Mysterious directories can be leftovers from previous installations
Yet another email message arrived in my Inbox this week from a frustrated systems administrator at a Fortune 500 company. He had been tasked with cleaning up small problems that had occurred during his corporation's enterprisewide rollout of Windows XP as the company's client OS. Overall, he told me, the rollout was successful, with just less than 1 percent of the client computers requiring additional manual intervention. Dealing with those computers was his responsibility, and given the size of the company, he needed to work with computers scattered over a wide geographic area.
The specific problem he contacted me about was an error message that appeared during the upgrade process on a couple dozen computers. The message reported that a previous application installation was incomplete and that the user should log off, reboot, and log back on to complete the installation. I did a little quick research and found an explanation for the problem. Artifacts from program installations had been left in one or more of four registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersionRunServicesOnce, and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.
Cleaning up the affected keys was a simple matter of making sure that all of the keys, if they existed, were empty.
The systems administrator passed this advice to his various local administrators and found that clearing those keys solved his upgrade problems. He sent back a quick note of thanks, which included more than a little bit of concern. His IT organization was careful about what programs were installed on client computers in the company, and he didn't think his users had violated corporate IT policies regarding software installations. He was worried that the artifacts in the registry keys were symptoms of a virus that had attacked the computers that failed the upgrade.
My first response to his concern was to ask him what his local administrators had cleared from the registry keys. I thought that knowing what had been in the keys might give us a clue about whatever application had caused the problem. Unfortunately, his local administrators had followed his directions to the letter and simply cleared the keys.
I returned to researching the problem. We had the local administrators search the affected computers' temp directories for artifacts of earlier installations and instructed them to clean out the temp directories afterward. On a whim, I suggested that the administrators also look in the root directory of each of these computers for any unrecognized folders. The administrators reported that they found directories named $!$!$!$! in their root directories.
At this point, the systems administrator was really worried, but I was able to ease his mind. Those oddly named directories are artifacts of a Microsoft Internet Explorer (IE) installation. In all likelihood, the original problem was caused by an earlier IE upgrade that hadn't cleaned up after itself correctly. Given the large number of computers that his organization had upgraded, the fact that such a small number of computers had this minor problem was encouraging. However, this incident demonstrates that administrators have one more thing to keep track of when they upgrade their current software. It also underscores the truth of the maxim "Things are not always what they seem."