CAB_NNNN_N files in folder Windows\Temp

  • Question

  • Since early February, a series of files with a fixed size has been regularly generated in the folder C:\Windows\Temp on one of our domain controllers running Windows Server 2008 R2 Standard. For example:

    cab_4752_2 with size 89339 KB every 1 hour or less.

    I have not found anything on the Internet about what creates these files (processes, services, scheduled tasks, or an infection). The other domain controller does not have this problem.

    Would appreciate any help. Thank you very much.

    Soporte Sistemas

    Monday, April 23, 2012 11:16 AM

Answers

  • Hello,


    Download Process Monitor v3.01
    http://technet.microsoft.com/en-us/sysinternals/bb896645


    Keep it running to monitor all the active processes. When that mystery file is created again, use the FILTER function to find out which process created this file.


    1. Click the Filter button.
    2. Remove all the default filters.
    3. Apply two new filters

    1) Operation is create file
    2) Path contains C:\Windows\Temp

    4. As a result, it shows me that MsMpEng.exe which is a Microsoft Antivirus process created two files in temp folder. Also, taskhost.exe which is a trusted Windows process created some files in temp folder.


    See the pic attached below. Hope it helps.

    Thanks
    Zhang


    Wednesday, April 25, 2012 3:13 AM
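
The filter steps in the answer above can also be applied offline to a saved Process Monitor capture. The following is an added example, not part of the original thread: it reads a CSV export and counts, per process, only the CreateFile events that actually created a file (CreateFile is also logged for plain opens). The function name, the sample rows and `exampleagent.exe` are constructed for illustration.

```powershell
# Constructed sample of a Process Monitor CSV export (default columns).
# exampleagent.exe is a hypothetical process name, not a finding from the thread.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.1","MsMpEng.exe","1204","CreateFile","C:\Windows\Temp\scan1.tmp","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:00:02.4","taskhost.exe","2310","CreateFile","C:\Windows\Temp","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open, OpenResult: Opened"
"10:00:05.9","exampleagent.exe","3388","CreateFile","C:\Windows\Temp\cab_4752_2","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:00:06.0","exampleagent.exe","3388","WriteFile","C:\Windows\Temp\cab_4752_2","SUCCESS","Offset: 0, Length: 65,536"
"10:00:09.3","taskhost.exe","2310","CreateFile","C:\Windows\Temp\cab_4752_2","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
'@

# Hypothetical helper: which processes created new files under $Folder?
function Get-FileCreators {
    param(
        [Parameter(Mandatory = $true)] $Rows,
        [string] $Folder = 'C:\Windows\Temp'
    )
    $Rows |
        Where-Object {
            $_.Operation -eq 'CreateFile' -and
            $_.Result -eq 'SUCCESS' -and
            $_.Path -like "$Folder\*" -and
            # "OpenResult: Opened" means an existing file or folder was opened; skip it.
            $_.Detail -match 'OpenResult: Created'
        } |
        Group-Object -Property 'Process Name' |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            New-Object PSObject -Property @{
                Process = $_.Name
                PIDs    = ($_.Group | ForEach-Object { $_.PID } | Sort-Object -Unique) -join ','
                Created = $_.Count
                Files   = ($_.Group | ForEach-Object { Split-Path $_.Path -Leaf }) -join ', '
            }
        }
}

# Run against the constructed sample; for a real capture use Import-Csv on the saved file.
$rows = ($sampleCsv -split "`r?`n") | ConvertFrom-Csv
Get-FileCreators -Rows $rows | Format-Table Process, PIDs, Created, Files -AutoSize
```

With the constructed rows, only MsMpEng.exe and exampleagent.exe are listed; the two taskhost.exe rows are opens of existing objects and are filtered out.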

All replies

  • Stop all the 3 party services and check. Alternatively, you may also do a clean boot and try this.

    http://www.arabitpro.com

    Monday, April 23, 2012 12:59 PM
  • I have seen such files getting created by antivirus software scan etc.

    Do you run any antivirus on the DC? Try disabling that and see if the files are still getting created.

    HTH


     Sachin Gadhave (MCP, MCTS)


    Monday, April 23, 2012 2:19 PM
  • Hello,


    In Security Tab – Advanced – Owner Tab, check the Owner of the file. The owner of the file should show you the account who created this file. Does it give any clues?


    Another thing I can think of is using Auditing. This setting is located in GPO under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing for "Audit object access."
     
    Right-click on the C:\Windows\TEMP folder, Properties – Security - Advanced. From the Auditing tab, click Add, then enter the Accounts whom you wish to audit and what actions you wish to audit - you can just audit for "Create Files or Write Data" operations.  When the new file is created again, go to Event log for more information.


    Like Syed suggested, use Clean Boot to check if it’s created by 3-party software (i.e. Antivirus software).

    How to troubleshoot a problem by performing a clean boot in Windows Vista or in Windows 7
    http://support.microsoft.com/kb/929135


    By the way, what’s the extension of the file? Is that a .CAB file?  If it’s a log file, you can use notepad.exe to open it and have a look.


    Thanks
    Zhang


    Tuesday, April 24, 2012 7:10 AM
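
The auditing approach described in the reply above can be scripted. The following is an added example, not part of the original thread: it enables success auditing with `auditpol` for the File System subcategory (a narrower substitute for the GPO "Audit object access" setting), adds an audit entry for file creation on the folder, and then reads event 4663 from the Security log to show which process wrote the matching files. The function names and the `cab_*` default pattern are assumptions; run it elevated in Windows PowerShell.

```powershell
# Hypothetical helper: turn on auditing of file creation in the folder.
function Enable-TempFolderAudit {
    param([string] $Folder = 'C:\Windows\Temp')

    # File System subcategory of Object Access, addressed by GUID so the
    # command does not depend on the display language of the server.
    auditpol /set /subcategory:"{0CCE921D-69AE-11D9-BED3-505054503030}" /success:enable | Out-Null

    # Read and write only the audit section (SACL); owner and DACL stay untouched.
    $item     = Get-Item -LiteralPath $Folder
    $acl      = $item.GetAccessControl('Audit')
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rule     = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
                    $everyone, 'CreateFiles', 'ContainerInherit,ObjectInherit', 'None', 'Success'
    $acl.AddAuditRule($rule)
    $item.SetAccessControl($acl)
}

# Hypothetical helper: list audited accesses to files matching the name pattern.
function Get-TempFileCreationEvents {
    param(
        [string] $Folder      = 'C:\Windows\Temp',
        [string] $NamePattern = 'cab_*'
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData name/value pairs of the event into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectName'] -like "$Folder\$NamePattern") {
                New-Object PSObject -Property @{
                    Time    = $_.TimeCreated
                    Process = $data['ProcessName']
                    PID     = [Convert]::ToInt64($data['ProcessId'], 16)  # logged as hex
                    Account = $data['SubjectUserName']
                    File    = $data['ObjectName']
                }
            }
        }
}

# Usage (after the next file has appeared):
#   Enable-TempFolderAudit
#   Get-TempFileCreationEvents | Sort-Object Time | Format-Table Time, Process, PID, Account, File -AutoSize
```

Because the files in this thread are owned by System, the Account column alone will not identify the source; the Process column is the field to look at.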
  • Hi all.

    The owner of the files is System. I disabled the antivirus, which does not cause problems on another domain controller, and they still occur.

    At server startup, only ATI programs, Adobe, Acronis and ESET run, as on many of my servers.

    The files have no extension and are not readable with notepad. The associated icon is a blank sheet with a lock, and the file type is shown as "File".

    One question, what are the 3 party services?

    Thank you very much for your quick replies. Can you think of something else?

    Soporte Sistemas

    Tuesday, April 24, 2012 2:45 PM
  • One question, what are the 3 party services?

    I believe that was '3rd party services' - services run by non-Microsoft applications :)

    Thank you very much for your quick replies. Can you think of something else?

    Are any tasks scheduled to run on an hourly basis on the problematic server?

    By any chance, have the Admin shares been disabled or deleted on this server?

    Non-MS server monitoring agents or client management agents may sometimes cause this issue.


    A UNIVERSE without WINDOWS is CHAOS !

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.


    Tuesday, April 24, 2012 2:57 PM
  • You can also apply the filter "Operation is ReadFile" to check who is reading from the file.

    Wednesday, April 25, 2012 3:14 AM
  • Great post Cheers Zhang !!

    http://www.arabitpro.com

    Wednesday, April 25, 2012 5:58 AM
  • Hello again.

    Just as it appeared, the problem has disappeared.

    I understand that the problem has been corrected because of the monthly Windows updates policy, since it is the only action that has been done in the past week.

    Thank you all for your able assistance. Greetings from Alicante (Spain).

    Soporte Sistemas

    Wednesday, May 2, 2012 3:27 PM