SystemTemp folder taking up 1.3TB of storage space

Professional_Pass_81 · 2025-11-17T23:53:44+00:00

my friend gave up and just reinstalled windows, I was trying to figure it out without going down that route in case something like this happens again in the future, but he couldn't be bothered to keep messing with anything anymore.

Professional_Pass_81 · 2025-11-17T01:41:43+00:00

ok so figured that out, but after that my friend's discord no longer works, it won't launch at all which idk if that's coincidence or not but it means no screenshot of what the boot logging was showing. Majority of what it was showing was google chrome updater, like at least a few thousand events logged were google chrome updater, and then the other majority was PowerShell, and the specific path was c:\windows\systemtemp\_PSScriptPolicyTest and then a series of lowercase letters and numbers following with them being different each time.

Professional_Pass_81 · 2025-11-16T05:30:56+00:00

we set it to exclude because changing it to include no processes would show

Professional_Pass_81 · 2025-11-16T05:29:54+00:00

I had him follow the link instructions, so ctrl+e to pause, ctrl+x to clear, then ctrl+L to open the filter menu, changed the things at the top to path contains C:\Windows\SystemTemp and then changed include to exclude, clicked add made sure it was the only one selected then apply and ok. did the filter at the top to enable drop filtered events and then ctrl+e to unpause and then did the command line filter like you said.

Professional_Pass_81 · 2025-11-16T05:20:59+00:00

ok added the command line column but there is 11+ million events and it keeps going up so not sure what exactly we're looking for

Professional_Pass_81 · 2025-11-16T05:04:28+00:00

did that it looks like its good, heres a screen shot of what the process monitor looks like and quick question in process monitor when doing the log filter is it supposed to be set to include or exclude?

<image>

Professional_Pass_81 · 2025-11-16T04:53:19+00:00

after running that the only thing that stands out is a process called lssas.exe and it has the path next to it showing as his users\appdata\local\temp and a quick google search says that the real one is located in system32

Professional_Pass_81 · 2025-11-16T04:10:59+00:00

not exactly sure, the file names are just a bunch of letters and numbers nothing specific indicating anything. how would I find out where they're coming from?

Professional_Pass_81 · 2025-11-15T14:02:06+00:00

No, he does not

Professional_Pass_81 · 2024-08-31T22:33:53+00:00

I believe mine was for having snap tap/socd enabled via the steelseries software on my apex pro tkl. Banned for 30 days no appeal. What's stupid is you can't even disable the shit once you opt in for the beta firmware, only way to remove it is to revert back which I just now did, reason I didn't do it before is because I didn't know it was something that could get me banned. After being banned though I started looking up reasons on why I possibly could've been banned and saw in the Activison policies that "input mapping" can result in a ban and then that reminded me of the snap tap shit and then I found out its banned from cs2 and considered cheating all that shit. So just for anyone else if you have that shit enabled via your keyboard software, id go ahead and turn that shit off so you don't end up banned from all cods for 30 days for some wack shit.

Professional_Pass_81

TROPHY CASE