Deleting Recycle Bin Items Deleted Over 28 Days Ago For All Users

This topic contains 12 replies, has 3 voices, and was last updated by Jeff 1 month ago.

  • #51929
    Jeff
    Participant

    I have a few different scripts that I have been using to remove items older than 28 days. However, I cannot find a way to do this for all users. I can use "last write time" in PowerShell for all users, but last write time is not the same as the deleted time. I found a script on http://baldwin-ps.blogspot.com/2013/07/empty-recycle-bin-with-retention-time.html that uses the "deleted time", but it only deletes the items for the current user (not all users on a machine). Does anyone know how I can achieve this? Script by D. Baldwin:

    # ----------------------------------------------------------------------- 
    #
    #       Author    :   Baldwin D.
    #       Description : Empty Recycle Bin with Retention (Logoff Script)
    #     
    # -----------------------------------------------------------------------
    
    $Global:Collection = @()
    
    $Shell = New-Object -ComObject Shell.Application
    $Global:Recycler = $Shell.NameSpace(0xa)
    
    $csvfile = "\\YourNetworkShare\RecycleBin.txt"
    $LogFailed = "\\YourNetworkShare\RecycleBinFailed.txt"
    
    
    function Get-recyclebin
    { 
        [CmdletBinding()]
        Param
        (
            $RetentionTime = "28",
            [Switch]$DeleteItems
        )
    
        $User = $env:USERNAME
        $Computer = $env:COMPUTERNAME
        $DateRun = Get-Date
    
        foreach($item in $Recycler.Items())
            {
            $DeletedDate = $Recycler.GetDetailsOf($item,2) -replace "\u200f|\u200e","" #Invisible Unicode Characters
            $DeletedDate_datetime = get-date $DeletedDate   
            [Int]$DeletedDays = (New-TimeSpan -Start $DeletedDate_datetime -End $(Get-Date)).Days
          
            If($DeletedDays -ge $RetentionTime)
                {
                $Size = $Recycler.GetDetailsOf($item,3)
              
                # Shell reports size as "<number> <unit>"; normalise it to KB.
                $SizeArray = $Size -split " "
                $Decimal = $SizeArray[0] -replace ",","."
                # Cast to [double]: [int] would round fractional sizes (e.g. 1.5 MB) before scaling.
                If ($SizeArray[1] -contains "bytes") { $Size = [double]$Decimal /1024 }
                If ($SizeArray[1] -contains "KB") { $Size = [double]$Decimal }
                If ($SizeArray[1] -contains "MB") { $Size = [double]$Decimal * 1024 }
                If ($SizeArray[1] -contains "GB") { $Size = [double]$Decimal *1024 *1024 }
                
           $Object = New-Object Psobject -Property @{
                    Computer = $computer
                    User = $User
                    DateRun = $DateRun
                    Name = $item.Name
                    Type = $item.Type
                    SizeKb = $Size
                    Path = $item.path
                    "Deleted Date" = $DeletedDate_datetime
                    "Deleted Days" = $DeletedDays }
                
                $Object
    
                    If ($DeleteItems)
                    {
                        Remove-Item -Path $item.Path -Confirm:$false -Force -Recurse
                  
                        if ($?)
                        {
                            $Global:Collection += @($object)
                        }
                        else
                        {
                            Add-Content -Path $LogFailed -Value $error[0]
                        }
                    }#EndIf $DeleteItems
                }#EndIf($DeletedDays -ge $RetentionTime)
    }#EndForeach item
    }#EndFunction
    
    Get-recyclebin -DeleteItems
    
    
    if (@($collection).count -gt "0")
    {
    $Collection = $Collection | Select-Object "Computer","User","DateRun","Name","Type","Path","SizeKb","Deleted Days","Deleted Date"
    $CsvData = $Collection | ConvertTo-Csv -NoTypeInformation
    $Null, $Data = $CsvData
    
    Add-Content -Path $csvfile -Value $Data
    }
    
    [System.Runtime.Interopservices.Marshal]::ReleaseComObject($shell)
    
    #ScriptEnd
    
    #51938
    Dan Potter
    Participant

    Never done it but I would think gci/remove-item would be much shorter than this script.

    Homework: Get-ChildItem "C:\`$Recycle.bin\" -Recurse -Force #apply a filter
    #pipe into remove-item

    #51940
    Jeff
    Participant

    I mentioned there are no properties to determine what the "deleted time" was for items in the Recycle Bin. I could only find "Last Write Time." I cannot use "last write time" because the requirement is to delete items that have been in the recycle bin for over 28 days (items deleted over 28 days ago). That is why I had to use the script above. However, that only deletes items for the current user.

    #51946
    Dan Potter
    Participant

    Looking into it further, I'd probably translate the SIDs into user accounts prior to deletion for safety. It looks like there is a lot of program stuff in there. Also the names change, so the log isn't going to be useful.

    #51948
    Dan Potter
    Participant

    I don't know about your Windows OS, but my lastwrite and deleted time match exactly.

    #51950
    Dan Potter
    Participant
    #51959
    Dan Potter
    Participant

    To get you started.

    
    gci "C:\`$Recycle.bin\" -Force | select mode,lastwritetime,name,@{n='aduser';e={(get-aduser $_.name).samaccountname}} |ft
    
    
    
    #52049
    Daniel Krebs
    Participant

    Unfortunately, the deleted date information is not easily accessible. It is stored in info files next to the actual files.

    Get-ChildItem -Path 'C:\$Recycle.Bin\*\$I*' -Force

    I have yet to find a way to retrieve the information from these files without using the COM object which only works for the current user.

    #52051
    Daniel Krebs
    Participant

    The following PDF has an explanation of the $I file format on page 8 (right column).

    http://www.csee.umbc.edu/courses/undergraduate/FYS102D/Recycle.Bin.Forensics.for.Windows7.and.Windows.Vista.pdf

    #52057
    Dan Potter
    Participant

    The deleted date is the lastwrite in the recycle bin. See above.

    #52059
    Daniel Krebs
    Participant

    Your observation is correct for the info files called $I(random).(original ext), but not for the original files which get moved and renamed to $R(same as info file).(original ext).

    #52077
    Dan Potter
    Participant

    There is one R for every I, right? If so, simple logic to tell when the item was deleted and remove both.

    #52087
    Jeff
    Participant
    gci -Path "C:\`$Recycle.bin\" -Recurse -Force

    should be enough to find all files that need to be deleted for all users, right? That whole $I and $R files are interesting, but hoping I don't need to get that involved. If so, I can look further into that PDF. One thing that may be an issue is a machine with a secondary drive. If a file is deleted on that drive (e.g. E: drive), the recycle bin will be under E:\`$Recycle.bin\. I tried using a wildcard with the recycle bin, but that doesn't work.
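
The approach the thread converges on, as an added example that is not from any of the posters: read the deletion time straight out of each `$I` file, so it works for every user's SID folder on every drive instead of only the current user's COM view. The `$I` byte layout in the comments is an assumption based on published recycle-bin forensics documentation, not something stated in the thread; the function name and output fields are made up here, and SIDs are resolved with .NET rather than `Get-ADUser`.

```powershell
# Added example (run elevated: other users' SID folders are ACL-protected).
# Assumed $I layout: int64 version, int64 original size, int64 FILETIME of deletion,
# then the original path as UTF-16 (offset 24 in version 1; offset 28 in version 2).
function Get-RecycleBinItem {
    [CmdletBinding()]
    param([int]$RetentionDays = 28)

    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $bin = Join-Path $drive.Root '$Recycle.Bin'
        if (-not (Test-Path -LiteralPath $bin)) { continue }
        foreach ($sidDir in Get-ChildItem -LiteralPath $bin -Directory -Force -ErrorAction SilentlyContinue) {
            # Resolve the folder name (a SID) to an account; keep the raw SID if that fails.
            $account = $sidDir.Name
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidDir.Name)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            foreach ($info in Get-ChildItem -LiteralPath $sidDir.FullName -Filter '$I*' -File -Force -ErrorAction SilentlyContinue) {
                try {
                    $bytes   = [System.IO.File]::ReadAllBytes($info.FullName)
                    $version = [BitConverter]::ToInt64($bytes, 0)
                    $deleted = [DateTime]::FromFileTime([BitConverter]::ToInt64($bytes, 16))
                    $offset  = if ($version -eq 2) { 28 } else { 24 }
                    $path    = [Text.Encoding]::Unicode.GetString($bytes, $offset, $bytes.Length - $offset)
                } catch { continue }   # truncated, locked or malformed record: skip it
                if ($deleted -gt $cutoff) { continue }
                [pscustomobject]@{
                    Account      = $account
                    OriginalPath = $path.Split([char]0)[0]
                    SizeBytes    = [BitConverter]::ToInt64($bytes, 8)
                    Deleted      = $deleted
                    InfoFile     = $info.FullName
                    # The moved file (or folder) has the same name with $R in place of $I.
                    DataFile     = Join-Path $sidDir.FullName ('$R' + $info.Name.Substring(2))
                }
            }
        }
    }
}

$old = Get-RecycleBinItem -RetentionDays 28
$old | Format-Table Account, Deleted, OriginalPath -AutoSize
# Dry run: remove -WhatIf only after reviewing the report above.
$old | ForEach-Object { Remove-Item -LiteralPath $_.InfoFile, $_.DataFile -Recurse -Force -WhatIf }
```

Because the report carries the resolved account and original path, it can be exported with `Export-Csv` before deletion to keep an audit trail that stays meaningful after the `$R` names are gone.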
