I was troubleshooting a low disk space alarm on a server. After running TreeSizeFree, I discovered that the bulk of the space was in use in the Recycling bin which is stored in a hidden directory called #:\RECYCLER (I say # because on exists on each drive present in the machine).
You’ll note however that windows doesn’t store the username that deleted the files but rather the SID of the user. Now one could argue that if it’s in the recycle bin already then that’s tantamount to bringing your garbage to the curb and thus can be removed at any time. With that said, I still like to confirm the data first with the user if possible, mostly so I can explain the importance of either using “shift-delete” to permanently delete data or by regularly emptying the recycle bin. An ounce of prevention and all that.
At any rate, I now have the requirement of understanding just who S-1-5-21-77810565-118882789-1848903544-39792 actually is.
It turns out you can run a vbs script to tell you that. (Source code below)
When you double click on from explorer, you’ll be given a Windows message box. Copy and paste the SID here and press OK: