What’s with this WMPUB directory?

September 25th, 2006 by mb

I was recently going through my Windows lockdown procedure, cleaning up unnecessary files, and noticed that every Windows 2003 Server I own has a wmpub directory in the root of my C drive. The only thing in the directory is an empty subdirectory named wmiislog.

Since I strongly believe that a clean system is conducive to security, and I especially hate clutter in my root dir, I tried deleting the folder, only to find that it was in use and could not be deleted. Annoyed with this empty directory I did some research to find out exactly what this was.

A quick search revealed that the directory belongs to the Multicast and Advertising Logging Agent. So if I used Windows Media Services, had IIS installed, and wanted to use multicast for logging, which is really only practical on an intranet, a dll file wmsiislog.dll would exist in this directory.

But how many media-streaming-IIS-using-multicast-logging people are there really out there? And why does everyone else need this directory?

It turns out the culprit is Windows File Protection (WFP). The dll file is protected by WFP, and because of the way WFP works, it needs that directory to exist even if the file does not exist on the system. The reason is that WFP calls FindFirstChangeNotification on each directory that contains a protected file, so the directory has to be there when WFP initializes; it doesn’t care whether the file itself is present. This is the same reason why you can’t get rid of the Outlook Express or Netmeeting directories.
It’s lame and I hate the extra clutter on my system. It’s especially lame that every Windows 2003 Server has a c:\wmpub directory even though only a tiny number of users actually use that feature. You can delete the directory in Safe Mode, but it comes right back after rebooting.

The only solution to this is to basically patch WFP to not watch for those particular files, which is hardly a great solution. WFP is somewhat helpful, but considering that there are hacks out there to bypass it, I question its usefulness. I certainly do question its implementation.

So what did I finally do? I did an attrib +s +r +h on it and a cacls c:\wmpub /t /d everyone, so now it’s just a black hole on my NTFS volume. And yes, unless I hide protected OS files, I can still see it.
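The two commands above, wrapped into a small cmd.exe script with the checks I would want after running them. This is an added example, not part of the original post; it assumes the C:\wmpub path from the post, an elevated command prompt on Windows Server 2003 (where cacls.exe is the stock ACL tool), and that the caller is in the Administrators group that owns the directory.

```batch
@echo off
rem Added example, not from the original post: hide and lock down the
rem WFP-mandated C:\wmpub directory, then verify the result.
rem Assumes the path from the post and an elevated cmd.exe on Server 2003.
setlocal
set "TARGET=C:\wmpub"

if not exist "%TARGET%\" (
    echo %TARGET% does not exist on this system; nothing to do.
    exit /b 1
)

rem 1. Mark the directory system + read-only + hidden so Explorer hides it
rem    unless "Hide protected operating system files" is switched off.
attrib +s +r +h "%TARGET%"

rem 2. Replace the DACL with a single Deny-Everyone ACE, applied recursively.
rem    Without /E, cacls REPLACES the existing ACL instead of editing it,
rem    and it prompts for confirmation; the piped "y" answers the prompt.
echo y| cacls "%TARGET%" /t /d everyone

rem 3. Verify. Attributes should read SHR; the ACL should show only
rem    "Everyone:(OI)(CI)N" (N = no access). Reading the ACL needs
rem    READ_CONTROL, which the owner keeps implicitly even though the
rem    Deny ACE now applies to every token, the caller's included.
echo.
echo --- attributes ---
attrib "%TARGET%"
echo --- ACL ---
cacls "%TARGET%"
echo --- still listed by dir /a (expected, per the post) ---
dir /a /b C:\ | findstr /i "^wmpub$"
endlocal
```

Two things worth knowing before running it: the Deny-Everyone ACE also covers the LocalSystem account, since its token carries the Everyone SID, so confirm after a reboot that WFP still behaves as the post describes; and because cacls without /E replaces the whole ACL, record the existing ACL first (plain `cacls C:\wmpub`) if you want to be able to restore it.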

Posted in Hardening, Windows File Protection
