

What this table shows is interesting. For one thing, for each unit (GB, TB, PB, and EB, which correspond to binary numbers 230, 240, 250, and 260) it shows the difference between a putative decimal number (Claimed) and its binary equivalent (Actual). This is also expressed as an absolute difference (Diff) and a percentage difference (%-age). The Delta column shows how the growing percentage difference as we increase the scale of the units actually decreases (that is, from GB to TB, from TB to PB, and from PB to EB, or Exabyte). That’s a good thing because it means the increase is arithmetic rather than geometric or exponential.

There’s an online tool you can use to work other numbers out for disks sized using MB, GB, and TB units. It’s entitled USB Hard Disk Real Capacity. But of course, it works for any kind of binary storage where buyers must convert a less-than-perfect decimal number into its binary counterpart. While you may or may not check it out, you can use the percentage numbers for each unit from Table 1 to reduce claimed disk sizes to the actual numbers you’ll see showing up in Windows Explorer (or its platform equivalent, such as the Finder for MacOS, and file/directory commands for Unix/Linux).

### Actual Table Data

WordPress wants images, so I took a snap of the table below in HTML to turn it into a graphic. Here’s the table for those who may want to grab it in actual numeric form for manipulation in a spreadsheet or something…

 Claimed Actual Unit Diff %-age Delta 128 119.2093 GB 8.7907 6.87% 256 238.4186 GB 17.5814 6.87% 512 476.8372 GB 35.1628 6.87% 1 0.9095 TB 0.0905 9.05% 2.18% 2 1.8190 TB 0.1810 9.05% 4 3.6380 TB 0.3620 9.05% 6 5.4570 TB 0.5430 9.05% 8 7.2760 TB 0.7240 9.05% 1 0.8882 PB 0.1118 11.18% 2.13% 1 0.8674 EB 0.1326 13.26% 2.08%

August 8, 2017  3:28 PM

## Hackers are coming: How IT can learn from the HBO ransomware attack

Profile: Alyssa Provazza
Endpoint security, HBO, Ransomware

Game of Thrones fans who want to avoid spoilers are running for cover in light of last week’s HBO ransomware attack. End-user computing administrators should take notice and learn about security measures that can protect their employees’ data from similar attacks.

Hackers stole a variety of data in a ransomware attack, then released episode scripts, plus HBO employees’ phone numbers, emails and other personal information. This week, they threatened to dump further confidential data.

Typically a ransomware attack corrupts endpoints by taking advantage of Windows operating system vulnerabilities. Hackers encrypt stolen data so that users cannot access it and demand payment in exchange for decrypting the data.

Most often, the actual attack vectors are social engineering tactics, in which hackers trick users into clicking on links or opening email attachments that launch an attack that exploits the OS vulnerability. If a hack affects one device, it can spread through the rest of a corporate network. That’s why user education is the most important tool EUC admins have against a ransomware attack.

Organizations can hire security consultants to educate users, or adopt training software that continuously tests users to ensure they keep endpoint security top of mind. Third-party services can also send fake attacks to users, then report results back so IT can provide extra awareness training to employees who need it.

But security training isn’t always successful. Phishing attacks, for example, are becoming more advanced and can easily trick even the most discerning users. Technology such as email and web filtering tools can help, as well as endpoint and network monitoring suites. Or, organizations can require SSL client certificates that specifically authenticate the domain that a request for a user’s credentials come from.

“The underlying issue here is that any protection that relies on a human being making a reasonable decision is going to fail,” said Karla Burnett, security engineer at mobile payments provider Stripe, at last month’s Black Hat conference, SearchSecurity.com reported.

To make matters worse, ransomware attacks have increased dramatically in the past three years. They’re growing at a rate of 350% per year, according to Cisco’s 2017 Annual Cybersecurity Report. And about 40% of spam emails contained links to ransomware in 2016, up from just 1% in 2015, IBM said in a Cybersecurity Ventures research report.

As in the HBO hack, it’s not just corporate data on the line. Employee privacy is also at risk if users store personal information on their devices. IT departments should implement security and training tools to safeguard their organizations before the White Walkers — ahem, hackers — breach the wall.

August 4, 2017  1:19 PM

## Win10 Post-Repair-Install Issues Appear

Profile: Ed Tittel
Microsoft Windows Installer, Windows 10, windows installer

Earlier this week, I reported on my experiences in performing a repair install on my production PC. To recap: in the wake of installing KB4032188 on that machine, I couldn’t enter a pin or password to login after the reboot. Eventually, I did get that PC started. Because those boot issues kept re-appearing intermittently, I ran an upgrade/repair install to fix them. The good news is that this approach worked. But there have been some consequences, as Win10 post-repair-install issues appear. Let me elaborate…

A repair/upgrade install fixes many Windows ills, but it only mostly leaves the prior install intact. What falls outside the “mostly” can get interesting…

### Details When Win10 Post-Repair-Install Issues Appear

The appeal of the upgrade (re)install is that this OS repair leaves an existing Windows installation mostly intact. Over the past couple of days, I’ve been learning what falls outside that “mostly” umbrella. Here’s my list of observed items so far. Future experience may cause me to expand as new items make themselves felt or known:

8GadgetPack: Yeah, I know I’m not supposed to run gadgets any more. But they’re so darned handy I do it anyway. Each time an upgrade runs on a Win10 machine, it disables gadgets. Fortunately, Helmut Buhler’s run-time notices this, and offers a repair shortcut on the desktop. A quick double-click on same and gadgets are back at work.

System Restore disabled by default: upgrades and clean installs start up with restore points disabled, no matter the prior state of the OS beforehand. One must remember to visit the System Properties window to turn restore points back on for the boot/system drive (if they’re wanted).

Windows 7 Games: I’m still hooked on Freecell, Solitaire and Hearts. Something about upgrade or clean install kills the ability to run those old games on new Windows versions. A reinstall turns out to be required, but neither terribly difficult nor time-consuming. Prior to repair, the icons still show up (in generic form) but nothing runs; after repair: game on!

Norton Identity Safe: I use Norton Internet Security on my production PC. Norton Identity Safe is my password store on that machine. Also, a Web-based version lets me use it on any machine with Internet access. Although I disabled Norton during the upgrade process, and re-enabled it afterward, Identity Safe wouldn’t run. I ended up downloading and using the Norton Remove and Reinstall tool to fix this.

People: I don’t use the People feature in Windows 10.  (Instead, I use Outlook contacts in various versions of Office 365). People still shows up by default on my Taskbar. Thus, I have to unlock the taskbar, then turn off People in Taskbar settings. Finally, I re-lock the taskbar to keep from changing it by accident.

Nvidia GeForce Experience: the first time I fired it up, post-upgrade, it re-installed itself and informed me I needed a new GeForce driver. Looks like something about the upgrade stymies the operation of and automatic update check here.

### Anything else?

That’s it so far. The great joy of Windows is that you often don’t recognize a problem until it hits you over the head. I’ll keep adding to this list of items as they do that to me. Stay tuned! If any new Win10 post-repair-install issues appear, I’ll let you know here.

August 3, 2017  1:26 PM

## MVA Offers Free Win10 Security Course

Profile: Ed Tittel
FREE, Security training, Windows 10

Every month, like clockwork, I get an email blast named “MCP Monthly” from Microsoft Learning. In fact, anybody who’s ever passed any MCP exam can sign up for and receive this newsletter. This latest issue includes an item entitled “Windows 10 Security in Real Life.” As it happens, this points to an MVA (Microsoft Virtual Academy) course of the same name. The featured instructors are Erdal Ozkaya, MS Cyber Security Architect, and Raymond Comvalius, an independent IT architect. The course includes 6 modules from 8 to 45 minutes or so in length, with total playing time of 2:46, as shown in Table 1. Because MVA offers free Win10 security course to all, it makes sense for interested parties to give it a try.

 Module Title Time 1 Security Landscape 0:42:26 2 Device Protection 0:13:26 3 Threat Resistance 0:07:48 4 Identity Protection 0:43:19 5 Information Protection 0:19:55 6 Breach Detection 0:41:28 Total 2:48:22

### So MVA Offers Free Win10 Security Course: Where Do I Find It?

Sign-up is easy at the Microsoft Virtual Academy. You’ll use your Microsoft Account to login directly to the course at MVA. Then, simply work your way through the six modules in sequence. Along the way, you’ll hear from your friendly and voluble instructors. It’s interesting stuff and worth digging into for those charged with managing and maintaining security for Win10 PCs on organizational networks. You’ll definitely want to check it out.

The content is useful and interest, the topic timely, and the price entirely right. What more could you want?

If you’ve been itching to learn about new MS security technologies such as Windows Hello and Credential guard, you’ll find them covered here. Same goes for data protection using Windows Information Protection (WIP) and Conditional Access. Likewise for Windows Defender’s Advanced Threat Protection. It can help detect, diagnose, investigate and respond to so-called Advanced Persistent Threats (APTs). Good stuff, all the way around. Please dig in at your convenience!

August 2, 2017  5:24 PM

## KB4032188 Causes Win10 Confusion

Profile: Ed Tittel
Troubleshooting, Windows 10

Microsoft released a new Current Branch cumulate update earlier today. Alas, the update known as KB4032188 causes Win10 confusion — at least, on one of my PCs. After the mandatory restart to fully install it, I found myself in the vexing position of being unable to login. On one PC, the update apparently knocked out access to both mouse and keyboard (which speaks to a potential USB driver gotcha). It’s impossible to login to Windows if you can’t key in a PIN or password, nor use the mouse to do likewise with an on-screen keyboard equivalent. Sigh.

When you see the login screen but can’t use a mouse or keyboard, then what? Think fast!

### When KB4032188 Causes Win10 Confusion, What to Do?

I keep a small bin full of USB flash drives on my desk. It numbers the Macrium Rescue Media, Kyhi’s Bootable PE Rescue Disk, and an installable UFD with Windows 10 Pro 15063 among its contents. First, I booted up using the Macrium item to roll back to last night’s image capture. No dice: the boot issue continued unabated. Second, I booted into Macrium again, and ran its Windows boot repair utility. Again: no dice. Finally, I used the Win10 15063 UFD to perform an in-place upgrade/repair install (I did manage to get Win10 to boot to make this happen) to rewrite my Windows files. That almost did the trick, though some post-(re)install cleanup also proved necessary…

### Where Did Those &*(% Drivers Go?

Following the repair install, the machine booted just fine. I was (mostly) back in business. Upon closer inspection, I observed that my Intel I211 GbE NIC had gone south. So I switched to my handy Startech USB 3.0 to GbE dongle to regain network access immediately, then uninstalled the wonky driver in Device Manager. A quick “Scan for hardware changes” later, and MS automatically downloaded a working driver for that NIC without difficulty or demur. Although I’m not using the 2nd NIC on my mobo (an Intel I219-V) the same maneuver worked to restore its driver to working when I switched my RJ-45 cable from one built-in NIC to the other.

One problem I couldn’t solve quickly, and don’t want to troubleshoot to completion, is that my Asrock Extreme7+ motherboard has stopped recognizing 4TB drives. They worked on it before, and still work just fine on my Asrock Z97 Fatal1ty gaming board. Thus, I’ve still got some lingering device issues there. I plan to perform a clean install of Win10 Pro on the production machine later this month, after I come back from a road trip to Fairfax County next week. I’ll perform a manual disk partition to put the recovery partition at the end of the drive where it rightfully belongs, using SysPrep to create a custom Windows image for regular re-use. I just don’t want to take the time to figure out what’s up with the big drives right now.

And so it goes, here in Windows world. I’m back to work, updates are applied, and nearly everything is working like it should be. But there are always more updates a’comin’ and more gotchas inevitably along with them. Stay tuned as I recite my adventures and contortions in dealing with them…

August 1, 2017  12:11 PM

## Using MS Search Effectively

Profile: Ed Tittel
Search Indexing, Windows 10, Windows Search

Because I work as a writer, I often find myself looking for specific references in my previous work. This means I appreciate search tools that offer fast, easy access to document contents, not just filenames. In perusing a TenForums post recently, I learned that Win10’s built-in search function offers content indexing and search. This comes as welcome news to me, because other text search tools I’ve tried out have been none of the following: cheap, fast, and decent performers. But by using MS search effectively, these hurdles may be overcome.

### The Secret to Using MS Search Effectively

Turns out you can index file contents as well as filenames in the MS search tool. This requires using the Advanced Options window available in the Control Panel widget named Indexing Options. The keys to success require two things:

1. Making sure that all relevant file extensions are checked (all are checked by default, so you may decide to prune a bit to speed indexing time if you wish to search content as well as filenames)
2. Clicking the radio button that reads “Index Properties and File Contents” near the bottom of this window.

You can see this at work in this screen capture of my Advanced Options window here:

Click the “file contents” radio button to instruct the built-in search command to report on file and document contents.

### The Downside of Using MS Search Effectively

You knew there had to be a gotcha, right? Perhaps there is more than one, in fact. First, you need to review the “Included Locations” list in the Indexing Options window to make sure all volumes and folders in need of indexing appear therein. Second, you must be prepared to pay the time and space penalties involved in creating and maintaining MUCH BIGGER indexes.

Thus, if you decide to index content as well as so-called “index properties” (basically, this means file names and other file meta-data only) you’ll see some big changes. After indexing for content in the Users folder and my “work drive” (where I keep current or recent writing work), the index file jumped from under 33 MB to 2.4 GB. That file is named Windows.edb; its default location is

C:\ProgramData\Microsoft\Search\Data\Applications\Windows.

Obviously, the bigger file takes more time to create and maintain as well as more storage space. But if you’re willing to bear that burden, you’ll find the built-in search function to be both speedy and useful in chasing down local content references and the files in which they reside. Note: you may also decide to scope your searches by clicking the “Filters” item to focus in on specific volumes or folders (on the C: drive) once your new index is built. I found this to be a great way to search my Documents folder, or my work drive, for example. You may find the same to be true for you, too!

July 31, 2017  10:42 AM

## Consult MAP Toolkit for Win10 Deployments

Profile: Ed Tittel
Software Deployment Tools, Windows 10, Windows Deployment Services

The free Microsoft Assessment and Planning Toolkit, aka MAP or MAP Toolkit, is available to Windows professionals online. For organizations who’ve not yet succumbed to the allure of Windows 10, it’s probably a good idea to download and consult MAP toolkit. That’s true for all organizations, even those pondering the possibility of a migration (not its eventuality).

### Where to Start: Consult MAP Toolkit

• MAP_Training_Kit.zip: sample database with demo exercises to demonstrate MAP actions and capabilities
• MAP_Sample_Documents.zip: large library of sample MAP output documents for all kinds of assessments
• MapSetup.exe: executable file to install MAP on a technician/survey PC (desktop)
• readme.htm: introductory file (read first and foremost before doing anything else); explains pre-requisites, installation, troublehooting, repair, and upgrades for MAP.

Next, before touching the setup file, you’ll want to consult the MAP Getting Started Guide.  As a further illustration, here’s a diagram of Microsoft’s vision for the proper process of using MAP:

Note: the first 4 steps in the process come from the Getting Starting Guide.
Only the 2 final steps, which may repeat indefinitely, come from MAP itself.
[Click image for full-sized view, please.]

Truly, MAP can be a useful tool for those considering Windows deployments of many kinds. These include Windows Server 2016, plus various Windows Server-based platforms and services. (Common examples: SharePoint, SQL Server, Lync, ForeFront Endpoint Protection, and so forth). Of course, my focus here is on desktop OS deployments, particularly Windows 10. But IT professionals, upon inspecting the documentation and exploring MAP capabilities, will soon appreciate that it can do quite a bit more than that.

MAP runs on a single PC with access to the network(s) to be inventoried and assessed. Users may opt into the Customer Experience Improvement Program (CEIP) when running MAP. If so, the toolkit collects anonymized information from its use and ships the data off to MS. MAP creates and uses a SQL Server 2012 Express LocalDB as part of its operation. See the readme.htm file and the Getting Started Guide for more information and further details.

July 19, 2017  3:59 PM

## Add Custom Drivers to WinRE

Profile: Ed Tittel
Device drivers, Windows 10, Windows RE

The Windows Recovery Environment (aka Windows or RE or WinRE) is a valuable tool for system recovery. But on some PCs, the standard collection of device drivers packaged with Windows itself may not cover your needs. You’ll know if this means you when you find you must add device drivers after completing a clean Windows install or an upgrade install. That’s when it make sense to add custom drivers to WinRE as well. If your regular runtime needs them, your recovery runtime will probably need them also. This turns out to be a simple task.

By default, WinRE.wim resides inside the Windows Recovery partition. Shown using Partition Explorer in MiniTool Partition Wizard.
[Click image for full-sized view]

### How to Add Custom Drivers to WinRE

The secret lies to using the Deployment Image Servicing and Management, or DISM, command built into modern Windows versions. That means Windows 7 and newer on the desktop, Windows Server 2008 and newer on the server side of things. Windows 10 users can run some specific PowerShell cmdlets instead to get the job done. Because this involves working on an image file, the basic process works like this:

1. Mount the Windows image (.wim) file you wish to operate upon
2. Add the device drivers needed to that image
3. Dismount the mounted Windows image so it may then be used

### A Script to Add Custom Drivers to WinRE

The operation of the PowerShell script provided here depends on a crafty trick to simplify adding drivers. That trick involves copying all the necessary driver files into a single directory, from which DISM will then add them to the mounted image. For the purposes of this script, I put them into a directory named C:\temp\Drivers. You can put them wherever you want, but that’s where you’ll have to reference them in the command script in place of that reference.

The script also references the version of WinRE that’s included with Macrium Reflect Free, a free and capable backup and restore program. Reflect includes a nice recovery environment, boot repair tools, and more. If you’d rather use a plain-vanilla WinRE image instead, you can. You may find the file named WinRE.wim in C:\Windows\Recovery. Otherwise, if you have access to a recovery partition on one of your disks, you’ll find it at: <DL>:\Recovery\WindowsRE. Of course, <DL> stands for Drive Letter, which means you’ll need to assign a drive letter to the recovery partition (at least temporarily), then use that letter to see (and grab) the WinRE.wim file.

Here’s the script:

```# Mount WIM (remove linefeeds following comments # here)
# Each of the mount, add, and unmount commands go on one line
Mount-WindowsImage -ImagePath
"C:\boot\macrium\WA10KFiles\media\sources\boot.wim"
-index 1 -Path "C:\temp\mount"

# Add any device drivers (.inf files)
-Driver "C:\temp\Drivers\" -recurse

# Unmount the WinPE image
Get-WindowsImage -Mounted -ErrorAction Stop
| ForEach-Object { Dismount-WindowsImage -Path
\$_.Path -Save -ErrorAction Stop }```

### Capturing Drivers for Use with WinRE Customization

The every-handy DISM command also captures drivers, too. Once you get your current Windows installation set up the way you want it, with all drivers up-to-date, it will take a snapshot for you. You can use DISM to populate the afore-cited C:\temp\Drivers directory by entering:

dism /online /export-driver /destination:C:\temp\Drivers

at an administrative command prompt, or in PowerShell (admin). Then, you can run the foregoing script, secure in the knowledge that all the drivers you need will be added therein.

[Note: my thanks to user Lx07 at TenForums.com, who posted the original of this script in the message thread entitled “How do I make Wifi work in PE?” on 10/9/2015. I’ll observe that the directory spec for the Macrium boot.wim has changed since then, too. My pointer as referenced in the preceding script is correct for versions 9 and 10. For the record, for a Windows Recovery partition on drive L:, the file specification would be L:\Recovery\WindowsRE\WinRE.wim.]

July 18, 2017  2:11 PM

## Periodic Win10 Disk Cleanup Checklist

Profile: Ed Tittel
Disk cleanup, Windows 10

Over the years, I’ve developed a drill to keep the trash on my Windows disks under control. For Windows 10, that involves an interesting mix of tools and utilities to get rid of unwanted and unneeded files. Forgive me in advance for dragging in lots of stuff. That said, a genuine periodic Win10 disk cleanup checklist covers many bases. Thus, it should come as no surprise that numerous tools are needed. Here goes!

Right-click and run this tool as administrator to clean up system files automatically.

### Populating the Periodic Win10 Disk Cleanup Checklist

What’s the period? Up to you to decide. I try to hit every item on the list at least once every three months (or after a Windows Upgrade) but some of them I repeat weekly or more often. Those looking for guidance can consider my suggested frequency entries in the following table.

 Tool Description Suggested Frequency Disk Cleanup Run as admin or choose “Clean up system files” Weekly CCleaner Read over cleanup options carefully! Weekly Uncleaner Temporary/working file cleanup only Weekly WizTree Shows disk space consumption, biggest consumers Monthly WinDirStat Shows disk space consumption, biggest consumers Monthly DISM Various options clean up files (see notes) Monthly/Quarterly PatchCleaner Cleans up orphaned WinSxS entries Quarterly Fsutil See Fsutil 7/17/17 blog post Quarterly RAPR.exe Use it to prune duplicate/obsolete device drivers Quarterly

Because WordPress won’t let me easily include hyperlinks inside a table, here are links to 3rd-party items:

CCleaner (Piriform)
Uncleaner (Josh Cell Softwares)
WizTree (Antibody Software)
WinDirStat (Sourceforge)
PatchCleaner (homedev)
RAPR.exe (aka Driver Store Explorer, GitHub)

And likewise, here are some relevant links to built-in Windows utilities also referenced in the table:

Disk Cleanup: Disk Cleanup Beats CCleaner Post-Win10-Upgrade
DISM: see information on startcomponentcleanup and resetbase on TechNet as in “Clean Up the WinSxS Folder
Fsutil: Fsutil Cleans Up Excess Old Transactions

I’m sure this doesn’t exhaust the possibilities for a periodic Win10 disk cleanup checklist, but it’s a pretty good start. Please comment here or email me through my Website to suggest additions or substitutions. I still believe that you can’t have too many good tools in the old admin toolbox. The more, the merrier, in fact.

July 17, 2017  12:16 PM

## Fsutil Cleans Up Excess Old Transactions

Profile: Ed Tittel
Command line, Disk cleanup, Windows 10

In reading over TenForums this weekend, I came across a new potential source of disk space consumption in Windows. It turns out that NTFS can sometimes allocate lots of space for transactions. It uses a built-in facility called the Kernel Transaction Manager (KTM), along with the Common Log File System to implement transactional NTFS, aka TxF. Potential pathologies can result, and consume 100s of MBs or even GBs of disk space. I learned all this, and more, from Chapter 12 of Windows Internals, Part 2, 6th Edition (pp. 469-477). Fortunately, the “file system utility” command, fsutil cleans up excess old transactions. It can also easily report on what’s up with TxF. Here’s a screen cap of one particularly useful such command:

The “resource info \” parameters for fsutil describe transaction space and data for the boot/system drive.
[Click image to see full-sized view.]

### Details: How Fsutil Cleans Up Excess Old Transactions

Just to be clear, the info shown in the preceding screen shot shows what a typical Windows 10 desktop looks like (based on my local sample of 7 physical machines, and 4 VMs). The TenForums message thread I saw voiced a desire to identify and repair the cause of 28GB of “missing” disk space on an SSD (see item#8 for details). It runs out that the poster’s system had been writing huge volumes of transaction logs and data that weren’t getting cleaned up. Running a specific fsutil command cleaned up and reclaimed the excess disk space consumed thereby:

fsutil resource setautoreset true <drive-spec>

There <drive-spec> is the volume ID for the volume you wish to clean up (such as C:\ or D:\). The poster also reported that this took upwards of 30 minutes to complete. Thus, for systems with lots of space consumed by TOPS, be prepared to spend some time to reclaim such space.

### A Few Explanatory Notes on FSUTIL Output

TOPS stands for TxF Old Page Stream. It maintains a default data stream in the \$Tops file, along with an alternate data stream called \$T. Windows Internals says this about the function of the \$T stream:

The \$T stream contains file data that is partially overwritten by a transactional writer (as opposed to a full overwrite, which would move the file into the \$TxT directory). NTFS keeps a structure in memory that keeps  track of which parts of a file are being modified under a transaction so that nontransacted readers can still access the noncommitted data by have their reads forwarded to \$Tops:\$T. When the transaction is committed or aborted, the pages are … moved from the \$T stream into the original file …” [pg. 474].

In a subsequent paragraph, the authors go onto observe that the TxF log files reside in a hidden directory named \$Extend. To find his problem, the Tenforums poster used a file analysis program called WizTree. Turns out it’s adept at displaying both hidden files and on-disk space consumption. This combination is particularly important when detecting TxF related space consumption issues. In the poster’s case, WizTree showed space consumption of 34GB in the \$Extend directory tree. Of course, you can always use fsutil to look for such issues explicitly. Because Fsutil cleans up excess old transactions, I’ve added it to my quarterly disk space inspection and cleanup routine.