2

I know this may be a tricky question, but on my Windows 11 machine some folders are being created every time I boot the system. I delete them and they get created again, and all of them are empty.

I disabled all startup programs but the folders still get created.

Is there any way/tool to know how/who/what created a folder?

As a last resort I will disable all services one by one and reboot, but this will take forever and may not even help.

Also, my antivirus does not report any virus/malware.

Any ideas?

0

2 Answers

2

To trace which process is creating these folders, you could use the free Process Monitor.

You will need to use the Boot Time Logging option of Process Monitor, delete these folders, boot, then search within the log for one of the newly-created folders. This will identify the process that created it.

Be warned that Boot Time Logging slows down the boot process very noticeably, so ensure it is not still turned on for your next boot.

Reference: How To Enable System Boot Time Logging using Process Monitor Tool.

6
  • Very promising. I will test it!
    – S Nash
    Commented Aug 4, 2022 at 20:00
  • Cannot see "Enable Boot Logging" under the Options menu. I'm using v16.43. Hopefully this is not removed.
    – S Nash
    Commented Aug 4, 2022 at 20:11
  • What version are you using?
    – S Nash
    Commented Aug 4, 2022 at 20:12
  • I downloaded version 16 but still do not see that option.
    – S Nash
    Commented Aug 4, 2022 at 20:20
  • OK, you are referring to Process Monitor, not Process Explorer. Clearly a typo. Please edit/correct your answer and I will accept it. Thanks for letting me know about these wonderful tools!
    – S Nash
    Commented Aug 4, 2022 at 20:25
4

By default, whoever creates the item (file, folder, etc.) becomes the owner. You can check the owner by:

  1. Right-click the folder and click Properties. Under the Security tab, click Advanced and the owner will be displayed here, near the top. The General tab will also show the creation date (but this can be changed, so it is not useful in the case of something malicious).

  2. Open a PowerShell terminal and type the following command, substituting your folder for the <FolderPath>: Get-ACL <FolderPath> | Select-Object Owner

As for the folders themselves, there are many legitimate processes which cause random folders to be created. Hidden folders in the root of the C: drive, for example, are created by the Windows Update process ($Windows.~WS or similar) as well as installers for a lot of standard software (NVidia, Intel, to name a couple).

2
  • The owner is likely 'System', 'Trusted_installer' or something else... That doesn't narrow it down much, I'm afraid.
    – MiG
    Commented Aug 5, 2022 at 0:59
  • 1
    Perfect, it shows the logged in user on our network drive, many thanks!
    – MS Berends
    Commented Oct 27, 2023 at 11:56
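
The owner check from the second answer, applied to the question's scenario (empty folders reappearing at boot), as an added example that is not part of either answer. `$Root` is an assumed location to be replaced with the directory where the folders show up, and `$Since` defaults to the last boot time reported by `Win32_OperatingSystem`.

```powershell
# Added example: list folders created since the last boot, with owner and emptiness.
# $Root is an assumption; set it to the directory where the stray folders appear.
$Root  = 'C:\'
# Cut-off time; defaults to the last boot time reported by CIM. Override if needed.
$Since = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    ForEach-Object {
        $dir = $_

        # Empty means no child items at all, hidden and system items included.
        $firstChild = Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue |
                      Select-Object -First 1

        # Get-Acl can fail on protected folders; record the failure instead of stopping.
        try   { $owner = (Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop).Owner }
        catch { $owner = "<unreadable: $($_.Exception.Message)>" }

        [pscustomobject]@{
            Folder           = $dir.FullName
            CreationTime     = $dir.CreationTime
            MinutesAfterBoot = [math]::Round(($dir.CreationTime - $Since).TotalMinutes, 1)
            Empty            = -not $firstChild
            Owner            = $owner
        }
    } |
    Sort-Object CreationTime |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session right after a reboot; the folder names it lists are the ones to search for in the Process Monitor boot log, which remains the way to identify the creating process when the owner is a generic account.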
