none
odd results from get-ChildItem

    Question

  • When I issue get-ChildItem it returns a bunch of strange files and directories not seen by either cmd.exe 'dir', or by Windows Explorer.  What are these?

    PS C:\Users\OraAdmin> get-ChildItem -Path y:\ -recurse -file
    
    
        Directory: Y:\
    
    
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    ------         5/5/2018   7:18 AM           1024 ZZZZZ962325697.txt
    ------        4/23/2018   6:00 AM           2024 !!!!!939499991.doc
    ------         5/1/2018   6:44 AM           4048 ZZZZZ3199021441.pem
    ------        4/11/2018   6:59 AM          10000 !!!!!2467187775.jpg
    ------         5/5/2018   6:15 AM          20000 ZZZZZ2650116879.png
    ------         5/5/2018   7:12 AM          25000 !!!!!1313814224.bmp
    ------         5/5/2018   7:15 AM          30000 ZZZZZ2300536607.eml
    ------         5/5/2018   7:46 AM          50240 !!!!!1811659675.docx
    ------        4/23/2018   7:11 AM         100000 ZZZZZ1917862676.xls
    ------        4/11/2018   6:54 AM         150000 !!!!!2162654593.xlsx
    ------         5/1/2018   7:35 AM         175000 ZZZZZ2856964321.mdb
    ------         5/5/2018   6:01 AM         200000 !!!!!1515646143.ppt
    ------         5/5/2018   6:21 AM         225000 ZZZZZ1683057156.pps
    ------        4/23/2018   7:52 AM         250000 !!!!!518717737.pptx
    ------        4/23/2018   7:23 AM         275000 ZZZZZ2592268989.pdf
    ------        4/11/2018   7:35 AM         300000 !!!!!978894766.avi
    ------        4/11/2018   6:18 AM         350000 ZZZZZ614430796.db
    ------        4/11/2018   6:25 AM         350000 !!!!!2087416694.pst
    ------        4/11/2018   7:27 AM         400000 ZZZZZ1691702175.sql
    ------         5/5/2018   7:18 AM           1024 ZZZZZ3055713223.txt
    ------        4/23/2018   6:00 AM           2024 !!!!!2552639158.doc
    ------         5/1/2018   6:44 AM           4048 ZZZZZ2276892211.pem
    ------        4/11/2018   6:59 AM          10000 !!!!!1421414400.jpg
    ------         5/5/2018   6:15 AM          20000 ZZZZZ3245106307.png
    ------         5/5/2018   7:12 AM          25000 !!!!!2565315290.bmp
    ------         5/5/2018   7:15 AM          30000 ZZZZZ2371254390.eml
    ------         5/5/2018   7:46 AM          50240 !!!!!1050599516.docx
    ------        4/23/2018   7:11 AM         100000 ZZZZZ3194302618.xls
    ------        4/11/2018   6:54 AM         150000 !!!!!3969629479.xlsx
    ------         5/1/2018   7:35 AM         175000 ZZZZZ2948687733.mdb
    ------         5/5/2018   6:01 AM         200000 !!!!!3116176774.ppt
    ------         5/5/2018   6:21 AM         225000 ZZZZZ2482586178.pps
    ------        4/23/2018   7:52 AM         250000 !!!!!2723105122.pptx
    ------        4/23/2018   7:23 AM         275000 ZZZZZ2213772589.pdf
    ------        4/11/2018   7:35 AM         300000 !!!!!3247399992.avi
    ------        4/11/2018   6:18 AM         350000 ZZZZZ1199649924.db
    ------        4/11/2018   6:25 AM         350000 !!!!!2278990319.pst
    ------        4/11/2018   7:27 AM         400000 ZZZZZ1117708144.sql
    
    
        Directory: Y:\!!!!!2114975148
    
    
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    ------         5/5/2018   7:12 AM          25000 !!!!!1313814224.bmp
    ------         5/5/2018   6:01 AM         200000 !!!!!1515646143.ppt
    ------         5/5/2018   7:46 AM          50238 !!!!!1811659675.docx
    ------        4/11/2018   6:25 AM         350000 !!!!!2087416694.pst
    ------        4/11/2018   6:54 AM         150000 !!!!!2162654593.xlsx
    ------        4/11/2018   6:59 AM           9999 !!!!!2467187775.jpg
    ------        4/23/2018   7:52 AM         249998 !!!!!518717737.pptx
    ------        4/23/2018   6:00 AM           2024 !!!!!939499991.doc
    ------        4/11/2018   7:35 AM         300000 !!!!!978894766.avi
    ------         5/5/2018   6:21 AM         225000 ZZZZZ1683057156.pps
    ------        4/11/2018   7:27 AM         400000 ZZZZZ1691702175.sql
    ------        4/23/2018   7:11 AM         100000 ZZZZZ1917862676.xls
    ------         5/5/2018   7:15 AM          30000 ZZZZZ2300536607.eml
    ------        4/23/2018   7:23 AM         274999 ZZZZZ2592268989.pdf
    ------         5/5/2018   6:15 AM          20000 ZZZZZ2650116879.png
    ------         5/1/2018   7:35 AM         175000 ZZZZZ2856964321.mdb
    ------         5/1/2018   6:44 AM           4048 ZZZZZ3199021441.pem
    ------        4/11/2018   6:18 AM         349999 ZZZZZ614430796.db
    ------         5/5/2018   7:18 AM           1021 ZZZZZ962325697.txt
    


    Thursday, May 17, 2018 1:36 PM

All replies

  • Not a PowerShell issue.  Check with you Admins to have them check the drive.


    \_(ツ)_/

    Thursday, May 17, 2018 1:47 PM
    Moderator
  • Not a PowerShell issue.  Check with you Admins to have them check the drive.


    \_(ツ)_/

    Unfortunately, in this case, I am effectively the Admin.  Any pointers on where/what I should check?

    And before you reply with simply "this is not a PS issue", I'll gladly take the question elsewhere if you'll advise on the best place to ask it.

    Thursday, May 17, 2018 2:11 PM
  • Try another system first.


    \_(ツ)_/

    Thursday, May 17, 2018 2:38 PM
    Moderator
  • Also, FWIW, I'm not asking "what's wrong with PS", and I'm not asking "what am I doing wrong?"  The PowerShell question is "why is PS the only place these strange files seem to get reported", as neither cmd.exe 'DIR' nor Windows Explorer reports them.
    Thursday, May 17, 2018 2:53 PM
  • We cannot access your system.  There is no way to help you.  Perhaps you need to do a system rebuild or a repair of Net.  You may have a virus or other malware that is interfering.

    Don't ignore human error as a cause.


    \_(ツ)_/

    Thursday, May 17, 2018 3:05 PM
    Moderator
  • "There's no way to help you".

    Maybe I wasn't so clear.  I wasn't really asking for "help".  I don't have a "problem" that needs to be "fixed."    I simply saw something very odd and was just asking if anyone had seen anything like it and could explain it.  FWIW, I also asked on StackExchange and one respondent suggested it might have to do with some sort of security software using it.  As a comparison, I checked a private machine that is not on the corporate network, and these files were not reported.  By contrast they are on every one of the 4 machines, servers and desktops, that I checked that ARE on the corp network.  I've sent an email to our net security guy, but he is out for a few days so it will be next week before I get any feedback on that.

    Thursday, May 17, 2018 6:22 PM
  • My query at StackExchange yielded some results.  One respondent provided a link back to another thread in TechNet, confirming that the files are associated with Palo Alto Network's TRAPS program.

    https://social.technet.microsoft.com/Forums/en-US/096b353f-5f97-43a8-8cdd-32814f2fbcbb/weird-files-in-public-profile-beginning-with-zzzzz-or-?forum=win10itprogeneral

    Thursday, May 17, 2018 9:07 PM
  • Well probably are there, just hidden or marked as system files.

    Check 1st with an antimalware like anti-Malwarebytes (it's free) and you can discard an antispam issue. For how the files look like  something is getting them encrypted  or renamed, and the way you can't see it on the explorer gives another point into it

    Thursday, May 17, 2018 11:23 PM
  • Here is the response I received from our network and security admin:

    This is . . . part of the anti-ransomware protection. These files are only virtual, and are “pretended-to-be” Windows files created by the TRAPS processes. None of these files and folders are physically located on a disk.

     

    The virtual files are the most commonly encrypted by ransomware, and are created at the top and bottom of the file structure to catch ransomware processes.

    Which still leaves me curious as to why/how PS saw and listed them when nothing else seems to.  They aren't
    "just hidden or marked as system files".  If that were the case, I'd be able to see them by changing options in Window Explorer or using the /A switch with the 'dir' command.

    Tuesday, May 22, 2018 1:14 PM