← All docs

Where is the Recycle Bin located on disk in Windows?

2 min read

The desktop Recycle Bin is a shell namespace, not a real folder. On disk the artefacts live at the root of each NTFS volume, hidden behind two attributes that keep most users (and a depressing number of triage scripts) from noticing them.

The actual paths

C:\$Recycle.Bin\
D:\$Recycle.Bin\
E:\$Recycle.Bin\

One per NTFS volume. FAT32 and exFAT drives have no $Recycle.Bin — deletes go straight to free space. That is one of the easier anti-forensic moves on Windows: format a USB drive as exFAT, copy your exfil, delete, hand back the stick.

Pre-Vista systems used a different layout entirely: C:\RECYCLER\ on NTFS, C:\RECYCLED\ on FAT. Inside, the INFO2 index recorded the same kind of metadata the $I does today, but as a single flat file rather than per-entry files. If you are working a Windows XP / 2000 case (still happens for legacy SCADA hosts), do not look for $I.

Why you cannot see it

$Recycle.Bin has both the Hidden and System attributes. Windows Explorer hides Hidden by default and refuses to show System unless you also disable "Hide protected operating system files". From a command prompt:

dir /a C:\$Recycle.Bin

…lists it regardless of attribute settings. PowerShell:

Get-ChildItem -Force C:\$Recycle.Bin

Inside, you find one subfolder per user, named after their SID. See Recycle Bin SID subfolders for how to read the SID format.

Acquiring the files

For investigation you want every $Recycle.Bin on every NTFS volume, including external disks that were attached during the relevant window.

  1. Forensic image (E01, raw, AFF4). The cleanest path. Mount read-only and copy the tree out.
  2. KAPE. The RecycleBin target pulls every $I/$R pair across volumes, including handle-locked ones.
  3. Velociraptor. The Windows.Recycler artifact does the same job over a fleet of hosts.
  4. Volume Shadow Copy. Useful for a single live host where you do not want to image the whole disk. A snapshot exposes the bin even when files are locked.

A common mistake: pulling $I files but not the matching $R. Even if you only intend to read $I metadata, having the $R partner lets you verify deleted content against the recorded size and lets you recover the file if needed.

Further reading

Frequently asked questions

What is the full path of the Recycle Bin?
C:\$Recycle.Bin on NTFS volumes (and the same $Recycle.Bin folder at the root of every other drive, e.g. D:\$Recycle.Bin). Older XP systems used C:\RECYCLER or C:\RECYCLED instead.
Why can't I see the $Recycle.Bin folder?
It is both Hidden and System. Enable 'Show hidden files' and uncheck 'Hide protected operating system files' in Folder Options, or use the command line, to see it.
Is there a Recycle Bin on external and USB drives?
Yes. Every NTFS volume gets its own $Recycle.Bin at its root. FAT/exFAT USB drives do not keep a Recycle Bin — files there are deleted immediately.
Can I copy Recycle Bin files while Windows is running?
User-owned $I/$R files can usually be copied, but for a sound forensic acquisition use a write-blocker, a forensic image, or a Volume Shadow Copy to preserve metadata and avoid locked-handle issues.