locked
Folder c:\windows\nvtmpinst RRS feed

  • Question

  • Hello,

    I run Sigverif program in Command window to scan for unsigned drivers. In "Signature Verificaion Results" window I've got 117 files in c:\windows\nvtmpinst folder. (One file was not scanned). However, I don't see this folder in Windows Explorer (Folder option - Show hiddden filed and folders is selected).

    I found these files in the registry : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles

    How can I find and see this folder? Why is it on my system?

    Thanks,

    Nadia

     

    Tuesday, June 29, 2010 8:52 PM

Answers

  • The C:\Windows\nvtmpinst folder stores unknown signed driver information in .chm format. The .chm file format’s ability to contain and execute arbitrary code is a potential security threat, thus the ability to view the file is often restricted by network security settings. It means that it is not visible in Windows.  

     

    Best Regards

    Dale Qiao
    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com


    Please remember to click “Mark as Answer” on the post that helps you.
    Wednesday, June 30, 2010 6:36 AM
    Moderator

All replies

  • Hi Nadia,

     

    Thanks for posting in Microsoft TechNet forums.

     

    As far as I know, the PnpLockdownFiles is the Microsoft registry key used to store drivers as services, it is a System File Protection to prevent DLL ____ in Windows. The most of protected files are stored at %systemroot%\system32 folder or its sub-folder %systemroot%\system32\drivers.

     

    Best Regards

    Dale Qiao
    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

     


    Please remember to click “Mark as Answer” on the post that helps you.
    Wednesday, June 30, 2010 1:54 AM
    Moderator
  • Hi Dale,

    Yes, as I know drivers shall reside in the %systemroot%\system32\drivers. Non pnp drivers are supposed to be in the %systemroot%\inf according to setting in my registry.

    What puzzles me is the results I've got from running Sigverif pointing to  files in c:\windows\nvtmpinst folder, which I don't see on my hard drive, or nvtmpinst folder is misteriously hidden.

    Nadia

    Wednesday, June 30, 2010 2:49 AM
  • The C:\Windows\nvtmpinst folder stores unknown signed driver information in .chm format. The .chm file format’s ability to contain and execute arbitrary code is a potential security threat, thus the ability to view the file is often restricted by network security settings. It means that it is not visible in Windows.  

     

    Best Regards

    Dale Qiao
    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com


    Please remember to click “Mark as Answer” on the post that helps you.
    Wednesday, June 30, 2010 6:36 AM
    Moderator
  • *.dll and *.exe files are also a potential security threat, but they are not hidden.

    Do you know how I can access my folder C:\Windows\nvtmpinst ? I suppose that as an administrator on my computer, I should be able to do that.

    Nadia

    Wednesday, June 30, 2010 3:00 PM
  • Even with the administrator account, the C:\Windows\nvtmpinst folder can't be viewed too. It is a 0 bytes folder which isn't visible in Windows Explorer.

    Best Regards

    Dale Qiao
    TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com


    Please remember to click “Mark as Answer” on the post that helps you.
    Thursday, July 1, 2010 2:04 AM
    Moderator
  • How can it be 0 length if it has 118 files inside?

    I think that it is a security threat for me as an administrator to be denied access to all folders on my computer.

    In this particular case, with C:\Windows\nvtmpinst folder, I am conserned that it could have been created with some malicious code. How do I know that its content is legitimate?

    Nadia

    Thursday, July 1, 2010 2:58 PM
  • I did a scan on my Win7EntSP1 laptop and got similar results, one of which was nvcpl.cpl. Running this manually (it's a Control Panel Applet) brought up an interface that allowed me to modify the settings of the built-in NVIDIA graphics card.

    This plus additional Google searches leads me to believe NVIDIA is the source of the "c:\windows\nvtmpinst" directory. Still, considering the "tmp" part of the directory name it's rather strange that it's persistent AND inaccessible. You would think the NVIDIA installer would delete the directory completely after a clean exit.

    In short, the c:\windows\nvtmpinst folder doesn't seem to be malicious in and of itself, but I share the opinion that it could be a security threat, especially if malicious programs start hiding behind it.

    Wednesday, June 22, 2011 7:50 PM
  • I don't know if you are still having the same problem, but I have a new solution.  The files that showed up when you ran Sigverif, in the "C:\Windows\nvtmpinst" folder,  are for your Nvidia graphics driver.  As you have already stated, if your machine is anything like mine with the same problem (NVidia GeForce, Windows Vista, 32-Bit FYI), selecting "Update Driver" will result in Windows telling you that your device driver is already up-to-date. 

    If you go directly to Nvidia's website, however, you will find that there is indeed a newer driver available.  Nvidia has an excellent tool on their website which will automatically detect your Nvidia driver and let you know that there is a newer driver available.  Once you download and install the new driver, and restart your computer, you will find that Windows should be happy with the new driver.  Running Sigverif again, you will find that all of those nasty C:\Windows\nvtmpinst entries, including CHM files, have now disappeared.

    Hope this solution will help you, and anyone else with the same problem.

    • Proposed as answer by cknoettg Sunday, April 29, 2012 8:33 PM
    Sunday, April 29, 2012 8:33 PM