by kevindqc 3346 days ago
5 MB.

https://gist.githubusercontent.com/riverar/f4a56b91580af1bd3...

1 comment

Haven't looked at the code that generates this list (if available), but that sure looks to me like double-counting going on here. Most files in \Windows\WinSXS are hardlinks.

Example pulled at random:

    D:\analysis\Windows\WinSxS\amd64_microsoft-windows
    -imageres_31bf3856ad364e35_10.0.15063.0_none_edd17c6c30b4bf9f\imageres.dll

     ...

     - Total: 4435


    D:\analysis\Windows\System32\imageres.dll

     ...

     - Total: 4435

I am willing to bet those are the same file hardlinked and only waste the 4435 bytes once, verifiable thusly:

    cmd> fsutil hardlink list \Windows\System32\imageres.dll
    Windows\WinSxS\amd64_microsoft-windows-imageres_31bf3856ad364e35_6.3.9600.16384_
    none_cd7c033dcbdd0cab\imageres.dll
    Windows\System32\imageres.dll

As I suspected, that doesn't look hardlink aware.

A way to correct for this would be to open the files and de-dupe by (((ULONGLONG)nFileIndexHigh) << 32) | nFileIndexLow in this structure: https://msdn.microsoft.com/en-us/library/windows/desktop/aa3...

Edit:

> Seems to check though https://github.com/riverar/eoraptor/blob/master/FileEnumerat...

No, it does not; reparse points are used for symbolic links and junctions - not hardlinks.
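
The de-duplication proposed in the comment above, as an added example that is not part of the thread or of the eoraptor code: a size tally that counts each underlying file once, keyed by volume and file index. It assumes Python, where `os.lstat` reports the 64-bit file index as `st_ino` and the volume serial number as `st_dev` on Windows (inode and device on Unix); the directory names and the 4435-byte file are constructed sample data.

```python
import os
import stat
import tempfile


def tally_sizes(root):
    """Return (naive_bytes, unique_bytes, extra_links) for the tree at root.

    naive_bytes adds up every directory entry; unique_bytes adds each
    underlying file once, identified by (volume, file index).
    """
    seen = set()
    naive = unique = extra_links = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable entry: skip rather than abort the scan
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and other reparse-style entries are not hardlinks
            naive += st.st_size
            key = (st.st_dev, st.st_ino)
            # A file index of 0 means the filesystem did not supply one,
            # so such files cannot be de-duplicated and are always counted.
            if st.st_ino != 0 and key in seen:
                extra_links += 1
                continue
            seen.add(key)
            unique += st.st_size
    return naive, unique, extra_links


def demo():
    """Build a constructed WinSxS/System32-style layout and tally it."""
    with tempfile.TemporaryDirectory() as root:
        store = os.path.join(root, "WinSxS", "component")
        sys32 = os.path.join(root, "System32")
        os.makedirs(store)
        os.makedirs(sys32)
        target = os.path.join(store, "imageres.dll")
        with open(target, "wb") as f:
            f.write(b"\0" * 4435)
        os.link(target, os.path.join(sys32, "imageres.dll"))  # second name, same file
        with open(os.path.join(sys32, "other.dll"), "wb") as f:
            f.write(b"\0" * 100)
        return tally_sizes(root)


if __name__ == "__main__":
    print(demo())
```
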