Process from OUTLOOK.EXE deleting home folder files

  • Thread starter: jtsm
Hi There,

I have a strange issue where users' files from their home drives are being
deleted at seemingly random times. After running procmon on the machine and
capturing it deleting the files, it appears to be coming from Outlook.exe.
Has anyone heard of this type of issue before?

Thanks
 
What kind of files are you referring to?

Which kind of configuration are we talking about here?
 
Any file type found on the root of the home folder (also mapped)

Using Outlook 2007 SP2 on an XP Pro SP3 machine.

Process Monitor example:

11:00:58.9604484 AM OUTLOOK.EXE 4760 IRP_MJ_CREATE H:\ SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened File System Domain\DomUser 0
11:00:58.9641865 AM OUTLOOK.EXE 4760 IRP_MJ_CREATE H:\ SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened File System Domain\DomUser 0
11:00:58.9655311 AM OUTLOOK.EXE 4760 IRP_MJ_DIRECTORY_CONTROL H:\* SUCCESS Type: QueryDirectory, Filter: *, 2: . File System Domain\DomUser 0
11:00:58.9717682 AM OUTLOOK.EXE 4760 IRP_MJ_CREATE H:\ SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened File System Domain\DomUser 0
11:00:58.9732938 AM OUTLOOK.EXE 4760 IRP_MJ_DIRECTORY_CONTROL H:\Agenda_July2009.doc SUCCESS Type: QueryDirectory, Filter: Agenda_July2009.doc, 2: Agenda_July2009.doc File System Domain\DomUser 0
11:00:58.9824123 AM OUTLOOK.EXE 4760 IRP_MJ_CREATE H:\Agenda_July2009.doc SUCCESS Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened File System Domain\DomUser 0
11:00:58.9869961 AM OUTLOOK.EXE 4760 IRP_MJ_QUERY_INFORMATION H:\Agenda_July2009.doc SUCCESS Type: QueryAttributeTagFile, Attributes: A, ReparseTag: 0x0 File System Domain\DomUser 0
11:00:58.9884530 AM OUTLOOK.EXE 4760 IRP_MJ_SET_INFORMATION H:\Agenda_July2009.doc SUCCESS Type: SetDispositionInformationFile, Delete: True File System Domain\DomUser 0
11:00:58.9910112 AM OUTLOOK.EXE 4760 IRP_MJ_CLEANUP H:\Agenda_July2009.doc SUCCESS File System Domain\DomUser 0
11:00:58.9915610 AM OUTLOOK.EXE 4760 IRP_MJ_CLOSE H:\Agenda_July2009.doc SUCCESS File System Domain\DomUser 0

And the delete in the log is...

11:00:58.9884530 AM OUTLOOK.EXE 4760 IRP_MJ_SET_INFORMATION H:\Agenda_July2009.doc SUCCESS Type: SetDispositionInformationFile, Delete: True File System Domain\DomUser 0

It has proven very hard to track the cause...

Thanks
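An added example, not part of the original thread: one way to pull every successful delete out of a larger Process Monitor text export and see which process and PID issued it, pairing each SetDispositionInformationFile event with the earlier open that requested Delete access. The one-event-per-line layout is assumed from the paste above; the sample uses two shortened events from that trace plus one constructed failed delete.

```python
import re
from collections import defaultdict

# Layout assumed from the trace above, one event per line:
# time AM/PM process PID operation path result detail
# Only SUCCESS results match, so failed operations are ignored.
EVENT = re.compile(
    r"^(?P<time>\S+ [AP]M) (?P<proc>\S+) (?P<pid>\d+) "
    r"(?P<op>IRP_MJ_\w+) (?P<path>.+?) SUCCESS (?P<detail>.*)$"
)

def find_deletes(lines):
    """Return successful delete-disposition events, each paired with the
    earlier open by the same PID that requested Delete access."""
    opens = {}    # (pid, path) -> time of the open that asked for Delete
    deletes = []
    for line in lines:
        m = EVENT.match(line.strip())
        if not m:
            continue
        key = (m["pid"], m["path"].lower())
        detail = m["detail"]
        if m["op"] == "IRP_MJ_CREATE":
            # Look only at Desired Access; ShareMode may also list Delete.
            access = detail.split("Disposition:")[0]
            if re.search(r"\bDelete\b", access):
                opens[key] = m["time"]
        elif (m["op"] == "IRP_MJ_SET_INFORMATION"
              and "SetDispositionInformationFile" in detail
              and "Delete: True" in detail):
            deletes.append({"time": m["time"], "process": m["proc"],
                            "pid": int(m["pid"]), "path": m["path"],
                            "opened_for_delete": opens.pop(key, None)})
    return deletes

def deletes_by_process(events):
    """Group deleted paths by (process, pid) for a quick summary."""
    summary = defaultdict(list)
    for e in events:
        summary[(e["process"], e["pid"])].append(e["path"])
    return dict(summary)

# Two events from the trace above (details shortened), then one
# constructed failed delete that must not be reported.
SAMPLE = [
    r"11:00:58.9824123 AM OUTLOOK.EXE 4760 IRP_MJ_CREATE H:\Agenda_July2009.doc SUCCESS Desired Access: Read Attributes, Delete, Disposition: Open, ShareMode: Read, Write, Delete",
    r"11:00:58.9884530 AM OUTLOOK.EXE 4760 IRP_MJ_SET_INFORMATION H:\Agenda_July2009.doc SUCCESS Type: SetDispositionInformationFile, Delete: True File System Domain\DomUser 0",
    r"11:01:02.0000000 AM EXPLORER.EXE 1234 IRP_MJ_SET_INFORMATION H:\notes.txt ACCESS DENIED Type: SetDispositionInformationFile, Delete: True",
]
```

Because events are attributed to the process whose thread made the call, a delete issued by an add-in or other module loaded inside OUTLOOK.EXE shows up under OUTLOOK.EXE as well; the stack captured for the event in Process Monitor is what separates the two.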
 