multiple empty folders being generated in C:\Users\Derek\AppData\Local

[Derek]

I've noticed an ever-growing list of empty folders being created in
C:\Users\Derek\AppData\Local. They're given numerical names like the
examples below this line.

{3AF8D36F-3C2F-4066-85FC-9911D5B2E892}
{7C08B29F-8B99-4448-B618-A7D8F1A67AA0}

Can anyone tell me what's generating them and whether it's safe to
delete them?

 

[Ed Cryer]

I've noticed an ever-growing list of empty folders being created in
C:\Users\Derek\AppData\Local. They're given numerical names like the
examples below this line.

{3AF8D36F-3C2F-4066-85FC-9911D5B2E892}
{7C08B29F-8B99-4448-B618-A7D8F1A67AA0}

Can anyone tell me what's generating them and whether it's safe to
delete them?

Do you use AVG?

Ed

 

[Derek]

Do you use AVG?

Ed

Nope, Microsoft Security Essentials.

 

[Ed Cryer]

Nope, Microsoft Security Essentials.

Right, well it's not AVG then.
I have lots in mine too, and I use AVG not MSE.
We need fedeback from others on this.

Ed

 

[Wolf K]

Right, well it's not AVG then.
I have lots in mine too, and I use AVG not MSE.
We need fedeback from others on this.

Ed

AFAIK, these folders are related to installations and updates of
miscellaneous programs. The registry refers to them. Some are junk, left
over from Windows uninstall (which does an incomplete job). But since
you don't know which are which, I wouldn't advise deleting them. OTOH, a
compete uninstall with a utility like Revo will delete any of folders of
this type that have become redundant.

HTH
Wolf K.

 

[Gene E. Bloch]

AFAIK, these folders are related to installations and updates of
miscellaneous programs. The registry refers to them. Some are junk, left
over from Windows uninstall (which does an incomplete job).

From time to time I point out that uninstallation in windows is done by
the maker of the program you are uninstalling, not by Microsoft. Windows
just calls the uninstaller provided by the software company.

The exception, of course, is in uninstalling Windows components.

 

[Paul]

I've noticed an ever-growing list of empty folders being created in
C:\Users\Derek\AppData\Local. They're given numerical names like the
examples below this line.

{3AF8D36F-3C2F-4066-85FC-9911D5B2E892}
{7C08B29F-8B99-4448-B618-A7D8F1A67AA0}

Can anyone tell me what's generating them and whether it's safe to
delete them?

The format of the numbers, is they're GUIDs.

"Globally unique identifier"

http://en.wikipedia.org/wiki/Guid

"The total number of unique keys 3.4 * 10**38.
This number is so large that the probability of the same number
being generated randomly twice is negligible."

You can try running "regedit.exe" from Start, and search
for the strings. Remove the brackets and just copy the GUID
part into the regedit "find" box, and see what turns up.
You could either be swimming in a sea of digits, or perhaps
a product name will be part of the key the GUID is stored in.
(Don't make changes inside Regedit - you're there just to
read and observe.)

That's only if you wanted to trace down what might be using that GUID.
If they're being temporarily generated (to make a random path name),
then they might not exist outside that entry in the file system.
The fact they're in "AppData", suggests a byproduct of installing something.
And an installer, might leave "tracks" in the registry.

Paul

 

[Derek]

The format of the numbers, is they're GUIDs.

"Globally unique identifier"

http://en.wikipedia.org/wiki/Guid

"The total number of unique keys 3.4 * 10**38.
This number is so large that the probability of the same number
being generated randomly twice is negligible."

You can try running "regedit.exe" from Start, and search
for the strings. Remove the brackets and just copy the GUID
part into the regedit "find" box, and see what turns up.
You could either be swimming in a sea of digits, or perhaps
a product name will be part of the key the GUID is stored in.
(Don't make changes inside Regedit - you're there just to
read and observe.)

That's only if you wanted to trace down what might be using that GUID.
If they're being temporarily generated (to make a random path name),
then they might not exist outside that entry in the file system.
The fact they're in "AppData", suggests a byproduct of installing something.
And an installer, might leave "tracks" in the registry.

Paul

I followed your instructions but the search didn't find anything. I
made a small capture file of the 'Local' folder where these folders
are being generated;
http://dl.dropbox.com/u/15227039/Capture.PNG
and, as well as being generated in pairs at the same time and date,
the latest pair were made this morning at 5:52am. The only thing I had
running overnight was truecrypt. I was encrypting a 2T external drive.
I'm starting to wonder if truecrypt may be the culprit. My whole
system drive and my external drive are encrypted, and instead of
starting up as usual a boot loader loads, telling me to input my
password before the PC starts.

 

[Derek]

Correction - they're being generated in 4s, not pairs

 

[Ed Cryer]

Correction - they're being generated in 4s, not pairs

Here's a snapshot of some of mine, sorted into date order;
http://tinyurl.com/cvxu878

I don't use truecrypt, nor any other encryption program.
Mine seem to be being generated in twos, but sometimes just one.

Ed

 

[Derek]

Here's a snapshot of some of mine, sorted into date order;
http://tinyurl.com/cvxu878

I don't use truecrypt, nor any other encryption program.
Mine seem to be being generated in twos, but sometimes just one.

Ed

And these are in your C:\Users\******\AppData\Local folder?
This is kinda weird. I've searched all over the net for an explanation
and some advice on whether they can be just deleted safely, but I'm
still stumped for an answer.

 

[Leala]

And these are in your C:\Users\******\AppData\Local folder?
This is kinda weird. I've searched all over the net for an explanation
and some advice on whether they can be just deleted safely, but I'm
still stumped for an answer.

I have been deleting them regularly for months now with no ill effects
whatsoever and still don't know what is causing them.

 

[Derek]

I have been deleting them regularly for months now with no ill effects
whatsoever and still don't know what is causing them.

Yep, no problems here, either. I made a restore point and got rid of
them. It would be comforting to know what generates them though.

 

[Nil]

Yep, no problems here, either. I made a restore point and got rid
of them. It would be comforting to know what generates them
though.

If you can predict approximately WHEN the files are created, there are
utilities such as Sysinternals Process Explorer that can identify what
created them. It's probably not something you want running for an
extended time, though, because it amasses a huge amount of data and can
bog the system down while it's running.

 

[Derek]

If you can predict approximately WHEN the files are created, there are
utilities such as Sysinternals Process Explorer that can identify what
created them. It's probably not something you want running for an
extended time, though, because it amasses a huge amount of data and can
bog the system down while it's running.

Thanks. I'll Google about a bit for it and see what it does.

 

[Ed Cryer]

Thanks. I'll Google about a bit for it and see what it does.

I'm currently commissioning a brand new computer with Win7 HP 64-bit.
There are no empty folders as yet in C:\Users\******\AppData\Local. I'm
doing it in small chunks as time comes available.
I've finished the initialisation, all Win Updates, installed a few
things. It's still got McAfee and Nero in it, plus lots of other
OEM-provided junk.
I'll be looking in the folder quite regularly, so I might have a better
idea in days to come.
I'll be back here when one appears.

Ed

 

[Derek]

I'm currently commissioning a brand new computer with Win7 HP 64-bit.
There are no empty folders as yet in C:\Users\******\AppData\Local. I'm
doing it in small chunks as time comes available.
I've finished the initialisation, all Win Updates, installed a few
things. It's still got McAfee and Nero in it, plus lots of other
OEM-provided junk.
I'll be looking in the folder quite regularly, so I might have a better
idea in days to come.
I'll be back here when one appears.

Ed

If I were doing that I'd create a shortcut to the folder and put it on
my task bar to regularly check it. Just a thought. ;-)

 

[Paul]

If I were doing that I'd create a shortcut to the folder and put it on
my task bar to regularly check it. Just a thought. ;-)

You could try Sysinternals Process Monitor.

http://technet.microsoft.com/en-us/sysinternals/bb896645

Download and unzip.

The way that program works, it is traces stuff (operations done by processes,
such as file operations or registry operatons). By default, I think it
uses RAM based storage, so for long traces, it may exhaust resources.
There is another option for that.

The key to the program, is the "Filter" dialog. Since you're looking
for a needle in a haystack, the Filter is how you narrow down your
search.

The Filter menu has many options. For example, right now I tried...

Path begins with C:\Downloads Include
Operation is Readfile Include

If I then create a directory with Explorer, in C:\Downloads, such
as C:\Downloads\New Folder, that seems to trigger this kind of activity
in the capture window -

Explorer PID 292 ReadFile C:\Downloads\New Folder INVALID PARAMETER

and I now know that Explorer did it.

I don't know exactly what Explorer is doing at that moment, but at
least it triggered the name of the process to be captured.

I could not find a "CreateDirectory" option in the Operation filter
event. So I couldn't precisely specify the capture of a process
creating a folder. So I tried ReadEile, in that directory.

I expect, there is plenty of ReadFile activity in

C:\Users\******\AppData\Local

so even that is not going to be specific enough to catch it.

Maybe you could change the "Path begins with" filter to include
the first character before the GUID, like this ?

C:\Users\******\AppData\Local\{

and catch it that way. Only the guilty folders should get
snagged then.

For long term operation of Process Monitor, you should
set the captures to go into a "backing file" rather than
using system RAM as the default. Then you can leave it
running for a longer period of time. Look under the "File"
menu for "Backing File" setting, then find an NTFS partition
on your hard drive (preferably not in the AppData folder )
and have the program store the trace in there. If you have
a few hundred gigabytes of space on that volume, who knows
what you might capture.

Paul

 

[Ed Cryer]

If I were doing that I'd create a shortcut to the folder and put it on
my task bar to regularly check it. Just a thought. ;-)

Not a single one has appeared yet, and I've nearly finished the full
installation process.
While there are no empty folders there are, however, about 300MB of
stuff in the Local/Temp folder.

I come back to AVG because I haven't installed that yet. I'm
accumulating circumstantial evidence for it.
McAfee came with a couple of months' free use, and I've left it in just
for the fun and ride. I'll install AVG or maybe MSE when it expires.

Now's the time for suggestions. I can install things and see if some of
those empty folders turn up.
On my old machine there are two more of the damn things timed at
13-00hrs and 19-30hrs yesterday.

Ed

 

[Ed Cryer]

Not a single one has appeared yet, and I've nearly finished the full
installation process.
While there are no empty folders there are, however, about 300MB of
stuff in the Local/Temp folder.

I come back to AVG because I haven't installed that yet. I'm
accumulating circumstantial evidence for it.
McAfee came with a couple of months' free use, and I've left it in just
for the fun and ride. I'll install AVG or maybe MSE when it expires.

Now's the time for suggestions. I can install things and see if some of
those empty folders turn up.
On my old machine there are two more of the damn things timed at
13-00hrs and 19-30hrs yesterday.

Ed

This lot of people here;
http://tinyurl.com/cwuf76a
seem pretty certain it's WLM and other Windows Live Essential programs.

Ed