Frequent changes to files in Microsoft.NET folder

  • Question

  • I am the change management officer at my company and our detection controls are seeing frequent additions and removals to files in C:\Windows\Microsoft.NET such as ngenrootstorelock.dat, ngennicupdatelock.dat, and ngennicupdatelock.dat (just three such examples). As stated above, the change activity has to do with these files being created and later deleted, sometimes multiple times throughout the day.

    Since it is frequent and there have been no negative security effects so far, I assume these are temporary and benign. However, I would like to obtain a better understanding of why this is happening. Ideally I would take this understanding and tune our tool accordingly to ignore these changes.

    Tuesday, January 27, 2015 3:37 PM

Answers

  • Update:

    I just updated to .NET v4.5.2 and see these files. So I quickly used handle.exe from the Sysinternals site to check, and here's the result:

    D:\>handle.exe -a ngennicupdatelock.dat
    
    Handle v3.51
    Copyright (C) 1997-2013 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    ngen.exe           pid: 2584   type: File           110: C:\Windows\Microsoft.NET\ngennicupdatelock.dat
    
    D:\>
    You can safely add an exception to ignore these files.
    • Marked as answer by FIM-Guy Wednesday, January 28, 2015 4:55 PM
    Wednesday, January 28, 2015 3:03 AM
    Answerer
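
A narrowly scoped version of the exception discussed in this thread, as an added example that is not part of the original posts: it suppresses only create/delete events for the two distinct lock-file names mentioned above, directly in C:\Windows\Microsoft.NET, and keeps everything else for review. The event fields (path, action, process) and the sample events are assumptions; map them to whatever your FIM tool exports.

```python
import ntpath

# Assumption: this event layout is hypothetical, not a real FIM tool's schema.
NGEN_DIR = r"C:\Windows\Microsoft.NET"
NGEN_LOCK_FILES = {"ngenrootstorelock.dat", "ngennicupdatelock.dat"}  # names from the thread
TRANSIENT_ACTIONS = {"create", "delete"}
EXPECTED_PROCESS = "ngen.exe"  # handle owner shown by handle.exe in the answer


def is_ngen_lock_noise(event):
    """True only for create/delete of a known lock file directly in NGEN_DIR."""
    path = ntpath.normpath(event["path"])  # collapses ..\ and mixed slashes
    folder, name = ntpath.split(path)
    # Windows paths are case-insensitive; compare the exact folder, not a prefix,
    # so a same-named file in a subfolder or elsewhere is still reported.
    if ntpath.normcase(folder) != ntpath.normcase(NGEN_DIR):
        return False
    if name.lower() not in NGEN_LOCK_FILES:
        return False
    if event["action"].lower() not in TRANSIENT_ACTIONS:
        return False
    # If the tool records the acting process, require it to be ngen.exe.
    proc = event.get("process")
    if proc is not None and ntpath.basename(proc).lower() != EXPECTED_PROCESS:
        return False
    return True


def triage(events):
    """Split events into (suppressed, kept_for_review)."""
    suppressed, kept = [], []
    for ev in events:
        (suppressed if is_ngen_lock_noise(ev) else kept).append(ev)
    return suppressed, kept


# Constructed sample events, not taken from a real system.
LOCK = r"C:\Windows\Microsoft.NET\ngennicupdatelock.dat"
SAMPLE_EVENTS = [
    {"path": LOCK, "action": "create", "process": "ngen.exe"},
    {"path": "c:/windows/microsoft.net/NGENROOTSTORELOCK.DAT", "action": "delete"},
    {"path": r"C:\Windows\Microsoft.NET\Framework\ngennicupdatelock.dat", "action": "create"},
    {"path": LOCK, "action": "modify", "process": "ngen.exe"},
    {"path": LOCK, "action": "create", "process": "powershell.exe"},
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS)[1]:
        print("REVIEW:", ev)
```

Matching on the exact folder and file names, rather than excluding the whole Microsoft.NET tree, keeps changes to the framework binaries under it visible to the tool.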

All replies

  • Although these names suggest NGEN, I can't find a matching string using the "findstr" command on the Microsoft.NET folder. If you find that they appear frequently, try disabling all the "Microsoft .NET Framework NGEN v*.*" services and see if they appear again. If you still see them, you should be cautious, as all NGEN-related activities should be stopped when these are disabled.

    Alternatively, when you see these files appear, you can fire up Process Explorer and use the "Find" -> "Find Handle or DLL..." function to attempt to find a handle with these filenames, and then find out which process owns them. (There should be no use in using a lock file without putting exclusive write access on it, so searching for an active handle while the file exists should work.)

    Wednesday, January 28, 2015 1:52 AM
    Answerer