Windows 11

Windows 11 File and Folder Structure in Depth

Windows 11 File and Folder Structure in Depth

I’ve just done a count of how many files I have on the C: drive of my PC where Windows 11 is installed. It’s not a small number being 689,246 files in 139.196 folders, taking up a not insignificant 1.06TB of my 2TB SSD. This isn’t including my documents and files either, which I always store on a separate SSD and which consume 638GB on their own.
This is a lot of files then, but if we focus just on the C:\Windows folder where the bulk of the operating system resides, and that’s 277,286 files in 97,319 folders, taking up 27.6GB of space. This is pretty unwieldy given we’re always told a Windows installer will occupy a 4GB USB Flash Drive and that Windows can be installed on devices with only a small amount of storage.
Indeed, you may remember that back in the days of Windows 8, there were quite a few tablets released to the market that came with as little as 32GB of eMMC storage (eMMC essentially being a plug-in memory card that’s so slow you should always upgrade to the SSD model of any low-end PC or Chromebook that you’re looking to purchase).
I still have one of these devices, an HP Stream 7 tablet, and it’s stuck on Windows 8.1 not because it won’t run Windows 10 (it certainly doesn’t meet the security requirements to run Windows 11) but because with just a few apps installed, there’s not enough free space for the Windows installer to use. Microsoft had to release a workaround for upgrades to Windows 8.1 for these devices, which I myself had to use, where an OTG (On-the-Go) USB adapter had to be purchased so a Flash Drive could act as temporary storage for the installer.
This storage limitation effectively made the operating system, and ultimately the device, completely unusable unless you only ever used the built-in apps like Mail and lived in the web browser for everything else.
Fortunately, 32GB Windows devices are a thing of a past as OEMs (Original Equipment Manufacturers) quickly realized they were, effectively, rubbish. It’s not uncommon for devices to come with just 128GB of storage though, and eMMC disks too, such as the Microsoft Surface Go which, as I write this, comes with both for its basic configuration.
When you think that the Windows installer is and has for years now only been around 4GB in size, what do I have installed to have enabled that to balloon to 27.6GB? Well, this isn’t software, as I didn’t even count the Program Files and Users folders in that figure; it’s Windows, or, rather, the multiple copies of Windows that reside on your PC. Let me explain.

Windows Files and Folders

Windows comprises four different types of files: files that are available to view and open/ manipulate on the PC, files that are Hidden from the user but otherwise available to view in File Explorer, files that are marked as System which really is a sort of “You can’t find me!” double-hidden, and files that are locked by the operating system because frankly they’re very important.
You can view the first two categories of hidden files in File Explorer by clicking the three horizontal dots icon for the menu, selecting Options, and from the dialog that appears, clicking the View tab and changing the options for Show hidden files, folders and drives and Hide protected operating system files (Recommended) (see Figure 11-1). Honestly though, there’s no real reason to do either.

Figure 11-1. You can display hidden and system files in File Explorer

The third category of hidden files and folders are ones that are truly locked by the operating system and inaccessible for reasons of maintaining good security on the PC. This means that even as an Administrator, you cannot access these files and folders because if malware were to gain Administrator privileges, as can happen, then all manner of merry hell could be unleashed on your PC and across your network.
There are only a few of these which include the UEFI system boot partitions, something we’ll look at in depth in Chapter 20 when we cover troubleshooting problems with the Windows boot system. The other is the hidden C:\Program Files\ WindowsApps folder (see Figure 11-2). This contains configuration and security files for apps installed through the Microsoft Store which, now win32 and other types of more traditional programs can be installed from there can make a PC much more secure overall.

Figure 11-2. The WindowsApps folder is inaccessible to everybody, including Administrators

The only way to see what’s inside these folders and partitions is to boot the PC from a compatible portable OS, such as GNU/Linux.

Why Are Operating System Files Visible to the User?

This asks the question: Why is most of the operating system visible to the user and why are just a few folders and partitions truly protected? Surely, after all, the whole OS should be like this? You’d be right if Windows 11 was a modern operating system, which of course it isn’t.
You don’t have to dig very deep in Windows 11 to find interface elements that date all the way back to Windows 95 (see Figure 11-3) and even earlier in some cases.

Figure 11-3. Is Windows 11 still Windows 95 in a party dress?

If you look at who uses Windows, then home or prosumer users are a very small percentage of the overall user base. Most users these days want the simplicity of an iPad or a Chromebook. I have Windows PCs, but I need the full desktop environment and software for my job; let’s be honest, it would be difficult for me to write authoritatively about an operating system I no longer used. I’m also a PC gamer, something I’ll come onto again in a while, as I prefer the full keyboard and mouse control a PC gives you, and the only other platform that provides that, Mac OS, has almost no serious games and certainly not the ones I enjoy such as Elite Dangerous.
A year after Windows 11 was released, Windows overall was still Microsoft’s biggest cash cow. This is despite the company’s cloud services, Azure, still growing exponentially year on year now for more than a decade.
I asked a senior figure at Microsoft just a month before writing this why the traditional file and folder structure still existed, as clearly Microsoft was keen to move to a much more secure future for desktop computing; see my comments about Windows 10X in Chapter 1.
Clearly, I already knew what the answer was, but I wanted to hear it from them. The answer was clear, “We will not do anything that breaks any functionality for corporates.” Microsoft gets an awful lot of telemetry about how people use Windows, what features they use, how often they’re used, and so on. Now don’t panic about this as all the data is anonymized. Microsoft only needs to know that nobody is using X or Y feature anymore, so it can be marked for removal.
What this does mean though is that Microsoft can see that among desktop PCs running Windows 11 Enterprise, there are still B% of machines where program compatibility settings, something I’ll talk about in Chapter 12, are being used for one or more programs, and that C% of older, custom programs still need Administrator privileges to run.
Why is this? Well, there are two reasons. The first is that many businesses and corporations have older software they’ve been using for years, perhaps much longer than a decade, and they don’t want to replace it with a new, modern app because (A) it still works, (B) the staff would all need to be retrained on the new app which costs time and money, and (C) because most corporate executives wouldn’t recognize the value of spending money on upgrading something if they stepped in it.
The other reason, certainly the reason for older software requiring Administrative privileges, is that before the days of Windows Vista, lots of programs were very poorly, very sloppily written. This is simply a case of programmers being lazy and not bothering to code anything properly.
Microsoft then sees all the telemetry saying that D% of older win32 programs need direct access to R and S in the Windows file system, and they know that if they try and make the core OS any more secure by hiding those folders and files, they’ll break those programs completely. For as long as major corporations are Microsoft’s bread and butter, and for as long as they’re refusing to replace those older programs with modern apps, the situation will sadly never change.
This was the reason for Windows 10X, where apps would run in a virtualized environment that simulated a traditional PC, but where the actual file system was inaccessible to the user. Sadly, that OS model was cancelled at the time because on lower-end hardware it had horrible performance and programs all ran really slowly.
When it comes to the folders that are protected, these are all things that came into existence with or after the advent of Windows Vista and User Account Control. Any programmer writing a program for a PC after that time would know they’d have to code things properly, and, as such, Microsoft could afford to be more strict with the file system and operating system files.

What Are the Root Files and Folders on a PC

The folders on the C:\ drive of a PC will actually vary depending on what software and features you have installed, as some PCs will have a Bluetooth folder or one related to specific hardware of software such as an AMD or an Xbox Games folder. There are folders though that are the same across all PCs.

Root Windows Folders

  • MSOCache will be seen only on systems with Microsoft Office 2007 or a later version installed. It contains installation files for the Office suite that are used if the installed apps need to be repaired; it is not needed for the most recent editions of Office.
  • ProgramData contains win32 app data that applies to all users on the PC. This includes configuration and other files necessary for the apps to run. It can be a very large folder but should never be deleted.
  • System Volume Information is seen on all of your hard disks and is used by the System Restore and File History features, the latter likely to be removed in a future build of Windows 11. It contains archived and encrypted versions of critical system files, such as the Registry, and files that change on app installations. It does this with versioning control, so that System Restore can roll back to previous versions if needed. It is also used in a limited way by the File History feature for version control of your documents.

Win32 Program and Store App Folders

  • Program Files and Program Files (x86) are the folders in which win32 desktop apps are installed. The Program Files (x86) folder is only seen in the 64-bit versions or Windows, and of course Windows 11 only comes in a 64-bit version. This is a hangover from earlier versions of the OS. It is where 32-bit software is installed, though some 64-bit software does end up being installed here, presumably because of decisions made by the publishers including Adobe.
  • Program Files\WindowsApps is the install location for all Microsoft Store apps. This folder is heavily protected by the OS, to the point where even the local Administrator account cannot gain access to it.
  • Packages is a folder found in the Users\[UserName]\AppData\ Local\ folder. This is where Microsoft Store apps are installed. If you have a very large Store app, you can copy an installation folder from here to another PC, as I did with an installation of the 320GB game, Microsoft Flight Simulator. This folder can also be accessed by using the address %localappdata%\Packages.

Windows Operating System Folders

  • Windows\AppPatch contains application compatibility files.
  • Windows\Boot contains files necessary for starting the OS; I detailed these in Chapter 13.
  • Windows\CSC contains offline files and documents, used for caching.
  • Windows\Cursors contains cursor and icon files for the OS.
  • Windows\Debug contains Windows error logs. I’ll talk more about the log files shortly.
  • Windows\Fonts where all the installed typefaces on your PC are installed.
  • Windows\Globalization where language packs, dictionary files, and other files relating to location are stored.
  • Windows\IME contains language files used by the OS and apps, also IME (x86) on 32-bit systems.
  • Windows\ImmersiveControlPanel contains the files that constitute the Settings panel.
  • Windows\INF contains device driver installation files.
  • Windows\Media contains audio and video files that are used by the OS, such as sound packs.
  • Windows\Prefetch the system Windows uses to load commonly used files before you open them. The OS tries to anticipate what you want to use and open. Sometimes, this cache can become corrupt, and if so, it is safe to delete the contents of this folder.
  • Windows\Resources contains ease-of-access themes, accessibility themes, and other themes for Windows.
  • Windows\Security contains security files and logs used by Management Console snap-ins.
  • Windows\SoftwareDistribution is the folder used by Windows Update. Should you find that Windows Update is unable to download or install any updates, you can completely delete the contents of this folder. I detailed the process of how to do this in Chapter 9.
  • Windows\System exists to maintain compatibility with legacy apps that do not look for the System32 folder.
  • Windows\System32 is the main repository of all files that constitute the Windows operating system.
  • Windows\System32\Config contains the main Registry files used by the OS. Additional Registry files can be found in the %userprofile% and %userprofile%\AppData\Local\Microsoft\Windows folders.
  • Windows\System32\Drivers contains installed driver files.
  • Windows\System32\Divers\etc contains configuration text files such as the Hosts file, which can be used to modify the mapping of host names to IP addresses.
  • Windows\System32\GroupPolicy contains Group Policy script and template files.
  • Windows\System32\icsxml contains files used by the Universal Plug-and-Play feature for hardware.
  • Windows\System32\Microsoft contains cryptography files.
  • Windows\System32\oobe contains files that are used by the Windows Out-of-Box Experience when setting up new users on the PC.
  • Windows\System32\ras contains remote access encryption files for Windows server connections.
  • Windows\System32\Recovery contains files used by the Windows Reset feature.
  • Windows\System32\restore contains files used by the System Restore feature.
  • Windows\System32\spool contains files associated with your installed printers and the print spool queue.
  • Windows\SysWOW64 used to store files necessary to maintain app and driver compatibility between 32- and 64-bit code.
  • Windows\Tasks contains scheduled task files.
  • Windows\WinSxS called the Windows Side-by-Side folder. It contains multiple copies of dynamic link libraries (DLLs) and other files that are crucial to your app and OS operation, but where different versions of the same file may be required to be loaded by different apps simultaneously. This folder can grow to an enormous size but is crucial to the operation of Windows 11.
  • Windows\Web contains images used by the lock screen and for Windows wallpapers.

User Account Folders

  • Users\[UserName]\AppData\Local is also known by the shortcut %localappdata%; this folder contains the data and settings that are necessary for installed apps and for your user profile to operate correctly. Internet temporary files are also stored in this folder.
  • Users\[UserName]\AppData\LocalLow contains data that cannot be moved and has lower-level access on your PC, such as when a web browser is used in privacy mode.
  • Users\[UserName]\AppData\Roaming can be accessed by the shortcut %appdata%. It contains data and settings that can move with your user account, such as when you are connected to a domain.

Windows Log Folders

  • PerfLogs is where custom Data Collector Sets that are created in the Performance Monitor are stored.
  • Windows\Debug is where log files are created when an app or service crashes or when certain audit processes are performed, such as installing Windows Updates. These logs are stored in plain text format and can be read in Notepad.
  • Windows\Logs is the main log folder for the Windows OS. It contains many log files such as WindowsUpdate.log. These files are sometimes stored as Extensible Markup Language (XML) files that can be opened in a web browser. Many files, however, are stored as Event Trace Log (ETL) files. You can read these files in the Event Viewer by clicking the Action menu and then the Open saved log option.
  • Windows\Minidump contains crash reports that are created by applications and Blue Screens of Death (BSOD). They have the file extension .dmp. You cannot read these files in Notepad and will need the Windows Driver Kit (WDK) or Windows Software Development Kit (SDK), both of which are available as part of Microsoft Visual Studio.
  • Users\[UserName]\AppData\Local\CrashDumps contains crash dump files that are pertinent to the specific user account. They can also be accessed through the address %localappdata%\ CrashDumps.

Windows Temporary File Folders

  • Users\[UserName]\AppData\Local\Temp is the main temporary file storage, stored on a per-user basis. It is used for multiple purposes, including downloaded files and web pages that are viewed in your browser. You can most easily access it by navigating to %temp%.
  • Users\[UserName]\AppData\Local\Microsoft\Windows\ INetCache is used for storing temporary Internet files.
  • Users\[UserName]\AppData\Local\Microsoft\Windows\ Temporary Internet Files\Low is another Internet files temporary folder.
  • Windows\Temp is a protected temporary file store used by the OS and apps.

Windows File Types

  • Bootmgr is a critical file required at PC startup.
  • Desktop.ini is a file found in every folder on your PC. It contains configuration data about how that folder and its contents should be viewed in File Explorer.
  • DLL files, dynamic link library files, contain code shared by many different apps and services. These apps and services can call upon DLLs to perform tasks that may be required by different apps, such as managing the print queue and displaying window furniture.
  • EXE files, win32 apps that can be run on a double-click of the mouse.
  • Hiberfil.sys is the Hibernation file that stores the PC’s memory state.
  • INF files are device driver installation files.
  • INI files are configuration and option files for apps and Windows features.
  • Thumbs.db contains thumbnail images of files and documents within a folder. You may also have some ehThumbs.db files, which were used by Windows Media Center from Windows XP to Windows 7.
  • Pagefile.sys and Swapfile.sys are used by the virtual memory feature in Windows 10.
  • SYS files contain system settings used by the OS and both software and hardware drivers on the PC.

Managing the Shell User Folders

how when I set up my desktop PCs, I always have a second SSD on which I store all of my documents and files. This is for several reasons, some of which no longer apply really. I used to always create and maintain System Image Backups of my Windows installation, something else I discussed in Chapter 9, so that when a problem arose with the operating system I could simply reimage the machine without affecting any of those files.
These days, Windows 11 is very stable overall and the need the I and many people had to reimage Windows once a year to refresh it doesn’t really apply anymore.
The other reason though, and it’s more pertinent these days, is that I have a huge amount of files, over 600GB, but I also use a large amount of very large software. Just the packages I use with Adobe Creative Suite come in at 22GB, then there are a series of virtual machines running in Hyper-V that take up 240GB of disk space.
I’m also a gamer, and rather than wanting a powerful desktop for work plus another powerful PC for gaming, I have a single machine that can do both. I mentioned before that I’m an Elite Dangerous player, well, that’s 50GB, then there’s 320GB for Microsoft Flight Simulator. I also have friends using my PC for gaming when they come to visit, and that’s another 310GB.
All in it’s more than a terabyte just for Windows 11, software, apps, and games. It makes sense then to store my best part of a terabyte of documents and files somewhere else.
There are a few ways to move the Shell User Folders (Documents, Pictures, Music, Video, and Downloads) to a different location. By far, the simplest is to use cut and paste in File Explorer from the current location to the new one. When you do this, Windows 11 knows what you’re doing and automatically updates all the OS references for you. Alternatively, if you right-click any of these folders and select its Properties from the menu that appears, a dialog will open in which you can manually change the location of the folder in the Location tab (see Figure 11-4).

Figure 11-4. Windows makes it easy to move the Shell User Folders

If you want more control, you can move folders in the Registry Editor. Navigate to the following keys to find all of the shell user folders and many additional folders such as the location of local and roaming profile stores:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ User Shell Folders
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ Shell Folders

You can see in Figure 11-5 that the Registry gives you much more control over the locations of user folders on the PC, though you need to restart the machine for any changes to take effect. I will show you in Chapter 19 how to connect to the Registries of other users on the PC and how to connect to the Registries of remote PCs to make changes on a wider scale.

Figure 11-5. The Registry gives you full control of shell user folders

Some additional controls can be found by searching in the Start Menu for Advanced System Settings and clicking the Environment Variables button in the dialog that opens (see Figure 11-6). These controls are much more limited however but can offer a friendlier interface than the Registry Editor for some folders.

Figure 11-6. Some environment variables can be handled from a dialog interface

Creating Symbolic Links

A symbolic link is a virtual file or folder, appearing to be in one location where the actual file or folder is stored elsewhere, such as on a network share. Windows has supported symbolic links since Vista, and they can be useful for giving people quick access to files that are not stored on their own computer.
The best example of a symbolic link is a shortcut icon that you might drag (sometimes accidentally) onto your desktop or into a folder (see Figure 11-7). It’s a quick way to access files elsewhere, but if you delete the symbolic link, the original files remain untouched.

Figure 11-7. An example of a symbolic link is a folder shortcut

There are two types of symbolic link in Windows. A soft link is one that works in a similar way to a shortcut, and it can be created for anything from a file to a disk. It’s useful for creating an easy way for someone to access a network share, but if the name or location of the destination file or folder changes, the link will break.
Hard links on the other hand are pointers not to the item but to the storage space holding it. This means that any changes to the destination are always and immediately reflected at the other end of the link. Hard links are mostly used to provide a secondary access address to something and have the disadvantage that if you delete the hard link, you will also delete whatever is at the other end of it.
With a soft link though, you can delete the link without deleting whatever is at the destination, as the link and destination are different things. All of this makes hard links only really useful for specialist purposes for backups and programming, and soft links good for everything else.
To create a symbolic link, you use the Command Line tool MKLINK. Let’s say I want to create a symbolic soft link to the folder \\N5\n2\Virtual Machines on my NAS drive and link it to a folder called “VMs” on the E: drive on my PC. I would use the command MKLINK /D E:\VMs \\N5\n5\Virtual Machines.
The MKLINK command is used with the following syntax: MKLINK [[/D] | [/H] [/J]] [Link] [Target] where

  • /D creates a link to a directory.
  • /H creates a hard link which makes it look as though the file or folder actually exists in the target destination and can be useful for times where software is having compatibility issues with standard soft links.
  • /J is used to create a directory junction, which is a hard link that acts like a hard disk, partition, or disk volume.
  • [Link] is the new symbolic link location and name.
  • [Target] is the file or folder you want to link from.

Disks and Partitions

The files, folders, and documents we have all reside on our physical disks and on partitions on those disks. At the beginning of this chapter, I detailed why Windows 11 supports so many legacy options and features, and it’s no different with disk and partition types and formats.
Windows 11 does try and limit what you can do with disks and partitions however. If you open the Computer Management console from Windows Tools and click Disk Management in the left panel, or just search in the Start Menu and launch Create and format disk partitions, then you get very limited options for formatting disks and removal drives.
Hard disks and SSDs installed in the PC can only be formatted in the NTFS file system, more on this shortly (see Figure 11-8), and USB Flash Drives can only be formatted as NTFS or exFAT.

Figure 11-8. The Disk Management Console tries to limit how you can format disks

Sometimes though, you might need a different format. One of the oldest is FAT32 (File Allocation Table, 32-bit), and if like me you have a UEFI firmware on your motherboard that supports taking screenshots (some of which I have needed throughout this book), only a FAT32 formatted drive will work.
To get greater control, we need to use the FORMAT command from the Command Line. This is used with the syntax Format <volume> [/FS:file-system] [/V:label] [/Q] [/L[:state]] [/A:size] [/C] [/I:state] [/X] [/P:passes] [/S:state] There are many switches you can use with the Format command, but the most relevant to this example is /FS:filesystem. You can specify different options here: FAT, FAT32, NTFS, exFAT, ReFS, or UDF. To create a USB Flash Drive currently plugged in with the drive letter E: in a FAT32 format, we would use the command FORMAT E: /FS:FAT32.

MBR and GPT Partition Structures

So what are these mythical disk and partition formats I speak of? The first is the partition structure. When you install a new hard disk or SSD into a PC, it has to be initiated before it can be formatted, and there are two different structures it can be given, MBR (Master Boot Record) and GPT (Globally Unique Identifier Partition Table).

Windows File Systems

Once a disk has been initiated, it can be formatted in a variety of ways. The default is NTFS (New Technology File System), which was first introduced with Windows NT 3.1, but the others include CDFS (for Compact Disks and DVDs), UDF (Universal Disk Format), FAT12, FAT16, FAT32 which dates from the time of DOS, exFAT which is a modern version of FAT designed for USB Flash Drives and that supports large disk and file capacities, NTFS, and ReFS which is a relational database structure used by Windows Server.


The Windows disk, folder, and file structure can at best be described as “complex,” and this is why security features such as User Account Control (UAC) exist to help prevent the end user or malware from deleting or changing anything they shouldn’t.
On my own PC, the WinSxS (Windows Side-by-Side) folder that contains multiple different versions of DLL (dynamic link library) files that are required by both the OS and installed software on the PC is a whopping 10GB. I have known people in the past to wonder what this is, assume they don’t need it, and delete it, only to discover afterward that Windows won’t work and none of their software will load.
Speaking of software, that’s where we’re going to take this next, as it’s only logical at this point to discuss how to troubleshoot software and app compatibility and how you can repair apps that aren’t working on a PC, not to mention looking at how the addition of Android apps in Windows 11 might complicate things further.