Details on $SysReset folder (concerned with child items)

LoudCloudDragon_caseyDB 191 Reputation points
2022-03-27T21:21:59.06+00:00

[Attached screenshot: 187321-sysreset.png]

As always, there are a lot of very scary-sounding files/logs/etc., but I can pretty much isolate this into two sections: Intune (this box is AAD Joined via AutoPilot) and the second, Windows RE (I did perform a restore some time ago).

My question is threefold: A) is my above assumption accurate? I initiated a Reset/Restore Point, and because of that (and this being an AAD Joined device) this variable-looking folder was created in the root of C:? Part B) what are the other seemingly unused (yet interesting) folders? Looking for an MS Doc on the matter, so please link me up, Contoso!

Part C) This is what REALLY prompted me to come seeking advice.... Drill down one level through the "Scratch" folder and there is a single, somewhat alarming file there ... csrss.exe... Why, Microsoft? Why scare me like this and make me second-guess years upon years of experience?

Doesn't that little mayhem maker already have a home in Sys32? Why is it out of its cage? If it needs to be there, could there be a symbolic link / shortcut or something other than the exe (which I have hazed myself to a trained point of "attack if not sys32...")?

Thank you all

LCD

Windows for business | Windows Client for IT Pros | User experience | Other
Microsoft Security | Intune | Other

1 answer

  1. Limitless Technology 39,931 Reputation points
    2022-04-01T12:43:33.82+00:00

    Hi @LoudCloudDragon_caseyDB

    Windows creates the $SysReset folder when you perform a System Refresh or Reset on your Windows 10 computer. This folder contains information ranging from log files to migration XML documents, all of which provide useful information to a forensic investigator.

    This $SysReset folder also contains an additional folder called Logs which contains a .etl file. It also creates a .etl file of a different name (sysreset_exe_BootUX.etl) inside C:\Recovery\Logs which can help a user to find and collect the report and error.

    Here is a thread that discusses the same topic and might be helpful for you.

    What is a $SysReset folder and should I delete it?
    https://answers.microsoft.com/en-us/windows/forum/all/what-is-a-sysreset-folder-and-should-i-delete-it/462afe56-1505-40e0-907b-446d2ca85bc1

    Hope this resolves your Query!!

    --
    If the reply is helpful, please Upvote and Accept it as an answer.

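The question boils down to a practical check: is a csrss.exe sitting outside System32 the legitimate Microsoft binary staged by the reset/recovery machinery, or something else? The following PowerShell script is an added example, not code from either poster or from Microsoft. It inventories what the answer above says lives under $SysReset (logs, .etl traces, migration XML) and then, for every .exe/.dll beneath it, checks the Authenticode signature and compares the SHA-256 hash with the same-named file in System32. It assumes the folder is at the root of the system drive and that the running System32 is the reference copy; both are assumptions, not facts from the thread.

```powershell
# Added example (not from the Q&A thread). Inventory the $SysReset folder and
# verify any PE files under it against their System32 counterparts.
# Assumptions: $SysReset sits at the root of $env:SystemDrive, and the
# reference binaries live in $env:SystemRoot\System32.

function Test-SysResetBinaries {
    [CmdletBinding()]
    param(
        # -LiteralPath is used throughout because the folder name contains '$'.
        [string]$SysResetPath = (Join-Path $env:SystemDrive '$SysReset'),
        [string]$ReferenceDir = (Join-Path $env:SystemRoot 'System32')
    )

    if (-not (Test-Path -LiteralPath $SysResetPath)) {
        Write-Warning ('No folder found at {0}' -f $SysResetPath)
        return
    }

    $files = Get-ChildItem -LiteralPath $SysResetPath -Recurse -File -ErrorAction SilentlyContinue

    # 1. Inventory by extension: expect .etl, .log, .xml and similar, per the answer above.
    $inventory = $files |
        Group-Object Extension |
        Select-Object @{ n = 'Extension'; e = { if ($_.Name) { $_.Name } else { '(none)' } } }, Count |
        Sort-Object Count -Descending
    Write-Host ('Contents of {0}:' -f $SysResetPath)
    $inventory | Format-Table -AutoSize | Out-String | Write-Host

    # 2. Verification of executables and DLLs (e.g. the csrss.exe under Scratch).
    $results = $files |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $reference = Join-Path $ReferenceDir $_.Name
            $refHash = if (Test-Path -LiteralPath $reference) {
                (Get-FileHash -LiteralPath $reference -Algorithm SHA256).Hash
            } else { $null }

            [pscustomobject]@{
                Path         = $_.FullName
                SigStatus    = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
                Signer       = $sig.SignerCertificate.Subject
                Sha256       = $hash
                MatchesSys32 = if ($refHash) { $hash -eq $refHash } else { 'no System32 copy' }
            }
        }

    # Files whose signature is not valid, or whose signer is not Microsoft, deserve a closer look.
    # A hash that differs from System32 is NOT by itself a red flag: recovery/reset staging can
    # carry a binary from a different Windows build, so the signature check carries the weight.
    $suspect = $results | Where-Object {
        $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
    }

    $results | Format-Table Path, SigStatus, MatchesSys32 -AutoSize | Out-String | Write-Host
    if ($suspect) {
        Write-Warning 'Executables under $SysReset that are unsigned or not signed by Microsoft:'
        $suspect | Format-List | Out-String | Write-Warning
    }

    return $results
}

# Run with defaults; pass -SysResetPath to point at a copy taken during an investigation.
Test-SysResetBinaries
```

Run it from an elevated PowerShell session, since parts of $SysReset may be ACL-restricted. The object it returns can be exported with Export-Csv for a forensic record. The decisive field is SigStatus together with the signer subject: a csrss.exe with a valid Microsoft signature in a reset staging folder is consistent with the answer's description of what Windows leaves there, whereas an unsigned or third-party-signed copy is what the questioner's "attack if not sys32" instinct is really about.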
