BREAKING NEWS
Cloud Server Hosting For Online Businesses
Inexpensive SEO Services
Benefits of Wanting to play Free Online Slot machines
Windows thumbnail cache

Summary

On Microsoft Windows operating systems, starting with the Internet Explorer 4 Active Desktop Update for Windows 95 to 98,[1][2] a thumbnail cache is used to store thumbnail images for Windows Explorer's thumbnail view. This speeds up the display of images as these smaller images do not need to be recalculated every time the user views the folder.

Purpose edit

Windows stores thumbnails of graphics files, and certain document and movie files, in the Thumbnail Cache file, including the following formats: JPEG, BMP, GIF, PNG, TIFF, AVI, PDF, PPTX, DOCX, HTML, and many others. Its purpose is to prevent intensive disk I/O, CPU processing, and load times when a folder that contains a large number of files is set to display each file as a thumbnail. This effect is more clearly seen when accessing a DVD containing thousands of photos without the thumbs.db file and setting the view to show thumbnails next to the filenames. Thumbnail caching was introduced in Windows 2000;[2] wherein the thumbnails were stored in the image file's alternate data stream if the operating system was installed on a drive with the NTFS file system. A separate Thumbs.db file was created if Windows 2000 was installed on a FAT32 volume. Windows Me also created Thumbs.db files.[2] From Windows XP, thumbnail caching, and thus creation of Thumbs.db, can optionally be turned off. In Windows XP only, from Windows Explorer Tools Menu, Folder Options, by checking "Do not cache thumbnails" on the View tab. In other versions of Windows, thumbnail caching can be turned off via Group Policy. Under Windows 2000, Windows Me, and Windows XP, a context menu command to force refreshing the thumbnail is available by right clicking the image in Thumbnail view of Windows Explorer.

Thumbs.db edit

Thumbs.db files are stored in each directory that contains thumbnails on Windows systems. The file is created locally among the images, however, preventing system wide use of the data and creating additional data load on removable devices.[3] Windows XP Media Center Edition also creates ehthumbs.db which holds previews of video files. Each thumbnail created in a directory is represented in this database file as a small JPEG file, regardless of the file's original format. The images are resized to 96×96 pixels by default or a proportional miniature of their original shape for non-square images, with 96 pixels on the longer side. The size can be controlled by a setting on Windows Registry. Each folder with initiated thumbnail views (that is where they have displayed a Thumbnails or Filmstrip view in Windows Explorer) will have a Thumbs.db file. Folders with pictures also display previews on their icon when displayed in Thumbnail mode – the first four images in the folder at 40×40 pixels (or proportionally shaped), with a 1-pixel divider overlaid on a standard large folder icon. The Thumbs.db file is stored in Compound File Binary Format format, the same format that many Microsoft Office products use.[4]

Centralized thumbnail cache edit

Beginning with Windows Vista, thumbnail previews are stored in a centralized location on the system. This provides the system with access to images independent of their location, and addresses issues with the locality of Thumbs.db files. The cache is stored at %userprofile%\AppData\Local\Microsoft\Windows\Explorer as a number of files with the label thumbcache_xxx.db (numbered by size); as well as an index used to find thumbnails in each sized database.

However, when browsing network shares with write permission, Windows Vista and Windows 7 store a Thumbs.db file in the remote directory instead of using the (local) central thumbnail cache. This can cause issues when deleting remote shares, as the directory will become locked for a period of time when selected as Windows Explorer automatically creates a remote Thumbs.db file.

Creating Thumbs.db files on remote shares can be disabled with a Group Policy setting.[5]

As forensic evidence edit

Law-enforcement agencies have used this file to prove that illicit photos were previously stored on the hard drive.[6] For example, the FBI used the "thumbs.db" file in 2008 as evidence of viewing depictions of child pornography.[7]

In 2013, research was conducted that focused on the Digital Forensic implications of thumbnail caches and recovering partial thumbnail cache files. It identified that whilst there is a standard definition of a thumbnail cache the structure and forensic artifacts recoverable from them varies significantly between operating systems. The work also showed that the thumbcache_256.db contains non-standard thumbnail cache records which can store interesting data such as network place names and allocated drive letters.[8][9]

See also edit

References edit

  1. ^ "Windows Tips". PCWorld. 19 October 1999.
  2. ^ a b c Thumbs.db files forensic issues: AccessData Corporation
  3. ^ IThumbnailCache Interface, MSDN, Microsoft Corporation
  4. ^ Java 2D – Thumbnails Thumbs.db, Oracle Forums
  5. ^ Turn off the caching of thumbnails in hidden thumbs.db files, Microsoft Support
  6. ^ "Forensic Analysis of Windows Thumbcache files". University of South Australia. AISEL.
  7. ^ "FBI posts fake hyperlinks to snare child porn suspects". CNET. CBS Interactive. Archived from the original on November 5, 2012.
  8. ^ [1], Morris
  9. ^ [2], Morris & Chivers

External links edit

  • Thumbcache Viewer – open-source thumbcache_*.db viewer
  • Thumbs Viewer – open-source viewers for both Thumbs.db (legacy mode) and Thumnail Cache (modern)
  • Vinetto is a forensics tool to examine Thumbs.db files.
  • Windows thumbnail cache at the Wayback Machine (archived November 16, 2013) – Description of thumbs.db file
  • Prevent the creation of thumbs.db files via Group Policy (Windows 7)

By using this platform, you agree to the Terms of Use ©2020 Knowpia