System32 Folder Occupies 300 GB; Filled with Gibberish EXE Files

Recently, many users have reported that the System32 folder is suddenly consuming a colossal amount of disk space (e.g., 150 GB – 300 GB). On one user’s computer, more than 200,000 .exe files were generated. New files were generated almost every minute, consuming over 200 GB on the C drive.


A screenshot from another computer showed more than 150,000 files in System32, which is very unusual. The total size of the files was 148 GB.

Cause

The MSI NBFoundation Service executable causes the above issue. The MSI software executable OmApSvcBroker.exe was compromised recently. The offending file path is below:

C:\Program Files (x86)\MSI\MSI NBFoundation Service\OmApSvcBroker.exe

It creates those 1074 KB gibberish executable files in the System32 folder or the OS partition’s root directory.

The incident happened only on May 18th, 2023. Some users noted that the above executable has since stopped generating the junk .exe files with random characters in the file name.

The 1074 KB junk executables can be deleted. They’re created by an MSI executable (OmApSvcBroker.exe) which was compromised recently. For more information, check out the following links:

In the above VirusTotal.com link, a poster commented:



“A malware, which generates additional files under random names in .exe file format. Came from MSI’s Center, probably got breached in that day. It would run up to two processes from created files to create even more files – in the end, fills up hard-drive and Windows\System32 folder with 1,074 kb files. The signature is valid, belongs to “micro-star international co., ltd.”, which is used to bypass detections.”

Resolution

To prevent the junk files from filling up the hard drive, stop and disable the MSI NBFoundation file OmApSvcBroker.exe.

Open an admin Command Prompt and run this command:

schtasks /delete /tn "\OmApSvcBroker" /f

You should see the output “SUCCESS: The scheduled task "\OmApSvcBroker" was successfully deleted.”

Restart Windows and delete the following file:

C:\Program Files (x86)\MSI\MSI NBFoundation Service\OmApSvcBroker.exe

Download Malwarebytes Antimalware and run a full scan.
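
Before deleting the 1074 KB files, it helps to inventory them so that no legitimate System32 binary of the same size is removed. The following PowerShell script is an added example, not part of the original article: it only lists candidates and records each file's Authenticode signer. The byte window for "1074 KB", the creation-date cutoff, and the report path are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): read-only inventory, deletes nothing.
# Assumptions: Explorer's "1074 KB" is a rounded-up figure, so a byte window is used;
# the creation-date cutoff and the report path are illustrative defaults.
param(
    [string[]]$Path = @("$env:SystemRoot\System32", "$env:SystemDrive\"),
    [datetime]$CreatedAfter = '2023-05-18',
    [string]$ReportCsv = "$env:TEMP\junk-exe-candidates.csv"
)

$minBytes = 1073KB + 1   # smallest size Explorer would display as 1074 KB
$maxBytes = 1074KB       # largest size Explorer would display as 1074 KB

# Top-level .exe files only (no recursion), matching size window and creation date.
$candidates = foreach ($dir in $Path) {
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Extension -eq '.exe' -and
            $_.Length -ge $minBytes -and $_.Length -le $maxBytes -and
            $_.CreationTime -ge $CreatedAfter
        }
}

# Record the Authenticode signer of each candidate so legitimate Windows binaries
# that happen to fall in the size window stand out before anything is removed.
$report = @($candidates | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    [pscustomobject]@{
        FullName     = $_.FullName
        Length       = $_.Length
        CreationTime = $_.CreationTime
        SigStatus    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
    }
})

$report | Export-Csv -LiteralPath $ReportCsv -NoTypeInformation
$report | Group-Object Signer | Sort-Object Count -Descending | Select-Object Count, Name
$totalGB = ($report | Measure-Object -Property Length -Sum).Sum / 1GB
'{0} candidate files, {1:N1} GB; full list in {2}' -f $report.Count, $totalGB, $ReportCsv
```

Run it from an elevated PowerShell prompt and review the signer summary; on a system with hundreds of thousands of candidates the signature check can take a long time.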



Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.
