Dell driver (Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE) is deleting my files

LazNiko,

The chipset drivers will not delete your files. I think that is just the way the backup program works. What is the issue that you are having with the computer? Is the computer functioning properly?

Hi Jesse,

The computer hardware is functioning properly, but my files are being deleted regularly by DELL's driver file. That's the problem. The file is  C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE . 

Every time when I recover my files from backup, they got deleted again after a few days.

I found this driver's log file, in which there are some DeleteFile failure lines (highlighted in blue). So there is surely file deletion action done by this program, some of them failed and being logged. The others of them, unfortunately, were successful and not being logged.

And more importantly, the time of those deletion lines [28/07/17 18:27:29] matches the time captured by my folder monitoring program: "Deleted (28/7/2017 18:27:29)" (see my 1st post). So I'm 100% sure the driver was deleting my files in C:\BACKUP and C:\DATA.

I believe the driver is supposed to delete its own temp folder at some point, but would it be possible due to a bug logic or typo (or whatever reasons) that it turns out deleting the folder in C:\.

===========

਍਍[28/07/17 18:27:26] Update Package Execution Started

[28/07/17 18:27:26] Original command line: "C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE" /s
[28/07/17 18:27:26] DUP Framework EXE Version: 3.4.1.76
[28/07/17 18:27:26] DUP Release: 8J86FA01
[28/07/17 18:27:26] Initializing framework...
[28/07/17 18:27:26] User Command: unattended
[28/07/17 18:27:26] DUP Capabilities Value: 39845887 (0x25FFFFF)
[28/07/17 18:27:26] DUP Vendor Software Version: 15.3.39.250
[28/07/17 18:27:26] Local System/Model Compatible with this Package? Yes
[28/07/17 18:27:27] Local System OS Version: 10.0.0.0
[28/07/17 18:27:27] OS Compatible with this Package? Yes
[28/07/17 18:27:27] Local System OS Language: ZH
[28/07/17 18:27:27] Language Compatible with this Package? Unknown
[28/07/17 18:27:27] (DupAPI::ExtractPayloadTo): *** Error finding short path for target path
[28/07/17 18:27:27] Identified Behavior : unattended
[28/07/17 18:27:27] Temporary payload log file name: C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\DUP32F6.tmp
[28/07/17 18:27:27] Translated Command Line : msiexec.exe /i setup.msi /qn /l C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\DUP32F6.tmp
[28/07/17 18:27:27] Path : C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01
[28/07/17 18:27:27] Identified Behavior : unattended
[28/07/17 18:27:27] Append Vendor Software Log: C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\DUP32F6.tmp
[28/07/17 18:27:27]
--- Start of Vendor Software Log ---

[28/07/17 18:27:27] Unicode payload log file detected.
[28/07/17 18:27:27]
[28/07/17 18:27:27]
--- End of Vendor Software Log ---

[28/07/17 18:27:27] Vendor Software Return Code: 1619
[28/07/17 18:27:29] (FileUtility::DeleteDirectoryTree): *** DeleteFile() has reported failure. The error message reported by the system is: The process cannot access the file because it is being used by another process.
[28/07/17 18:27:29] (FileUtility::DeleteDirectoryTree): *** DeleteDirectoryTree() has reported failure. The error message reported by the system is: The process cannot access the file because it is being used by another process.
[28/07/17 18:27:29] (FileUtility::DeleteDirectoryTree): *** DeleteDirectoryTree() has reported failure. The error message reported by the system is: The process cannot access the file because it is being used by another process.
[28/07/17 18:27:29] (FileUtility::DeleteDirectoryTree): *** DeleteDirectoryTree() has reported failure. The error message reported by the system is: The process cannot access the file because it is being used by another process.
[28/07/17 18:27:29] (MUPXMLParser::GetResultName): *** Vendor Return Code is not found in Mup.xml
[28/07/17 18:27:29] Name of Exit Code:
[28/07/17 18:27:29] (DupAPI::GetReturnCode): *** Unable to find DUP value for:
[28/07/17 18:27:29] Exit Code set to: 1 (0x1)
[28/07/17 18:27:29] Result: FAILURE
[28/07/17 18:27:29] (MUPXMLParser::GetResultName): *** Vendor Return Code is not found in Mup.xml
[28/07/17 18:27:29] Name of Exit Code:
[28/07/17 18:27:29] (DupAPI::GetReturnCode): *** Unable to find DUP value for:
[28/07/17 18:27:29] Execution terminated at date-time 28/07/17 18:27:29
[28/07/17 18:27:29] ######

Hello LazNiko and Jesse

Same problem on two XPS 13 in our company.

I renamed today the Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE in .EXE1 to see if my folders still disappear after that.

Hello.

I think we found the reason :

Whe the setup is done from the directory C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\PCDr\Downloads, the result is my folders deseapper.

But when the setup runs from C:\Users\my name\AppData\Roaming\PCDr\Downloads\ the reult is ok and my folders still exist.

So i deleted the C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE file and now everything is ok.

Here is the log file : 08/02 --> error and folders deleted ; 08/03 --> ok

[08/02/17 10:46:37] Update Package Execution Started
[08/02/17 10:46:37] Original command line: "C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE" /s
[08/02/17 10:46:37] DUP Framework EXE Version: 3.4.1.76
[08/02/17 10:46:37] DUP Release: 8J86FA01
[08/02/17 10:46:37] Initializing framework...
[08/02/17 10:46:37] User Command: unattended
[08/02/17 10:46:37] DUP Capabilities Value: 39845887 (0x25FFFFF)
[08/02/17 10:46:37] DUP Vendor Software Version: 15.3.39.250
[08/02/17 10:46:37] Local System/Model Compatible with this Package? Yes
[08/02/17 10:46:37] Local System OS Version: 10.0.0.0
[08/02/17 10:46:37] OS Compatible with this Package? Yes
[08/02/17 10:46:37] Local System OS Language: FR
[08/02/17 10:46:37] Language Compatible with this Package? Yes
[08/02/17 10:46:37] (DupAPI::ExtractPayloadTo): *** Error finding short path for target path
[08/02/17 10:46:37] Identified Behavior : unattended
[08/02/17 10:46:37] Temporary payload log file name: C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\DUPAA19.tmp
[08/02/17 10:46:37] Translated Command Line : msiexec.exe /i setup.msi /qn /l C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\DUPAA19.tmp
[08/02/17 10:46:37] Path : C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01
[08/02/17 10:46:37] Identified Behavior : unattended
[08/02/17 10:46:37] Append Vendor Software Log: C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\DUPAA19.tmp
[08/02/17 10:46:37]
--- Start of Vendor Software Log ---

[08/02/17 10:46:37] Unicode payload log file detected.
[08/02/17 10:46:37]
[08/02/17 10:46:37]
--- End of Vendor Software Log ---

[08/02/17 10:46:37] Vendor Software Return Code: 1619
[08/02/17 10:46:42] (FileUtility::DeleteDirectoryTree): *** FindFirstFile() has returned an invalid handle. The error message reported by the system is: Accès refusé.
[08/02/17 10:46:42] (FileUtility::DeleteDirectoryTree): *** DeleteDirectoryTree() has reported failure. The error message reported by the system is: Accès refusé.
[08/02/17 10:46:42] (MUPXMLParser::GetResultName): *** Vendor Return Code is not found in Mup.xml
[08/02/17 10:46:42] Name of Exit Code:
[08/02/17 10:46:42] (DupAPI::GetReturnCode): *** Unable to find DUP value for:
[08/02/17 10:46:42] Exit Code set to: 1 (0x1)
[08/02/17 10:46:42] Result: FAILURE
[08/02/17 10:46:42] (MUPXMLParser::GetResultName): *** Vendor Return Code is not found in Mup.xml
[08/02/17 10:46:42] Name of Exit Code:
[08/02/17 10:46:42] (DupAPI::GetReturnCode): *** Unable to find DUP value for:
[08/02/17 10:46:42] Execution terminated at date-time 08/02/17 10:46:42
[08/02/17 10:46:42] ######

਍਍[08/03/17 11:34:23] Update Package Execution Started
[08/03/17 11:34:23] Original command line: "C:\Users\c.sanchez\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE" /s
[08/03/17 11:34:23] DUP Framework EXE Version: 3.4.1.76
[08/03/17 11:34:23] DUP Release: 8J86FA01
[08/03/17 11:34:23] Initializing framework...
[08/03/17 11:34:23] User Command: unattended
[08/03/17 11:34:23] DUP Capabilities Value: 39845887 (0x25FFFFF)
[08/03/17 11:34:23] DUP Vendor Software Version: 15.3.39.250
[08/03/17 11:34:23] Local System/Model Compatible with this Package? Yes
[08/03/17 11:34:23] Local System OS Version: 10.0.0.0
[08/03/17 11:34:23] OS Compatible with this Package? Yes
[08/03/17 11:34:23] Local System OS Language: FR
[08/03/17 11:34:23] Language Compatible with this Package? Yes
[08/03/17 11:34:23] Extraction-miniunz path: C:\PROGRA~3\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\miniunz.exe
[08/03/17 11:34:23] Extraction-arguments: -x C:\Users\CC5E1~1.SAN\AppData\Roaming\PCDr\DOWNLO~1\CHIPSE~1.EXE -o -d C:\PROGRA~3\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01
[08/03/17 11:34:24] Extraction-GetExitCode: 0
[08/03/17 11:34:24] Identified Behavior : unattended
[08/03/17 11:34:24] Temporary payload log file name: C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\DUPC560.tmp
[08/03/17 11:34:24] Translated Command Line : msiexec.exe /i setup.msi /qn /l C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\DUPC560.tmp
[08/03/17 11:34:24] Path : C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01
[08/03/17 11:34:24] Identified Behavior : unattended
[08/03/17 11:34:27] Append Vendor Software Log: C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\DUPC560.tmp
[08/03/17 11:34:27]
--- Start of Vendor Software Log ---

[08/03/17 11:34:27] Unicode payload log file detected.
[08/03/17 11:34:27] === Logging started: 03/08/17 11:34:27 ===
Action start 11:34:27: INSTALL.
Action start 11:34:27: FindRelatedProducts.
Action ended 11:34:27: FindRelatedProducts. Return value 1.
Action start 11:34:27: PreventDowngrading.
MSI (s) (68:70) [11:34:27:137]: Product: Logiciel Thunderbolt(TM) -- Newer version already installed

Newer version already installed
Action ended 11:34:27: PreventDowngrading. Return value 3.
Action ended 11:34:27: INSTALL. Return value 3.
MSI (s) (68:70) [11:34:27:139]: Product: Logiciel Thunderbolt(TM) -- Installation failed.

MSI (s) (68:70) [11:34:27:140]: Windows Installer a installé le produit. Nom du produit : Logiciel Thunderbolt(TM). Version du produit : 15.3.39.250. Langue du produit : 1033. Fabricant : Intel Corporation. Réussite de l’installation ou état d’erreur : 1603.

=== Logging stopped: 03/08/17 11:34:27 ===

[08/03/17 11:34:27]
--- End of Vendor Software Log ---

[08/03/17 11:34:27] Vendor Software Return Code: 1603
[08/03/17 11:34:27] Name of Exit Code: DEP_SOFT_ERROR
[08/03/17 11:34:27] Exit Code set to: 3 (0x3)
[08/03/17 11:34:27] Result: FAILURE
[08/03/17 11:34:27] Name of Exit Code: DEP_SOFT_ERROR
[08/03/17 11:34:27] Execution terminated at date-time 08/03/17 11:34:27
[08/03/17 11:34:27] ######

I did remove the .EXE file from C:\WINDOWS\system32\config\systemprofile\AppData\Roaming\PCDr\Downloads but a few days later Dell will automatically download the EXE file to the original path and run it again. I bet this is part of the driver checking and update process.

So removing the .EXE file from that path isn't a real fix to the problem.

Although the .EXE file was run every day, it doesn't delete folders on each run. It deletes folders once in every 3-7 days. I'm not sure what triggers that.

I'm seeing the exact same issue, but it's deleting a c:\dev\XXXX folder for me. There appears to be something wrong with this file.

Obviously this is not an individual case. Could @DELL-Jesse L or anyone from Dell help look into this for us?  

I have the same issue,  it deleted an apache-tomcat folder that I had in the Drive C: like 4 times. I Have  turned on the windows audit to know the process that was deleting my folder and it was

"C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Downloads\Chipset_Driver_8J86F_WN32_15.3.39.250_A01.EXE"

the audit result and the .exe firm and certificate images

1drv.ms/.../s!AsjZrUmMJ54mg9c-GbeMlMT-pq2Wtg

1drv.ms/.../s!AsjZrUmMJ54mg9c_-CBKMobptA2vKQ

Same here, over the last 5 working days (I believe the first time it happened was Thursday, August 17, 2017) it has repeatedly deleted a folder containing 10K+ files that I had to restore from backup every day. A monumental waste of my time.

I got so fed up with my files disappearing that I ran a SysInternals Process Monitor trace and let's just say that I have caught this driver installer with its pants down, this process traverses files under c:\data\dropbox and deletes them all!

Why the installer is running every day is beyond me. Also, why it is only deleting this folder under c:\data and not other ones under c:\data is not clear. The only thing I can think of is that I have this folder ALWAYS open in file explorer.

Other people are reporting similar problems, see superuser.com/.../virus-suspicious-process-deletes-many-folders-and-files-via-various-processes

I had a look at the update of the various Dell update utilities running on my system (why so many). Dell Command Update's history and activity log don't show they have executed anything.

The installer is signed by Dell Inc, I have checked it with virus scanners and it comes through clean.

Dell Support assist shows 'Powered by PC_Doctor', which explains the PCDR in the path of the driver, so my guess is that this schedules the daily update. However, the process ID shown for the parent process (that started the driver installer) is not for a process that is currently running, so I cannot say for sure what started this installer.

Does anyone have any idea about where the log file for this driver installer can be found. I looked in %temp% and c:\windows\temp, but there is nothing there that matches the timestamp.

The Windows Event log shows the following every day

-----------------------------------------------------

System event log entries (every day at a random time, event ID 7045)

A service was installed in the system.

Service Name:  PCDSRVC{3B54B31B-D06B6431-06020200}_0 - PCDR Kernel Mode Service Helper Driver

Service File Name:  c:\program files\dell\supportassist\pcdsrvc_x64.pkms

Service Type:  kernel mode driver

Service Start Type:  demand start

Service Account:  

-----------------------------------------------------

as well asll

-----------------------------------------------------

Beginning a Windows Installer transaction: C:\ProgramData\dell\drivers\Chipset_Driver_8J86F_WN32_15.3.39.250_A01\setup.msi. Client Process Id: 16568.

-----------------------------------------------------

I am happy to delete this problematic file, but my fear is that it will come back an delete files again. As it is impossible to trace what it has deleted over time more and more files will just disappear from my system.

It is pretty clear who is at fault here, now Dell will need to take ownership and sort this out. I am paying for premium support and will contact my Dell support rep.

Actually, that superuser.com post was created by me as I originally thought it was a virus but it turns out a problem of the Dell driver so I reported the same issue here. But the discussion on that post also gives some info about the issue.

You could find the driver log file at this directory:

C:\Windows\System32\config\systemprofile\AppData\Roaming\PCDr\Update\Logs

I did delete the .EXE file and it did come back again some day later. I think Dell's driver update tool will check and download the file if it's not there.

Come on DELL. How can you allow your driver to kill user's files secretly and randomly?!  

Please give some response. It's totally not acceptable to let this issue continue.

I thought as much, there was a lot of overlap in the StackExchange question.

As mentioned in my previous update, I have reached out to my Dell support rep. It did really help that I sent them a Process Monitor log file proving beyond the shadow of a doubt that their driver installer is deleting massive amounts of files on my system.

If I didn't have daily backups, I'd be completely ruined because of this fault.

The fact that this happened, and the loss of my productive hours, is inexcusable. However, my Dell rep took ownership immediately, escalated it and has this driver black listed. They are currently talking to the responsible programmers to see what happened, and to make sure this doesn't happen again.

I don't know exactly what 'blacklisting' does, I just hope that it means it won't magically re-appear on my system.

The good news is that - as I have now deleted the driver installer - my files are no longer being deleted.

Being a software architect, I'd love to see what role the 'Currently open explorer window' plays. It appears that the driver installer gets that directory somehow and starts deleting its contents.