What is this Xerox directory doing in Program Files?


If you go snooping around, you may find an empty C:\Program Files\Xerox directory. What's that for?

This directory is being watched by Windows File Protection, because it needs to protect the file xrxflnch.exe should it ever show up. (Why does the directory have to exist in order for Windows File Protection to be able to watch it? I'm told it's a limitation of the Windows File Protection engine. I suspect it may have something to do with the fact that the FindFirstChangeNotification function can't watch a directory that doesn't exist.)

Why is xrxflnch.exe so special? I don't know. My guess is that it's some file that is frequently overwritten by setup programs and therefore needs to be protected.

Comments (47)
  1. Sriram says:

    I googled a bit and couldnt find anything on xrxflnch.exe – wonder what it does

  2. Mike Dunn says:

    That might also explain the empty C:Program Filesmicrosoft frontpageversion3.0bin dir

  3. Alan De Smet says:

    Oh, how I hated the impossible to kill "microsoft frontpage" directory, ban of all anal-retentive people who like their system nice and clean. There is just something really irritating about have a directory suggesting that I’ve installed a program that I didn’t install and never will install. I hope someone was flogged for that.

  4. I totally agree with Alan De Smet, I hate the "microsoft frontpage" and other impossible to delete folders. Every time I see that folder it’s just a reminder that my computer won’t do what I want it to do. I should add, it is possible to delete these folders if you know how, but unfortunately WFP we recreate them on next reboot. You can forcibly and permanently disable WFP, but then you lose the niceties it provides. If only Microsoft provided a way to edit the list of files protected by WFP, then us anal folk could remove them. But this would of course be a security hole, a virus could remove USER32.DLL from the list, then replace USER32.DLL with its own malicious version.

    I guess I’m just mad I can’t have my cake and eat it too. :)

  5. Nicholas Allen says:

    If a virus can write to those files, it’s already got full control of your computer. The virus can just disable file protection entirely if it wanted to. It doesn’t have to bother with some list.

  6. Why was Window’s File Protection implemented using this weird service rather than just using NTFS protections so that only the SYSTEM account has write access (in a similar way to the “System Volume Information” folder)? That way, the files would be in the right place and follow the same rules as everything else. I realise that it would be possible to take ownership of the files and then change their permissions but that would be a conscious decision which would make users (and perhaps installer writers) think about what they are doing (and I am sure they could break WFP if they wanted to as well). Old applications might get an accessed denied error when they try and write to them but I think that serves them right for messing with files that do not belong to them (and if it is the choice between adding another flaky layer to the file system or having a few old installers display accessed denied messages, I know what I would prefer).

  7. Raymond Chen says:

    The reason is, as you noted, the installers that fail if they can’t update the file. Consider what happens if system files were ACL’d so that installers couldn’t write to them:

    You buy a printer at your local computer store. You open the box. You install the drivers. The install program fails because it can’t write to MSVCRT.DLL. Your printer is now an expensive paperweight. And since you opened the box, you can’t return the printer for a full refund either.

    Result: Unhappy customer. Blames Microsoft for preventing him from using his printer.

  8. Cooney says:

    Why wouldn’t he blame the printer manufacturer for selling him an expensive paperweight?

  9. Gene Hamilton says:

    Kinda of OT but related to WFP. How people here use some sort of "limited account" WFP always seemed like some sort of hack in place of proper permissions. I know that alot of programs would break if a limited account. (most notably games)

  10. Neil T. says:

    Thanks Raymond. This was another one of those odd things in Windows that I’ve wondered about but never bothered to ask.

    Jonathon: That’s fine and dandy but what about people using FAT32 as their file system? I for one still do because I need to be able to dual-boot with another operating system which doesn’t yet have reliable read/write support for NTFS. Though obviously Raymond’s point is even more true.

  11. Jon Potter says:

    Maybe you could suggest to the WFP people that they also put a "watch" on Program Files to see if the Xerox directory shows up. Seems more like laziness to me than any deep-seated technical reason.

  12. Anon says:

    I wish "Microsoft Frontpage" and "Xerox" were properly capitalized…

  13. garg says:

    WFP is pretty easy to workaround. Just search for all copies of the file you want to change, then make a batch file which will overwrite all copies right after each other with your version. Run it a few times, and sooner or later you’ll succeed.

    That’s all, and that’s about this very nice and safe MS feature.

  14. Michael says:

    I just disable WFP and delete those useless folders. WFP has never helped me out while it was working and I’ve never missed it in the 2+ years I’ve had it disabled. The only time I gave it a second thought was when I upgraded to SP1 and later SP2 and had to figure out the method to disable it anew.

  15. 0xAA says:

    What a coincidence I was just getting pissed off about thoes folders the other day. I had always wondered why that stupid folder wouldn’t die, not matter what I did to it. I wish I knew who was responsible for this so I could smack them upside the head everyday until it gets fixed [hurry up SP3 ;)]

    I hope stupid little things like this are fixed in longhorn, all the little annoyances tend to add up.

    On a completely unrelated note: have you heard about the "Microsoft accused of warezed Soundforge Files" thing? You usually have good info on everything, It would be interesting to hear an explanation for this one.

  16. Raymond Chen says:

    "You usually have good info on everything." Saying that is perhaps the most effective way of making me dislike you. I do not know everything, and I hate it when people assume that I do.

  17. Gene Hamilton says:

    Plus that is really a question for the legal department. And I am sure that Raymond has nothing to do with that part of windows development anyway. I wonder if the Microsoft legal department blogs. :p Ask them.

  18. Ever wondered why there’s always an empty ‘xerox’ folder in Program Files on Windows? Raymond Chen, as usual, has the answer.

  19. Dan says:

    As garg said – it is easily defeatable for files that aren’t locked at login. Why make is so hard to get rid of unwanted, empty directories? I think the thinking is "Program Files" is a secret place most users shouldn’t go look into, so it doesn’t matter if we litter it with uneeded crap. I guess what I need is another file attribute that is "Hidden by me" so I don’t have to see those things. I do like to see things other people think should be hidden so using that property doesn’t work.

  20. Adrian says:

    Legal departments & blogs : not a match made in heaven.

  21. 0xAA says:

    Sorry if I hit a nerver, but I think you took the ‘everything’ part a little more literally than I ment it. I didn’t mean to imply you are some all-knowning all-powerful god who’s going to solve all my problems for me and cure cancer tomorrow, perhaps what I should have said was ‘know a little bit about almost everything’. If theres another site on the web that will talk about knitting one day, programming the next, with plenty of obscure windows trivia mixed in between, I haven’t found it.

    I can guess what the legal department would say, I was simply wondering if raymond had heard anything interesting about it, proving it, disproving it, crazy conspiracy theories or whatever.

  22. 0xAA says:

    whoops: nerver == nerve, stupid clumsy fingers

  23. Raymond Chen says:

    Even if I knew, you know I can’t comment on legal matters…

  24. Anon, if you’re really bothered by the capitalization of the folders and want to change it, here’s how:

    Download and run "Process Explorer" from SysInternals. Do a search for the folder in question, once found right-click on the entry and close the handle. The folder is no longer locked, you can go rename the folder and fix the capitalization. You might want to reboot as soon as you’re done.

    I should add, do this at your own risk. Forcing a handle closed like this could cause problems. I’ve never had a problem.

  25. Brian says:

    I’m slightly annoyed that they decided to lock notepad.exe — one of the first things I do on a new system is change it over to metapad. Though I have gotten it down to a science now (search for notepad.exe, select them all in the search window and delete them all at the same time, then click away the 3 dialogs that pop up).

  26. Raymond Chen says:

    Remember, if you disable Windows File Protection and then start replacing files, you will interfere with the installation of security patches. In extreme cases, you will render your machine unbootable:

    http://weblogs.asp.net/oldnewthing/archive/2003/08/05/54603.aspx

  27. Serge Wautier says:

    Raymond,

    Are you some kind of medium ? Is this post addressed to me specifically ? :-)

    I discovered this xerox dir exactly yesterday afternoon west european time, i.e. about one hour before you posted about it. And yes, I wondered what it is, and especially why i couldn’t delete it. Now I know :-)

    Thanks.

  28. Vorn says:

    Mr. Chen doesn’t know everything; he knows Anything.

    The difference is that to know everything you must be God. to know anything you must simply know where to start looking, and have enough persistence to finish. Operating systems are intended to do everything, programming languages are intended to do anything.

    Also, that constraint (that wfp needs the directory to be there to protect things) seems rather strange; most of the time, if you ask for a file in a directory that doesn’t exist, you get the same error as if you had asked for a file that doesn’t exist in a directory that does.

    Vorn

  29. Christian says:

    Request for longhorn:

    remove those folders – please :)

    cheers

    christian

  30. Zibbo says:

    So what is the directory "nwwia" doing in my xerox folder? It is also empty…

  31. My guess is that it is there because of a marketing stunt by Xerox :-)

  32. Anonymous says:

    "I do not know everything, and I hate it when people assume that I do."

    And if you say you don’t know something, people don’t believe you and think you don’t want to say?

    Sounds familiar?

  33. grouse says:

    "I do not know everything, and I hate it when people assume that I do."

    I feel your pain. Sometimes, when I don’t know something people cheer in triumph because they know something I don’t. WTF? I would never do that to someone else.

  34. I completely fail to see why some of you give Raymond such a hard time. I see this blog as one of my top ten most used resources in trouble-shooting. I now know, thanks to Raymond, why some things are the way they are in Windows and I understand.

    My biggest fear is that sooner or later all you slashdotters will eventually piss Raymond off and he will stop blogging. That will only serve to hurt us all. Raymond works hard for all of us. If it wasn’t for him and his co-workers, Windows would not be able to do all the stuff it can do now.

    Get a grip, people. You know who you are.

    James

  35. Scott says:

    When you have someone who finally answers 10 years of accumulated questions, it’s not surprising they also get the anger at the answers.

  36. Simon Cooke says:

    I was under the impression that the picture preview tool built into XP was provided by Xerox, and the Xerox folder was used by that tool.

    This was a while back, so I may be misremembering, but I did do some digging after finding that folder to make sure it wasn’t some kind of trojan or otherwise, and that was the answer I got from the MS newsgroups.

  37. Matt says:

    You think Raymond has it bad? Visit the IE blog sometime. Slashdotters are attracted to it like flies to honey.

  38. Stefan Kanthak says:

    I do not only wish MSFT had written the directory names "xerox" and "microsoft frontpage" proper capitalized, but obeyed their OWN guidelines of their OWN "Designed for Windows" logo program for placing application directories: "internet explorer", "netmeeting" and "outlook express" have to be created as subdirectories of "%ProgramFiles%Microsoft", and MANY more MSFT programs (Office for example) too!

    On W2K (german version!) I see the directories "WindowsUpdate", "Windows NT", "Windows Media Player", "Windows Media Player Components", "Windows Installer Clean Up", "Uninstall Information", "OfficeUpdate11", "ComPlus Applications" and "Common Files" clutter "%ProgramFiles%".

    Would have W2K, XP oder 2K3 passed the Windows Logo test?

    And: YES, it is possible to move "Internet Explorer", "Outlook Express" and "Netmeeting" (for example) to "%ProgramFiles%Microsoft". When you set all the paths in the registry to the new locations even patches will install correctly (they read the locations from the registry)! Only this @&%$§* hardcoded list of names in USER32.DLL ain’t flexible, and WFP keeps up recreating the now useless empty directories.

  39. David Pritchard says:

    Couldn’t you prevent the folders from being recreated by creating files with the same name in Program Files? You can’t have a file and folder with the same name. I haven’t tried it. Of course, you then just get some irritating files you can’t get rid of.

    I was once annoyed by those folders, but I kind of got over it. And WFP is great, easily W2k’s best feature. It’s the number one reason why the OS is so stable.

  40. Mike says:

    Yeap, WFP is great. Diasble it and you will

    start to repair after idiot setups who replace

    system files (like replacing some ole*.dll

    with a win95/98 version

    which stops winlogon.exe from starting which in turn causes a blue screen). In the end who really cares about some folders that cannot

    be deleted ? And for hackers who like to waste time disabling it I really recommand to find a way to modify the protected directories list, it’s far more better and it seems quite possible… (i won’t tell you the dll name :) )

  41. Heh, Microsoft should sell these "phantom directories" to third-parties. Imagine how much small ISVs would be willing to pay for a directory naming their application to always exist on every Windows box. Sure, it’ll be empty, but it’s advertising. Plus some users might think that something just went wrong with that app and go "re"-download it. ;-)

    I echo the experience of Serge from a few posts ago — the day this was posted was the day I totally randomly saw that directory on a computer and couldn’t figure out what it was, for the first time. And then lo and behold your post.

  42. David Pritchard says:

    By the way, the file creation trick works a treat for blocking those annoying folders. At least it has so far.

  43. David Candy says:

    I have a simple VB program that list files protected by WFP. There’s an API call to list files protected. If you want it mailto:david@mvps.org.

    The TWO files protected seem to be, from reading strings, to do with network scanning.

    If you want to read, copy a text file with the protected name into the folder. Within 5 seconds WFP will have replaced it. Remember WFP is stupid. It just matches names.

  44. Ben Cooke says:

    Stefan,

    I hate it when apps are classified by their manufacturer. It means I have to remember which manufacturer made each product. Some of them are pretty obvious (I wonder who made Windows Media Player?!) but others are less so (Terragen? VNC? WinRAR? Proxomitron? Milkshape3D?)

    Maybe I’m just unusual in that I don’t tend to have much retention for "brand names", but I tend to just install my apps by name alone, unless they have some stupid name in which case I make up one for them. If I had more software installed this would probably start to cause a problem (too many directory entries under Program Files), but since I only use about six applications on a daily basis it doesn’t really bother me a great deal.

  45. Stefan Kanthak says:

    Re: Ben

    You know the "magic" number 7?

    That should be the number of directories below %ProgramFiles% (plus/minus 2).

    OK, this would be to restrictive, but I like to have the installed programs sorted by SOME criteria: Microsoft choose the manufacturer’s name and wrote this into their "Designed for Windows" logo programme.

    That’s where the files should go to; the user interface is but in the "Start" menu, below "Programs", and there you can (re)order entries/folders as you like (although Microsoft want’s the manufacturers name here too).

    BTW: I hate it when installers don’t ask at all, and when they don’t obeye the rules defined by the "Windows Logo Programme"!

    If you don’t mind to take a look over your shoulder: Unix/SVR4 proposes /opt/$PRODNAME/, Sun’s Solaris /opt/$VENDORID$SUFFIX/, and Linux has its FHS.

    Re: David

    I had no doubt that creating files would stop WFP from recreating directories, but now you got useless files instead of empty and useless directories which seems not really like a win to me.

  46. If you’ve ever pecked around in the Program Files folder in Windows, you may have noticed an empty "Xerox" folder. Why is it there? Now you know. Thanks Neil for…

Comments are closed.