Hi, with Windows XP (about 12 years ago) Microsoft started to develop a REALLY NASTY habit: they began to install executable files outside of "%SystemRoot%\" and "%ProgramFiles%\", in "%ALLUSERSPROFILE%\" (since Windows Vista: "%ProgramData%\") and even "%USERPROFILE%\". Examples: * "%ALLUSERSPROFILE%\DRM\INDIVBOX.KEY" a DLL, installed there when a user runs the DRM individualisation process of Windows Media Player, see alias alias * "%COMMONAPPDATA%\Microsoft\PlayReady\Cache\...\MSPRindiv01.key" a DLL, used for Silverlight's PlayReady DRM * "%APPDATA%\Microsoft\Virtual PC\VPCKeyboard.dll" * "%LOCALAPPDATA%\Microsoft\SkyDrive\..." ... While this is a violation of Microsoft's own, about 18 years old "Designed for Windows" guidelines, it tears down the security boundary created with NTFS permissions/access rights and "privilege separation": unprivileged users cant write to "%SystemRoot%\" and "%ProgramFiles%\" and below, so all executables installed there are protected against tampering by unprivileged users (and programs/malware running under unprivileged user accounts). Executables installed in %USERPROFILE% are but NOT protected against tampering and can undermine at least the users safety. Marcus J. Ranum was SOO right, back in 2007, when he wrote in "Execution Control: Death to Antivirus" (see ): | It makes sense; security never has been important in Windows. JFTR: unfortunately not only Microsoft shows this bad habit: crapware like the versions of Google Chrome or Google Drive that are offered to "end users" installs into "%LOCALAPPDATA%\Google\Chrome\Application\...", "%LOCALAPPDATA%\Google\Update\..." and even subdirectories of "%TEMP%", Dropbox installs into "%APPDATA%\Dropbox\...", SoftMaker Office creates a DLL with the user registration data in "%APPDATA%\SoftMaker" (and fails MISERABLY if execution is denied there), Mozilla Firefox and Thunderbird download their updaters to "%APPDATA%\Mozilla\..." (and fail MISERABLY if execution is denied there), extensions like Mozilla Lightning install DLLs below "%APPDATA%\Mozilla\..." (and fail MISERABLY if execution is denied there), ... I recommend that the developers responsible for these crimes against computer safety and security learn the meaning of the word "DATA" before they are allowed to pester unsuspecting users with more of their (by the very design) unsafe and insecure programs. stay tuned Stefan Kanthak PS: it's getting worse^Wmore complicated (and as everybody with a sane mind knows: complexity reduces/ruins safety and security)! With Windows Vista Microsoft introduced "user account control" (really: they surrendered to all those incapable and incompetent developers who were and are unable and unwilling to write Windows software that runs without administrative rights, as requested in their own, then about 11 year old "Designed for Windows" guidelines) and "UAC virtualization", which redirects write access failures (and after that, read accesses too) of "legacy applications", i.e. 32-bit processes run by unprivileged interactive users (cf. and ) below "%SystemRoot%\", "%ProgramFiles%\" and "%ProgramData%\" to "%LOCALAPPDATA%\VirtualStore\". | However, any file with an executable extension, including .exe, | .bat, .scr, .vbs, and others, is excluded from virtualization. The list of predefined "executable" extensions (as found within %SystemRoot%\System32\Drivers\LUAFV.SYS) is: .acm, .asa, .asp, .aspx, .ax, .bat, .cer, .chm, .clb, .cmd, .cnt, .cnv, .com, .cpl, .cpx, .crt, .dll, .drv, .exe, .fon, .grp, .hlp, .hta, .ime, .inf, .ins, .isp, .its, .js, .jse, .lnk, .msc, .msi, .msp, .mst, .mui, .nls, .ocx, .pal, .pcd, .pif, .reg, .scf, .scr, .sct, .shb, .shs, .sys, .tlb, .tsp, .url, .vb, .vbe, .vbs, .vsmacros, .ws, .wsc, .wsf and .wsh BUT: .key (see above) is missing! To modify this list, edit [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Luafv\Parameters] "ExcludedExtensionsAdd"=multi: "ExcludedExtensionsRemove"=multi: