Dim lpTempDir As Asciiz * %MAX_PATH, lpTempFileName As Asciiz * %MAX_PATH
      lpTempDir = Environ$("Tmp")
      If lpTempDir = "" Then lpTempDir = Environ$("Temp")
      If lpTempDir = "" Then MsgBox "Can''t find TMP/TEMP": Exit Function
      If (GetAttr(lpTempDir) And 16) <> 16 Then _
         MsgBox "TMP/TEMP directory doesn''t exist": Exit Function
      GetTempFileName lpTempDir, "~pb", 0&, lpTempFileName

Dean--
   
Here's the best that you're likely to do.  Rename TOPSECRET.DOC at 
least twice.  Do so without performing any other file access in 
between the renamings.  Renaming the file will cause a new file entry 
to be created, and the old file entry will be deleted, with "deleted" 
meaning that the entry's first character is replaced with chr$(229). 
(I know. You know this already, and it's the source of the problem 
you're trying to address.)  However, when renaming the file a second 
time, the OS goes back and reuses the most recently deleted entry, 
overwriting the chr$(229)+"OPSECRET.DOC" entry with whatever file 
name you've supplied this second time.  This is true under Win9x, and 
it most likely is true under NT/2K as well. (I don't have the time to 
test it right now.) 
   
In effect:
   oldname$ = "TOPSECRET.DOC"
   newname$ = "XXXXXXXXX.XXX"
   name oldname$ as newname$
   
   oldname$ = newname$
   newname$ = "YYYYYYYYY.YYY"
   name oldname$ as newname$
   
At this point, if you examine the directory at the sector level, 
you'll see that the "TOPSECRET.DOC" entry no longer exists, and 
"YYYYYYYYY.YYY" has replaced it.

[I've discovered, with much embarrassment, that I accidentally 
deleted a paragraph from this posting while cutting & pasting it from 
my text editor.  As a result, what I intended to say was badly 
distorted in my original posting.] 
   
Dean--
   
 

	

		

			

			
				...renaming the file multiple times was something I already 
tried, unfortunately to no avail. I don't think your statement that 
the OS reuses the most recently deleted entry is accurate, because 
even the example you provided doesn't work. Your example creates 
directory entries for "TOPSECRET.DOC", "XXXXXXXXX.XXX" and 
"YYYYYYYY.YYY". The first two directory entries are still visible 
after processing is complete.
			
		
	
I've now tried this on two PCs and under three operating systems. 
What I described worked exactly as I stated.  I also verified that 
the same method works with filenames on a floppy under NT4.  
   
Note also that my example does not create a directory entry for 
TOPSECRET.DOC.  It assumes that this file already exists. 
   
Having said all this, I also have not tested this approach across 
several file names in succession in a single directory.  It's not 
hard to imagine various factors (write-delays, for example) affecting 
when and how the disk is accessed by the OS.  Moreover, only fools  
rely on a tactic simply because "it seems to work OK."  Reusing the 
most recently deleted filename entry is consistent with other aspects 
of Microsoft file system operations, but Microsoft has never promised 
consistency about anything, even its fully documented features. 
   
   
Semen--
 

	

		

			

			
				If to think about recovering (and Microsoft does it), more or 
less correct algorithm, in my understanding, looks so:
   
1) first of all, to use uninitialized entries.
2) if not available, to use entries for deleted files
3) if not available in clusters, which are already in use, to take new 
cluster
			
		
	
All of this sounds fine, if you can find a way to access the 
directory reliably.  NT provides an interface for disk defraggers 
that might offer some help. 
   
An interesting little challenge.

Dean--
Have a look at what you've attempted.  You've replaced a short file 
name (SUPPORT.TXT) with a long file name (XXXXXXXXX.XXX).  Rename by 
using a file name with the same number of characters as the original, 
up to the 8.3 limit--unless the original is a long file name, 
in which case you probably should match the number of characters in 
the original. 
   
Please post the results here.
   
Moreover, if you plan to do something like this through code, then 
testing it at a command line seems unwise, doesn't it?  You end up 
adding a command interpreter's internal behavior to the mix. 
   
By the way, how are you checking the deleted directory entries?  Are 
you examining the disk itself with a disk editor, or are you relying 
on an undelete utility?
   
   
Semen--
   
Please see my corrected posting above.
 

	

		

			

			
				In their utility SDelete they do (even 26 times) exactly what 
you suggest. If so, SDelete in any case should destroy catalog 
entries forever. But authors don't promiss such effect. For me this 
means that they know situations when renaming doesn't work.
			
		
	
I too believe that the System Internals folks usually know what 
they're doing.  They certainly know more about internal OS design 
than I do.  However, in this case, think for a minute about their 
SDelete utility.  It attempts to obliterate file name entries by 
renaming 26 times.  The source code, which they make available, shows 
this occurring--26 passes through the loop.  And as Mark Russinovich 
states in the source code: 
   
// OverwriteFileName
//
// Securely deletes a file's original name by renaming it several
// times. This works by changing each non-'.' character in the file's
// name to successive alphabetic characters, thus overwriting the
// name 26 times.
   
They obviously should correct the inconsistency between this 
"Securely deletes" statement and their much more equivocal web site 
statements. 
      
In any case, from what is obvious just in the limited experimenting 
that I've now done, wouldn't it seem that 52 renamings would be 
required to achieve the desired 26 overwrites?
   
I stress again that I'm not endorsing apparent behavior as 
sufficient evidence of anything.  In this case, the next logical step 
would be to seek reliable information about how MS operating systems 
reuse file name entries.  Such information probably does 
exist--somewhere.

 

	

		

			

			
				> Have a look at what you've attempted. You've
> replaced a short file name (SUPPORT.TXT) with
> a long file name (XXXXXXXXX.XXX).
   
Go back and count the Xs. Perhaps you're confused because the X is 
wider than most characters in the proportional spaced font that is 
being used (Verdana) so the filename appears longer. But it isn't; 
it's 8.3 just like the filename SERVICES.TXT. (Above you mentioned 
SUPPORT.TXT, but this isn't even the file that was being 
renamed.)
   
Either way, it won't make a difference.
			
		
	
You're right.  It was SERVICES.TXT that was being renamed.  Also a 
short filename, just like SUPPORT.TXT. 
      
I've investigated this one further.  Michael's Podanoffsky's book 
Dissecting DOS offers a good picture of the process by which 
DOS goes about searching for a free directory entry to use.  What he 
describes explains what I've seen happening, and probably what Dean 
has been seeing too. 
   
According to Podanoffsky, the process of locating the free entry is 
completely predictable.  It starts at the first directory entry and 
works forward, looking for a filename that begins with either a zero 
byte or E5h.  The zero byte indicates the beginning of free space in 
the directory (i.e., the end of the directory itself).  The E5h 
indicates a filename that has been deleted.  Naturally any deleted 
entries precede the inevitable zero byte entry. 
   
Because the search begins at the start of the directory, the 
following will be true: 
   
-- If the directory contains no deleted filenames, then the process 
which I've described (renaming a file twice to overwrite the original 
name) works as expected.  The total number of existing files in the 
directory is irrelevant.  Any number can exist.  What counts is the 
number of deleted files, which must be zero. 
   
-- If a directory already contains one or more deleted filename 
entries, then renaming twice will work only if the original filename 
appears in the directory before any of the existing deleted filename 
entries. 
   
Considering the work that would be entailed in manipulating a 
directory so as to control which deleted entry is overwritten, it's 
not surprising that reputable security utilities don't guarantee 
success.  The job could be done, of course.  But only if: 
   
-- The search process Podanoffsky describes is still executed the 
same way by MS operating systems in place today.  (It appears to be, 
at least on some of them, but only my anecdotal evidence supports 
this conclusion.) 
   
-- You're prepared to access the directory itself and rearrange its 
contents when necessary.  (Although not simple, this maneuver is 
certainly conceivable, at least under some operating systems.  But if 
you're prepared to go this far, you'll just access the directory and 
make it contain whatever you want.) 
      
-- You're protecting something valuable enough to be worth the all 
the trouble.
   
An interesting little challenge indeed.