The Case of the Phantom Desktop Files


A few weeks ago, my wife mentioned that she sometimes saw files in her desktop folder that didn’t appear on the actual desktop. She brought it up not only because she was confused by the discrepancy, but because she wanted to move some of these phantom files to other folders and wanted to delete others. I had no idea what she was talking about (which was usually the case when she described her computer troubles), so I told her that the next time she saw these mysterious files, to call me to look at it.

A few days later I got home from work and she greeted me excitedly at the door and explained that the problem reoccurred and that she had left a window open showing the elusive files. I rushed to the kitchen computer with anticipation, not even bothering to greet the dogs on the way, and surveyed the situation. She had a maximized IE window open with a full row of tabs for her open emails (I don’t think she ever closes an email window). An IE “Choose a File” dialog box was in the foreground listing the files in her desktop folder, which she had opened by clicking the attachment button in the email editor. The dialog looked like this:

image

I minimized IE to view the desktop background and sure enough, several of the files visible in the dialog, such as the “Maui Feb. 08” folder and the CIMG13xx JPG files, were missing. I opened an Explorer window and navigated to her desktop folder to see if the files would show up there, but they were missing there as well:

image

I’d never seen that behavior before. I knew this was a job for Process Monitor. Since my wife doesn’t keep the Sysinternals tools on her system (sad, but true), I ran it directly from the network using the Sysinternals Live address, \\live.sysinternals.com\tools\procmon.exe. With Process Monitor recording activity, I closed and reopened the Choose File dialog from the email editor and then I search for “CIMG”, a portion of the file name for many of the files present in the Choose File dialog, but not in the Explorer view of the desktop. The first hit was a directory enumeration operation with the file names showing as results in the Details column on the far right:

image

The files were located in her profile under \Appdata\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Daryl\Desktop. This Virtualized is directory created by IE7 when run in Protected Mode (PMIE), which is the default mode on Windows Vista and Windows Server 2008.

PMIE uses Integrity Levels, introduced in Vista and Server 2008, to limit the file system and registry locations to which code running in IE can modify to a subset of those writeable by the user account in which IE executes. As I described in an earlier blog post, the sandbox defined by locations labeled with Low Integrity, the level at which PMIE executes and of the objects that PMIE can modify, allow PMIE to save favorites and temporary files, like the IE cache and browsing history. However, PMIE cannot modify other locations in a user’s account, like documents folders and per-user autostart locations in the registry and file system, because they have an integrity level of Medium. That prevents drive-by-download malware that might infect the IE process from establishing a persistent presence.

In order to preserve backward compatibility with legacy code, such as ActiveX controls and Browser Helper Objects, that might be coded to write to locations outside of the sandbox, PMIE implements shims that intercepts file and registry operations and redirects ones that got outside the sandbox to the Virtualized directory within it.

To see if that was what was happening here, I examined the stack trace of the virtualized operation highlighted above by right-clicking on the line and choosing Stack. The stack showed that Acredir.dll was intercepting the operation and executing redirection functions:

image

Double-clicking on the line in the stack trace opens the module properties dialog, which shows that the DLL is the “Windows Compatibility DLL”, thus confirming this was part of PMIE’s sandbox implementation:

image

I had been familiar with PMIE’s virtualization, but I’d never seen files virtualized on the desktop, so it had not been obvious to me that was what was causing the discrepancy. Process Monitor revealed the cause, so now all I was left with was cleaning up the virtualized files. Most users don’t realize that you can move and delete files from within a file browse dialog, so I took the opportunity to show my wife how she can manage virtualized files from the email editor’s attachment dialog if she came across them again. We deleted the files she didn’t want and moved the pictures out to her photo library folders.

The case was closed. As a bonus, my wife was impressed at the ease with which I’d figured out the source of the phantom files and even more impressed that I wrote the tool I used to solve it. She’d also gotten an in depth look at PMIE’s virtualization and integrity levels, but I think in the end my lecturing on those subjects actually subtracted points.

Incidentally, you’ll almost certainly see files and directories if you look at the PMIE Virtualized folder in your profile, because even routine operations within IE result in redirection. Here you can see thumbnail cache files that the shell’s file browsing dialog creates when you use it from within IE. Normally, the shell stores thumbnail cache files in your profile, but PMIE can’t write to that location so the shim virtualizes it: 

image


Comments (75)

  1. Dave says:

    > As a bonus, my wife was impressed at the ease with which I’d figured out the source of the phantom files and even more impressed that I wrote the tool I used to solve it.

    Yeah, but what about the dogs?

  2. Phileosophos says:

    So here’s the obvious, unasked question: why is Microsoft spewing temporary files all over the desktop in the first place? If you have to create a virtualized directory to maintain backward compatibility with unsecure ActiveX controls, then why isn’t that directory somewhere that won’t bother the user? Something comfortable under the "temp" directory comes most immediately to mind. I can’t fathom the sort of thinking that would allow said files to be created in a location where the user has a right to expect things to be consistent.

  3. Tom says:

    Phileosophos has clearly misunderstood the situation.  The files do not show up in the Desktop because they are NOT located in the desktop.  They’re located in the virtualized directory, somewhere hidden so that the user won’t be bothered by them.

    Only to IE do the files appear to be in the Desktop.  This is the whole point of having the backwards compatibility shim in the first place.  The files must appear to the ActiveX control as though they were in the Desktop, so that the control will be able to find the file.

    The general problem with almost-but-not-quite-seamless compatibility shims in Windows is that some vendors end up relying on them for years.  I vote with my money by avoiding these types of programs (Quicken being the classic example), but most users don’t know and don’t care.  Sometimes even Microsoft programs fall into this category.

    Frankly, I think the only way to deal with this is to have a place to see every shim applied for every program on your system.  But then, Microsoft has always treated partners and OEMs with kid gloves (especially after the antitrust suit).  And so the ecosystem continues to be a quality jungle …

  4. DanF says:

    Actually my Mom had this same issue (though I hadn’t been able to sort it out). If I recall from my mom’s case it wasn’t that it spewed files all over the desktop, the desktop itself was clean. But what happened is (almost same scenario as Mark’s wife). When she went to email a photo she could "see the photo on her desktop" in the file browser window even though it wasn’t there on the "real" desktop. So she’d click it and try to send it and it wouldn’t work, the email would send without the attachment.

    I finally re-saved the picture to her My Documents/My pictures and everything worked fine. But it’s nice to know what the real root cause was. Interesting as usual Mark.

  5. Niels says:

    Interesting reading as always.

    I’m thinking the "phantom" files might have come from some webmail attachment downloads or similar, but just guessing. Maybe an ActiveX helper control for doing just that.

    I think you forgot to add in a link: "As I described in an earlier blog post [link]"

  6. John says:

    Presumably it is a 3rd party ActiveX control spewing files on the desktop and not Microsoft (hopefully).  This solution won’t normally bother the user as the files only show up in the Choose File dialog.  My guess is that Low Integrety processes (or perhaps just Internet Explorer) get a merged view of the real location (C:UsersMeDesktop) and the virtualized location (C:UsersMeAppDataLocalMicrosoftWindowsTemporary Internet FilesVirtualizedCUsersMeDesktop).  But what happens if you are running IE in protected mode and save a file to your desktop?  I don’t run Vista, so I honestly don’t know the answer to this question.

  7. Gwyn says:

    They weren’t temporary files. From the names it looks like they were saved files, his wife had tried to save them to the desktop from within IE and they had been redirected to the virtualised desktop since IE was running with lower integrity.

    Secondly, it wasn’t spewing them all over the desktop, it had obviously redirected writes to the desktop to the virtualised directory.

  8. Michael Dragone says:

    "I had no idea what she was talking about (which was usually the case when she described her computer troubles)…"

    "…I think in the end my lecturing on those subjects actually subtracted points."

    Join the club, Mark. We have a secret handshake and discounts with local retailers.

    Awesome post as always.

  9. Liam says:

    Ahh! Well there you go. I have this exact behaviour on my work lap-top when looking at the directory structure through SharePoint’s multiple-file-upload interface. I’ve never really been bothered trying to fix it (as I’m usually in the middle of something when I notice it).

  10. Ollie says:

    This is the reason why I don’t like Vista. It tries to be easy, but finally has so much complexity, that it’s mostly annoying. I really don’t like the "I-see-a-file-but-it-is-not-where-it-is-supposed-to-be"-virtualization-thing. Conclusion: I am going to switch to Mac soon.

  11. Craig says:

    "my wife was impressed at the ease with which I’d figured out the source of the phantom files and even more impressed that I wrote the tool I used to solve it."

    ….Does your wife not realise just how much of a big deal you are?  Or what you actually do?  We all love your tools and your posts are always enlightening, highlighting just how little *some* of us actually know!

    Awesome as always and I can’t wait for Amazon to deliver your latest book to me!

  12. Tom says:

    Actually, the case isn’t closed, I don’t think users have to see this issue show up… Will this be fixed in the future?

  13. sean says:

    Don’t use IE.  Problem solved.  That "Virtualized" directory does not exist on my Vista machine (on which I use Firefox).

  14. joho0 says:

    "She’d also gotten an in depth look at PMIE’s virtualization and integrity levels, but I think in the end my lecturing on those subjects actually subtracted points."

    If it makes you feel any better, you can come to our office and lecture on any topic to your heart’s content.

    Great piece…and for the very first time, I knew what the problem was before reading your analysis. Actually, I attended your TechNet lecture on UAC and integrity levels which touched on PMIE. Is that cheating?

  15. David Moisan says:

    I’ve had the opposite problem that’s extremely frustrating.  I used a third-party PDF printer.  It would put PDFs in a virtualized folder for My Documents.

    Imagine the fun when you go to your "real" documents folder and then NOT find the pdfs you printed!  

    I switched to another pdf driver that doesn’t do that.

  16. sinsi says:

    I’ve had problems with .exe’s from a .rar unzipped (unrar’d?) to the desktop – problems deleting them. Is this related? I’ve also unzipped a .exe by dragndrop from winrar to the desktop and not seen it, but it showed up in explorer. Maybe winrar and win7 don’t get along.

    So what did the dogs think?

  17. Linda W. says:

    Interesting way to solve the multi-integrity level & backwards compat…gawd…the things MS goes through to preserve backwards compat for some apps…it’s torturous.

    Have seen various solutions, for directories in "well-known" locations (desktop on win, /tmp on unix)…

    SGI IRIX did something similar on the multi-level OS back in the 90’s with /tmp.  Every app expected to use it as a scratch space, but users were separated by virtual walls — so to user progs, they all saw /tmp, but the os multiplexed them to /tmp/<privilege-level+label>.

    Linux is just now adding something similar — the ability to virtually merge multiple directories — so read-contents appear like one big dir, but private files and writes go to another private dir…but user will always see the public dir+their own private dir….

    Not sure of the details, as I saw the summary notes on the last kernel release.  

    Interesting how security issues from the 80’s in the DOD are just now getting to the consumer market 20-30 years later…

  18. muie says:

    Phileosophos + 1

    Had I been a Vista user I would find this behavior counter-intuitive, regardless how much sense the implementation makes.

    Good thing I did not upgrade to Vista. Will wait for Windows 7, hopefully this problem (it is a bug, not a feature) will be fixed by then.

  19. Ian Boyd says:

    i thought one of the implemented features of virtualized folders was that Windows will present a unified view of the files when i browse to the "real" folder.  

    So if i save an image on my desktop: it will be saved on my desktop.

    Is this not the case? Are files downloaded using IE lost to the user? Is that the intended behaviour?

    i can barely explain the idea of folders to friends and family – let alone a folder that eats your files.

  20. Jeff says:

    Sounds like a terrible overlook of usability imo, until which files get "virtualized" is clearly defined.

    Are normally downloaded files stuck into the virtualized storage area? Or only files which are related to 3rd party ActiveX controls?

  21. hasan adil says:

    If a website launches a Java applet in IE7 PMIE mode on Vista then does IE further sandbox the applet i.e. on top of the security framework which the java runtime implements.

    Thanks

  22. Richard says:

    Nice article, as always. There seem to be a number of methods of associating folders into a single view now.

    quote: I think in the end my lecturing on those subjects actually subtracted points. /quote

    I completely relate. I lose those same points nearly every day. :)

  23. Luke Skywalker says:

    Is this only on Windows Vista without SP1..i have X64 SP 1 installed…and i can save things to e.g. the desktop because of the ieuser.exe thats running at medium IL and is the RPC Server for the IL Low iexplore.exe to serve for things like copy things to the PC…etc….P.S. PMIE is enabled……

  24. SmashManiac says:

    What I don’t get is how these files got into the virtualized drive in the 1st place.

    Also, is there any way to clean virtualized drives?

  25. geowrian says:

    While a very intelligent (and actually secure) way to do things, it’s counter-intuitive. I understand why MS would choose this, but like Vista’s UAC, the implementation is horrible. Like Mark’s wife, it seems that the files are missing. Mark, many of the users on this blog, and myself could probably figure it out or at least find the "missing" files, but typical users probably wouldn’t. They would just assume Vista lost their files or it’s a bug or it’s their computer. They wouldn’t say "oh, this is good"…they don’t even know it’s a security mechanism.

    Well designed, Microsoft, but horribly implemented.

  26. Kamlesh Chandra says:

    hi Mark,

    became a fan of your approach and mindset, through your blog. The dedication and love I see in you, is something I would like to have too.

    primary reason for writing; is to let you know that the titles you choose are simply awesome, generates interest, old English style, and tells it wont be tough reading it. :)

    All best! :)

    Kamlesh Chandra

  27. adams says:

    Hello.

    This post reminds me a problem we have with few of our pcs (out of about few hundreds). Windows XP Pro, computers joined to a domain and some of them have troubles with refreshing the desktop (users have to right-click and choose refresh button). We investigated this issue for few months, checked most of our IT infrastructure, reinstalled, rejoined to a domain and found nothing… maybe you guys have any ideas?

    Best regards.

  28. mgrimm says:

    Microsoft should have devised a new icon treatment or type-prefix to flag these to the user, along with mouse-over help.  Why another layer of obscurity?  To Microsoft’s customers this is nothing more than a bug.

  29. PMC says:

    Implementation of virtual folders is a problem!

    I almost think that this is the Microsoft’s lawyer-ly approach to technology:

    1. Put in a very secure way to do things you want to do — like save a file from a Web site.

    2. Implement same in the quickest style possible — even highly experienced technical users have to use tools to find out what is happening.

    3. Since implementation is inconvenient for users, tell them: you can turn off protected mode (or UAC or …) as a "solution."

    4. If they later complain that they were hacked, tell them that THEY chose to turn off the secure way to do things.

    So, is there a way to mark "approved" controls as safe permanently, so they can function intuitively?

    PMC

  30. P Schmied says:

    I’m wondering if the reason that the user can see these files is that like in Windows XP/2003, the Explorer view was changed to show all hidden files and folders and System files.

    Most admins that I know turn this non-default view on for ease of administration and troubleshooting, but it can cause all kinds of issues when a non-tech users can see and manipulate these files, JUST LIKE MAKING ALL USERS MACHINE ADMINS CAN.

  31. PMC says:

    @P. Schmied

    No, not the problem — there is an actual folder that IE Protected Mode makes with the files in it visible to users on-purpose. It has the a similar path from a C FOLDER that the actual path from the C DRIVE.

    Nasty. Disturbing. Annoying.

  32. D. says:

    i agree – the user should never be aware of this.

    and nobodys wife should ever be forced to use process monitor 😉

  33. Anonymous says:

    This isn’t an IE bug or a Windows bug.  This is a security breach in an add-on to IE, which IE & Vista are handling fairly gracefully.  Windows 7 won’t solve it, because it’s not Microsoft’s error.  On IE and Windows end, it is a feature, it is not a bug.

    The ActiveX control or BHO that saved these to the desktop need to be fixed.  If they want write permissions to the desktop, then they should install a user-rights broker.

  34. Joseph Behling says:

    I good an great and you saved the day. Buthow do you keep all these files purged?  since moving to vista unless I write an elaboatre script I can’t use robocopy to basic backups of the user directory because of the virtualization directory.  Robocopy gets stuck on this with a never ending diectory structure.  Any better ideas.

  35. G. Morris says:

    I can’t stand that endless recursion of dirs, it really plays havoc when searching for something through a command window, as the name gets too long for Windows to process. As for the strange desktop behavior, I noticed early on that sometimes files that WERE on the desktop are mysteriously gone next time I log on. I’ve also had other weird things happen in Vista, like my desktop is arranged way differently than I left it. I put it back, and then sometimes it does the same thing. Sometimes not.. My wife has noticed the same occurences a few times as well. That’s Microsoft for you!

  36. Paul says:

    "This isn’t an IE bug or a Windows bug."

    Of course this is a windows bug! No one knows what the hell happens and where are the files!

    They should either block low integrity operations altogether informing users why they do it or they should add mechanism to inform users where are the files.

    MS solution is completely unacceptable yet at the same time typical, it showcases their usual contempt for end users.

    If they really had to have virtualization each time a file is virtualized a dummy file should be created in the actual folder, this dummy file should upon mouse over or opening inform users in non technical terms what happened to their files and how to get desired behavior.

    Is this all so hard to understand or are people just too accustomed to the way MS treats users to even notice the absurdity of their approach?

  37. Rik Mayell says:

    I appreciate that the legacy ActiveX controls and helper applications need somewhere to store their data but couldn’t a less obvious, and visible location have been chosen?

    Obviously, for the time being low integrity files will continue to be written here. To head off end user confusion a nice, simple, method or retrieving attachments, etc, needs to be implemented, at least as a stop gap!?

    I haven’t tested it, but I assume the same happens under Windows 7?

    As to losing points with your dear wife, look out for the moment at which her eyes start to glaze over, works a treat for me.

    Finally, great article, as ever.

  38. Luigi D. Sandon says:

    Now that Mr. Russinovich works at Redmond at least it can inform the guys who designed such a mechanism how they are just baffling users.

    That’s a perfect example of a bad techie solution that doesn’t work in the real world.

    I too agree that MS should stop to put too much emphasis on "compatibility". Windows should be compatible with well written applications, and should begin to stop those written without following the rules.

  39. awgie says:

    Mark, great article.  And great utilities – I have been using them for some time now.  

    I find it remarkable the number of comments that evidence users who are now, and are content to remain, ignorant of how Windows works.  If every application, add-in, or activex object out there were 100% Windows-compatible, there would be no problem, and no need for PMIE.  But the fact remains that many programs are written on non-Windows systems, and many more are written by malicious programmers, so there is a problem, and that is why the virtualized folders exist.

    Why don’t you all complain about truly annoying things like your wife’s cooking, or the neighbour’s dog crapping on your front porch?  Be glad you even have computers.  With all your whining, you’d never have survived 30 years ago when personal computers were in their infancy.

    And finally…

    To Ollie and anyone else foolish enough to think by switching to Mac, or any other operating system for that matter, that you will magically become immune to malicious software, think again.  

    And to Luigi, Windows IS compatible with well written applications, that are written to be Windows compatible.  It is the applications that are NOT well written, or are malicious, that created the need for Windows to impliment this security step.  And what "rules" are you referring to?  If there were a single set of rules that every application developer HAD to follow, then there would be no more viruses, and every application created would be compatible with every other application, and they could all be run seamlessly on every operating system in existence.  

  40. Chuck says:

    Well, someone once said that someday computers would be as easy to use as a telephone. I think that day has finally arrived. Whenever I am forced to use a phone that isn’t my own cell, I usually don’t have the slightest idea how to use it.

  41. Z says:

    Related question: I am concerned that the concept of "libraries" in WIndows 7 is going to create similar confusion perhaps. Have you looked to see what is happening there?

    People are used to files and folders (even novices to computers) and this may make the "location" of a picture or document become even more difficult to understand.

  42. random_n says:

    The Libraries feature of Windows 7 is there largely to facilitate sharing of individual files – the files can be shuffled between the personal and public documents folders without ever changing spots in the Library with a simple UI in the shell.

    It’s a logical feature with a pretty smooth implementation. The actual file locations are fairly easy to find as well, and don’t have tons of junction points to throw off tree-walking utilities.

    As for the virtualized folder issue, these files *should* be flushed when IE closes every single time, and the PMIE broker should pop up a warning whenever a virtualized file is created (with exceptions for the shell-generated junk like the thumbnail cache) with some straightforward actions the user can take. With some stern warnings for executable content (or even just ignoring it until the purge at quitting time), it shouldn’t pose much of a security risk. Maybe for Windows 7 SP1, eh?

  43. Adam says:

    Is there a way to stop the desktop.ini file from showing up everywhere?

  44. liz says:

    I have the same problem about desktop.ini file as well, it invades all my folders and desktop and most of files with "MY" words on it became inaccessible…  So anyone for u can tell us this? And also why "Error 08×80070052 keeps popping up every time i want to copy a file to USB’s? which it never happened before untildesktop.ini invades my files

  45. Alex says:

    Interesting. It looks like it’s bug in a "Open Dialog" window. If you do drag&drop into this window, it asks for the UAC confirmation. But if you copy a file with ctrl+c/ctrl+v – it will be just dropped there and appears then in a "virtualized" folder.

  46. Alex says:

    I would say even more. The behaviour of the "open file" dialog in case of PMIE is REALLY strange. If you try to remove a virtualized file, the conf. dialog appears under the "open file" dialog. To access it, you have to move the "open file" a bit.

    All tests have been done on WinVista x64 SP1 with all latests updates from Windows Update

  47. Grof Luigi says:

    All this comes from overcomplication.

    Virtualizaition (or is it redirection?) of virtual folders like Desktop, My documents… Where is it going to end?

    @Liz: you might have a virus

    GL

  48. egads says:

    Any reason you didn’t just r-click and Open File Location to see it was in the virtualized folder?

  49. Kevin John Panzke says:

    I am having a problem with Phantom Download Files In Both Windows 7 Build 7000 And WS2008R2 Build 7000, Any Suggestions?

  50. Kevin John Panzke says:

    I am unable 2 either run, move. or delete the files in the windows 7 Build 7000 and WS2008R2 Build 7000 Downloads Folders.

  51. wtp says:

    I am very [saddened/confused/more committed than ever to ‘fox and XP/ all of the above]

         SOMEWHERE along the line, maybe a decade ago or more, somebody lost the concept of a system/use-appropriate OS.

          WHY does the "kitchen computer" (I’d suppose an e-mail/ web browsing/ memo display machine, in my home, something I’d build from scraps of "outdated" my-main-desktop systems,) in need of virtualization or similar resource-hungry capability at all?

         Heck, if support weren’t such a hassle, (finding printer drivers, etc) and someone in the family(1) wanted a "kitchen system" I’d be tempted to scare up a new drive for the truly ancient laptop I gave Spoiled Niece, when, at age 10, she asked if I could give her (ok, demanded) a computer to play with – she kept the old Win95-running Thinkpad until its original IBM 32MB HD finally died, and I haven’t been able to find a replacement.

         WHY should we even consider this insanity, or worse, a Citrix-equivalent running on Big Redmond’s file-keeping network? (my old pal from 1984, Winston Smith, keeps asking me about THAT, er, ‘stuff’)

          I think Step 1 would have been to strip it back to Win 98 2nd or 2K, and loaded it with programs one would even consider using in the kitchen (and installed half the stuff in that box someplace where it’s appropriate).

         -written on my bedside T41 w/half a gig

    (1)In my extended family, RTFM means Ring the Family Maven, my job since Mom got a Sanyo 550 8080.

  52. KEVIN JOHN PANZKE says:

    Nevermind, I found the problem with my Windows 7 Installation, the read only option was turned on 4 the Downloads Folder got turned on after my Upgrade Install from Vista 2 Windows 7 Beta 1.

  53. V. Gokal says:

    Hi. How about making a black pen and a white pen for ZOOMIT.

    Then if I draw a line in blue (on black screen) the black pen can write over portions of the blue line, hence portions of the blue line can be "erased".

    Or just make an eraser?

    Thanks for a brilliant programe. I use it in my lectures all the time.

  54. macejv says:

    Losing files from the desktop it is a very serious and annoying problem or issue. I have fixed this thing by using jv16 PowerTools 2009, an application made to optimize Microsoft Windows without losing any key information from your computer (a registry cleaner that has also the option of back-up-ing all the files and settings). I recommend this product to all of you, and i really hope that you will try it and it will show results.  

  55. Peter says:

    We had also recently such weird Phantom file thing in Vista.

    In a [vendor][application] directory in Program Files one file (of many) was missing. However the application operated correctly using the "missing" file. Windows Explorer was not able to list the "missing" file in the directory, nor a command prompt with a dir command. In the command prompt starting notepad with the filename couldn’t open the file. However a third party text editor was able to open the "missing" file from the command line.

  56. Hairs says:

    Another good example of Microsoft wasting the User’s time implementing a massively complicated hack to half-implement some needed functionality because they can’t bring themselves to tell some developers that a part of the OS has been taken out and replaced because it’s borked/insecure/all over the place.

    As usual Mark, another situation which exposes what a good developer you are, and the dichotomy whereby Microsoft has to employ genius level people to try and work out what’s going wrong with the people doing the actual code and design.

  57. DannyD says:

    Don’t use IE.  Problem solved.  That "Virtualized" directory does not exist on my Linux machine (on which I use Epiphany).

  58. macejv says:

    It is right. Some files, folders and settings from our computer can disappear, at a random basis. In order to not encounter these kinds of problems or issues on your computer, an IT user will need to have some additional programs downloaded and installed on their computer (like a registry cleaner or/and a Windows Optimizer such as jv16 PowerTools 2009).

  59. Dave Johnson says:

    Given the way that Vasti does virtually nothing that XP won’t do and given the way it imposes all sorts of ludicrous restrictions because $soft doesn’t like giving users control over their own machine, the solution is clear.

    Either

    1) for the simple minded, use a mac, it’s designed for you.

    2) For the more complex minded, use linux, it’s designed for you.

    3) Stick with XP, there will always be copies around that work and I doubt if manufacturers will stop writing drivers before we get Linux up to the point where non manual-reading users can just plug’n’play.

    Vasti’s just another $soft bodge, strangling the user’s ability to use their own machine because so many make the mistake of *trusting* $soft software to not run any and all instructions that any old spammer or worm chooses to send it. The real cure, is a real OS (sadly still $soft, XP, for simplicity of use) but without trusting virus-havens like OE and IE.

    Dave.

  60. David Gray says:

    Great work as usual Mark and your wife.

    Mark since you play BF2142. Could you please do a ‘Case of the crashing Bf2142 Server’. It must bug you as much as it does me and thousands of other brothers in arms.  

    Thanks

  61. SRS says:

    @Dave Johnson – we all want to know. Which of the three do you use?

  62. microsoft sucks says:

    I really dont understand how this is considered ‘solved.’  How is your wife supposed to save files to her real desktop?  Is she supposed to know that she needs to be running in medium integrity in order to really save to the location she chose to save files?

    Are users supposed to know that deleting their temporary internet files will erase all of their virtualized files?  I am really not surprised that Microsoft screwed this up again.

  63. Mark Israel says:

    Mark,

    I need help fixing a problem dealing with off-line files. Noe of my XP SP-3 users can do a search on a server Share drive. Example: Public

    is on a 2003 R2 SP-2 server. It is shared out to Authenticated Users full control. When my users search using search companion it lags out and then they lose thier network connections to shared drives. The drive letter and directory are there but no files. I am hoping you might shed some light here as I am stuck. This is a new server with the exact same everything as the old server. FQDN, NETBIOS, IP Address and NTFS directory structure is identical. I wonder if I copied over something I need to undo???

  64. Sven says:

    After reading the fact that it was IE showing this files and the screenshots showing it was Vista, I immediately knew it was because of file virtualization. I don’t need no fancy tools; like Raymond I can use my psychic debugging powers. 😛

  65. Leon Zandman says:

    The most important lesson readers can learn from this story comes from this line:

    "Since my wife doesn’t keep the Sysinternals tools on HER system…"

    Indeed, give your wife her own system, so she cannot harm your system 😉

  66. andi says:

    Does the legacy application "see" the existing, non-virtual files? I think the answer is yes.

    If it does, how does vista solve the delete file operation for a legacy application?

  67. Chris, Happy still using WindowsME says:

    Quote from Luigi D. Sandon: "I too agree that MS should stop to put too much emphasis on "compatibility". Windows should be compatible with well written applications, and should begin to stop those written without following the rules."

    The point is that these ActiveX objects WERE written following the rules in force at the time. It is Microsoft who changed the rules, for good reason, but Microsoft now has a duty to honour the correct operation of existing ActiveX components.

    The way forward is to inform the User. When an old style ActiveX control acts in this way, an information balloon should explain to the User, with clickable [+] and [-] to expand for a more or less detailed explanation. Don’t forget information balloons can be invasive. Give balloons the abillity to be minimized so they can be read more thoroughly at a more appropriate time. Better still, give information balloons their own archive area.

    Inform the User. Don’t interrupt them. Don’t confuse them.

  68. Comet says:

    If the "Desktop" view in Explorer, etc., would concatenate the user’s virtualized Desktop with the user’s real desktop (and, I suppose, the All Users real desktop), then the unified view would not confuse the user; they wouldn’t care if the files were stored in the virtual location or in the actual location.  As somebody mentioned, it would be good if the virtualized file icons had some type of indicator, similar to the shortcut arrow’s usage.

  69. Gordon Edwards says:

    Very interesting.  I use W2K Pro SP4 (Yeah, I know, but don’t you got to love it?) and sometimes the offspring put up a new desktop direct from their E: folders without bothering to make it into a .bmp blah blah…  When they log off, often you can see old wallpapers flash up and disappear.  I’ve always cured this by invading their privacy and making bmp’s in the WINNT folder where they belong.  But it’s comforting to learn something of the virtualisation which dogs even older software!

  70. Tapxe says:

    I had this problem a few weeks back as well…  I solved it very easily.  Right-click->properties (or file-> properties from a pdf or something) then cut and paste.  Done…  

    (well, i guess figuring out exactly why it happened is sort of interesting)

  71. Elod Kironsky says:

    We’ve experienced this problem in our company lately so I started to investigate it with the great Sysinternals tools from Mark. The only problem is, that this virtualization of PMIE is permanent, e.g. the acredir.dll hooks will re-direct all write attempt to the Virtualized folder. This doesn’t make any sense, because this virtualization is used only for write attempts and not for reading!!! Also if you actually grant write rights for IE to the desired folder, it will still write to the Virtualized folder!!! This is IMHO incorrect. The only function I found to handle such redirection is AcRedirSetEnabled() and AcRedirSetEnabledForCurrentThread() exported from acredir.dll. But I have very little documentation for these functions. Alternatively you should be able to use CreateFile from ntdll.dll.

  72. James Bray says:

    "As a bonus, my wife was impressed at the ease with which I’d figured out the source of the phantom files and even more impressed that I wrote the tool I used to solve it."

    Surely she must have slight inkling of your level of Geek cred :-)  Hell, I'd certainly advertise it…

    /me wonders why he's still single :-)

  73. B. Smith says:

    Wow, thanks for the advice. You're great with computers, though not with animals and women.

  74. Christian says:

    Sth like this happened to me on a removable media (USB Flash) and a trojan virus. The exe was hidden, did not appear in the Explorer (despite the fact that I have set it to SHOW the hidden files…) and was only visible when I "dir"-ed:

    dir Z:*exe /A:H

    I've tried to delete it with no luck… :(

    Finally I formatted the disk and checked my system just to be somewhat sure…

    So, if you know what could cause sth like this or how to fix it (using a better way) in the future, it would be great! 😀

    I will try your RootKit Finder soon too. :)

  75. Chris Quirke says:

    It's a bit disturbing that a web site is attempting to drop files on the desktop; that's the sort of thing one usually expects from Chrome or Safari, but I'd hope IE would not allow that – as indeed IE8 on modern Windows doesn't, thanks to the virtualization, shims etc.  

    Would IE6 on XP have allowed those files to be dropped on the "real" desktop?