

Sentinel
Premium
join:2001-02-07
Florida
kudos:1

What is $extend?

I just ran an anti-virus scan and saw this in my log...

* avast! Scan Report
* This file is generated automatically
*
* Scan name: Full system scan
* Started on: Monday, September 23, 2013 10:04:43 AM
* VPS: 130923-0, 09/23/2013
*

C:\$Extend\$RmMetadata\$TxfLog\$Tops [E] Access is denied (5)
C:\pagefile.sys [E] The process cannot access the file because it is being used by another process (32)
Infected files: 0
*

OK, so I have a few questions.

1. What is this file and is it dangerous?
2. Why can't I see the entire $extend folder? (I have settings set to show system files)
3. How come I have never seen this in my log before if it has always been there and is not dangerous?


ZZZZZZZ
Premium
join:2001-05-27
PARADISE
kudos:1
»msdn.microsoft.com/en-us/library···85).aspx

looks like a stream file.
--
Sarcasm is the body's natural defense against stupidity.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

reply to Sentinel
said by Sentinel:

2. Why can't I see the entire $extend folder? (I have settings set to show system files)

Because it's a special (meta) file in NTFS.
--
Don't feed trolls--it only makes them grow!


Sentinel
Premium
join:2001-02-07
Florida
kudos:1
Interesting. I never heard of these before. So there are a whole bunch of files that we can't see at all even though we change the setting to show all files including system files? Nice. So we have no way of seeing what is actually on our systems.

OK, so that (kinda) answers # 1 and 2, but what about #3? Why have I never seen this before in an anti-virus scan? Were they not there before or has the AV program changed and can now see them?


dib22

join:2002-01-27
Kansas City, MO
said by Sentinel:

Why have I never seen this before in an anti-virus scan?

Did you change from an admin user to a limited user recently?


norwegian
Premium
join:2005-02-15
Outback

1 edit
reply to Sentinel

said by Sentinel:

Were they not there before or has the AV program changed and can now see them?

Because quite often what the scanner does and what you see are 2 different things.
Considering streams in the past bypassed Avast protection, I'd say they have been scanning it for some time with no end user knowledge.

Maybe an engine and definitions update needs it to show more stream content for detection, troubleshooting or something else?

You would need to ask the makers of the why's and why not's of the program and its functions.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Sentinel
Premium
join:2001-02-07
Florida
kudos:1
reply to dib22
Nope. Same settings as always.
Does everyone else see these files? For those of you that use the same AV as me, do you see these log entries too? If so then I'll feel more comfortable.


lordpuffer
RIP lil
Premium
join:2004-09-19
Rio Rancho, NM
kudos:2
Reviews:
·CableOne

1 edit

1 recommendation

said by Sentinel:

Does everyone else see these files? For those of you that use the same AV as me, do you see these log entries too? If so then I'll feel more comfortable.

I just ran a full system scan on my Win 7 64 bit, Home Premium PC using avast! Pro Antivirus.

There were no results in the log indicating $Extend. Basically, it found nothing.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

reply to Sentinel
All file systems have files in which they store the data that the file system needs to be a file system: file-to-block maps, free space maps, dates and times, permissions, .... nothing to be alarmed about.

(If you like to tie your brain in knots, the list of files is a file that can be looked up in the list of files)

Generally speaking, NTFS does not expose the metadata files. But something seems to have happened recently; this is the second posting I've seen here about $Extend. New bug?

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to ZZZZZZZ
said by ZZZZZZZ:

looks like a stream file

It's a file called $Tops that is in a directory called $TxfLog which is in a directory called $RmMetadata which is in a directory called $Extend. No sign of any named stream.

It's evidently (by its name) something to do with transactional operations, probably transactional NTFS.
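
The two error lines from the scan report in the first post can be triaged mechanically. This is an added example, not part of any post in the thread: it parses `[E]` lines in the format shown there and separates NTFS metadata paths and locked files from errors that deserve a closer look. The metafile list beyond `$Extend`, the verdict labels and the third sample line are assumptions made for the illustration.

```python
import re

# Names NTFS reserves for its own metadata in the volume root. Only $Extend
# appears in the thread; the others are the standard NTFS metafile names.
NTFS_METAFILES = {"$mft", "$mftmirr", "$logfile", "$volume", "$attrdef",
                  "$bitmap", "$boot", "$badclus", "$secure", "$upcase",
                  "$extend"}

# Win32 error codes that appear in the report.
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 32: "ERROR_SHARING_VIOLATION"}

# "<path> [E] <message> (<code>)", the layout of the report's error lines.
ERROR_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \[E\] (?P<msg>.+) \((?P<code>\d+)\)$")


def triage(report: str) -> list:
    """Return one finding per [E] line; banner and counter lines are skipped."""
    findings = []
    for line in report.splitlines():
        m = ERROR_LINE.match(line.strip())
        if not m:
            continue
        path, code = m["path"], int(m["code"])
        parts = path.split("\\")            # ['C:', '$Extend', ...]
        top = parts[1].lower() if len(parts) > 1 else ""
        if top in NTFS_METAFILES and code == 5:
            verdict = "ntfs-metadata"       # file system's own bookkeeping
        elif code == 32:
            verdict = "locked-file"         # held open by another process
        else:
            verdict = "review"              # not explained by the rules above
        findings.append({"path": path,
                         "error": WIN32_ERRORS.get(code, str(code)),
                         "verdict": verdict})
    return findings


# First two lines are from the first post; the third is constructed.
SAMPLE = r"""
C:\$Extend\$RmMetadata\$TxfLog\$Tops [E] Access is denied (5)
C:\pagefile.sys [E] The process cannot access the file because it is being used by another process (32)
C:\Users\example\AppData\Roaming\sample.dat [E] Access is denied (5)
Infected files: 0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['verdict']:<14} {f['error']:<24} {f['path']}")
```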


Sentinel
Premium
join:2001-02-07
Florida
kudos:1
reply to dave
lordpuffer,
Interesting to me that your AV did not show the file listed as being denied. That either means that you don't have that file, or it is not access denied on your machine. Either way that is odd to me.

dave,
Good to hear that I am not the only one. That does make me feel better. I'm not worried about it yet. Just trying to understand it better. I get uneasy when I don't change anything and something changes. Something somewhere must have changed; either the way it sees things, reports things or allows things to be seen or something, I'm guessing.


norwegian
Premium
join:2005-02-15
Outback
reply to dave
said by dave:

...this is the second posting I've seen here about $Extend.

If I've kept up with topics, the other was about 7-Zip's low level access?
»[WIN7] What are these folders?

psloss
Premium
join:2002-02-24
Lebanon, KS
reply to dave
said by dave:

Generally speaking, NTFS does not expose the metadata files. But something seems to have happened recently; this is the second posting I've seen here about $Extend. New bug?

Given this thread started with a security software banner, it might be another little escalation in the arms race between the good guys and the bad guys. Some of the bad guys are definitely working with NTFS metadata (ZeroAccess is notorious), although they're often now going to need the interactive user to help them out with admin rights to do anything significant.


dib22

join:2002-01-27
Kansas City, MO
reply to Sentinel
Not what you want to hear, but the only machine I have avast on is running Windows 8, but no, I do not see $Extend in any summary or logs.


Sentinel
Premium
join:2001-02-07
Florida
kudos:1
reply to Sentinel
In case anyone else is curious about this I found a workaround here:
»social.msdn.microsoft.com/Forums···gramming

Basically it has to do with transactional NTFS (whatever that is). And you can't get rid of it but you can shrink it by resetting it. After which it is about 1 mb on my machine.

From that link:
quote:
You can work around this problem by resetting the RM (resource manager). This will blow away all the $Rm data and re-create everything from scratch, after which $Tops will be negligible.

1 --- Before resetting the RM make sure there are no transactions in progress, and if there are it's best to just wait for them to complete. To check type "fsutil resource info c:\". The output of the field 'Running Transactions' will show non-zero if there are transactions in progress.
2 --- To reset the RM type "fsutil resource setautoreset true" and then reboot.

I still don't know why I have it and others don't or how to even see it. The only time it shows itself is during anti-virus scans. Otherwise I don't even have a program that allows me to see that it is there.

Anyone know of a way to see if these files are there?


Exidor
Premium
join:2001-05-04
Brampton, ON
Re: Anyone know of a way to see if these files are there?

7-Zip File Manager?

»Re: [WIN7] What are these folders?