Hi,
I tried to use the drives inspector; it looks like it isn't familiar with volumes (those that don't have a drive letter), only mount points…
Does anyone already have a ready analysis?
Cheers Mate
If this question is checking UNC path names, those are mounted generally using the user credentials and not available to the entire system as they often need credentials to use and require that user to be logged in.
Remember that the client is running as SYSTEM so it can only see things that are globally available. If you mounted the volume permanently as a drive letter then SYSTEM should be able to see it.
I think this question is valid and geared toward local volumes. In Windows it’s possible for a drive to be partitioned, and some partitions to either have no drive letter at all (like BOOT by default), or to be mounted as a subdirectory in the filesystem rather than as a drive letter.
For instance, given the following disk layout
Microsoft DiskPart version 6.3.9600
Copyright © 1999-2013 Microsoft Corporation.
On computer: JASON-PC
DISKPART> sel disk 0
Disk 0 is now the selected disk.
DISKPART> list vol
Volume ### Ltr Label Fs Type Size Status Info
Volume 0 E DVD-ROM 0 B No Media
Volume 1 V DVD-ROM 0 B No Media
Volume 2 C OS NTFS Partition 922 GB Healthy Boot
Volume 3 ESP FAT32 Partition 500 MB Healthy System
Volume 4 WINRETOOLS NTFS Partition 490 MB Healthy Hidden
Volume 5 PBR Image NTFS Partition 8176 MB Healthy Hidden
I’d like to have some way to inspect volumes 2, 3, 4, and 5 there; but the only results I’ve been able to find in Drives are
q: volumes of drives whose (type of it=“DRIVE_FIXED”)
A: OS
T: 0.128 ms
I: plural string
So the difference is somewhat the concept of “drives” vs “volumes”, and the Windows client doesn't have the concept of “volumes” yet.
The “volume of” is really the volume name. The concept of a “drive” is pretty specific in the function we call (GetLogicalDrives) and thus doesn't support non-drive-letter type “volumes”.
If we did something like this, it would be to more closely match the other platforms' “volume” type inspectors.
Agreed. An inspector could potentially return similar results to “mountvol” -
C:\Users\aajwalker5\Downloads>mountvol
Creates, deletes, or lists a volume mount point.
MOUNTVOL [drive:]path VolumeName
MOUNTVOL [drive:]path /D
MOUNTVOL [drive:]path /L
MOUNTVOL [drive:]path /P
MOUNTVOL /R
MOUNTVOL /N
MOUNTVOL /E
path Specifies the existing NTFS directory where the mount
point will reside.
VolumeName Specifies the volume name that is the target of the mount
point.
/D Removes the volume mount point from the specified directory.
/L Lists the mounted volume name for the specified directory.
/P Removes the volume mount point from the specified directory,
dismounts the volume, and makes the volume not mountable.
You can make the volume mountable again by creating a volume
mount point.
/R Removes volume mount point directories and registry settings
for volumes that are no longer in the system.
/N Disables automatic mounting of new volumes.
/E Re-enables automatic mounting of new volumes.
Possible values for VolumeName along with current mount points are:
\\?\Volume{8895d0b6-bc17-11e0-ae8f-806e6f6e6963}\
*** NO MOUNT POINTS ***
\\?\Volume{8895d0b7-bc17-11e0-ae8f-806e6f6e6963}\
C:\
\\?\Volume{8895d0bc-bc17-11e0-ae8f-806e6f6e6963}\
D:\
…which is probably accessed through the Win32_Volume WMI class
C:\adm\tools>wmic volume list /format:csv
Node,Automount,BlockSize,Capacity,Compressed,DeviceID,DirtyBitSet,DriveLetter,DriveType,FileSystem,FreeSpace,IndexingEnabled,Label,MaximumFileNameLength,Name,QuotasEnabled,QuotasIncomplete,QuotasRebuilding,SerialNumber,SupportsDiskQuotas,SupportsFileBasedCompression,SystemName
NDJSMSPWADM01,TRUE,4096,524283904,FALSE,\?\Volume{8895d0b6-bc17-11e0-ae8f-806e6f6e6963},FALSE,3,NTFS,475746304,TRUE,System,255,\?\Volume{8895d0b6-bc17-11e0-ae8f-806e6f6e6963},FALSE,FALSE,FALSE,-570330762,TRUE,TRUE,NDJSMSPWADM01
NDJSMSPWADM01,TRUE,4096,999622176768,FALSE,\?\Volume{8895d0b7-bc17-11e0-ae8f-806e6f6e6963},FALSE,C:,3,NTFS,354451169280,TRUE,OSDisk,255,C:,FALSE,FALSE,FALSE,-368965157,TRUE,TRUE,NDJSMSPWADM01
NDJSMSPWADM01,TRUE,\?\Volume{8895d0bc-bc17-11e0-ae8f-806e6f6e6963},D:,5,D:,NDJSMSPWADM01
In fact, here’s a relevance to retrieve the data via WMI. Probably shouldn’t use this in a Fixlet relevance (the WMI inspectors are expensive), but it should be okay within an Action Script or an Analysis Property as long as it’s not evaluated too frequently.
q: selects “DeviceID, Label, Name, Capacity, FreeSpace from Win32_Volume” of wmi
A: Capacity=524283904
A: DeviceID=\?\Volume{8895d0b6-bc17-11e0-ae8f-806e6f6e6963}
A: FreeSpace=475746304
A: Label=System
A: Name=\?\Volume{8895d0b6-bc17-11e0-ae8f-806e6f6e6963}
A: Capacity=999622176768
A: DeviceID=\?\Volume{8895d0b7-bc17-11e0-ae8f-806e6f6e6963}
A: FreeSpace=354452279296
A: Label=OSDisk
A: Name=C:
A: Capacity
A: DeviceID=\?\Volume{8895d0bc-bc17-11e0-ae8f-806e6f6e6963}
A: FreeSpace
A: Label
A: Name=D:
T: 11.025 ms
I: plural wmi select
This has the raw size of the disks themselves from WMI, which is related to what @JasonWalker mentions:
http://bigfix.me/analysis/details/2994706
I could see adding some of the raw volume info from WMI to the above analysis that @JasonWalker provided.
This is related and does not use WMI, and works on all OSes:
Server Used Space (in GB)
if (name of operating system starts with “Win”) then (if (version of operating system >= “6.0”) then ((((it/1024/1024/1024) of sum of (it as integer) of string values of properties “capacity” of select objects “* from win32_volume” of wmi) - ((it/1024/1024/1024) of sum of (it as integer) of string values of properties “freespace” of select objects “* from win32_volume” of wmi) ) as string) else ((sum of ((sum of (total space of it /(1024 * 1024 * 1024)))) of drives whose (type of it = “DRIVE_FIXED”) as string))) ELSE (if (name of operating system contains “Linux”) then (sum of ((sum of (total space of it /(1024 * 1024 * 1024)))) of filesystems whose ((total space of it /(1024 * 1024 * 1024)) < 5000 AND (free space of it /(1024 * 1024 * 1024)) < 5000 AND name of it != “/dev/shm” AND name of it does not contain “/smb” AND type of it = “DRIVE_FIXED”) as string) ELSE (“Not Supported”))
Server Total Space Allocated (in GB)
if (name of operating system starts with “Win”) then (if (version of operating system >= “6.0”) then (((it/1024/1024/1024) of sum of (it as integer) of string values of properties “capacity” of select objects “* from win32_volume” of wmi) as string) else ((sum of ((sum of (total space of it /(1024 * 1024 * 1024)))) of drives whose (type of it = “DRIVE_FIXED”) as string))) ELSE (if (name of operating system contains “Linux”) then (sum of ((sum of (total space of it /(1024 * 1024 * 1024)))) of filesystems whose ((total space of it /(1024 * 1024 * 1024)) < 5000 AND (free space of it /(1024 * 1024 * 1024)) < 5000 AND name of it != “/dev/shm” AND name of it does not contain “/smb” AND type of it = “DRIVE_FIXED”) as string) ELSE (“Not Supported”))
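As an added example (my own PowerShell, not code from this thread or from BigFix) that serves both the Win32_Volume discussion and the “Server Used Space” property above: it lists every volume whether or not it has a drive letter, flags the ones with no mount point the way mountvol does, and sums used space over fixed volumes only. The function and variable names are my own; it assumes Windows PowerShell 3 or later for Get-CimInstance.

```powershell
# Added example, not from the thread: a report over Win32_Volume that lists every
# volume, lettered or not, which the "drives" inspector (GetLogicalDrives) cannot do.
# Requires Windows PowerShell 3+ (Get-CimInstance). All names here are my own.

# Win32_Volume.DriveType codes (same numbering as the wmic output above: 3 = fixed, 5 = CD-ROM).
$driveTypeNames = @{ 0='Unknown'; 1='NoRootDir'; 2='Removable'; 3='Fixed'; 4='Network'; 5='CDROM'; 6='RAMDisk' }

function Get-VolumeReport {
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
        $vol = $_
        # Name is the first mount path (C:\ or a folder such as C:\Mount\Data\). When a volume
        # has no mount point at all, Name simply repeats the \\?\Volume{GUID}\ DeviceID, which is
        # what the wmic output above shows for the unlettered System partition.
        $mounted = $vol.Name -ne $vol.DeviceID
        # Capacity/FreeSpace are empty for media-less drives (the D: DVD above), so guard the maths.
        $capGB  = if ($null -ne $vol.Capacity)  { [math]::Round($vol.Capacity  / 1GB, 2) } else { $null }
        $freeGB = if ($null -ne $vol.FreeSpace) { [math]::Round($vol.FreeSpace / 1GB, 2) } else { $null }
        [pscustomobject]@{
            DeviceID    = $vol.DeviceID
            Label       = $vol.Label
            DriveLetter = $vol.DriveLetter
            DriveType   = $driveTypeNames[[int]$vol.DriveType]
            MountPoint  = if ($mounted) { $vol.Name } else { '*** NO MOUNT POINTS ***' }
            FileSystem  = $vol.FileSystem
            CapacityGB  = $capGB
            UsedGB      = if ($null -ne $capGB -and $null -ne $freeGB) { [math]::Round($capGB - $freeGB, 2) } else { $null }
        }
    }
}

$report = Get-VolumeReport
$report | Format-Table -AutoSize

# Fixed volumes with no drive letter (ESP, WINRETOOLS, PBR Image in the diskpart listing above)
# are exactly the ones "drives whose (type of it = DRIVE_FIXED)" never returns.
$report | Where-Object { $_.DriveType -eq 'Fixed' -and -not $_.DriveLetter } |
    Format-Table DeviceID, Label, MountPoint -AutoSize

# Used space summed over fixed volumes only. The "Server Used Space" property above sums every
# Win32_Volume instead, so removable media that reports a capacity would be counted there too.
$usedGB = ($report | Where-Object { $_.DriveType -eq 'Fixed' } | Measure-Object -Property UsedGB -Sum).Sum
"Used space on fixed volumes: $usedGB GB"
```

Like the WMI relevance above, this query is cheap enough for an analysis property evaluated occasionally but not for a Fixlet relevance that is re-evaluated constantly.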