Solved

Unknown file in WINDOWS\system32\Microsoft\Protect\S-1-5-18\

Posted on 2009-05-06
2
3,285 Views
Last Modified: 2013-11-08
Some new files appeared on one of our servers the other day and I am trying to identify what it is.  The file is C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\5fb8c11a-4409-4d41-b8b6-5d53311eebe1.  It is a hidden file and the contents are unreadable.  Does anyone know what goes in this protect folder?  Thanks.
0
Comment
Question by:delmarvamonkey
2 Comments
 
LVL 22

Expert Comment

by:Bartender_1
ID: 24316981
Hi  delmarvamonkey,
That would be the system restore files.

To turn off system restore:

o disable System Restore: Start=>Control Panel=>Performance & Maintenance=>System Applet=>

1. On the System Applet, Click the System Restore tab,
2. Check the Turn off System Restore box,
3. Click OK, then click Yes. This will initiate the restore point purging process.
4. To re-enable System Restore, clear the Turn-Off System Restore check box from the same location

Hope this helps!

:o)

Bartender_1
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24317190
From http://support.microsoft.com/kb/818171:
The folders ... are used by the Data Protection API (DPAPI) and can be used by applications and services.

"In a new install, these folders will typically contain only a single key, or they may not contain any keys. Keys are recreated every 90 days. They are also recreated if DPAPI cannot decrypt the preferred master keys. If you have more than one key in these folders, you are not running a new install of your operating system, or your operating system has had modifications that caused multiple keys to be created."

The SID referenced is the local system account.  These files can be from other processes in addition to system restore - e.g. .net framework. http://msdn.microsoft.com/en-us/library/bb968830(VS.85).aspx

In short - don't worry about it unless it shows up in a virus scan.  These are encrypted files and shouldn't be messed with.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Have you ever tried to find someone you know on Facebook and searched to find more than one result with the same picture? Perhaps someone you know has told you that they have a 'facebook stalker' or someone who is 'posing as them' online and ta…
HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now