
OT: strange files in %TEMP

This is way off-topic, but with all the experts here ...

On my home computer (Win7/32), **every** time I start an EXE which does not reside in the c:\Windows tree, I get the likes of this in the %TEMP directory.
Code:
20:40:57.996123  CREATE  TMP000003B87C0F2266F9A64046
20:40:57.996288  MODIFY  TMP000003B87C0F2266F9A64046
20:40:58.020166  DELETE  TMP000003B87C0F2266F9A64046
The files are exactly 512K (2^19) in size and are owned by NT_AUTHORITY/SYSTEM. They allow no sharing so I can't read/copy them. I tried denying "SYSTEM" the delete privilege in %TEMP (so I could look at one) but they're deleted anyway.
This **never** happens on my work computer, also Win7/32, and set up quite similarly.
I tried stopping several services that I could do without; that made no difference.
Does anyone have any ideas what they are or how I might get a look at one?
 
If you yank the power cord while some are there, do they stay there when you boot it back up?

This makes me wonder what your .exe file association is like...
 
Code:
20:40:57.996123  CREATE  TMP000003B87C0F2266F9A64046
20:40:57.996288  MODIFY  TMP000003B87C0F2266F9A64046
20:40:58.020166  DELETE  TMP000003B87C0F2266F9A64046
What is that output from? SysInternals' Process Monitor? If so, what process does it say is doing that?
 
What is that output from? SysInternals' Process Monitor? If so, what process does it say is doing that?
That's the output of a TCC plugin of mine. How can I catch something that happens that fast with Process Monitor?
 
If you yank the power cord while some are there, do they stay there when you boot it back up?

This makes me wonder what your .exe file association is like...
They don't exist long enough for me to even think of the power cord.
 
Oh.. sorry, I missed the interval. Wow, so they don't even stick around 'til the .exe is closed. Process Monitor should be able to catch anything since it monitors in real-time. The trick is to define the right filter to catch just that stuff and nothing else. Looking for the string \temp\ in the "Path" would probably do it.
 
Correction, "\temp\TMP" (no quotes) would be a good string to look for. There are lots of "\temp\" accesses just because of Process Monitor itself that you don't need to see.
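An added example (not part of the thread, and not TEA-Time's or the plugin author's code) of doing offline what the "Path contains \temp\TMP" filter does in Process Monitor, plus the extra step a practitioner wants once the filter works: pairing each CreateFile with the later delete on the same path to get the file's lifetime and creating process, and noting any process that comes looking for the file after it is gone. The Process Monitor CSV below is constructed to mirror the thread's description (an svchost.exe instance creating and section-mapping a TMP... file, then Explorer missing it); the process names, PIDs, user name and timestamps are made up, and the CSV layout assumed is Process Monitor's default File > Save export columns.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a Process Monitor CSV export with the default columns.
# These events are made up to mirror the thread; they are not an actual capture.
# The first row is the kind of Procmon self-noise that a bare "\temp\" filter
# would let through and "\temp\TMP" does not.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:40:57.9950000 PM","Procmon.exe","4120","CreateFile","C:\\Users\\vince\\AppData\\Local\\Temp\\PML4A3.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"8:40:57.9961230 PM","svchost.exe","1084","CreateFile","C:\\Users\\vince\\AppData\\Local\\Temp\\TMP000003B87C0F2266F9A64046","SUCCESS","Desired Access: Generic Read/Write, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File"
"8:40:57.9962880 PM","svchost.exe","1084","CreateFileMapping","C:\\Users\\vince\\AppData\\Local\\Temp\\TMP000003B87C0F2266F9A64046","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READWRITE"
"8:40:58.0201660 PM","svchost.exe","1084","SetDispositionInformationFile","C:\\Users\\vince\\AppData\\Local\\Temp\\TMP000003B87C0F2266F9A64046","SUCCESS","Delete: True"
"8:40:58.0202010 PM","svchost.exe","1084","CloseFile","C:\\Users\\vince\\AppData\\Local\\Temp\\TMP000003B87C0F2266F9A64046","SUCCESS",""
"8:40:58.0310000 PM","Explorer.EXE","1640","CreateFile","C:\\Users\\vince\\AppData\\Local\\Temp\\TMP000003B87C0F2266F9A64046","NAME NOT FOUND","Desired Access: Read Attributes"
"""


def parse_time(s):
    """Parse Procmon's 'Time of Day' column, e.g. '8:40:57.9961230 PM'.
    Procmon writes seven fractional digits; strptime's %f takes at most six,
    so the fraction is truncated (100 ns resolution is lost, which is fine here)."""
    clock, ampm = s.rsplit(" ", 1)
    hms, frac = clock.split(".")
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def load_events(csv_text):
    """Read a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_path(events, needle="\\temp\\TMP"):
    """Equivalent of Procmon's 'Path contains <needle>' filter (case-insensitive)."""
    needle = needle.lower()
    return [e for e in events if needle in e["Path"].lower()]


def file_lifetimes(events):
    """Pair each successful 'Disposition: Create' CreateFile with the later delete
    of the same path (SetDispositionInformationFile 'Delete: True', or CloseFile
    when the file was opened with 'Delete On Close'). Returns a dict:
    path -> {creator, pid, lifetime_ms, late_accessors}, where late_accessors
    lists (process, operation) for accesses that failed with NAME NOT FOUND
    after the delete."""
    created = {}
    report = {}
    for e in events:
        path, op, detail = e["Path"], e["Operation"], e["Detail"]
        t = parse_time(e["Time of Day"])
        if op == "CreateFile" and e["Result"] == "SUCCESS" and "Disposition: Create" in detail:
            created[path] = {
                "creator": e["Process Name"],
                "pid": int(e["PID"]),
                "t_create": t,
                "delete_on_close": "Delete On Close" in detail,
            }
        elif path in created and path not in report and (
            (op == "SetDispositionInformationFile" and "Delete: True" in detail)
            or (op == "CloseFile" and created[path]["delete_on_close"])
        ):
            c = created[path]
            report[path] = {
                "creator": c["creator"],
                "pid": c["pid"],
                "lifetime_ms": (t - c["t_create"]) / timedelta(milliseconds=1),
                "late_accessors": [],
            }
        elif path in report and e["Result"] == "NAME NOT FOUND":
            report[path]["late_accessors"].append((e["Process Name"], op))
    return report


if __name__ == "__main__":
    events = load_events(SAMPLE_PROCMON_CSV)
    for path, info in file_lifetimes(filter_path(events)).items():
        print(f"{path}\n  created by {info['creator']} (PID {info['pid']}), "
              f"lived {info['lifetime_ms']:.3f} ms, "
              f"then missed by {info['late_accessors']}")
```

Run Procmon with the "\temp\TMP" path filter, save the capture as CSV, and feed the file's contents to load_events instead of the constructed sample. The lifetime here comes out at about 24 ms, which is why nothing but a real-time tracer catches these files; the "Delete On Close" branch exists because a file opened that way disappears at CloseFile without any separate delete operation showing up.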
 
Oh.. sorry, I missed the interval. Wow, so they don't even stick around 'til the .exe is closed. Process Monitor should be able to catch anything since it monitors in real-time. The trick is to define the right filter to catch just that stuff and nothing else. Looking for the string \temp\ in the "Path" would probably do it.
According to ProcessMonitor, the file is created by an instance of svchost.exe (secsvcs/WindowsDefender) which immediately creates a file mapping of it. A split second later, Explorer tries to access that file, but it is gone by then. Oddly, WinDefend also runs on my work computer (where this doesn't happen) and there, it has the same "real time protection" settings.
 
Mystery solved (I guess). I don't know exactly what WinDefend does but I guess I should be glad it's protecting me. On the home computer, TMP and TEMP refer to the same place for both the user and the system, so I see this behavior in my usual temp folder. On the work computer, the system environment variables TMP and TEMP point to the default (\Windows\Temp) which differs from the user temp folder. When I watch \Windows\Temp on the work computer, I see the same behavior. Thanks, TEA-Time, for suggesting ProcessMonitor. I had forgotten about it.

FWIW, stopping WinDefend eliminates this behavior and does not affect the startup time of apps at all (tested with TCC).
 
Aha.. interesting. I enabled Windows Defender on my Win7 64-bit machine and I saw it once, but now I can't get it to happen again. :-/
 
Uh-oh, I think we brought the site down... Sorry Rex! Heh

No problem, Vince. I can't live without SysInternals' utilities!

-Tim