How to recover deleted files from the Recycle Bin (even after emptying)
3 min read
Two recovery scenarios. The trivial one is "file is still in the bin"
— restore from the shell. The interesting one is everything after that:
emptied bins, shift-deleted files, anti-forensic wipers. The same $I
metadata that lets the shell restore a file is also your best map for
what to chase on disk when the easy path is gone.
When the file is still in the bin
- Open the desktop Recycle Bin.
- Right-click the file, choose Restore.
- Windows reads the original path from the
$I, renames the$Rback to the original name, and moves it to that path. If the original folder is gone, Windows recreates it.
For batch restoration from the command line:
PowerShell.exe -Command "(New-Object -ComObject Shell.Application).NameSpace(0xA).Items() | %{ $_.InvokeVerb('Restore') }"
…runs Restore on every item in the bin. Useful when a user mass-deleted in error and you need to undo at scale.
When the bin has been emptied
Emptying removes both $I and $R from the filesystem index, but the
underlying NTFS clusters are only marked free. Until something else
allocates them, the content is still there.
The single most important rule is the same one disk-recovery has preached for decades: stop writing to the drive. Pull power if you can, image the volume if you cannot. Every browser cache write, every temp file, every Windows Update is a candidate for overwriting the clusters you want.
After the drive is preserved:
- MFT analysis — the Master File Table
$STANDARD_INFORMATIONentries for the original paths often survive long after the cluster data is gone. They give you proof of existence, sizes, and timestamps even when the content cannot be carved. - USN journal — the USN journal
records
RENAME_OLD_NAME,RENAME_NEW_NAME, andFILE_DELETEfor the original path going into and out of$Recycle.Bin. - Volume Shadow Copies —
vssadmin list shadows(orGet-VssShadowCopyin PowerShell). A pre-empty snapshot is the cleanest possible recovery. - File carving — scan unallocated clusters for known signatures
(PDF
%PDF, Office Open XML PK headers, etc.). Photorec is the reference free tool. - Backup repositories — Windows File History, Veeam endpoint backup, OneDrive Recycle Bin (separate from the shell bin), Google Drive trash. Each has its own retention story.
What the surviving $I is still good for
When the $R content is unrecoverable but the $I is intact (or
recovered from a shadow copy), you still have:
| Field | Why it matters |
|---|---|
| Original full path | Pin the file to a folder, attribute by SID |
| Original size | Verify any carved fragment is complete |
| Deletion FILETIME | Anchor the deletion on a timeline (UTC, to the second) |
That triplet is often enough to prove intentional deletion of a specific file. The content is gravy.
Anti-forensic patterns to watch for
A user who reads forensic blogs reaches for one of three moves:
- Shift-delete. Bypasses the bin entirely. No
$Irow exists. Absence of a$Ifor a known-deleted file is itself a finding. - Empty and overwrite. Empties the bin, then drives heavy disk activity to overwrite freed clusters (large downloads, video playback). Cluster recovery becomes much harder.
- Content wipers.
sdelete -p 3 -z, BCWipe, Eraser. The$Rcontent is zeroed, then deleted. The$Imay survive long enough to be interesting.
Cross-reference any apparent wipe with Prefetch hits on the wiping tool and AmCache SHA-1 evidence of the tool being present.
Further reading
Frequently asked questions
- How do I restore a file from the Recycle Bin?
- Open the Recycle Bin, right-click the file, and choose Restore. Windows moves it back to its original folder using the path stored in the matching $I metadata file.
- Can I recover files after emptying the Recycle Bin?
- Sometimes. Emptying removes the $I/$R entries from the index, but the underlying NTFS clusters often survive until overwritten. File-carving or NTFS $MFT analysis can recover them; stop writing to the drive immediately.
- What does the $I file tell me about a recoverable file?
- It records the original full path, the original size in bytes, and the exact deletion time. Even when the $R content is gone, the $I metadata proves a file existed, where it lived, and when it was deleted.
- Why should I stop using the drive after deleting something important?
- Deleted content stays on disk only until those clusters are reused. Every new write — including browsing and temp files — risks overwriting it, so power down or image the drive as soon as possible.