OneDrive Files On-Demand & Windows 10 Storage Sense Settings
Not sure if everyone knows this, but in the Windows 10 Update v1709 there is a OneDrive setting that allows the user to download files only upon opening; OneDrive will put a placeholder for that file if it has only been synced but hasn’t been used.
Interestingly enough, if you are doing an analysis and notice that a file in the OneDrive folder is all zeros in hex view, this is likely the culprit. I initially noticed this when I used EnCase to hash all my files and then created an MD5 list of a OneDrive folder and noticed SEVERAL files with no MD5 values, which were also all zeros in hex view. So if you create an MD5 list and then review it in Excel, it appears that anything with a blank MD5 value will NOT be on disk and will be in the cloud only.
The setting for that flag is here
And look for SavedPlaceholdersEnabledState = true
If it is true, then Files On-Demand is turned on. If false, then all of the files should physically be on the disk.
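The blank-MD5 review described above can be scripted instead of done by eye in Excel. The following is an added example, not part of the original article or any tool's own code: the CSV column names (`Path`, `LogicalSize`, `MD5`), the `\onedrive` path match, and the sample rows are all assumptions constructed for illustration. It goes one step beyond the text by also flagging files whose MD5 equals the hash of an all-zero buffer of the same size, for tools that hash the zero-filled view rather than leaving the value blank.

```python
import csv
import hashlib

def md5_of_zeros(size, chunk=1 << 20):
    """MD5 of `size` zero bytes, hashed in chunks so large files stay cheap."""
    h, block = hashlib.md5(), bytes(chunk)
    while size > 0:
        n = min(size, chunk)
        h.update(block[:n])
        size -= n
    return h.hexdigest()

def classify(path, size, md5, marker="\\onedrive"):
    """Label one hash-list row; `marker` is an assumed OneDrive folder name match."""
    if marker not in path.lower():
        return "outside-onedrive"
    if size == 0:
        return "empty-file"            # genuinely empty, nothing to hydrate
    md5 = md5.strip().lower()
    if not md5:
        return "likely-online-only"    # blank hash: no data on disk to hash
    if md5 == md5_of_zeros(size):
        return "likely-online-only"    # assumption: tool hashed the all-zero view
    return "on-disk"

def triage(lines):
    """Map each Path in a CSV hash list (assumed columns below) to a label."""
    return {
        row["Path"]: classify(row["Path"], int(row["LogicalSize"] or 0), row["MD5"] or "")
        for row in csv.DictReader(lines)
    }

# Constructed sample export; the column names are assumptions, not a tool's format.
SAMPLE = "\n".join([
    "Path,LogicalSize,MD5",
    r"C:\Users\alice\OneDrive\budget.xlsx,20480,",
    r"C:\Users\alice\OneDrive\notes.txt,11," + hashlib.md5(b"hello world").hexdigest(),
    r"C:\Users\alice\OneDrive\scan.pdf,4096," + md5_of_zeros(4096),
    r"C:\Users\alice\OneDrive\empty.log,0," + hashlib.md5(b"").hexdigest(),
    r"C:\Users\alice\Documents\report.docx,8192,",
])

if __name__ == "__main__":
    for path, label in triage(SAMPLE.splitlines()).items():
        print(f"{label:20} {path}")
```

A file that really does contain only zeros on disk gets the same label, so treat "likely-online-only" as a lead to corroborate against the Files On-Demand setting rather than as a conclusion.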
There is also a Windows OneDrive setting (right-click) to “Always keep on this device” which should physically place the file on disk, but I do not know where that setting flag is. I assume it is in a .dat file of some sort. The user can also manually select a OneDrive file that is physically on disk and make it online-only again by using the right-click option on a file to “Free up space”. This leads to the file placeholder being all zeros again in hex.
HOWEVER, there is also a Windows 10 setting called “Storage sense” that, if it is turned on, COULD turn the file back to “Online only” after 30 days of non-use. However, this time period can be changed by the user.
Storage sense registry settings at the end of this article
NOTE: This Storage sense setting can also auto-delete files from the Downloads folder and Recycle Bin WITHOUT user interaction. HOWEVER, the user can also trigger a cleanup at any time.
So the old days of “if it is in the cloud, it should be synced to disk” or “bulk deletion is suspicious” require a deeper look at settings.
Does anyone know if the other cloud storage services allow for this?