What is ‘\Program Files\XEROX\NWWIA’, and how do I get rid of it?
OK, this is one of the weirdest situations I’ve seen come up in a
long time.
The short answer is that it does appear to be something related to “Windows
Image Acquisition”, which is a common component of Windows. Why it shows up
empty, and why it remains protected by the operating system, is, as best we can
tell, a mystery.
For what it’s worth, it’s benign. It’s on lots of systems, including my
own.
Using SysInternals Process Explorer, I was able to
tell that the Windows logon process has the directory open, but I was able to
find no reference to it in the registry. And apparently, when
you do manage to delete it, the system file protection service dutifully
restores it.
There’s a long thread on the subject out at the Annoyances.org discussion
forum titled Deleting Ghost/Empty Directories that has
many theories and a couple of ways to delete it, if that’s really important to
you.
Talking to Microsoft about this Xerox dir., they said it is only on OEM versions of Windows XP. If you reload with a retail version this dir. is not listed… This was tested by myself and posted to Microsoft.
The nwwia is a xerox driver for a printer
This is an old problem that XP inherited from Windows NT. My computer came with an OEM install of XP Home, but I clean installed a retail version of XP Pro over it, so if only the OEM versions are supposed to have it, why does retail OS have it as well? Did SP2 stick ’em on???
WHY MSFT still has these stupid Xerox directories is beyond me.
Here this should explain the whole mystery:
http://support.microsoft.com/default.aspx?scid=kb;ja;418634
Or, maybe not!
:P
If I’m right! This has something to do with Microsoft’s self-healing system32 folder. Nothing can be deleted from this directory, but things can be renamed… with a script. For example, at the college I work for we didn’t want students to be able to play solitaire from a RIS image. So we created an image without it. This script deletes files from the sys32 folder and renames all the games to notepad.exe, and if you are wondering, yes, we can tell when a new student tries to play a game when he stupidly asks why solitaire opens notepad.
rem Replace each game executable with a copy of notepad.exe
del C:\WINDOWS\system32\sol.exe
copy C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\sol.exe /y
del C:\WINDOWS\system32\spider.exe
copy C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\spider.exe /y
del "C:\Program Files\Windows NT\Pinball\PINBALL.EXE"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\Windows NT\Pinball\PINBALL.EXE" /y
del %SystemRoot%\System32\winmine.exe
copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\winmine.exe /y
del "C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe" /y
del "C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe" /y
del "C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe" /y
del "C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe" /y
del "C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe" /y
del %SystemRoot%\System32\mshearts.exe
copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\mshearts.exe /y
del %SystemRoot%\System32\freecell.exe
copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\freecell.exe /y
Be very careful with this script because you cannot reverse it, because notepad is the system editor for Windows. I’ll try to come up with a solution to rename this directory. And then we might be able to delete it.
Here’re the simple facts of the matter: this particular folder (and others) are protected by the Windows File Protection (WFP) which is a part of the System File Checker (created mainly to avoid unwanted/irreversible changes to critical system files and an inheritance from NT/2K).
You cannot remove this directory or any others protected by WFP without first disabling WFP (which of course will leave system files and directories -meant- to be protected, completely unprotected by the WFP and SFC)
How to disable Windows File Protection which allows you to delete the xerox\nwwia directory:
http://www.winguides.com/registry/display.php/790/
This can be deleted, and it is one of the system processes that is keeping it open. Try removing weird-looking ones you don’t trust. If you end a process and it pops back up and it looks weird, just let it be,
or you can restart your computer and try to delete the file before you do anything else, such as opening other programs etc., that might correspond with the process.
Okay, I have xerox as well, could someone just tell me if it’s a virus or anything! lol! P.S. I checked out that website and it was in Japanese (I think!) :-)
It’s benign. I just ignore it. Some people seemed to get really worked up about it, but really … it’s harmless.
The Xerox folder is to do with the scanning software built into XP – it’s licensed from Xerox. If you have plugged in a scanner, a webcam, or a digital camera at any time that’s likely why it’s popped up. It’s not malicious, but it is part of the XP system files. Just ignore it.
I removed the annoying directory (spyware). It uses a clone called winlogon and loads itself into the real windows winlogon. It is then undetectable by antivirus and anti spyware.
Step 1:
Restart Windows in safe mode without network
Search your windows and internet directories for these files and “delete”. (Be sure to empty the recycle bin too and be sure to check for hidden and system files):
xrxwiadr.dll
xrxscnui.dll
xrxwbtmp.dll
and the two executables files
XrxFTPLt.exe
xrxflnch.exe
in addition locate a trojan called MSWebcheck_Monitor and delete these files too:
webcheck.dll
loadwc.exe
You may or may not find them. But you need to double check for them anyway.
Step 3:
Run Regedt32.exe or regedit.exe
Find all the files that begin with webche* and “delete” these keys
Step 4: Go to control panel and open the system icon and turn off “system restore” . By turning it off all the restore points will be deleted. These files need to be deleted because they have been infected as well. And for whatever reason windows seems to like to tap into these restored files.
Step 5: Restart your Windows in normal mode and voilà! Then open your Windows Explorer. You should no longer and will “never” see the ghost directories again.
Step 6: Turn your restore back on and make a restore point for today.
The conclusion is that even though the xerox directories seem legit, if you don’t have a xerox device attached, the directories are not needed. Good Luck, let me know how it goes…
I forgot to add to step 3:
Search and delete from the registry any and all keys beginning with xrx. The five files are also described in step 1.
COULD YOU DECIDE IF IT IS VIRUS OR NOT!
It is not.
If it bothers you to look at it, make it a hidden file. Works for me. :)
Thanks man! I’ll be trying this, that xerox folder just WON’T go lol. I re-installed Windows with a total wipe of the drive to find after a couple of weeks it was back! Of course, I didn’t re-install Windows because of this, I had major system problems.
My problem is that I have a great xerox printer. I have had it for a couple of years, before I got windows xp, and in order to upgrade it for use on windows xp you have to delete all xerox files. Well….haven’t been able to do that in order to install it. I will have to try the tips given and see if I can delete it long enough to install what I need.
Download this program from sysinternals.com called Process Explorer. Open it, click on Find and then Find Handle. Search for nwwia. It will be in winlogon.exe. Right-click on C:\program files\xerox\nwwia and click Close Handle. You can now delete the xerox folder.
Thanks tedstyle November 19, 2005 02:20 AM
It worked great.
I got rid of the mystery xerox/nwwia folders!
Can you be my personal IT assistant? jk :’)
Thanks a lot for the tip with the Process Explorer, no more xerox on my disk :) :)
Just do an advanced search under system folders, hidden folders, and sub folders for “sfcfiles.dll”. Then highlight each file, one at a time, and hit F2 and change the name to “sfcfilesold.dll”. You will get a warning from Windows that this is a necessary file but just ignore it. Restart your computer and then you can delete Xerox and nwwia. I learned this on Annoyances.org.
MD
I found that the easiest thing is to boot Windows in safe mode and then delete the folders through command prompt… That’s just me though.
tedstyle
God bless you!
Thank you!
Yes!!
thank u!!!
it worked out great!!!
This folder and \Program Files\microsoft frontpage\version 3.0\bin both reappear, even if deleted in safe mode from command prompt. Is the situation similar for the frontpage folder (also completely empty with no other folders in it and no frontpage of any version installed on the PC) as it is with the xerox one?
Yes, surprising to say that works for microsoft frontpage\version 3.0\bin as well. Thanks and good luck.
Process Explorer can be found here: http://www.sysinternals.com/Utilities/ProcessExplorer.html
Go to the very bottom, and find your O/S.
Just follow tedstyle’s directions. very straight forward.
Thanks for setting my mind at ease!
I don’t like that it’s there, but so long as it is not actually spyware / a trojan / other malware I’m not going to bother getting rid of it.
I deleted it in safe mode but it just came back when I rebooted in normal mode. I swear when I removed it and surfed in safe mode my adware stopped; I assumed it had something to do with it…I guess not.
I did the following: Re-named the .dll files, I’ve used 12 Ghosts Shredder to then remove those after reboot. It still wouldn’t let me remove Xerox, or nwwia folders. I’ve just stopped the WIA snap in. Hope that works, and if not.. Maybe I have to turn off system restore??
try http://www.archive.freeola.com/m.p.w.general/nwwia.shtml
Is it dangerous if I leave it?
Quoting the article you just commented on “For what it’s worth, it benign. It’s on lots of systems, including my own.”
That means no, it’s not dangerous.
Well, Xerox is actually an update or some sort of security for MS Office. It will come with it so don’t worry, it is nothing bad.
(don’t email me) Can somebody tell me plain and simple if it’s a virus and if I SHOULD get rid of it? A friend of mine got freaked out when I said I had it and he said it was a hacking file and hasn’t spoken to me since
It is not. It is benign.
Here’s what you do:
I owe this solution to ‘twister’, who lives/posts here:
http://www.asendtechnologies.com/vb/showthread.php?t=6868
This will give you added power over your Xtremely Pesky operating system. I did the
following and have had NO problems
Do a find on ‘sfcfiles’. You need to do the advanced search option, and check ‘Search
system folders’, ‘Search hidden files’, and ‘Search sub folders’.
Results will be sfcfiles.dll, in one or more places. Change all their names (highlight
the file and hit F2) to sfcfilesold.dll.
XP may tell you that you are being very very BAD, so tell XP to go piss up a rope…lol……..
Restart, and voila, you can delete nwwia, xerox etc.
Ref. http://blogs.msdn.com/oldnewthing/archive/2004/11/16/258220.aspx
..you may find an empty C:\Program Files\Xerox directory. What’s that for?
This directory is being watched by Windows File Protection, because it needs to protect the file xrxflnch.exe should it ever show up. (Why does the directory have to exist in order for Windows File Protection to be able to watch it? I’m told it’s a limitation of the Windows File Protection engine. I suspect it may have something to do with the fact that the FindFirstChangeNotification function can’t watch a directory that doesn’t exist.)
Why is xrxflnch.exe so special? I don’t know. My guess is that it’s some file that is frequently overwritten by setup programs and therefore needs to be protected.
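The limitation described in the quoted post can be reproduced with .NET's FileSystemWatcher, which also refuses a directory that does not exist. This is an added example, not part of the quoted post or of Windows File Protection itself: the scratch path under $env:TEMP, the Test-CanWatch helper and the WfpDemo event name are constructed for the demo, and FileSystemWatcher is a stand-in for the WFP engine, whose internals the page does not describe.

```powershell
# Added illustration; works in a constructed scratch directory, not Program Files.
$root    = Join-Path $env:TEMP ("wfp-demo-" + [guid]::NewGuid().ToString("N"))
$watched = Join-Path $root "Xerox"
$target  = "xrxflnch.exe"   # file name taken from the quoted post

function Test-CanWatch([string]$Path) {
    # The FileSystemWatcher constructor throws when the directory is missing,
    # the same kind of limitation the post suspects in FindFirstChangeNotification.
    try {
        $w = New-Object System.IO.FileSystemWatcher $Path
        $w.Dispose()
        return $true
    } catch {
        return $false
    }
}

$beforeCreate = Test-CanWatch $watched    # directory does not exist yet
New-Item -ItemType Directory -Path $watched -Force | Out-Null
$afterCreate  = Test-CanWatch $watched    # empty placeholder directory exists

# With the empty directory in place, a watcher can see the protected name appear.
$watcher = New-Object System.IO.FileSystemWatcher $watched, $target
Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier WfpDemo | Out-Null
$watcher.EnableRaisingEvents = $true
Set-Content -Path (Join-Path $watched $target) `
    -Value "constructed placeholder, not a real binary"
$evt = Wait-Event -SourceIdentifier WfpDemo -Timeout 5

# Summary of what was observed.
New-Object PSObject -Property @{
    WatchableWhenMissing = $beforeCreate
    WatchableWhenEmpty   = $afterCreate
    SawFileAppear        = [bool]$evt
    EventPath            = $(if ($evt) { $evt.SourceEventArgs.FullPath })
}

# Clean up the event subscription and the scratch tree.
Unregister-Event -SourceIdentifier WfpDemo
Remove-Event -SourceIdentifier WfpDemo -ErrorAction SilentlyContinue
$watcher.Dispose()
Remove-Item -Recurse -Force $root
```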
hahaha…I’m bookmarking this site!! I haven’t laughed so much from reading a thread about a ‘wtf is this file/folder’ posting.
And yes, i was cleaning up my itsy bitsy master drive when I came upon and tried to delete that NWWIA folder….pffft, oh well, it can stay. I’ve had no troubles with it.
yes, it works ! change sfcfiles to sfcfilesold, reboot win and delete xerox and nwwia
Above advice about changing the name of sfcfiles did NOT help. XEROX map is still not deletable, it says it’s being used by something when I try to delete it. Any advice? As a matter of fact I can’t change any files from READ ONLY to editable.
Just saw that my sfcfiles got recreated automatically by windows after reboot, so now I have both those one and the ones with ‘OLD’ at the end. what what?
Folks, let me be really clear about something:
YOU DON’T NEED TO DELETE IT.
It’s benign. It’s not hurting anything. There’s simply no reason to waste a
bunch of time trying to delete it.
Obviously you *should* be able to delete it – the fact that it’s so difficult
is definitely a bug or problem of some sort. But it just doesn’t matter. Just
leave it there, ignore it, and get on with more important things in your life.
Leo
but, how do i delete it?
Sigh. Please read the comment immediately preceding yours.
In my opinion: you don’t.
I’m closing comments on this article since we just seem to be going around in
circles.
Thanks,
Leo
I did not find the discussion helpful. Due to this virus I am not able to listen to the songs on my PC.
this is not a virus. it is harmless. there is probably a different reason you can’t listen to music.
I gave you the legit answer to this question and you removed it from your site. I can fire up my old laptop and show you the date created for that folder, and i challenge you to find one prior to it. I made the folder and subfolder. Just trying to let people know it’s harmless.