Say I have a folder that contains rootkit cloaked files . I right click that folder , select properties and note the number of files reported to be inside . I then slave that drive to a clean machine and check the properties of that same folder .

Will the rootkit cloak prevent accurate reporting of the file count resulting in a different number being reported ?

no you should get a true reading on the files in the folder if its slaved or viewed from a live cd.
because the rootkit loads with the os on the drive that had os on it once its slaved or live cded that os don,t load so the rootkit not loaded so it cannot hide the files.

i have wondered if there are any that can load to clean machine well scanning slaved drive they end up in that machines ram. then install there.

if none yet i would say its not long until there is. and or install on a none slaved drive ie on original machine when scanned by certain apps they block there presence and install.
jmho

What I was getting at was would there be a discrepency in file counts between the live and slave check . It would be a handy way to check for new rootkits . For instance if the driver folder reported 100 files and the same folder reported 102 when slaved this would confirm a rootkit was installed .

My question is do live rootkits also fool file counts (I have not checked this yet) . I know that they don't hide on a slaved drive .

I tested this and it does work .

how can you right click the folder if it is cloaked?

Not a rootkit hidden folder , a folder that contains rootkit hidden files .

This is what I did . First I infected my test machine with a haxdoor rootkit . Then I right clicked the system32 folder and selected properties . It reported 4580 files . RootkitRevealer reported 2 files hidden in that same folder . Finally I slaved the infected drive to my work machine and checked the properties of system32 on that drive . It reported 4582 files .

This could be used to check for unknown rootkits . If a live drive reports xxxxx files and the same drive reports xxxxx+y files when slaved to a clean system then a rootkit is likely .

I just never checked if rootkits also fooled folder properties before . Now I know .

if a rootkit wanted to fool the file properties, it would just be one more API call to hook...

that is simply because hacker defender is not cloaking that api call. It is security through obscurity. If this method becomes popular, then it would only take a slight change in the code to cloak the file properties. Any ADS rootkit (like the current grozomon one) will also hide from this method.