.prpro.scratch folder, What is?

[Cixert]

I am running several data recovery applications that take several hours to run.
When I get to the computer I see that "Renee Undeleter" warns about scratching and I also see the Windows 10 warning "no disk space".
I look at the disk drives and see that 8 are full except the attack drive to recover files.
All except the system drive contain a folder called ".prpro.scratch" with several GiB in size.
Inside there are hundreds of files without extension and all start with the letters PR like:
PR0A732D157825533C
PR0D2C74353D4D524C
PR0D5D2C05570B0007
They measure between 50 KiB and 1.5 GiB.
The system drive is also full, but in this case the folder has been created at the path:
C:\Users\username\AppData\Local\Temp\.prpro.scratch
with tens of GiB.
What could be causing this behavior?
Other programs I have running are EaseUS Data Recovery, iBoysoftDataRecovery, LC Photorecovery, Piriform Recuva and Ontrack Easy Recovery none of them cause any errors.

Edited February 20 by Cixert

[D.Draker]

Ever used this programme?

https://scratch.mit.edu/users/ProPurchase9258/

[Cixert]

2 hours ago, D.Draker said:

Ever used this programme?

https://scratch.mit.edu/users/ProPurchase9258/

No, I didn't know this one

Edited February 17 by Cixert

[Karla Sleutel]

On 2/16/2025 at 1:14 PM, Cixert said:

What could be causing this behaviour?

Looks like a temp folder for some software, but also could be an encrypting virus that was interrupted while encrypting your files.

[Cixert]

It has happened again. My suspicion is that it is a file recovery program, since the recovery drive is the only one that is not filled with these files.
This time Renee Undeleter and Ontrack Easy Recovery are closed.
So only the following are left open:
-EaseUS data Recovery.
-iBoysoftDataRecovery.
-LC Photorecovery Professional.
-Piriform Recuva.

Is possible to see in some Windows 10 log who creates these files?
In System Events I only see several errors related to the Microsoft Edge update.

-EventData

0

crashpad_log

No disponible

0

MicrosoftEdgeUpdate.exe

1.3.195.43

InstallError

0x80040902

\\?\C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log \\?\C:\Windows\TEMP\msedge_installer.log

0

f4b12a7c-ecc8-11ef-9d9c-90fba64b5ac7

262144

 

Edited February 17 by Cixert

[Cixert]

12 hours ago, Karla Sleutel said:

Looks like a temp folder for some software, but also could be an encrypting virus that was interrupted while encrypting your files.

In C:\Windows\Temp
I don't see any programs running, but I do see the following folders:

\Crashpad
-metadata
-settings.dat

\MsEdgeCrashpad
-metadata
-settings.dat
-throttle_store.dat

But these are old folders and files, 2024 February.

At this point I have been able to delete all the folders ".prpro.scratch" except the one located at:
C:\Users\user_name\AppData\Local\Temp

I deleted the files inside and they were recreated immediately afterwards.
Also created:
-MicrosoftEdgeUpdate.log

Edited February 17 by Cixert

[D.Draker]

On 2/16/2025 at 10:00 PM, Cixert said:

No, I didn't know this one

I only guess: PrPro means "professional" (edition?), "Scratch" is a software for 3d animations.

Neither of your mentioned software called "Scratch".

So then again, it could be a mimicking virus, like @Karla Sleutel already pointed out.

Windows TEMP folders usually have other name patterns.

[D.Draker]

23 hours ago, Cixert said:

It has happened again.

Could you copy that file somewhere else, on a much less valuable computer? Better with a good AV.

Then open the file in WinHex and look at the header. 

[Cixert]

Thanks for the help.
Finally the culprit was LC Technology - PhotoRecovery
When scanning a 3 TB MBR hard drive with logical sector 4096 bytes the program is not able to retain the location of the files found and generates an error copying each file to a temporary location in the .prpro.scratch folder.
Once Windows/temp is full it starts filling the first existing partition and once it is full the next one.
This is not a justifiable behavior and I don't know how Windows security allows this behavior without user intervention.
LC Technology - PhotoRecovery generates a log file with the errors and the behavior, here is an extract:

[Devices::Win32::DeviceManagerImpl::rescanDevices] this=[DeviceManagerImpl:]:     J:\\
02:05:18.504 (debug) (T:7828) DeviceManagerImpl.cpp:315 [Devices::Win32::DeviceManagerImpl::rescanDevices] this=[DeviceManagerImpl:]:     PD:USBSTOR\\DISK&VEN_TOSHIBA&PROD_EXTERNAL_USB&REV_0\\20221206018168F&0
02:05:18.507 (debug) (T:7828) DeviceManagerImpl.cpp:310 [Devices::Win32::DeviceManagerImpl::rescanDevices] this=[DeviceManagerImpl:]:   LD:STORAGE\\VOLUME\\{98433D34-E44C-11EF-9D97-90FBA64B5AC7}#000001635F83B800
02:05:18.510 (debug) (T:7828) DeviceManagerImpl.cpp:312 [Devices::Win32::DeviceManagerImpl::rescanDevices] this=[DeviceManagerImpl:]:     K:\\
02:05:18.512 (debug) (T:7828) DeviceManagerImpl.cpp:315 [Devices::Win32::DeviceManagerImpl::rescanDevices] this=[DeviceManagerImpl:]:     PD:USBSTOR\\DISK&VEN_TOSHIBA&PROD_EXTERNAL_USB&REV_0\\20221206018168F&0
02:05:18.514 (debug) (T:7828) DeviceManagerImpl.cpp:318 [Devices::Win32::DeviceManagerImpl::rescanDevices] this=[DeviceManagerImpl:]: ==END LOGICAL DEVICE MAP==
02:05:18.525 (debug) (T:7828) WorkDirectories.cpp:337 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: MP 0: Z:\\
02:05:18.528 (debug) (T:7828) WorkDirectories.cpp:359 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: Z: \[2,E\]=Z:
02:05:18.531 (debug) (T:7828) WorkDirectories.cpp:337 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: MP 0: B:\\
02:05:18.534 (debug) (T:7828) WorkDirectories.cpp:359 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: B: \[2,E\]=B:
02:05:18.538 (debug) (T:7828) WorkDirectories.cpp:337 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: MP 0: C:\\
02:05:18.541 (debug) (T:7828) WorkDirectories.cpp:359 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: C: \[1,E\]=C:
02:05:18.543 (debug) (T:7828) WorkDirectories.cpp:337 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: MP 0: D:\\
02:05:18.545 (debug) (T:7828) WorkDirectories.cpp:359 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: D: \[2,E\]=D:
02:05:18.547 (debug) (T:7828) WorkDirectories.cpp:337 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: MP 0: E:\\
02:05:18.549 (debug) (T:7828) WorkDirectories.cpp:359 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: E: \[2,E\]=E:
02:05:18.552 (debug) (T:7828) WorkDirectories.cpp:337 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: MP 0: F:\\
02:05:18.555 (debug) (T:7828) WorkDirectories.cpp:359 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: F: \[2,E\]=F:
02:05:18.558 (debug) (T:7828) WorkDirectories.cpp:337 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: MP 0: I:\\
02:05:18.561 (debug) (T:7828) WorkDirectories.cpp:359 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: I: \[2,E\]=I:
02:05:18.563 (debug) (T:7828) WorkDirectories.cpp:337 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: MP 0: J:\\
02:05:18.565 (debug) (T:7828) WorkDirectories.cpp:359 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: J: \[2,E\]=J:
02:05:18.567 (debug) (T:7828) WorkDirectories.cpp:337 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: MP 0: K:\\
02:05:18.569 (debug) (T:7828) WorkDirectories.cpp:359 [PRApp::WorkDirectories::initVolumeList] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:0)]]: K: \[2,E\]=K:
02:05:18.573 (debug) (T:7828) WorkDirectories.cpp:371 [PRApp::WorkDirectories::rebuildVolumeByPriority] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:9) [Volume: Root=B: WorkDir=B: Enabled=1 Priority=2] [Volume: Root=C: WorkDir=C: Enabled=1 Priority=1] [Volume: Root=D: WorkDir=D: Enabled=1 Priority=2] [Volume: Root=E: WorkDir=E: Enabled=1 Priority=2] [Volume: Root=F: WorkDir=F: Enabled=1 Priority=2]]]: B: \[2,E\]=B:
02:05:18.576 (debug) (T:7828) WorkDirectories.cpp:371 [PRApp::WorkDirectories::rebuildVolumeByPriority] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:9) [Volume: Root=B: WorkDir=B: Enabled=1 Priority=2] [Volume: Root=C: WorkDir=C: Enabled=1 Priority=1] [Volume: Root=D: WorkDir=D: Enabled=1 Priority=2] [Volume: Root=E: WorkDir=E: Enabled=1 Priority=2] [Volume: Root=F: WorkDir=F: Enabled=1 Priority=2]]]: C: \[1,E\]=C:
02:05:18.579 (debug) (T:7828) WorkDirectories.cpp:371 [PRApp::WorkDirectories::rebuildVolumeByPriority] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:9) [Volume: Root=B: WorkDir=B: Enabled=1 Priority=2] [Volume: Root=C: WorkDir=C: Enabled=1 Priority=1] [Volume: Root=D: WorkDir=D: Enabled=1 Priority=2] [Volume: Root=E: WorkDir=E: Enabled=1 Priority=2] [Volume: Root=F: WorkDir=F: Enabled=1 Priority=2]]]: D: \[2,E\]=D:
02:05:18.583 (debug) (T:7828) WorkDirectories.cpp:371 [PRApp::WorkDirectories::rebuildVolumeByPriority] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:9) [Volume: Root=B: WorkDir=B: Enabled=1 Priority=2] [Volume: Root=C: WorkDir=C: Enabled=1 Priority=1] [Volume: Root=D: WorkDir=D: Enabled=1 Priority=2] [Volume: Root=E: WorkDir=E: Enabled=1 Priority=2] [Volume: Root=F: WorkDir=F: Enabled=1 Priority=2]]]: E: \[2,E\]=E:
02:05:18.585 (debug) (T:7828) WorkDirectories.cpp:371 [PRApp::WorkDirectories::rebuildVolumeByPriority] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:9) [Volume: Root=B: WorkDir=B: Enabled=1 Priority=2] [Volume: Root=C: WorkDir=C: Enabled=1 Priority=1] [Volume: Root=D: WorkDir=D: Enabled=1 Priority=2] [Volume: Root=E: WorkDir=E: Enabled=1 Priority=2] [Volume: Root=F: WorkDir=F: Enabled=1 Priority=2]]]: F: \[2,E\]=F:
02:05:18.587 (debug) (T:7828) WorkDirectories.cpp:371 [PRApp::WorkDirectories::rebuildVolumeByPriority] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:9) [Volume: Root=B: WorkDir=B: Enabled=1 Priority=2] [Volume: Root=C: WorkDir=C: Enabled=1 Priority=1] [Volume: Root=D: WorkDir=D: Enabled=1 Priority=2] [Volume: Root=E: WorkDir=E: Enabled=1 Priority=2] [Volume: Root=F: WorkDir=F: Enabled=1 Priority=2]]]: I: \[2,E\]=I:
02:05:18.589 (debug) (T:7828) WorkDirectories.cpp:371 [PRApp::WorkDirectories::rebuildVolumeByPriority] this=[WorkDirectories: ScratchDir=.prpro.scratch Volumes=[(list:9) [Volume: Root=B: WorkDir=B: Enabled=1 Priority=2] [Volume: Root=C: WorkDir=C: Enabled=1 Priority=1] [Volume: Root=D: WorkDir=D: Enabled=1 Priority=2] [Volume: Root=E: WorkDir=E: Enabled=1 Priority=2] [Volume: Root=F: WorkDir=F: Enabled=1 Priority=2]]]: J: \[2,E\]=J:
02:05:18.591 (debug) (T:7828) WorkDirectories.cpp:371 [PRApp::WorkDirectories::rebuildVolumeByPriority] this=