OT: strange files in %TEMP

#1
This is way off-topic, but with all the experts here ...

On my home computer (Win7/32), **every** time I start an EXE which does not reside in the c:\Windows tree, I get the likes of this in the %TEMP directory.
Code:
20:40:57.996123  CREATE  TMP000003B87C0F2266F9A64046
20:40:57.996288  MODIFY  TMP000003B87C0F2266F9A64046
20:40:58.020166  DELETE  TMP000003B87C0F2266F9A64046
The files are exactly 512K (2^19) in size and are owned by NT AUTHORITY\SYSTEM. They allow no sharing, so I can't read/copy them. I tried denying "SYSTEM" the delete privilege in %TEMP (so I could look at one), but they're deleted anyway.
This **never** happens on my work computer, also Win7/32, and set up quite similarly.
I tried stopping several services that I could do without; that made no difference.
Does anyone have any ideas what they are or how I might get a look at one?
 
Jun 2, 2008
296
1
#2
If you yank the power cord while some are there, do they stay there when you boot it back up?

This makes me wonder what your .exe file association is like...
 
#6
Oh.. sorry, I missed the interval. Wow, so they don't even stick around 'til the .exe is closed. Process Monitor should be able to catch anything since it monitors in real-time. The trick is to define the right filter to catch just that stuff and nothing else. Looking for the string \temp\ in the "Path" would probably do it.
 
#7
Correction, "\temp\TMP" (no quotes) would be a good string to look for. There are lots of "\temp\" accesses just because of Process Monitor itself that you don't need to see.
 
#8
According to ProcessMonitor, the file is created by an instance of svchost.exe (secsvcs/WindowsDefender) which immediately creates a file mapping of it. A split second later, Explorer tries to access that file, but it is gone by then. Oddly, WinDefend also runs on my work computer (where this doesn't happen) and there, it has the same "real time protection" settings.
 
#9
Mystery solved (I guess). I don't know exactly what WinDefend does but I guess I should be glad it's protecting me. On the home computer, TMP and TEMP refer to the same place for both the user and the system, so I see this behavior in my usual temp folder. On the work computer, the system environment variables TMP and TEMP point to the default (\Windows\Temp) which differs from the user temp folder. When I watch \Windows\Temp on the work computer, I see the same behavior. Thanks, TEA-Time, for suggesting ProcessMonitor. I had forgotten about it.

FWIW, stopping WinDefend eliminates this behavior and does not affect the startup time of apps at all (tested with TCC).
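For anyone who wants to reproduce the observation without Process Monitor, here is an added PowerShell example (not code from anyone in this thread). It does two things the thread describes: it reports the user and machine TMP/TEMP variables, which post #9 found point to the same folder on the home machine and to different folders on the work machine, and it logs Created/Changed/Deleted events for TMP* files in the temp folder, the same filter idea as "\temp\TMP" in post #7. The function names, the 60-second default and the TMP* pattern are my choices, not anything from the thread.

```powershell
# Added example, not from the thread: compare user vs. machine temp variables
# and log short-lived TMP* files in the temp folder.

function Get-TempVariableReport {
    # Post #9: when the machine-level TMP/TEMP equal the user-level ones, the
    # SYSTEM service's scratch files land in the user's own temp folder.
    foreach ($name in 'TMP', 'TEMP') {
        [pscustomobject]@{
            Variable = $name
            User     = [Environment]::GetEnvironmentVariable($name, 'User')
            Machine  = [Environment]::GetEnvironmentVariable($name, 'Machine')
        }
    }
}

function Watch-TempFiles {
    param(
        [string]$Path    = $env:TEMP,   # folder to watch (assumed default)
        [string]$Filter  = 'TMP*',      # matches the TMP0000... names seen in post #1
        [int]   $Seconds = 60           # how long to watch before cleaning up
    )

    $watcher = New-Object System.IO.FileSystemWatcher $Path, $Filter
    $watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'

    # One handler per event type; Write-Host is used because output from an
    # event -Action block does not reach the pipeline.
    foreach ($evt in 'Created', 'Changed', 'Deleted') {
        Register-ObjectEvent -InputObject $watcher -EventName $evt `
            -SourceIdentifier "TempWatch$evt" -Action {
                $e = $Event.SourceEventArgs
                Write-Host ('{0:HH:mm:ss.ffffff}  {1,-8}  {2}' -f (Get-Date),
                    $e.ChangeType.ToString().ToUpper(), $e.Name)
            } | Out-Null
    }

    $watcher.EnableRaisingEvents = $true
    try {
        Start-Sleep -Seconds $Seconds   # start a few non-Windows EXEs meanwhile
    }
    finally {
        $watcher.EnableRaisingEvents = $false
        foreach ($evt in 'Created', 'Changed', 'Deleted') {
            Unregister-Event -SourceIdentifier "TempWatch$evt"
        }
        $watcher.Dispose()
    }
}

Get-TempVariableReport | Format-Table -AutoSize
Watch-TempFiles
```

Run it from a normal PowerShell prompt, then launch an EXE from outside C:\Windows during the watch window; a CREATE/CHANGE/DELETE triple within a few tens of milliseconds is the pattern from post #1. Unlike Process Monitor, a FileSystemWatcher cannot tell you which process touched the file, so it confirms the timing but not the svchost.exe/WinDefend attribution from post #8; for that, Process Monitor's Path filter is still the right tool.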