Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What is '\Program Files\XEROX\NWWIA', and how do I get rid of it?

What is ‘\Program Files\XEROX\NWWIA’, and how do I get rid of it?

OK, this is one of the weirdest situations I’ve seen come up in a
long time.

The short answer is that it does appear to be something related to “Windows
Image Acquisition”, which is a common component of Windows. Why it shows up
empty, and why it remains protected by the operating system is as best we can
tell, a mystery.

Become a Patron of Ask Leo! and go ad-free!

For what it’s worth, it benign. It’s on lots of systems, including my

Using SysInternals Process Explorer I was able to
tell that the windows logon process has the directory open. But I was able to
find no reference to it in the registry. And apparently when
you do manage to delete it, the system file protection service dutifully
restores it.

There’s a long thread on the subject out at the discussion
forum titled Deleting Ghost/Empty Directories that has
many theories and a couple of ways to delete it, if that’s really important to

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

47 comments on “What is '\Program Files\XEROX\NWWIA', and how do I get rid of it?”

  1. Talking to Microsoft about this xerox dir. they said it is only on oem versons of windows XP. If you reload with a retail verson this dir. is not listed… This was tested by myself and posted to Microsoft.

    The nwwia is a xerox driver for a printer

  2. This is an old problem that XP inherited from Windows NT. My computer came with an OEM install of XP Home, but I clean installed a retail version of XP Pro over it, so if only the OEM versions are supposed to have it, why does retail OS have it as well? Did SP2 stick ’em on???

    WHY MSFT still has these stupid Xerox directories is beyond me.

  3. If I’m right! This has something to do with Microsofts self healing system32 folder.Nothing can be deleted from this directory, but things can be renamed….with a script. For example at the college I work for we didn’t want students to be able to play solitare from a RIS image. So we created an image with out it. This script deletes a files from the sys32 folder and renames all the games to notepad.exe, and if you are wondering yes we can tell when a new student tries to play a game when he stupidly asks, why does solitare open notepad.

    del C:\WINDOWS\system32\sol.exe
    copy C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\sol.exe /y

    del C:\WINDOWS\system32\spider.exe.exe
    copy C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\spider.exe /y

    del “C:\Program Files\Windows NT\Pinball\PINBALL.EXE”
    copy C:\WINDOWS\system32\notepad.exe “C:\Program Files\Windows NT\Pinball\PINBALL.EXE” /y

    del %SystemRoot%\System32\winmine.exe
    copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\winmine.exe /y

    del “C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe”
    copy C:\WINDOWS\system32\notepad.exe “C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe” /y

    del “C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe”
    copy C:\WINDOWS\system32\notepad.exe “C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe” /y

    del “C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe”
    copy C:\WINDOWS\system32\notepad.exe “C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe” /y

    del “C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe”
    copy C:\WINDOWS\system32\notepad.exe “C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe” /y

    del “C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe”
    copy C:\WINDOWS\system32\notepad.exe “C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe” /y

    del %SystemRoot%\System32\mshearts.exe
    copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\mshearts.exe /y

    del %SystemRoot%\System32\freecell.exe
    copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\freecell.exe /y

    be very careful with this script because you can not reverse it, because notepad is the system editor for windows. I’ll try to come up with a solution to rename this directory. And then we might be able to delete it.

  4. Here’re the simple facts of the matter: this particular folder (and others) are protected by the Windows File Protection (WFP) which is a part of the System File Checker (created mainly to avoid unwanted/irreversible changes to critical system files and an inheritance from NT/2K).
    You cannot remove this directory or any others protected by WFP without first disabling WFP (which of course will leave system files and directories -meant- to be protected, completely unprotected by the WFP and SFC)

    How to disable Windows File Protection which allows you to delete the xerox\nwwia directory:

  5. This can be deleted, and is one of the system processes that is keeping it open, try removing weird looking ones you dont trust. if u end process and it pops back up and it looks weird. just let it be,

    or you can restart your computer and try 2 delete the file before you do anything else which is open other programs etc, that might correspond with the process.

  6. Okay I have xerox as well, could someone just tell me if its a virus or anything!lol! P.S i checked out that website and it was in japanese (i think!) :-)

  7. The Xerox folder is to do with the scanning software built into XP – it’s licensed from Xerox. If you have plugged in a scanner, a webcam, or a digital camera at any time that’s likely why it’s popped up. It’s not malicious, but it is part of the XP system files. Just ignore it.

  8. I removed the annoying directory (spyware). It uses a clone called winlogon and loads itself into the real windows winlogon. It is then undetectable by antivirus and anti spyware.
    Step 1:
    Restart windows is safemode without network
    Search your windows and internet directories for these files and “delete”. (Be sure to empty the recycle bin too and be sure to check for hidden and system files):
    and the two executables files
    in addition locate a trojan called MSWebcheck_Monitor and delete these files too:
    You may or may not find them. But you need to double check for them anyway.
    Step 3:
    Run Regedt32.exe or regedit.exe
    Find the all files that begin with webche* and “delete” these keys
    Step 4: Go to control panel and open the system icon and turn off “system restore” . By turning it off all the restore points will be deleted. These files need to be deleted because they have been infected as well. And for whatever reason windows seems to like to tap into these restored files.
    Step 5: Restart your windows in normal mode and viola! and open your windows explorer. You should no longer and will “never” see the ghost directories again.
    Step 6: Turn your restore back on and make a restore point for today.
    The conclusion is that even though the xerox directories seem legit, if you don’t have a xerox device attached, the directories are not needed. Good Luck, let me know how it goes…

  9. I forgot to add to step 3:
    Search and delete from the registry and and all keys begining with xrx. The five files are also described in step 1.

  10. Thanks man! Ill be trying this, that xerox folder just WONT go lol. I re-installed windows with a total wipe of the drive to find after a couple of weeks it was back! Corse, i didnt re-install windows because of this, i had major system problems.

  11. My problem is that I have a great xerox printer. I have had it for a couple of years, before I got windows xp, and in order to upgrade it for use on windows xp you have to delete all xerox files. Well….haven’t been able to do that in order to install it. I will have to try the tips given and see if I can delete it long enough to install what I need.

  12. download this program from called process explorer. open it click on find and find handle. search for nwwia. it will be in the winlogon.exe. right click on C:\program files\xerox\nwwia and click close handle. you can now delete the xerox folder

  13. Thanks tedstyle November 19, 2005 02:20 AM
    It worked great.
    I got rid of the mystery xerox/nwwia folders!

    Can you be my personal IT assistant? jk :’)

  14. Just do an advanced search under system folders, hidden folders, and sub folders for “sfcfiles.dll”. Then highlight each file, one at a time, and hit F2 and change the name to “sfcfilesold.dll”. You will get a warning from windows that this is a necesary file but just ignore it. Restart your computer and then you can delete Xerox and nwwia. I learned this on


  15. This folder and \Program Files\microsoft frontpage\version 3.0\bin both reappear, even if deleted in safe mode from command prompt. Is the situation similar for the frontpage folder (also completely empty with no other folders in it and no frontpage of any version installed on the PC) as it is with the xerox one?

  16. Thanks for setting my mind at ease!

    I don’t like that it’s there, but so long as it is not actually spyware / a trojan / other malware I’m not going to bother getting rid of it.

  17. I deleted it in safe mode but it just came back when I rebooted in normal mode. I swear when I removed it and surfed in safe mode my adware stopped; I assumed it had something to do with it…I guess not.

  18. I did the following: Re-named the .dll files, I’ve used 12 Ghosts Shredder to then remove those after reboot. It still wouldn’t let me remove Xerox, or nwwia folders. I’ve just stopped the WIA snap in. Hope that works, and if not.. Maybe I have to turn off system restore??

  19. Quoting the article you just commented on “For what it’s worth, it benign. It’s on lots of systems, including my own.”

    That means no, it’s not dangerous.

  20. Well Xerox is actually an update or some sort of secrutity for MS Office. It will come with it so dont worry it i snothing bad.

  21. (dont email me) Can somenody tell me plain and simple if it’s a virus and if i SHOULD get rid of it? A friend of mine got freaked out when i said i had it and he said it was a hacking file and hasn’t spoke to me since

  22. Here’s what you do:

    I owe this solution to ‘twister’, who lives/posts here:

    This will give you added power over your Xtremely Pesky operating system. I did the
    following and have had NO problems

    Do a find on ‘sfcfiles’. You need to do the advanced search option, and check ‘Search
    system folders’, ‘Search hidden files’, and ‘Search sub folders’.

    Results will be sfcfiles.dll, in one or more places. Change all their names (highlight
    the file and hit F2) to sfcfilesold.dll.

    XP may tell you that you are being very very BAD, so tell XP to go piss up a rope…lol……..

    Restart, and voila, you can delete nwwia, xerox etc.

  23. Ref. may find an empty C:\Program Files\Xerox directory. What’s that for?

    This directory is being watched by Windows File Protection, because it needs to protect the file xrxflnch.exe should it ever show up. (Why does the directory have to exist in order for Windows File Protection to be able to watch it? I’m told it’s a limitation of the Windows File Protection engine. I suspect it may have something to do with the fact that the FindFirstChangeNotification function can’t watch a directory that doesn’t exist.)

    Why is xrxflnch.exe so special? I don’t know. My guess is that it’s some file that is frequently overwritten by setup programs and therefore needs to be protected.

  24. hahaha…I’m bookmarking this site!! I haven’t laughed so much from reading a thread about a ‘wtf is this file/folder’ posting.
    And yes, i was cleaning up my itsy bitsy master drive when I came upon and tried to delete that NWWIA folder….pffft, oh well, it can stay. I’ve had no troubles with it.

  25. Above adivice about changing name of sfcfiles, did NOT help. XEROX map is still not deleteable, it says its being used by something when I try to delete it. Any advice? As a matter of act I cant change any files from READ ONLY to editable.

  26. Just saw that my sfcfiles got recreated automatically by windows after reboot, so now I have both those one and the ones with ‘OLD’ at the end. what what?

    Hash: SHA1

    Folks, let me really clear about something:


    It’s benign. It’s not hurting anything. There’s simply no reason to waste a
    bunch of time trying to delete it.

    Obviously you *should* be able to delete it – the fact that it’s so difficult
    is definitely a bug or problem of some sort. But it just doesn’t mater. Just
    leave it there, ignore it, and get on with more important things in your life.

    Version: GnuPG v1.4.6 (MingW32)


    Hash: SHA1

    Sigh. Please read the comment immediately preceding yours.

    In my opinion: you don’t.

    I’m closing comments on this article since we just seem to be going around in



    Version: GnuPG v1.4.6 (MingW32)


  29. I gave you the legit answer to this question and you removed it from your site. I can fire up my old laptop and show you the date created for that folder, and i challenge you to find one prior to it. I made the folder and subfolder. Just trying to let people know it’s harmless.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.