2014-04-05
Cross-posted from http://answers.microsoft.com/en-us/windows/forum/windows8_1-security/erniesitelist-and-ernieuserlist/00407bd2-e349-423c-a8e5-cb6127840ea5
Original Post dated April 21, 2014
EmieSiteList and EmieUserList
Microsoft Security - Privacy Concerns
I found two unknown directories on my PC in my user profile. I have, so far, been unable to identify what put them there, which process owns them, and when I delete them (using Admin escalated privileges) they come back after a few minutes or immediately after reboot.
c:\users\USERNAME\appdata\local\EmieSitelist\container.dat
c:\users\USERNAME\appdata\local\EmieUserlist\container.dat
C:\Users\USERNAME\AppData\LocalLow\EmieSiteList\container.dat
C:\Users\USERNAME\AppData\LocalLow\EmieUserlist\container.dat
It was time, anyway, so I wiped the drive using factory low-level overwriting and performed a clean install of Windows 8.1 Pro using a freshly downloaded ISO from Microsoft; one with an ESD distribution, written to a new just out-of-the-bedamned-hardshell-plastic flashdrive.
I just completed the clean install, in this sequence:
Boot to flashdrive and let Windows create partitions then install. Reboot. Check AppData; no folders found.
Activate. Check AppData; no folders found.
Run first Update; install everything except Bing Bar and Desktop. Check AppData; no folders found. Reboot. Check AppData; no folders found.
Add Feature Windows Media Center. Check AppData; no folders found. Reboot. Check AppData; no folders found.
Run Updates a second time. Check AppData; no folders found. Reboot. Check AppData; no folders found.
Remove MS C++ v12 x86 and x64 installed during Update. Check AppData; no folders found. Reboot. Check AppData; no folders found.
Download from MSDN (http://msdn.microsoft.com/en-us/vstudio/default) Redistributables MS C++ x86 and x64, 2005, 2008, 2010, and 2012.4 versions, and install in sequence. Check AppData after each install; no folders found. Reboot after each install and check AppData; no folders found.
Run Updates a third time. Response was No Updates Available. Check AppData; no folders found.
Reboot. Check AppData; all four sub-directories are now present.
These sub-directories and dat-files are not, so far, present in the AppData\Roaming directory.
There is nothing except Microsoft Windows 8.1 Pro WMC and the 10 MS C++ packages installed; and MS Silverlight and AMD (videocard) Catalyst Control Center on the machine. Windows Defender is present but is installed as part of Windows 8 and 8.1; and its updates are provided via the MS Update process. All - repeat ALL of these items are provided by Microsoft.
My questions are: What are the Emie directories for; what program created them, and what do the various container.dat files "contain"? And . . . if not absolutely necessary, How do I get rid of them and keep them from coming back?
First attempt at Solution:
Permissions are Full for System, USERNAME, and group Administrators. The USERNAME is the Owner, and Effective Permissions for each of the 3 is Full.
Open Command Prompt (Admin)
C:\Windows\system32>cd\
C:\>attrib -r -h +s C:\Users\USERNAME\AppData\Local\EmieSiteList\container.dat
C:\>attrib -r -h +s C:\Users\USERNAME\AppData\Local\EmieSiteList
C:\>attrib -r -h +s C:\Users\USERNAME\AppData\Local\EmieUserList
C:\>attrib -r -h +s C:\Users\USERNAME\AppData\Local\EmieUserList\container.dat
C:\>attrib -r -h +s C:\Users\USERNAME\AppData\LocalLow\EmieUserList\container.dat
C:\>attrib -r -h +s C:\Users\USERNAME\AppData\LocalLow\EmieUserList
C:\>attrib -r -h +s C:\Users\USERNAME\AppData\LocalLow\EmieSiteList
C:\>attrib -r -h +s C:\Users\USERNAME\AppData\LocalLow\EmieSiteList\container.dat
C:\>
BOTH Files and Directories are no longer Hidden. The Directories still show that the files within are READ-Only, but checking the actual file shows that it is no longer R-O.
I then deleted each of the 4 directories and closed Windows (File) Explorer.
After less than 3 minutes reading pages on the internet (at Microsoft's Ask Windows Community), I opened Windows Explorer to check and found that the sub-directories had re-created themselves in both the Local and LocalLow directories.
The container.dat files were back in the Local sub-dir and after another few minutes, also back in the LocalLow sub-dir.
Both the sub-directories and the container.dat files are once again Super-Hidden.
Analysis using Windows utilities and SysInternals and NirSoft tools has not identified which object or process or service owns these objects.
ADDED: My system is a home system, not connected to any work domain via VPN or otherwise. WHY is the Windows Update Team not spending time to implement condition-and-error-checking to ensure that unneeded updates, services, and changes are not made without the system owner/operator's permission? Further, WHY is this particular issue so hard to find info about; what is being kept from customers and why?
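The repeated "Check AppData" step in the post can be scripted. The following is an added example, not part of the original post: it reports whether each of the four Emie directories and its container.dat exists, with attributes and timestamps, then lists updates installed on or just before the earliest creation date. It assumes PowerShell 3.0 or later run as the affected user; the variable names are illustrative.

```powershell
# Added example (not from the original post). Run as the affected user.
$roots = @($env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'AppData\LocalLow'))
$names = @('EmieSiteList', 'EmieUserList')

$found = foreach ($root in $roots) {
    foreach ($name in $names) {
        $dir = Join-Path $root $name
        if (Test-Path -LiteralPath $dir) {
            # -Force is needed because the post reports hidden + system attributes.
            $items = @(Get-Item -LiteralPath $dir -Force)
            $dat = Join-Path $dir 'container.dat'
            if (Test-Path -LiteralPath $dat) {
                $items += Get-Item -LiteralPath $dat -Force
            }
            $items | Select-Object FullName, Attributes, CreationTime, LastWriteTime
        } else {
            # Record absence explicitly so each check leaves a complete record.
            [pscustomobject]@{
                FullName      = $dir
                Attributes    = 'absent'
                CreationTime  = $null
                LastWriteTime = $null
            }
        }
    }
}
$found | Format-Table -AutoSize

# List updates installed on the day the first item appeared or the day before.
# This narrows down what to look at; it does not prove which component made them.
$earliest = $found | Where-Object { $_.CreationTime } |
    Sort-Object CreationTime | Select-Object -First 1
if ($earliest) {
    $day = $earliest.CreationTime.Date
    Get-HotFix |
        Where-Object { $_.InstalledOn -and
                       $_.InstalledOn.Date -ge $day.AddDays(-1) -and
                       $_.InstalledOn.Date -le $day } |
        Sort-Object InstalledOn |
        Format-Table HotFixID, Description, InstalledOn -AutoSize
}
```

Running it after each install or reboot step, and saving the output, gives a timestamped record of exactly when the directories first appear.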