Welcome to WebmasterWorld Guest from

Forum Moderators: bill

Message Too Old, No Replies

In W2K, what is the "%system_dir%\Data" directory for?

50,000 files and growing!



8:46 pm on Jul 25, 2005 (gmt 0)

10+ Year Member

I'm starting to experience a space-crunch on my C drive, so I've gone hunting for fluff to delete.

In Windows 2000, there is a directory (in my case) located at "C:\WindowsNT\system32\Data". This dir has 46 files whose filenames start "CT", usually followed by a letter, 4 numbers, another letter and the extension ".DAT". The timestamps on the files are all from 2002, indicating to me that they are MS-installed system files, since my last re-install was in 2003. I accept these files as being both innocuous & necessary.

It's the other 50,000+ files, sucking up just shy of 3GB, that I'm really curious about...

Half of these files have a timestamp as their filename, with no extension, and (probably) average about 100KB in size. The other half have "thumb_" prepended to the filename, and (probably) average about 20KB. Example filenames are "2005-01-01_12-00-27" and "thumb_2005-01-01_12-00-27".

Like clockwork, these files have been generated every 5 minutes for almost the last year. (The only gaps I noticed were when I know the machine was off - like when I've been away on vacation.)

Searching has proven fruitless, thusfar. So, any idea what's creating these files? Why? What are they?

Given the age of the files, I can probably delete most all of them, but can you say that with certainty?

Enlightenment is greatly appreciated!


3:49 am on Jul 26, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Sounds very much like key-recorder screen-capture spyware generated date/time file names, default 5-min generation, with thumbnail versions.

"[windows]/system32/data" is a standard storage location.

Try adding image extensions and see if files are viewable. If so you may have a big cleaning and re-secure job ahead.

Unless you just forgot you installed such a utility.


11:28 am on Jul 26, 2005 (gmt 0)

10+ Year Member

If you haven't done so already you could try downloading Microsoft's free AntiSpyWare tool.


6:42 pm on Jul 26, 2005 (gmt 0)

10+ Year Member

Egad! How embarrassing!

> Try adding image extensions and see if files are viewable.

iamlost, you're right on the money - they're screen-captured JPEGs. (And it's been a bit of a "blast from the past" checking them out.)

You obviously have some knowledge on the subject; are you aware of how the images are created? The security products I use (and rather not publicly disclose, given the circumstances) currently give me a clean bill of health, and it turns out the last screen capture was a couple of months ago. I don't recall any reports of suspicious executables (registry changes & cookies are the usual complaint), so I'm curious; are there components of Windows itself that are capable of generating screen captures?

steve, thanks for the suggestion. I've shied away from Microsoft's offering, since I'm not cool with the "threat" that they may charge for future spyware definitions for their product. There's something about (possibly having to pay) paying the company that's (arguably) ultimately responsible for the trouble to fix it that doesn't sit right with me.

Thanks for the help, folks! :)


12:00 am on Jul 27, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

are there components of Windows itself that are capable of generating screen captures?

There's a "Print Screen" key remember? Basic hacking/cracking 101.

There are three possibilities:
* One: someone with access to your computer/network installed an actual monitoring program. There are lots of them. Do a search for spyware screen capture, child web monitor, employee computer monitor, etc.

Problem 1: these are genuine programs installed by some user.
Problem 2: some are recognised as "spyware" many are not.
Problem 3: many have options such as hide from system and encrypt or an innocuous name to hide them from child, employee, etc.
Problem 4: if you are on a network some can run remotely.

* Two: someone installed a trojan logger/screen capture program. Again there are lots of them. Do a search for trojan logger screen capture or similar.

* Three: it's all a bad dream. Wake up. It never happened.

A good antivirus/antispyware regime should find and eliminate most illegal installs and some "legal" ones; but not most "user approved" actions. Unless you have such AV programs on auto you should know if such a creature has ever been found. If on auto check back through their logs.

Your mention of long time screen capture with an end date a couple of months ago makes me suspicious of a user installed/stopped/removed application.

The concern is that your passwords and any private info (personal id data, CC number, bank acct access, love letters, etc.) are probably compromised. Of course if its just web design templates check out competitors!

There is no "easy" fix. If future computer data confidentiality is paramount I would backup data files, reformat, re-install applications from original disks, and re-install data files individually after verifying each.

I would also change all passwords, etc. that were ever used over that computer. And monitor for id theft, credit abuse, etc.

It's too hot to be at the keyboard anyway ... get some bottles of beverage, some sunscreen, a friend, and go enjoy the summer.


Featured Threads

Hot Threads This Week

Hot Threads This Month