What is this mystery file?

Jason

I have found several VERY large files in c:\windows

They all have the same name, strangely enough.

The filename is {ED56F1A-81BB-11E2-B17D-0002762AD0CA}

There are six instances of that name. The files total almost 9GB in size!

Any idea what this might be? I googled the name but found nothing.

TIA,
Jason
 
Paul

Let's try it another way.

For *each* file in question, give its exact size in bytes.
You can do "Properties" on the file and get that information.

Another technique you can use, is to generate the MD5sum and SHA1sum
checksums for each file. Do a Google search using those values,
and you'd be surprised what you can find.

The "fciv.exe" utility is an example of a tool that can generate
the checksums for you. The utility is a bit limited (not very
flexible), but with enough trouble, you can get this done.
You can get a copy here.

http://www.microsoft.com/en-us/download/details.aspx?id=11533

Example:

fciv.exe -both D:\{ED56F1A-81BB-11E2-B17D-0002762AD0CA} > myoutput.txt

That would place the two flavors of checksum of that particular file,
into the current working directory of the command prompt (cmd.exe)
window. Opening myoutput.txt, copy/paste to your favorite
search engine, you might discover which Windows (.NET) update
did it.

The site www.virustotal.com can perform malware
searches on submitted files. It has an option to search by checksum.
And searching against that site, can sometimes uncover an alias name
for the file. They have apparently added the checksums of
"famous" downloads to their sites, downloads which are larger than
the 20-30MB limit they have. I was able to match the checksum
of a CD sized download, against that site, and discover what
the file was.

*******

The format of your file name is similar to a "GUID". It could be
that the leading digit was a zero, and didn't appear in the name.

{ED56F1A-81BB-11E2-B17D-0002762AD0CA}

http://en.wikipedia.org/wiki/Guid

Those are randomly generated, and intended to come from such a
large potential space, that the same string won't be generated twice.
While you will find patterns in these (these can also be generated
from a subset and appear to have an order to them), for
the most part you should consider them random. Which is why
I really didn't expect to find this in a Google search.

As a consequence of the randomness of the name, I have to
resort to file size in bytes, and MD5 checksum, as alternative
"fingerprinting" techniques to feed to a search engine.

There's still no guarantee they'll show up though. It's
a long shot.

Paul
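
Added example (not part of Paul's post): the name itself can also be examined as data. Assuming, as the post suggests, that a leading zero was dropped from the first group, Python's standard `uuid` module reads the version field and, for a version 1 (time-based) GUID, the embedded creation time and node id. `normalize_guid` and `describe_guid` are names made up for this sketch.

```python
import uuid
from datetime import datetime, timedelta, timezone

# The name exactly as posted in the thread: the first group has 7 hex digits, not 8.
POSTED_NAME = "{ED56F1A-81BB-11E2-B17D-0002762AD0CA}"

# UUID timestamps count 100 ns ticks from the start of the Gregorian calendar.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def normalize_guid(name: str) -> uuid.UUID:
    """Strip braces and left-pad each group to the 8-4-4-4-12 layout (assumption)."""
    groups = name.strip("{}").split("-")
    widths = (8, 4, 4, 4, 12)
    if len(groups) != 5 or any(len(g) > w for g, w in zip(groups, widths)):
        raise ValueError(f"not GUID-shaped: {name!r}")
    return uuid.UUID("-".join(g.zfill(w) for g, w in zip(groups, widths)))


def describe_guid(name: str) -> dict:
    """Report what the GUID's own fields say about how it was generated."""
    u = normalize_guid(name)
    info = {"guid": str(u).upper(), "version": u.version, "variant": u.variant}
    if u.version == 1:
        # Version 1 = timestamp + clock sequence + 48-bit node id.
        created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info["created_utc"] = created.replace(microsecond=0).isoformat()
        node = f"{u.node:012X}"
        info["node"] = ":".join(node[i:i + 2] for i in range(0, 12, 2))
        # If the multicast bit of the first octet is set, the node is a random
        # stand-in (RFC 4122); otherwise it is normally a network adapter address.
        info["node_is_random"] = bool((u.node >> 40) & 0x01)
    return info


if __name__ == "__main__":
    for key, value in describe_guid(POSTED_NAME).items():
        print(f"{key:15} {value}")
```

Comparing `created_utc` with the files' own timestamps shows whether the name was minted at the time the files appeared.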
 
Jason

Stranger yet - all the files have today's date! They are apparently
not recognized malware according to three scanning programs. I'm
still scratching my head trying to understand how there can be
multiple instances of this name - are UUID-named files (I think
that's what these are) unique in some way?
 
Jason

Thanks Paul. That's good info, but I think I figured it out...
I believe that Acronis True Image created these. Earlier today, I
needed to recover a file from a backup and told Acronis to
mount the backup. It assigns new drive letters and makes the
backed up files available in the usual way in Explorer - you can find
files to restore in the mounted images and simply copy them. In today's
case, Acronis reported an error during the mount process (which
always takes a long time). I examined the files with a
hex editor and I'm quite sure that they were associated with
the mounting procedure that failed; there are some text strings
at the beginning of the files that led me to this conclusion...


Jason
 
Paul

Maybe that string is in the registry?
Check in regedit.
During the installation, Acronis might have decided to
make that its "random file name" of choice.

There are software APIs for creating random file
names, for non-collision purposes, in %temp%. I guess
that's too easy for your typical modern programmer.
Better to just litter the drives with the things.
Only a loser puts their files in %temp%...
Much better to scare the crap out of your customers,
by dropping strangely named files wherever you want.

Paul
 
Jason

LOL... (from a retired developer, albeit not on the MS platforms)
 
Monty

> Another technique you can use, is to generate the MD5sum and SHA1sum
> checksums for each file. Do a Google search using those values,
> and you'd be surprised what you can find.

That's neat. I never thought to do a Google search of a hash sum.

> The "fciv.exe" utility is an example of a tool that can generate
> the checksums for you. The utility is a bit limited (not very
> flexible), but with enough trouble, you can get this done.
> You can get a copy here.

The program that I like for checking checksums is "HashTab". This
adds a new tab called "File Hashes" to the Properties label of a file.
Choose from a total of 22 hash algorithms.
 
VanguardLH

Jason said:
> I have found several VERY large files in c:\windows They all have the
> same name, strangely enough. The filename is
> {ED56F1A-81BB-11E2-B17D-0002762AD0CA}
> There are six instances of that name. The files total almost 9GB in
> size! Any idea what this might be? I googled the name but found
> nothing.

You could use a hex editor (HxD is free) to look inside the files to see
if you can find some strings to identify the file. However, with a
large average size of 1.3 GB per file, you could be looking for a while.
An alternative is to use the 'strings' utility from SysInternals (now
Microsoft). 'strings' finds sequences of string characters in the file
and outputs them to stdout (the console). In a console (aka command
shell or command prompt), run something like:

<path>strings.exe {ED56F1A-81BB-11E2-B17D-0002762AD0CA} > log.txt & notepad.exe log.txt

<path> is wherever you stored the strings.exe program. The above
example uses the same filename that you gave so no extension is shown.
You run 'strings' against the file, it outputs the strings it finds to
stdout which gets redirected into the log.txt file. Then Notepad loads
the log.txt file and you can hunt around in there for recognizable
strings.

How old are these files? Since you said the filename is the same for
each one then they cannot all be in the same C:\Windows folder. So
where are they (in which folders)? Are these really files or folders?

If you go into the registry and search on that filename (minus the
braces), do you find anything?
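
Added example (not from any poster in this thread): the two identification steps suggested above, Paul's size-plus-checksum fingerprint and the header strings search described in this reply, as one Python script that also groups same-named files by content. The sample files and their marker text are constructed stand-ins, and the function names are made up for this sketch.

```python
import hashlib
import os
import re
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB files never sit in memory
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # 6 or more printable ASCII bytes


def fingerprint(path):
    """Exact size in bytes plus MD5 and SHA-1, the two digests `fciv -both` reports."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"size": os.path.getsize(path), "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def leading_strings(path, limit=10, header_bytes=64 * 1024):
    """Printable runs from the header only, instead of scanning the whole file."""
    with open(path, "rb") as fh:
        head = fh.read(header_bytes)
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(head)][:limit]


def group_by_content(paths):
    """Map (size, sha1) -> paths, so byte-identical copies fall into one group."""
    groups = {}
    for path in paths:
        fp = fingerprint(path)
        groups.setdefault((fp["size"], fp["sha1"]), []).append(path)
    return groups


def build_constructed_samples(root):
    """Constructed stand-ins: the same name in three folders, two with equal content."""
    name = "{ED56F1A-81BB-11E2-B17D-0002762AD0CA}"
    header = b"\x00\x01EXAMPLE-BACKUP-TOOL mount cache\x00"  # made-up marker text
    payloads = [header + b"\xff" * 4096, header + b"\xff" * 4096,
                b"\x7f\x02other header text\x00" + b"\xaa" * 100]
    paths = []
    for i, data in enumerate(payloads):
        os.makedirs(os.path.join(root, f"dir{i}"))
        paths.append(os.path.join(root, f"dir{i}", name))
        with open(paths[-1], "wb") as fh:
            fh.write(data)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for (size, sha1), members in group_by_content(build_constructed_samples(root)).items():
            print(size, sha1, len(members), "file(s):", leading_strings(members[0]))
```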
 
VanguardLH

Jason said:
> Thanks Paul. That's good info, but I think I figured it out...
> I believe that Acronis True Image created these. Earlier today, I
> needed to recover a file from a backup and told Acronis to
> mount the backup. It assigns new drive letters and makes the
> backed up files available in the usual way in Explorer - you can find
> files to restore in the mounted images and simply copy them. In today's
> case, Acronis reported an error during the mount process (which
> always takes a long time). I examined the files with a
> hex editor and I'm quite sure that they were associated with
> the mounting procedure that failed; there are some text strings
> at the beginning of the files that led me to this conclusion...

I've used Acronis in the past. It was a bitch to define your own
scheduled event (so you could stop and disable their scheduler and use
the already available Task Scheduler in Windows). As I recall, yeah,
the job name was some mashup of random looking characters. You had to
call their job loader program and specify that oddball filename for the
job description file. I don't recall that was the name of the output
file unless you are using True Image's expiration and auto-cleanup
scheme (it has to name the output files).

I do NOT recall that any of the job description files or the output
(backup) files were dumped into the C:\Windows folder. Obviously you
cannot have multiple files by the same name in the same folder so they
weren't all in C:\Windows. You need to check your backup jobs defined
in True Image and make sure of what is the destination for the output
files.

Acronis has their own forums and they can better help you. That is, for
example, where I got help on how I could use Task Scheduler and not
waste the memory on running Acronis' scheduler service and why I
remember the oddball output file name for the backup job definition (but
I thought your backup job still specified the output file).

Didn't see this reply of yours until already submitting my other one.
You might find it easier to find strings inside a binary file by using
Sysinternals' 'strings' utility (see my other reply).
 
Wolf K

> I have found several VERY large files in c:\windows
>
> They all have the same name, strangely enough.
>
> The filename is {ED56F1A-81BB-11E2-B17D-0002762AD0CA}
>
> There are six instances of that name. The files total almost 9GB in size!
>
> Any idea what this might be? I googled the name but found nothing.
>
> TIA,
> Jason

They are related to programs and/or devices that have been updated or
uninstalled. Some or all are outdated. Unfortunately, Windows does not
automagically clean the registry during/after updates or uninstalls, so
over time a mess of junk accumulates. Some of this junk can cause
problems, so it should be removed.

Some people will tell you that you don't need to clean the registry, but
that's not true. I use CCleaner, which is cautious, and leaves some junk
behind. However, sometimes more drastic measures are necessary. Eg,
yesterday, I used regedit to eliminate references to three junked
printers: Update kept offering updated drivers for them. One of these
dated back to XP: updating to W7 and then W8 simply brought the registry
forward.

I also deleted all references to Babylon toolbar, which is a nasty piece
of work as it reinserts itself when you've removed it via the browser's
Add Ons manager.
 
Zaidy036

> Acronis has their own forums and they can better help you. That is, for
> example, where I got help on how I could use Task Scheduler and not
> waste the memory on running Acronis' scheduler service and why I
> remember the oddball output file name for the backup job definition (but
> I thought your backup job still specified the output file).
>
> Didn't see this reply of yours until already submitting my other one.
> You might find it easier to find strings inside a binary file by using
> Sysinternals' 'strings' utility (see my other reply).

look at chain2gen in ATI forums

all current ATI images are in Set0 with other saved ones in others:
set1, set2, etc.
 
