none
EMIEsitelist and EMIEuserlist hidden directories and dat-files RRS feed

  • Question

  • 2014-04-05

    Cross-posted from http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/erniesitelist-and-ernieuserlist/00407bd2-e349-423c-a8e5-cb6127840ea5


    Original Post dated April 21, 2014


    EmieSiteList and EmieUserList

    Microsoft Security - Privacy Concerns

    I found two unknown directories on my PC in my user profile.  I have, so far, been unable to identify what put them there, which process owns them, and when I delete them (using Admin escalated privileges) they come back after a few minutes or immediately after reboot.


         c:\users\USERNAME\appdata\local\EmieSitelist\container.dat


         c:\users\USERNAME\appdata\local\EmieUserlist\container.dat


         C:\Users\USERNAME\AppData\LocalLow\EmieSiteList\container.dat


         C:\Users\USERNAME\AppData\LocalLow\EmieUserlist\container.dat


    It was time, anyway, so I wiped the drive using factory low-level overwriting and performed a clean install of Windows 8.1 Pro using a freshly downloaded ISO from Microsoft; one with an ESD distribution, written to a new just out-of-the-bedamned-hardshell-plastic flashdrive..


    I just completed the clean install, in this sequence:


    Boot to flashdrive and let Windows create partitions then install.  Reboot.  Check AppData; no folders found.

    Activate.  Check AppData; no folders found.

    Run first Update; install everything except Bing Bar and Desktop.    Check AppData; no folders found.  Reboot.  Check AppData; no folders found.

    Add Feature Windows Media Center.  Check AppData; no folders found.  Reboot.  Check AppData; no folders found.

    Run Updates a second time.  Check AppData; no folders found.  Reboot.  Check AppData; no folders found.

    Remove MS C++ v12 x86 and x64 installed during Update.    Check AppData; no folders found.  Reboot.  Check AppData; no folders found.

    Download from MSDN (http://msdn.microsoft.com/en-us/vstudio/default) Redistributables MS C++ x86 and x64, 2005, 2008, 2010, and 2012.4 versions, and install in sequence.  Check AppData after each install; no folders found.  Reboot after each install and check AppData; no folders found.

    Run Updates a third time.  Response was No Updates Available.  Check AppData; no folders found.

    Reboot.  Check AppData; all four sub-directories are now present.


    These sub-directories and dat-files are not, so far, present in the AppData\Roaming directory.


    There is nothing except Microsoft Windows 8.1 Pro WMC and the 10 MS C++ packages installed; and MS Silverlight and AMD (videocard) Catalyst Control Center on the machine.  Windows Defender is present but is installed as part of Windows 8 and 8.1; and its' updates are provided via the MS Update process.  All - repeat ALL of these items are provided by Microsoft.


    My questions are:  What are the Emie directories for; what program created them, and what does the various container.dat files "contain"?  And . . . if not absolutely necessary, How do I get rid of them and keep them from coming back?

    First attempt at Solution:


    Permissions are Full for System, USERNAME, and group Administrators.  The USERNAME is the Owner, and Effective Permissions for each of the 3 is Full.


    Open Command Prompt (Admin)

    C:\Windows\system32>cd\

    C:\>attrib -r -h +s C:\Users\USERNAME\AppData\Local\EmieSiteList\container.dat

    C:\>attrib -r -h +s C:\Users\USERNAME\AppData\Local\EmieSiteList

    C:\>attrib -r -h +s C:\Users\USERNAME\AppData\Local\EmieUserList

    C:\>attrib -r -h +s C:\Users\USERNAME\AppData\Local\EmieUserList\container.dat

    C:\>attrib -r -h +s C:\Users\USERNAME\AppData\LocalLow\EmieUserList\container.dat

    C:\>attrib -r -h +s C:\Users\USERNAME\AppData\LocalLow\EmieUserList

    C:\>attrib -r -h +s C:\Users\USERNAME\AppData\LocalLow\EmieSiteList

    C:\>attrib -r -h +s C:\Users\USERNAME\AppData\LocalLow\EmieSiteList\container.dat

    C:\>


    BOTH Files and Directories are no longer Hidden.  The Directories still show that the files within are READ-Only, but checking the actual file shows that it is no longer R-O.


    I then deleted each of the 4 directories and  closed Windows (File) Explorer.


    After less than 3 minutes reading pages on the internet (at Microsoft's Ask Windows Community), I opened Windows Explorer to check and found that the sub-directories had re-created themselves in both the Local and LocalLow directories.


    The container.dat files were back in the Local sub-dir and after another few minutes, also back in the LocalLow sub-dir.


    Both the sub-directories and the container.dat files are once again Super-Hidden.


    Analysis using Windows utilities and SysInternals and NirSoft tools have not identified which object or process or service owns these objects.


    ADDED:  My system is a home system, not connected to any work domain via VPN or otherwise.  WHY is the Windows Update Team not spending time to implement condition-and-error-checking to ensure that unneeded updates, services, and changes are not made without the system owner/operator permission?  Further, WHY is this particular issue so hard to find info about; what is being kept from customers and why?

    Tuesday, May 6, 2014 6:23 AM

Answers

  • Dear sir Shovel Driver,

       About:  EMIEsitelist  and  EMIEuserlist .., hidden directories and dat-files

    Internet Explorer 11 (on Windows 7 and Windows 8.1) provides increased performance, improved security, and support for the modern technologies like HTML5 and CSS3 that power today’s Web sites and services. By adding better backward compatibility with Enterprise Mode, Internet Explorer 11 now helps customers stay up to date with the latest browser—and facilitates using the latest software, services, and devices.

    IE11 Enterprise Mode can be set in the Group Policy Console, or by adding a Registry setting:

    REGISTRY:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main] "EnterpriseMode"="Disable"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode]

    Or a edit a Group Policy setting, which you can find under:

    [Windows-Key]+[R]->[Run]->Type here:

       gpedit.msc

    Press [Enter], with an UAC Warning:
    Do you want to allow the following program to make changes on this computer: gpedit.msc ?

    Select/Press: Yes
    Go to in the Left pane of the GPedti.msc Window:

      Computer Configuration
      Administrative Templates
      Windows Components
      Internet Explorer

    Change / Add at right list, down under:
      "Use the Enterprise Mode IE website list"
     
    Set this option to - whatever you need;  Disabled, Enabled (Default is: Not Configured)
    When Enabled, you need to add a list with Web-Sites, Domains or Web-Pages.

    This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

    If you enable this policy setting, Internet Explorer downloads the website list from your location
      (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode),
    opening all listed websites using Enterprise Mode IE, Web-Sites are seperated by a sign: " ; "

    If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.

    Now to properly close and conclude this mystery:

    EMIEsitelist and EMIEuserlist .., are hidden directories and dat-files
    Thses directories and dat files are used to store data for the IE11
    EnterpriseMode.

    It is not a: Virus, neither it is a Trojan, Hoax, KeyLogger or anything else bad.

    TECHNET Sources:

     Turn on Enterprise Mode and Use a Site List (Deploy):
     http://technet.microsoft.com/en-us/ie/dn262703.aspx

     What is Enterprise Mode?:
     http://technet.microsoft.com/library/dn640687.aspx

    If you find this usefull, please Vote at the button
    "I Find This Usefull"

    Thank you! ;)
    Best regards, MPVS


    MP|VS


    • Edited by vanSijll Sunday, May 18, 2014 1:33 AM
    • Proposed as answer by vanSijll Sunday, May 18, 2014 1:34 AM
    • Marked as answer by Roger LuModerator Tuesday, May 27, 2014 7:16 AM
    Sunday, May 18, 2014 1:25 AM
  • emiesitelist and emieuserlist, to me, sound like they are related to the IE11 "Enterprise Mode" feature.

    (just a guess, but I have been wondering where and how the EM data would be stored. I think you may have answered that question for me ;)


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Tuesday, May 6, 2014 8:06 AM
  • I have those and wondered & tried the delete to see them magically re-appear.

    For a clue, you might want to   Check this out...

    http://social.technet.microsoft.com/Forums/en-US/fd2eacf1-cef5-4e60-81f9-04e3ac0c3560/emie-remote-desktop-services-with-mandatory-profile?forum=ieitprocurrentver

    Wednesday, May 14, 2014 12:38 AM

All replies

  • emiesitelist and emieuserlist, to me, sound like they are related to the IE11 "Enterprise Mode" feature.

    (just a guess, but I have been wondering where and how the EM data would be stored. I think you may have answered that question for me ;)


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Tuesday, May 6, 2014 8:06 AM
  • emiesitelist and emieuserlist, to me, sound like they are related to the IE11 "Enterprise Mode" feature.

    (just a guess, but I have been wondering where and how the EM data would be stored. I think you may have answered that question for me ;)


    I also have these folders and files on my Win8.1u1 machine. Although I am researching IE11 Enterprise Mode, I have not configured any EM settings on this machine, nonetheless, those folders/files are present.

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Tuesday, May 6, 2014 9:26 PM
  • I have those and wondered & tried the delete to see them magically re-appear.

    For a clue, you might want to   Check this out...

    http://social.technet.microsoft.com/Forums/en-US/fd2eacf1-cef5-4e60-81f9-04e3ac0c3560/emie-remote-desktop-services-with-mandatory-profile?forum=ieitprocurrentver

    Wednesday, May 14, 2014 12:38 AM
  • Dear sir Shovel Driver,

       About:  EMIEsitelist  and  EMIEuserlist .., hidden directories and dat-files

    Internet Explorer 11 (on Windows 7 and Windows 8.1) provides increased performance, improved security, and support for the modern technologies like HTML5 and CSS3 that power today’s Web sites and services. By adding better backward compatibility with Enterprise Mode, Internet Explorer 11 now helps customers stay up to date with the latest browser—and facilitates using the latest software, services, and devices.

    IE11 Enterprise Mode can be set in the Group Policy Console, or by adding a Registry setting:

    REGISTRY:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main] "EnterpriseMode"="Disable"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode]

    Or a edit a Group Policy setting, which you can find under:

    [Windows-Key]+[R]->[Run]->Type here:

       gpedit.msc

    Press [Enter], with an UAC Warning:
    Do you want to allow the following program to make changes on this computer: gpedit.msc ?

    Select/Press: Yes
    Go to in the Left pane of the GPedti.msc Window:

      Computer Configuration
      Administrative Templates
      Windows Components
      Internet Explorer

    Change / Add at right list, down under:
      "Use the Enterprise Mode IE website list"
     
    Set this option to - whatever you need;  Disabled, Enabled (Default is: Not Configured)
    When Enabled, you need to add a list with Web-Sites, Domains or Web-Pages.

    This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

    If you enable this policy setting, Internet Explorer downloads the website list from your location
      (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode),
    opening all listed websites using Enterprise Mode IE, Web-Sites are seperated by a sign: " ; "

    If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.

    Now to properly close and conclude this mystery:

    EMIEsitelist and EMIEuserlist .., are hidden directories and dat-files
    Thses directories and dat files are used to store data for the IE11
    EnterpriseMode.

    It is not a: Virus, neither it is a Trojan, Hoax, KeyLogger or anything else bad.

    TECHNET Sources:

     Turn on Enterprise Mode and Use a Site List (Deploy):
     http://technet.microsoft.com/en-us/ie/dn262703.aspx

     What is Enterprise Mode?:
     http://technet.microsoft.com/library/dn640687.aspx

    If you find this usefull, please Vote at the button
    "I Find This Usefull"

    Thank you! ;)
    Best regards, MPVS


    MP|VS


    • Edited by vanSijll Sunday, May 18, 2014 1:33 AM
    • Proposed as answer by vanSijll Sunday, May 18, 2014 1:34 AM
    • Marked as answer by Roger LuModerator Tuesday, May 27, 2014 7:16 AM
    Sunday, May 18, 2014 1:25 AM
  • Just noticed these folders and wondered what they were myself. It would be helpful if MS could use more accurate names. If the folders were called IECompatibilityModeSiteList (or even better InternetExplorerCompatibilityModeSiteList) it would make it much more obvious what the folders were for, and save people from having to do a new install with lots of restarts to try and work out where the folders are coming from.
    Monday, May 19, 2014 12:14 PM
  • Just noticed these folders and wondered what they were myself. It would be helpful if MS could use more accurate names. If the folders were called IECompatibilityModeSiteList (or even better InternetExplorerCompatibilityModeSiteList) it would make it much more obvious what the folders were for, and save people from having to do a new install with lots of restarts to try and work out where the folders are coming from.

    But, EnterpriseMode, and CompatibilityViewMode, are different features, which do different things, in different ways, and, they do not share configuration settings...

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Monday, May 19, 2014 9:11 PM
  • I stumbled on this thread while searching for EmieBrowserModeList. You say the 3 folders I have in both AppData\Local and AppData\LocalLow are legitimate and a result of IE11 Enterprise Mode. You also provide 2 methods of enabling (or disabling) the legitimate IE11 Enterprise Mode and prevent these folders from being created. 

    Well, here's the problem. I'm running Win 7 Home Premium on my personal laptop which does not have Group Policy Editor. I tried to run gpedit.msc and couldn't. I also tried to install the mmc snap-in which doesn't exist. Later I learned that the Group Policy Editor is not available for Home Premium.

    Second, when I used regedit to navigate to the registry key you specified, it is not present on my system. 

    So my question is has an illegitimate process hijacked this so-called legitimate MS process?



    Sunday, January 4, 2015 6:35 PM
  • You say the 3 folders I have in both AppData\Local and AppData\LocalLow are legitimate and a result of IE11 Enterprise Mode. You also provide 2 methods of enabling (or disabling) the legitimate IE11 Enterprise Mode

    There's no documentation from MSFT which states that these folders/files are actually related to EMIE - so it's all supposition so far.

    and prevent these folders being created. 

    No, he didn't say that that there was a way to prevent these folders being created - just that there are ways to configure/control EMIE.


    Well, here's the problem. I'm running Win 7 Home Premium on my personal laptop which does not have Group Policy Editor. I tried to run gpedit.msc and couldn't. I also tried to install the mmc snap-in which doesn't exist. Later I learned that the Group Policy Editor is not available for Home Premium.

    Second, when I used regedit to navigate to the registry key you specified, it is not present on my system. 

    In most cases, GPEditor is reading and writing to registry keys/values - in these cases, exactly the same outcome can be achieved using any registry editing method - it's just that GPEditor helps to avoid improper/invalid edits occurring.
    Based on my observations over many years, it's quite common for "default" registry keys/values to not-exist, since there are also well-documented features/behaviours within Windows, where the absence of a registry key/value will cause the feature/behaviour to adopt a default behaviour. In such cases, to achieve non-default behaviour, the creation of the key/value is needed.
    So, the absence of the key/value is not at all unusual/unexpected, if the "defaults" are to be expected.

    So my question is has an illegitimate process hijacked this so-called legitimate MS process?

    That's difficult to say. Based on the existence of the EMIE-related folders/files alone, I'd say "not hijacked", since my own system, also has those folders/files, and they seem to have been created at almost the same time as IE11 was installed on my Win7 system.

    I'd theorise (due to the lack of formal documentation), and based on observation, that the three folders are auto-created by the IE11 features (regardless of EMIE actually being configured/enabled).
    In my own case, the create-dates on those folders seem to align with installation actions detailed in the IE11_main.log, and, also aligns with the date/time I began tinkering with EMIE and the EMSLM tool.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Sunday, January 4, 2015 10:23 PM
    Sunday, January 4, 2015 10:22 PM
  • I am puzzled with the emphasis, by Microsoft and the Technical folks, on Enterprise settings, applications and structures that load "regular" users down with hidden (sort of) data folders and files.  I do not know the ratio of "regular" (non domain based) users compared to Enterprise users in the Microsoft world, but I would like to know why Windows operating systems do not have settings which can be easily selected to control the install and configurations of Enterprise material.  I suspect the number of Enterprise users is considerably smaller than the number of "regular" users because the Enterprise users will be administrators or power users responsible for large numbers of domain related computers and systems.  Networked stations and monitor related systems do not need operating system installs to be any more sophisticated than regular home, multimedia systems, or gamers' computer systems.  All the systems I have seen as a regular home user or as a technician seemed to have been bulked up unnecessarily (for example) by .Net Framework and other very large installs.  The few regular computer users who needed those installs were people who were developing, testing, or programming within those environments.  I wanted to know the answer to this question so I asked in a few Windows related communities why I needed these files on my home computer; nobody had an answer.  I would like to hear more if anyone has some time on these pages.  Your feedback will be greatly appreciated and useful considering the direction that Windows is taking with versions 8.1 and 10.

    Tuesday, June 2, 2015 9:36 PM