Sysinternals Freeware - Mark Russinovich & Bryce Cogswell

Fundelete for Windows NT

Copyright © 1997-2002 Mark Russinovich
Last Updated: February 24, 2000 Version 2.02

Awards

W2K News Target Awards Winner

Introduction

Although NT 4.0 provides a Recycle Bin, it is of very limited use. Only files deleted from the Explorer GUI end up being placed there. Any files zapped from a command window or from within a program are lost forever. Fundelete is a utility that replaces NT 4.0's Recycle Bin to provide full protection of files deleted from anywhere. Fundelete includes the same configurability as the Recycle Bin's Properties dialog, including which drives should have protection enabled and how large the Fundelete Bin should be allowed to grow. Fundelete also provides a filtering dialog that lets you keep files with specific extensions, such as editor backup files and temporary files, from being sent to the Bin. You can also specify directories that will be excluded from protection.

Note that Fundelete does not enable you to recover files that were deleted before Fundelete was installed. To recover valuable files that may have already been deleted, try FileRestore from Winternals Software.

A Note About the Name

Fundelete was originally named Undelete for Windows NT. A year after we released our "Undelete", Executive Software decided to rename one of their products, which provides some of the same functionality as our utility, to Undelete for Windows NT. We were subsequently informed by attorneys representing Executive Software International, Inc. that we were violating their registered trademark on the word "undelete" by using it in the title of our program. Apparently, the word "undelete", despite being standard computer terminology and arguably a necessary addendum to the modern English language (it is listed in many computer dictionaries), has been owned by Executive Software since 1987 (we wonder if Microsoft knew that when they added the undelete command to DOS 5 in 1991). We therefore renamed our Undelete for Windows NT to Fundelete for Windows NT.

Installation and Use

Fundelete is installed with a self-extracting install program. No file extension filters are installed automatically, so after installation you might want to run the Fundelete filter dialog (placed in the Fundelete program group) and add to it the extensions and directories for which you want Fundelete protection disabled. After rebooting, any files you delete from within programs or from the command prompt, and which are not filtered out of protection, will be moved to the Fundelete Bin. Simply use the Fundelete Bin as you would the Recycle Bin for files deleted from Explorer to recover deleted files.

The Source Code

We have posted the source code to one of the modules of the Fundelete device driver. This module, undelete.c, demonstrates several powerful techniques that are useful for device driver writers, and that are not documented anywhere else. One of these techniques is described below.

Obtaining the Current SID in a Driver

One technique that is of particular interest for developers is Fundelete's method for determining the SID of the user that is performing a file system operation. This is accomplished in several steps. First, Fundelete references the primary access token of the current process, obtaining a pointer to the token's object body (a referenced pointer that must later be released with ObDereferenceObject):

completeContext->Token=PsReferencePrimaryToken( PsGetCurrentProcess() );   /* adds a reference to the process's primary token */

Note that the primary token identifies the process, not necessarily the caller: if the requesting thread is impersonating a client, the effective identity is the thread's impersonation token (obtainable with PsReferenceImpersonationToken), and a driver that only looks at the primary token will attribute the operation to the process owner. The next step is to obtain a handle to the token object, because token query operations are handle-based. Fundelete accomplishes this through the use of an API that was undocumented at the time, ObOpenObjectByPointer, which takes an object pointer and creates a handle for it in the handle table of the currently executing process. The KernelMode access mode skips the access check against the token's security descriptor, and because the handle lands in the current process's table, it is visible to that user-mode process until it is closed; on Windows 2000 and later, passing OBJ_KERNEL_HANDLE in the handle-attributes argument places the handle in the kernel handle table instead, which avoids that exposure.

ntStatus=ObOpenObjectByPointer( completeContext->Token, 
    0, NULL, TOKEN_QUERY, NULL, 
    KernelMode, &tokenHandle );
/* The handle now holds its own reference to the token, so the pointer
   reference taken by PsReferencePrimaryToken can be released at once. */
ObDereferenceObject( completeContext->Token );

After the handle is returned, Fundelete can query the token using the NtQueryInformationToken native API. This function is the basis for the Win32 equivalent, GetTokenInformation, so determining its parameters and their formats is straightforward. Definitions from the Win32 header files are included in Fundelete's header so that Fundelete can perform a TokenUser query on the token, which returns the token's user information, including the SID. The query follows the usual two-call pattern: a first call with a zero-length buffer fails with STATUS_BUFFER_TOO_SMALL and reports the required length, and the second call fills a buffer of that size. One caveat for driver writers: the Nt* entry points validate their arguments according to the previous mode of the calling thread, so when a driver calls NtQueryInformationToken in the context of a user-mode thread, the kernel-mode buffer addresses passed here are probed as if they came from user mode and the call fails; the Zw* variant (ZwQueryInformationToken) sets the previous mode to kernel and is the safe choice unless the driver knows it is running on a system thread.

/* First call: no buffer, just learn how large the TOKEN_USER data is. */
ntStatus=NtQueryInformationToken( tokenHandle, TokenUser, NULL, 0, &requiredLength );
/* Expected status here is STATUS_BUFFER_TOO_SMALL, with requiredLength filled in. */
tokenInfoBuffer=(PTOKEN_USER) ExAllocatePool( NonPagedPool, requiredLength ); 
if( tokenInfoBuffer ) {
    ntStatus=NtQueryInformationToken( tokenHandle, 
        TokenUser, tokenInfoBuffer, 
        requiredLength, &requiredLength );
}
ZwClose( tokenHandle );

The final step Fundelete performs is to convert the binary representation of the SID into its textual form (for example S-1-5-21-...-500). Another API that was undocumented at the time, RtlConvertSidToUnicodeString, performs this. With the last argument set to FALSE the caller supplies the destination buffer, which must be large enough for the longest SID the driver expects to see; the TOKEN_USER buffer is still needed until the conversion completes, because tokenInfoBuffer->User.Sid points into it.

memset( sidStringBuffer, 0, sizeof(sidStringBuffer )); 
sidString.Buffer=(PWCHAR) sidStringBuffer; 
sidString.MaximumLength=sizeof(sidStringBuffer); 
ntStatus=RtlConvertSidToUnicodeString( &sidString, tokenInfoBuffer->User.Sid, FALSE );
/* sidString.Length is set by the call; tokenInfoBuffer can be freed with
   ExFreePool once the SID is no longer referenced. */
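The kernel APIs above cannot be exercised outside a driver, but the binary layout they operate on can. The following is an added, portable C example (not Fundelete's code, and not the Windows implementation) that re-implements the conversion RtlConvertSidToUnicodeString performs, including the validity checks a driver should apply before trusting a SID it pulled from a token: revision byte, sub-authority count, and enough bytes in the buffer for the count claimed. The byte layout (revision, sub-authority count, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities) is the one declared in the Windows headers; the constants and sample SIDs are defined by hand here so the example builds without the Windows SDK, and the sample domain SID is constructed, not captured from any system.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the Windows SDK, reproduced so the example builds anywhere. */
#define SID_REVISION            1
#define SID_MAX_SUB_AUTHORITIES 15
#define SID_HEADER_LEN          8   /* revision + count + 6-byte authority */

/* Constructed sample SIDs (well-known values, written out by hand). */
static const uint8_t SID_LOCAL_SYSTEM[] = {1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}; /* S-1-5-18 */
static const uint8_t SID_EVERYONE[]     = {1, 1, 0, 0, 0, 0, 0, 1,  0, 0, 0, 0}; /* S-1-1-0  */

/* Build a binary SID from its components. Returns bytes written, or 0 on
   bad input. Mirrors the layout a TOKEN_USER query hands back. */
size_t make_sid(uint8_t *out, size_t out_len, uint64_t authority,
                const uint32_t *subs, uint8_t sub_count)
{
    size_t need = SID_HEADER_LEN + (size_t)sub_count * 4;
    if (sub_count > SID_MAX_SUB_AUTHORITIES || (authority >> 48) != 0 || out_len < need)
        return 0;
    out[0] = SID_REVISION;
    out[1] = sub_count;
    for (int i = 0; i < 6; i++)                      /* authority: big-endian */
        out[2 + i] = (uint8_t)(authority >> (8 * (5 - i)));
    for (uint8_t i = 0; i < sub_count; i++) {        /* sub-authorities: little-endian */
        uint8_t *p = out + SID_HEADER_LEN + i * 4;
        p[0] = subs[i] & 0xff;         p[1] = (subs[i] >> 8) & 0xff;
        p[2] = (subs[i] >> 16) & 0xff; p[3] = (subs[i] >> 24) & 0xff;
    }
    return need;
}

/* Convert a binary SID to "S-R-A-S1-...-Sn". Returns the string length, or -1
   if the SID is malformed/truncated or the output buffer is too small.
   The validity checks are the ones RtlValidSid applies (revision and count)
   plus a length check against the buffer that actually holds the SID. */
int sid_to_string(const uint8_t *sid, size_t sid_len, char *out, size_t out_len)
{
    if (sid == NULL || out == NULL || sid_len < SID_HEADER_LEN) return -1;
    unsigned revision = sid[0];
    unsigned sub_count = sid[1];
    if (revision != SID_REVISION || sub_count > SID_MAX_SUB_AUTHORITIES) return -1;
    if (sid_len < SID_HEADER_LEN + (size_t)sub_count * 4) return -1;  /* count exceeds data */

    uint64_t authority = 0;
    for (int i = 0; i < 6; i++) authority = (authority << 8) | sid[2 + i];

    /* Windows prints the authority in decimal when it fits in 32 bits and as
       a 0x-prefixed hex value otherwise. */
    int n = (authority < (1ULL << 32))
        ? snprintf(out, out_len, "S-%u-%llu", revision, (unsigned long long)authority)
        : snprintf(out, out_len, "S-%u-0x%012llX", revision, (unsigned long long)authority);
    if (n < 0 || (size_t)n >= out_len) return -1;

    for (unsigned i = 0; i < sub_count; i++) {
        const uint8_t *p = sid + SID_HEADER_LEN + i * 4;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, out_len - (size_t)n, "-%u", sub);
        if (m < 0 || (size_t)m >= out_len - (size_t)n) return -1;
        n += m;
    }
    return n;
}

int main(void)
{
    char buf[96];
    uint8_t raw[64];
    const uint32_t subs[] = {21u, 4000000000u, 7u, 500u};   /* constructed domain SID */

    if (sid_to_string(SID_LOCAL_SYSTEM, sizeof SID_LOCAL_SYSTEM, buf, sizeof buf) > 0)
        printf("%s\n", buf);
    if (sid_to_string(SID_EVERYONE, sizeof SID_EVERYONE, buf, sizeof buf) > 0)
        printf("%s\n", buf);
    size_t len = make_sid(raw, sizeof raw, 5, subs, 4);
    if (sid_to_string(raw, len, buf, sizeof buf) > 0)
        printf("%s\n", buf);
    /* A SID whose count claims more sub-authorities than the buffer holds is rejected. */
    printf("truncated -> %d\n", sid_to_string(raw, len - 1, buf, sizeof buf));
    return 0;
}
```

The length check against the buffer that holds the SID is the part worth carrying back into a driver: a TOKEN_USER query returns a count byte and the data that follows it in the same allocation, and walking sub-authorities by the count alone without confirming the allocation is that large is how a malformed token structure turns into an out-of-bounds read.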

Download Fundelete (894KB)

Download Fundelete Undelete.c Source Code (13KB)
