What is the C:\WINDOWS\TempFile ?
Hello everyone,
I'd like to know what the utility of the C:\WINDOWS\TempFile file is. I have a W2k3 R2 SP2 server and my backup tool (arcserve) sometimes cannot save this file as it is used by another process (and so the save is incomplete). In order to resolve this "problem" I use process explorer to find the HANDLE and stop it. Once the handle is stopped, I no longer have the problem until the next system reboot, when the problem reappears. My question in this case is, what is this file? What is its utility for the system and why is it allocated by another process (system)? If, as per its name, it is a temporary file, why is it not being deleted automatically? Is there any solution for this issue?
Thank you in advance
ps: I have already placed a filter in arcserve in order to skip saving this file but no improvement.
ps2: sorry for my english
July 18th, 2011 4:03am
I have never heard of it. Can you confirm you are using Windows 2000 R2 SP2? I have never heard of this either.
If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer".
July 18th, 2011 8:35am
What process holds the lock?
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
July 18th, 2011 9:38am
I'm so sorry, I've just seen that. My OS is Windows 2003 R3 SP2...:(
July 18th, 2011 10:10am
Dave, in process explorer, I cannot find it directly. I'm obliged to make a search (ctrl-f) with the word "tempfile" in order to find the process. The process is always the SYSTEM. If I want to solve my problem (temporarily till next reboot) I have to "close the handle".
In addition, when I'm looking for the file in C:\Windows...the file is 0 bytes in size....
July 18th, 2011 10:13am
Difficult to know without knowing the process name or executable.
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
July 18th, 2011 11:38am
Repost? Ok, I would run a full antivirus scan on the system, then check the file properties and set it to administrators full control over the file so your backup process can grab it.
July 18th, 2011 12:22pm
Hi kouzoulos,
I strongly suspect you have a virus. There is not supposed to be any file called TempFile in your Windows directory.
July 18th, 2011 12:40pm
Hi,
You may run Process Monitor to monitor what application uses the C:\WINDOWS\TempFile. You may download and install Process Monitor from the following link:
Process Monitor v2.95
http://technet.microsoft.com/en-us/sysinternals/bb896645
Regards,
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 18th, 2011 10:46pm
You may want to consider backing up your needed files and doing a fresh install. Change up your passwords. Highly advisable if you believe your system has been compromised. You may want to look at creating a bootable USB stick with a good antivirus program on it, booting from it and performing a full low level scan.
July 19th, 2011 12:48am
Hello, it is not so easy to re-install the OS as it is a TS Server with 20-30 users... As per the virus scan... I've already scanned it with MalwareBytes, MRT, the local antivirus (etrust), and a scan with Kaspersky. No virus detected....
Concerning the Backup profile... it is a profile with administrator privileges.
July 19th, 2011 3:47am
Hello Dave, as I said previously, in process explorer, I see the SYSTEM process...it is always the system...
July 19th, 2011 3:48am
Here is a screenshot that I took earlier:
http://imageshack.us/photo/my-images/220/tempfile.jpg/
July 19th, 2011 8:46am
Kouzoulos, it looks like you have an active Trojan, based on what Symantec and McAfee report on TempFile.exe. Sure it's running as system, because it's actively dug in there like a tick. Take administrative ownership of the file and remove it.
I would look into standing up a new term server, install antivirus, then move the users over so you can rebuild the old one.
July 19th, 2011 9:26am
Hello Jason,
thank you for answering. The file disappears once the handle is "killed" till next system reboot... also, the file has no extension. In addition, I left the file on the disk for a while, and some minutes later, the size was at 8.8MB but I could neither open it (if it would be possible) nor copy it into another folder in order to analyze it.
July 19th, 2011 9:32am
Going out on a limb here, but your system may be rootkitted, which is not good. I would definitely look at a bootable USB with antivirus and advanced malware anti-rootkit scanners on it.
July 19th, 2011 10:10am
thank you all for your suggestions.
Have a great day!
kouzoulos
July 21st, 2011 11:44am
I have the same file/issue.
C:\WINDOWS\TempFile (no extension) created at boot time.
8,209 KB File, properties: 8.01MB (8,405,015 bytes) and there's not much else..
Cannot open or copy to view contents "It is being used by another person or program"
Process Explorer shows - Process: System, PID: 4, Type: Handle, Handle or DLL: C:\WINDOWS\TempFile
As soon as you close the Handle the file disappears.
I've run "Sophos Virus Removal Tool" which includes "rootkit" reviewer builtin, and it found "0" threats.
We have SEP 11.0.4x, and full scan and logs show no issues.
I've searched regedit, and did not find TempFile
Windows 2003 Standard Edition SP2
All latest patches via WSUS
The system does not seem to be affected by the file.
CPU and RAM are normal.
ProcessMonitor - Search Found Explorer.EXE Event Info (doesn't tell me anything)
---
Date & Time: 5/9/2012 10:01:17 AM
Event Class: File System
Operation: QueryDirectory
Result: SUCCESS
Path: C:\WINDOWS
TID: 7712
Duration: 0.0000540
0: system
1: system.ini
2: system32
3: TAPI
4: Tasks
5: Temp
6: TempFile
7: TRYRW.LOG
8: tsoc.log
9: twain.dll
10: twain_32
11: twain_32.dll
12: twunk_16.exe
13: twunk_32.exe
14: uddiadm.msp
15: uddidb.msp
16: uddisetup.log
17: uddisp.exe
18: uddiweb.msp
19: updspapi.log
20: vb.ini
21: vbaddin.ini
22: vmmreg32.dll
23: vpc32.INI
24: vpd.properties
25: VxSDM.log
26: WBEM
27: Web
28: WellXchange.INI
29: win.ini
30: Windows Update.log
31: WindowsShell.Manifest
32: WindowsUpdate.log
33: winhelp.exe
34: winhlp32.exe
--
My latest two ideas are:
- Check Open files and use File Unlocker to see what might appear or show fileuse details.
- Run SFC /SCANNOW from system console (need source Windows CD) to validate key windows files
May 9th, 2012 11:20am
Hey troyboy14k,
I solved my problem with a non-standard solution but at least it works.
I found the file by using "process explorer" and I terminated the "handle".
Once the handle is closed, normally the C:\WINDOWS\TempFile no longer exists.
I created a "TempFile" in the c:\windows (you know, new empty textfile without extension) and then I denied the access to the file for everyone-administrator (file properties->security). This non-official solution has resolved my problem without a visual impact on my servers.
I repeat, it's not a virus in my case as it is a fresh Windows installation (server never connected to the Internet).
Thank you
June 18th, 2012 8:10am
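Both posters report that the handle on C:\WINDOWS\TempFile belongs to System (PID 4); handles in that process are opened by kernel-mode components, so the owner is a driver rather than an ordinary process. The PowerShell sketch below is an added example, not code from any poster: it assumes PowerShell 2.0 or later is installed on the server, the helper name Resolve-DriverPath is made up for illustration, and the CompanyName field it filters on is self-declared by the binary, so it is a triage hint and not proof of origin.

```powershell
# Added triage sketch, not from the thread. Read-only: nothing on the host is changed.
# Assumption: PowerShell 2.0 or later is installed on the server.
$target = 'C:\WINDOWS\TempFile'   # path reported in the thread

# A file created seconds after boot points at a driver that starts with the system.
$os   = Get-WmiObject Win32_OperatingSystem
$boot = [Management.ManagementDateTimeConverter]::ToDateTime($os.LastBootUpTime)
if (Test-Path -LiteralPath $target) {
    $f = Get-Item -LiteralPath $target -Force   # metadata only, works while the file is locked
    "{0}: created {1}, {2} bytes, last boot {3}" -f $target, $f.CreationTime, $f.Length, $boot
} else {
    "$target is not present (last boot $boot)"
}

# Hypothetical helper: turn the path forms a driver entry can carry into a normal path.
function Resolve-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''                           # strip a leading \??\
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# List running kernel drivers whose binary does not declare Microsoft as vendor,
# newest file first. Backup agents, antivirus filters and storage drivers show up here.
$drivers = Get-WmiObject Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
    if (-not $_.PathName) { return }                           # skip entries without a path
    $path    = Resolve-DriverPath $_.PathName
    $company = '(file not found)'
    $written = $null
    if (Test-Path -LiteralPath $path) {
        $company = [Diagnostics.FileVersionInfo]::GetVersionInfo($path).CompanyName
        $written = (Get-Item -LiteralPath $path -Force).LastWriteTime
    }
    New-Object PSObject -Property @{
        Name = $_.Name; Company = $company; LastWrite = $written; Path = $path
    }
}
$drivers | Where-Object { $_.Company -notmatch 'Microsoft' } |
    Sort-Object LastWrite -Descending |
    Format-Table Name, Company, LastWrite, Path -AutoSize
```

If one third-party driver stands out, Process Monitor's "Enable Boot Logging" option can record the file-create operation on the path during startup, which ties the file to a specific component.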


