Microsoft Windows' unknown processes and files: What's behind them?
The Windows system consists of thousands of files. Many of them have strange names, others have extensions that most users have never seen before. Normally you do not need to worry about these files.
Windows is designed to configure, optimize, and in many cases even repair itself. It is neither intended nor desired that the user intervenes in the system, deletes, or modifies files.
However, if you would like to know more about how Windows works internally, what tasks the individual components have, and how they work together, this is the right article for you.
We will highlight the files that stand out from the mass of files due to their name, size, or function.
Huge files in the system folder: Hibernation & Co.
Windows is normally installed on the C: drive in the “Windows” folder. However, the system folder, often also called the root directory, already contains various files created by the operating system. Some of these can grow to a considerable size.
However, you can only see these files if you have deactivated the setting “Hide protected system files (recommended)” in the “Folder options” of the Explorer in the “View” tab.
Most space is taken up by hiberfil.sys, which can be several gigabytes in size. The name is a short form of “hibernate file,” which means hibernation file. If you select hibernate mode when shutting down the PC, Windows saves the current contents of the RAM in this file, including all active applications and open documents.
As soon as you switch the computer back on, you can immediately continue working from where you left off. The more RAM you have, the larger hiberfil.sys will be.
The file cannot be deleted via Explorer, but it can be deleted via the command prompt: To do this, type cmd in the search field of the taskbar and click on “Run as administrator.” Now enter the command
powercfg /h off
followed by the Enter key. Windows deletes the file without prompting you and deactivates hibernation. If desired, you can restore hibernation at any time with the command
powercfg /h on
The operating system creates two swap files
The second conspicuously large file in the system folder is called pagefile.sys. This is the swap file that Windows always uses when there is not enough memory for the loaded programs and files. The operating system dynamically adjusts the size of pagefile.sys to the required memory.
You can use the “SwapFileControl” entry in the Windows registry to delete the swap file in the system directory and, if desired, create it again later.
If there is sufficient RAM in the PC, you could consider deactivating pagefile.sys (deletion does not work). Although this is possible, it is not recommended. This is because the internal memory management accesses the file from time to time, even if there is space in the RAM. If the file is no longer available, the result is error messages and possibly system crashes.
Thirdly, swapfile.sys appears in the main folder. This is also a swap file, but it is used exclusively for Windows apps. So that the RAM is not burdened by dormant or sleeping apps, they are moved to the file on the hard drive/SSD.
Windows adjusts the size of swapfile.sys as required: If no apps are active, it is usually 16MB in size. If several apps are running, it can grow up to 256MB.
You can remove the file via the registry: To do this, open the path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management
and create a new DWORD value called “SwapfileControl” after right-clicking in the right half of the window. Double-click on this and make sure that “0” is entered as the value.
This will cause swapfile.sys to disappear the next time you restart. Bear in mind that Windows apps may start more slowly as a result. To restore the file, delete the registry entry.
Windows with crash log and hard disk test
You will also find a file called DumpStack.log.tmp on C:. Windows logs system crashes in this file. In some cases, it slows down the start of the TOR network for anonymous surfing; without this file, the TOR browser sometimes connects much faster.
The DumpStack.log.tmp cannot simply be deleted as access is blocked. However, you can remove the block via the registry: To do this, go to the folder
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
and set the value of the “EnableLogFile” key to “0”. After a restart, you can delete the DumpStack.log.tmp with the Explorer. There are no negative side effects to be feared; however, some crash logs can be helpful for support staff.
Sometimes you will also find the small file bootTel.dat in the system directory. Windows creates this file when you check the hard disk/SSD for errors. If you want to start an error check, open the command prompt with administrator rights and type
chkdsk
Huge folders and what’s behind them
According to Explorer or tools such as Treesize Free, WinSxS under C:\Windows is one of the largest Windows folders of all: It often takes up several gigabytes of storage space.
But this information is misleading. WinSxS collects thousands of hard links that refer to programs and system components on the hard drive. The total size of all linked files and programs appears as the folder size.
The WinSxS folder is the largest Windows folder on this computer. However, the impression is deceptive, because storage space is actually counted twice here.
Under no circumstances should you reduce the size of WinSxS by deleting subfolders and files. The folder contains, among other things, downloaded Windows updates and system files that Windows restores from here in the event of system errors.
If you remove these files, you can render your system unusable. You should therefore use Windows Disk Cleanup, which you can start by entering cleanmgr in the search field of the taskbar. Click on “Clean up system files,” place a tick in front of each option and confirm with “OK.”
The SysWOW64 folder is also often quite large. It contains the WOW64 subsystem (Windows on Windows 64-bit), which is required to run 32-bit programs in a 64-bit Windows. You must not change this folder.
Mysterious processes in the Windows task manager
If you open the Task Manager, you will find the entry with the name AggregatorHost.exe or Microsoft (R) Aggregator Host in the processes. The process belongs to a file that was still located in the C:\Windows\System32 folder in Windows 10. Windows 11 stores it in a subfolder of C:\Windows\WinSxS.
What this process does is unclear. Microsoft does not provide any information. Since “Aggregator” stands for “collect,” it seems plausible that the process connects various system components with elements such as notifications and preview images in the taskbar. In any case, this is not malware. As the file hardly takes up any memory, ignore it.
The case is clearer with taskhostw.exe: This process is responsible for starting Windows services that are based on DLLs. It normally works unnoticed in the background. Users repeatedly report error messages in connection with this file, as well as the process pushing the CPU load to its limit.
The Windows tools sfc.exe and DISM can help against this. Open the command prompt with administrator rights, type
sfc /scannow
and run the test. Then enter the three commands
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
one after the other. This often solves the problems.
Explained: What are the hosts file and the MUI and PF files for?
The hosts file in the C:\Windows\System32\drivers\etc folder is characterized by the fact that it has no extension. This has to do with the fact that this file originally comes from the Unix world. Today, hosts exists not only on Windows computers, but also on Macintosh computers, Linux computers, and smartphones and tablets with the Android and iOS mobile operating systems.
The file dates back to the early days of the internet. Back then, it was needed to translate entries such as www.microsoft.com into addresses such as 20.231.239.246. Back then, the hosts files contained long tables with address assignments. Today, this file is probably empty on your system; URLs are now resolved via the DNS system.
Nevertheless, hosts still has a practical use: You can use it to prevent access to certain websites such as advertising servers. If you enter “0.0.0.0 www.werbeserver.com” in the hosts file, any request for www.werbeserver.com will be redirected to the non-existent address 0.0.0.0.
The request then ends with an error message. To edit the file, simply use the Notepad app or the Hosts file editor from the Microsoft PowerToys (Microsoft Store).
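Because every hosts entry overrides DNS for the name it lists, it is worth checking what the file on a PC actually contains. The following script is an added example, not part of the original article: it parses hosts-file syntax and separates blocking entries like the one above from entries that point a name at some other address. The function names and the sample entries are constructed for illustration.

```python
import ipaddress
from pathlib import Path

# Path named in the article; only read when the script runs on such a system.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed sample in hosts-file syntax (not taken from a real machine).
SAMPLE_HOSTS = """\
# Sample comment line
#    127.0.0.1    localhost
0.0.0.0 www.werbeserver.com
127.0.0.1   tracker.example  ads.example   # two names on one line
203.0.113.10 login.example
not-an-ip broken.example
"""


def parse_hosts(text):
    """Return (address, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: not a usable entry
        entries.extend((addr, name.lower()) for name in fields[1:])
    return entries


def classify(entries):
    """Separate blocking entries from entries that point a name elsewhere."""
    blocked, review = [], []
    for addr, name in entries:
        if addr.is_unspecified or addr.is_loopback:
            blocked.append(name)  # 0.0.0.0, 127.0.0.1, ::1 and similar
        else:
            review.append((name, str(addr)))  # overrides DNS for this name
    return blocked, review


if __name__ == "__main__":
    text = HOSTS_PATH.read_text(errors="replace") if HOSTS_PATH.exists() else SAMPLE_HOSTS
    blocked, review = classify(parse_hosts(text))
    print(f"{len(blocked)} blocked name(s): {blocked}")
    for name, addr in review:
        print(f"REVIEW: {name} is forced to {addr}")
```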
Files with the extension MUI (Multilingual User Interface) are frequently encountered on Windows PCs. These are files for switching the operating system from, say, German to another language.
Instead of deleting such files, however, it is advisable to uninstall entire language packs. To do this, click on the Time and language > Language and region button in the Settings app.
Then click on the three dots to the right of the language you no longer need and press the “Remove” button.
PF files, i.e. files with the extension PF, only exist in the folder C:\Windows\Prefetch. When an application is opened for the first time, Windows automatically creates a suitable PF file. It is used to speed up the startup process of the program. If you delete the files, the operating system automatically creates the files again the next time you start the associated application.
Useful: The small freeware tool WinPrefetchView lists the PF files on the computer and displays a range of file information.
Three copies of the msedge.dll file?
The Everything search tool reports three identical msedge.dll files. However, it is actually one and the same file that is referenced via hard links.
If you search for the msedge.dll file with a tool like Everything, three copies of it appear: one under C:\Program Files (x86)\Microsoft\Edge\Application\[version number], one under C:\Program Files (x86)\Microsoft\EdgeCore\[version number], and a third one under C:\Program Files (x86)\Microsoft\EdgeWebView\Application\[version number].
However, the file actually only exists once, namely in the path C:\Program Files (x86)\Microsoft\Edge\Application\[version number].
The other two locations are hard links to the original. These also have the property of displaying the size of the original file, although it is only saved once in a different location.
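The double counting described here for msedge.dll, and earlier for the WinSxS folder, can be reproduced in a temporary folder. The following script is an added example, not part of the original article: it creates one file with two hard links, then compares the total a naive size tool adds up with the total when each file ID is counted once. The folder names mirror the article; the file contents, sizes, and function names are constructed.

```python
import os
import tempfile


def build_demo_tree(root, size=4096):
    """Create one file and two hard links to it in sibling folders (constructed data)."""
    folders = [os.path.join(root, name) for name in ("Edge", "EdgeCore", "EdgeWebView")]
    for folder in folders:
        os.mkdir(folder)
    original = os.path.join(folders[0], "msedge.dll")
    with open(original, "wb") as fh:
        fh.write(b"\0" * size)
    for folder in folders[1:]:
        os.link(original, os.path.join(folder, "msedge.dll"))  # new name, same data
    with open(os.path.join(root, "standalone.bin"), "wb") as fh:
        fh.write(b"x" * 100)


def measure(root):
    """Return (apparent_bytes, unique_bytes, link_groups) for the files under root."""
    apparent = 0
    by_id = {}  # (volume, file id) -> (size, [paths that name this file])
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            apparent += st.st_size  # what a naive folder-size tool adds up
            by_id.setdefault((st.st_dev, st.st_ino), (st.st_size, []))[1].append(path)
    unique = sum(size for size, _paths in by_id.values())
    groups = [sorted(paths) for _size, paths in by_id.values() if len(paths) > 1]
    return apparent, unique, groups


def demo():
    """Build the tree in a temp folder and return the two totals and group sizes."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        apparent, unique, groups = measure(root)
        return apparent, unique, [len(g) for g in groups]


if __name__ == "__main__":
    apparent, unique, group_sizes = demo()
    print(f"apparent: {apparent} bytes, on disk once: {unique} bytes")
    print(f"hard-link groups (paths per file): {group_sizes}")
```

Since all three paths name the same data, a change made through one path is visible through the others, and a file inventory or hash list will show the same content three times.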
This article was translated from German to English and originally appeared on pcwelt.de.
Author: Roland Freist
Roland Freist is a freelance IT journalist covering Windows, applications, networks, security, and the internet.