Helping people with computers... one answer at a time.

\Program Files\XEROX\NWWIA appears to be a harmless "ghost" file, and there is no need to delete it.

What is '\Program Files\XEROX\NWWIA', and how do I get rid of it?

OK, this is one of the weirdest situations I've seen come up in a long time.

The short answer is that it does appear to be something related to "Windows Image Acquisition", which is a common component of Windows. Why it shows up empty, and why it remains protected by the operating system is as best we can tell, a mystery.

For what it's worth, it benign. It's on lots of systems, including my own.

Using SysInternals Process Explorer I was able to tell that the windows logon process has the directory open. But I was able to find no reference to it in the registry. And apparently when you do manage to delete it, the system file protection service dutifully restores it.

There's a long thread on the subject out at the Annoyances.org discussion forum titled Deleting Ghost/Empty Directories that has many theories and a couple of ways to delete it, if that's really important to you.

Article C2129 - July 17, 2004 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

47 Comments
Greg
September 30, 2004 9:37 PM

Talking to Microsoft about this xerox dir. they said it is only on oem versons of windows XP. If you reload with a retail verson this dir. is not listed... This was tested by myself and posted to Microsoft.

The nwwia is a xerox driver for a printer

flatliner
October 8, 2004 4:55 PM

This is an old problem that XP inherited from Windows NT. My computer came with an OEM install of XP Home, but I clean installed a retail version of XP Pro over it, so if only the OEM versions are supposed to have it, why does retail OS have it as well? Did SP2 stick 'em on???

WHY MSFT still has these stupid Xerox directories is beyond me.

Stevland
October 13, 2004 3:51 PM

Here this should explain the whole mystery:

http://support.microsoft.com/default.aspx?scid=kb;ja;418634

Or, maybe not!

:P

mak
November 18, 2004 3:04 PM

If I'm right! This has something to do with Microsofts self healing system32 folder.Nothing can be deleted from this directory, but things can be renamed....with a script. For example at the college I work for we didn't want students to be able to play solitare from a RIS image. So we created an image with out it. This script deletes a files from the sys32 folder and renames all the games to notepad.exe, and if you are wondering yes we can tell when a new student tries to play a game when he stupidly asks, why does solitare open notepad.

del C:\WINDOWS\system32\sol.exe
copy C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\sol.exe /y

del C:\WINDOWS\system32\spider.exe.exe
copy C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\spider.exe /y

del "C:\Program Files\Windows NT\Pinball\PINBALL.EXE"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\Windows NT\Pinball\PINBALL.EXE" /y

del %SystemRoot%\System32\winmine.exe
copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\winmine.exe /y

del "C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe" /y

del "C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe" /y

del "C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe" /y

del "C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe" /y

del "C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe"
copy C:\WINDOWS\system32\notepad.exe "C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe" /y

del %SystemRoot%\System32\mshearts.exe
copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\mshearts.exe /y

del %SystemRoot%\System32\freecell.exe
copy C:\WINDOWS\system32\notepad.exe %SystemRoot%\System32\freecell.exe /y

be very careful with this script because you can not reverse it, because notepad is the system editor for windows. I'll try to come up with a solution to rename this directory. And then we might be able to delete it.

Simple solution
November 26, 2004 9:33 PM

Here're the simple facts of the matter: this particular folder (and others) are protected by the Windows File Protection (WFP) which is a part of the System File Checker (created mainly to avoid unwanted/irreversible changes to critical system files and an inheritance from NT/2K).
You cannot remove this directory or any others protected by WFP without first disabling WFP (which of course will leave system files and directories -meant- to be protected, completely unprotected by the WFP and SFC)

How to disable Windows File Protection which allows you to delete the xerox\nwwia directory:
http://www.winguides.com/registry/display.php/790/

Jyles
March 17, 2005 11:08 PM

This can be deleted, and is one of the system processes that is keeping it open, try removing weird looking ones you dont trust. if u end process and it pops back up and it looks weird. just let it be,

or you can restart your computer and try 2 delete the file before you do anything else which is open other programs etc, that might correspond with the process.

Balmung
May 19, 2005 8:00 AM

Okay I have xerox as well, could someone just tell me if its a virus or anything!lol! P.S i checked out that website and it was in japanese (i think!) :-)

Leo
May 19, 2005 8:05 AM

It's benign. I just ignore it. Some people seemed to get really worked up about it, but really ... it's harmless.

sarah
May 31, 2005 3:42 PM

The Xerox folder is to do with the scanning software built into XP - it's licensed from Xerox. If you have plugged in a scanner, a webcam, or a digital camera at any time that's likely why it's popped up. It's not malicious, but it is part of the XP system files. Just ignore it.

db
June 20, 2005 1:06 PM

I removed the annoying directory (spyware). It uses a clone called winlogon and loads itself into the real windows winlogon. It is then undetectable by antivirus and anti spyware.
Step 1:
Restart windows is safemode without network
Search your windows and internet directories for these files and "delete". (Be sure to empty the recycle bin too and be sure to check for hidden and system files):
xrxwiadr.dll
xrxscnui.dll
xrxwbtmp.dll
and the two executables files
XrxFTPLt.exe
xrxflnch.exe
in addition locate a trojan called MSWebcheck_Monitor and delete these files too:
webcheck.dll
loadwc.exe
You may or may not find them. But you need to double check for them anyway.
Step 3:
Run Regedt32.exe or regedit.exe
Find the all files that begin with webche* and "delete" these keys
Step 4: Go to control panel and open the system icon and turn off "system restore" . By turning it off all the restore points will be deleted. These files need to be deleted because they have been infected as well. And for whatever reason windows seems to like to tap into these restored files.
Step 5: Restart your windows in normal mode and viola! and open your windows explorer. You should no longer and will "never" see the ghost directories again.
Step 6: Turn your restore back on and make a restore point for today.
The conclusion is that even though the xerox directories seem legit, if you don't have a xerox device attached, the directories are not needed. Good Luck, let me know how it goes...

db
June 20, 2005 1:09 PM

I forgot to add to step 3:
Search and delete from the registry and and all keys begining with xrx. The five files are also described in step 1.

duyulayktusakmi
July 20, 2005 8:19 AM

COULD YOU DECIDE IF IT IS VIRUS OR NOT!

Leo
July 20, 2005 8:29 AM

It is not.

That guy
October 16, 2005 1:33 PM

If it bothers you to look at it, make it a hidden file. Works for me. :)

weedo
October 24, 2005 3:12 AM

Thanks man! Ill be trying this, that xerox folder just WONT go lol. I re-installed windows with a total wipe of the drive to find after a couple of weeks it was back! Corse, i didnt re-install windows because of this, i had major system problems.

Dori
November 12, 2005 10:46 PM

My problem is that I have a great xerox printer. I have had it for a couple of years, before I got windows xp, and in order to upgrade it for use on windows xp you have to delete all xerox files. Well....haven't been able to do that in order to install it. I will have to try the tips given and see if I can delete it long enough to install what I need.

tedstyle
November 19, 2005 2:20 AM

download this program from systernals.com called process explorer. open it click on find and find handle. search for nwwia. it will be in the winlogon.exe. right click on C:\program files\xerox\nwwia and click close handle. you can now delete the xerox folder

Bobby Jackson
November 24, 2005 9:06 PM

Thanks tedstyle November 19, 2005 02:20 AM
It worked great.
I got rid of the mystery xerox/nwwia folders!

Can you be my personal IT assistant? jk :')

ReMISoNe
December 5, 2005 3:48 AM

Thanks a lot for the tip with the Process Explorer, no more xerox on my disk :) :)

md
December 20, 2005 8:16 AM

Just do an advanced search under system folders, hidden folders, and sub folders for "sfcfiles.dll". Then highlight each file, one at a time, and hit F2 and change the name to "sfcfilesold.dll". You will get a warning from windows that this is a necesary file but just ignore it. Restart your computer and then you can delete Xerox and nwwia. I learned this on Annoyances.org.

MD

chris
December 22, 2005 2:23 AM

I found that the easiest thing is to boot windows in safe mode and then delete the folders through command prompt... Thats just me though.

not important
February 16, 2006 7:18 AM

tedstyle

God bless you!

Thank you!

Jin
February 17, 2006 5:13 PM

Yes!!
thank u!!!
it worked out great!!!

ChrisC
February 20, 2006 10:13 AM

This folder and \Program Files\microsoft frontpage\version 3.0\bin both reappear, even if deleted in safe mode from command prompt. Is the situation similar for the frontpage folder (also completely empty with no other folders in it and no frontpage of any version installed on the PC) as it is with the xerox one?

Brandon
March 5, 2006 12:34 PM

Yes, surprising to say that works for microsoft frontpage\version 3.0\bin as well. Thanks and good luck.

Trying
March 7, 2006 2:52 PM

Process Explorer can be found here: http://www.sysinternals.com/Utilities/ProcessExplorer.html
Go to the very bottem, and find your O/S.

Just follow tedstyle's directions. very straight forward.

fiat lux
March 21, 2006 11:36 AM

Thanks for setting my mind at ease!

I don't like that it's there, but so long as it is not actually spyware / a trojan / other malware I'm not going to bother getting rid of it.

Dan
April 13, 2006 6:19 PM

I deleted it in safe mode but it just came back when I rebooted in normal mode. I swear when I removed it and surfed in safe mode my adware stopped; I assumed it had something to do with it...I guess not.

Nick
June 19, 2006 9:26 AM

I did the following: Re-named the .dll files, I've used 12 Ghosts Shredder to then remove those after reboot. It still wouldn't let me remove Xerox, or nwwia folders. I've just stopped the WIA snap in. Hope that works, and if not.. Maybe I have to turn off system restore??

Zhelyo
August 14, 2006 9:59 AM

Is it dangerous if I leave it?

Leo Notenboom
August 14, 2006 11:05 AM

Quoting the article you just commented on "For what it's worth, it benign. It's on lots of systems, including my own."

That means no, it's not dangerous.

Kartik
August 31, 2006 11:20 PM

Well Xerox is actually an update or some sort of secrutity for MS Office. It will come with it so dont worry it i snothing bad.

joe
October 27, 2006 1:53 PM

(dont email me) Can somenody tell me plain and simple if it's a virus and if i SHOULD get rid of it? A friend of mine got freaked out when i said i had it and he said it was a hacking file and hasn't spoke to me since

Leo Notenboom
October 27, 2006 6:45 PM

It is not. It is benign.

becool
November 2, 2006 4:35 AM

Here's what you do:

I owe this solution to 'twister', who lives/posts here:

http://www.asendtechnologies.com/vb/showthread.php?t=6868

This will give you added power over your Xtremely Pesky operating system. I did the
following and have had NO problems

Do a find on 'sfcfiles'. You need to do the advanced search option, and check 'Search
system folders', 'Search hidden files', and 'Search sub folders'.

Results will be sfcfiles.dll, in one or more places. Change all their names (highlight
the file and hit F2) to sfcfilesold.dll.

XP may tell you that you are being very very BAD, so tell XP to go piss up a rope...lol........

Restart, and voila, you can delete nwwia, xerox etc.

wguru
December 15, 2006 5:04 PM

Ref. http://blogs.msdn.com/oldnewthing/archive/2004/11/16/258220.aspx

..you may find an empty C:\Program Files\Xerox directory. What's that for?

This directory is being watched by Windows File Protection, because it needs to protect the file xrxflnch.exe should it ever show up. (Why does the directory have to exist in order for Windows File Protection to be able to watch it? I'm told it's a limitation of the Windows File Protection engine. I suspect it may have something to do with the fact that the FindFirstChangeNotification function can't watch a directory that doesn't exist.)

Why is xrxflnch.exe so special? I don't know. My guess is that it's some file that is frequently overwritten by setup programs and therefore needs to be protected.

MeganD
January 27, 2007 2:24 PM

hahaha...I'm bookmarking this site!! I haven't laughed so much from reading a thread about a 'wtf is this file/folder' posting.
And yes, i was cleaning up my itsy bitsy master drive when I came upon and tried to delete that NWWIA folder....pffft, oh well, it can stay. I've had no troubles with it.

kmilewe
May 15, 2007 8:45 AM

yes, it works ! change sfcfiles to sfcfilesold, reboot win and delete xerox and nwwia

chanss
May 18, 2007 3:16 AM

Above adivice about changing name of sfcfiles, did NOT help. XEROX map is still not deleteable, it says its being used by something when I try to delete it. Any advice? As a matter of act I cant change any files from READ ONLY to editable.

chanss
May 18, 2007 3:32 AM

Just saw that my sfcfiles got recreated automatically by windows after reboot, so now I have both those one and the ones with 'OLD' at the end. what what?

Leo A. Notenboom
May 18, 2007 11:04 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Folks, let me really clear about something:

YOU DON'T NEED TO DELETE IT.

It's benign. It's not hurting anything. There's simply no reason to waste a
bunch of time trying to delete it.

Obviously you *should* be able to delete it - the fact that it's so difficult
is definitely a bug or problem of some sort. But it just doesn't mater. Just
leave it there, ignore it, and get on with more important things in your life.

Leo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFGTerPCMEe9B/8oqERAkIGAJ9OUpFui6b7fMx7qR2yetS7454mowCfe3h0
s4QMGPvU4lx6MaE2jeobMzs=
=YPD2
-----END PGP SIGNATURE-----

John Edwards
June 4, 2007 11:36 PM

but, how do i delete it?

Leo A. Notenboom
June 5, 2007 9:16 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sigh. Please read the comment immediately preceding yours.

In my opinion: you don't.

I'm closing comments on this article since we just seem to be going around in
circles.

Thanks,

Leo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFGZYw+CMEe9B/8oqERAtV7AJ40Sk5fd6WvUbh8W3KIbtsecP5/HACfZNMa
lunxTYOtB4juFkIbaHYWHFQ=
=jShF
-----END PGP SIGNATURE-----

parag
February 4, 2010 9:26 PM

do not found the discussion helpful due to this virus i am not able to listn the songs on my pc

jonathan
March 30, 2010 6:53 PM

this is not a virus. it is harmless. there is probably a different reason you can't listen to music.

Folder
January 12, 2011 7:04 AM

I gave you the legit answer to this question and you removed it from your site. I can fire up my old laptop and show you the date created for that folder, and i challenge you to find one prior to it. I made the folder and subfolder. Just trying to let people know it's harmless.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.