Ask Leo! by Leo A. Notenboom

What is '\Program Files\XEROX\NWWIA', and how do I get rid of it?


Comments


Talking to Microsoft about this Xerox dir., they said it is only on OEM versions of Windows XP. If you reload with a retail version this dir. is not listed... This was tested by myself and posted to Microsoft.

The nwwia is a Xerox driver for a printer.

Posted by: Greg at September 30, 2004 9:37 PM

This is an old problem that XP inherited from Windows NT. My computer came with an OEM install of XP Home, but I clean installed a retail version of XP Pro over it, so if only the OEM versions are supposed to have it, why does retail OS have it as well? Did SP2 stick 'em on???

WHY MSFT still has these stupid Xerox directories is beyond me.

Posted by: flatliner at October 8, 2004 4:55 PM

Here, this should explain the whole mystery:

http://support.microsoft.com/default.aspx?scid=kb;ja;418634

Or, maybe not!

:P

Posted by: Stevland at October 13, 2004 3:51 PM

If I'm right! This has something to do with Microsoft's self-healing system32 folder. Nothing can be deleted from this directory, but things can be renamed... with a script. For example, at the college I work for we didn't want students to be able to play solitaire from a RIS image. So we created an image without it. This script deletes files from the sys32 folder and renames all the games to notepad.exe, and if you are wondering, yes, we can tell when a new student tries to play a game when he stupidly asks why solitaire opens Notepad.

del C:\WINDOWS\system32\sol.exe
copy C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\sol.exe /y

del C:\WINDOWS\system32\spider.exe
copy C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\spider.exe /y

del "C:\Program Files\Windows NT\Pinball\PINBALL.EXE"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\Windows NT\Pinball\PINBALL.EXE" /y

del %SystemRoot%\System32\winmine.exe
copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\winmine.exe /y

del "C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe" /y

del "C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe" /y

del "C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe" /y

del "C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe" /y

del "C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe" /y

del %SystemRoot%\System32\mshearts.exe
copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\mshearts.exe /y

del %SystemRoot%\System32\freecell.exe
copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\freecell.exe /y

Be very careful with this script because you cannot reverse it, because Notepad is the system editor for Windows. I'll try to come up with a solution to rename this directory. And then we might be able to delete it.

Posted by: mak at November 18, 2004 3:04 PM
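
An added example, not part of the comment above or of the site's own material: one way to audit a machine or image for executables that have been overwritten with a copy of another binary, as the script does with notepad.exe. The function names and the sample tree are assumptions built for illustration; the file contents are placeholders.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def find_replaced(reference, roots):
    """Return sorted paths of .exe files byte-identical to `reference` under another name."""
    ref_real = os.path.realpath(reference)
    ref_size = os.path.getsize(reference)
    ref_hash = sha256_of(reference)
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if not name.lower().endswith(".exe") or os.path.realpath(path) == ref_real:
                    continue
                try:
                    # Cheap size check first; hash only plausible matches.
                    if os.path.getsize(path) == ref_size and sha256_of(path) == ref_hash:
                        hits.append(path)
                except OSError:
                    continue  # locked or unreadable file: skip it
    return sorted(hits)

def demo():
    """Constructed sample tree standing in for system32; file contents are placeholders."""
    sys32 = os.path.join(tempfile.mkdtemp(), "system32")
    os.makedirs(sys32)
    samples = {"notepad.exe": b"NOTEPAD-BYTES", "sol.exe": b"NOTEPAD-BYTES",
               "winmine.exe": b"NOTEPAD-BYTES", "calc.exe": b"CALC-BYTES-XX"}
    for name, data in samples.items():
        with open(os.path.join(sys32, name), "wb") as fh:
            fh.write(data)
    hits = find_replaced(os.path.join(sys32, "notepad.exe"), [sys32])
    return [os.path.basename(p) for p in hits]

if __name__ == "__main__":
    print(demo())
```

On a real system, call find_replaced with the path to the genuine notepad.exe and the directories to scan; every path it returns is a file that would need restoring from the original install media.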

Here're the simple facts of the matter: this particular folder (and others) are protected by the Windows File Protection (WFP) which is a part of the System File Checker (created mainly to avoid unwanted/irreversible changes to critical system files and an inheritance from NT/2K).
You cannot remove this directory or any others protected by WFP without first disabling WFP (which of course will leave system files and directories -meant- to be protected, completely unprotected by the WFP and SFC).

How to disable Windows File Protection which allows you to delete the xerox\nwwia directory:
http://www.winguides.com/registry/display.php/790/

Posted by: Simple solution at November 26, 2004 9:33 PM

This can be deleted, and is one of the system processes that is keeping it open. Try removing weird-looking ones you don't trust. If you end a process and it pops back up and it looks weird, just let it be,

or you can restart your computer and try to delete the file before you do anything else, which is open other programs etc., that might correspond with the process.

Posted by: Jyles at March 17, 2005 11:08 PM

Okay, I have Xerox as well, could someone just tell me if it's a virus or anything! lol! P.S. I checked out that website and it was in Japanese (I think!) :-)

Posted by: Balmung at May 19, 2005 8:00 AM

It's benign. I just ignore it. Some people seemed to get really worked up about it, but really ... it's harmless.

Posted by: Leo at May 19, 2005 8:05 AM

The Xerox folder is to do with the scanning software built into XP - it's licensed from Xerox. If you have plugged in a scanner, a webcam, or a digital camera at any time that's likely why it's popped up. It's not malicious, but it is part of the XP system files. Just ignore it.

Posted by: sarah at May 31, 2005 3:42 PM

I removed the annoying directory (spyware). It uses a clone called winlogon and loads itself into the real Windows winlogon. It is then undetectable by antivirus and anti-spyware.
Step 1:
Restart Windows in safe mode without network.
Search your Windows and Internet directories for these files and "delete". (Be sure to empty the recycle bin too and be sure to check for hidden and system files):
xrxwiadr.dll
xrxscnui.dll
xrxwbtmp.dll
and the two executable files
XrxFTPLt.exe
xrxflnch.exe
In addition, locate a trojan called MSWebcheck_Monitor and delete these files too:
webcheck.dll
loadwc.exe
You may or may not find them. But you need to double check for them anyway.
Step 3:
Run Regedt32.exe or regedit.exe
Find all the files that begin with webche* and "delete" these keys.
Step 4: Go to Control Panel and open the System icon and turn off "system restore". By turning it off all the restore points will be deleted. These files need to be deleted because they have been infected as well. And for whatever reason Windows seems to like to tap into these restored files.
Step 5: Restart your Windows in normal mode and voilà! and open your Windows Explorer. You should no longer and will "never" see the ghost directories again.
Step 6: Turn your restore back on and make a restore point for today.
The conclusion is that even though the Xerox directories seem legit, if you don't have a Xerox device attached, the directories are not needed. Good luck, let me know how it goes...

Posted by: db at June 20, 2005 1:06 PM