
There is a very strange large 10 GB file inside my Windows folder named "d". This file was created around 9 days ago. I can't delete or move that file. Also, there is no information on this file on the internet; I have searched a lot. Attaching the screenshot of the file and location. Does anyone have any idea what that file is and which software created that? Any clue? Please.


Update:

I have just found out that this file is being used by a process named "system", but if it is a system file, I am wondering why it was just created 9 days ago and why it is 10 GB in size. Isn't it suspicious?


Salman
  • I do not have any such file as this on any of my Windows machines. Tree Size will certainly show a 10 GB file. Something you downloaded? A different kind of backup? – John Aug 25 '23 at 16:19
  • This smells a bit like a VeraCrypt volume, or something along those lines. Can you open the file in HxD or some other hex editor? Do you have a D: drive? What does the d.sys file have under "Properties > Security"? – u1686_grawity Aug 25 '23 at 16:24
  • @John no, I didn't download anything. – Salman Aug 25 '23 at 16:36
  • @u1686_grawity, I tried to open it just now with HxD, but it says the file is in use. This is not a VeraCrypt volume, and yes, I have a D drive.

    When I try to see the Properties --> Security tab, it shows the following error: "The requested security information is either unavailable or can't be displayed"

    – Salman Aug 25 '23 at 16:37
  • You can access that file either by making a disk image with a tool such as Macrium Reflect and mounting the image, enabling access to restricted files, or by booting from USB, e.g., with Hiren's BootCD (https://www.hirensbootcd.org/) or an alternative (https://alternativeto.net/software/hiren39s-bootcd/) and opening in a hex editor. BTW, if VeraCrypt, it would not be locked if not mounted. Do an offline malware scan, if suspicious. – DrMoishe Pippik Aug 25 '23 at 17:08
  • @DrMoishePippik sure, I will try that and report the results here. Really appreciate you all. – Salman Aug 25 '23 at 17:29
  • Since that's not an OS file, as the OS does not save any new files to %WinDir% beyond .cab, .inf, and .msu files in subdirectories within %WinDir%\System32 (AFAIK), and no software is ever configured to use %WinDir% (if one does, it's been incorrectly coded by the developer and should not be used), please perform Steps 1 - 6 (excl. #3), which will fix that %WinDir% corruption. If you'd like to keep the file for further investigating, boot to WinRE, then copy the file to C:\Users\Public, which in WinRE will not be within C: – JW0914 Dec 29 '23 at 12:57
