The USOPrivate and USOShared folders are two folders located in ‘C:\ProgramData’ on Windows 10. Most Windows users know little about these folders, and even on the internet there does not seem to be a consensus about them. Some users report these folders as malware, while others claim that they are harmless system folders. Let’s explore these folders in detail.
What does USO mean?
USO is short for Update Session Orchestrator. All the processes or folders with ‘uso’ in their name are somehow part of the Windows Update services. The USO is a service that is responsible for updates in your system. Downloading, verifying, and installing the updates are the responsibilities of this service.
This folder is located on the C drive inside the ProgramData folder. Sometimes the folder is hidden. You might have to tick the Hidden items check box under the View tab to see the folder. Access to the folder is restricted to higher-privileged users. You need to be an Administrator to open and look inside this folder. Inside this folder, you will find the USOPrivate folder.
As you can see in the image, the USOPrivate folder was last modified a long time ago. Along with it, there is also the USOShared folder. Let’s have a look inside these folders.
On opening the USOPrivate folder, you should find only one folder: UpdateStore. On opening that folder, you should see three XML files. You can view the content of these files by opening them with any text editor of your choice.
If you open these files with any text editor, you will notice that these are just XML files without any executable code or script. There’s nothing suspicious about these files.
Another folder alongside USOPrivate that people claim to be malware is USOShared. This folder also requires Administrator privileges. It contains a lot of ETL files. ETL stands for Event Trace Logs. These log files are created by the Tracelog process, which keeps logs of the events from the kernel level of the Windows Operating System.
Technically, it is safe to remove the log files, and it does not affect the system performance in any way. Admin privileges are required to delete these files. But it is recommended not to alter any folder content unless there is a strong reason.
The main difference between the USOShared and USOPrivate folders is the type of data they contain. The USOPrivate folder contains XML files with basic update info and links in them, while the USOShared folder contains ETL files that are system logs. It is clear that the two folders serve different purposes, even though they fall under the same Windows Update service.
USOPrivate MD5 Hash
MD5 stands for Message Digest 5. It is a cryptographic hash function that takes a string of data of arbitrary length and produces a fixed-length string. These kinds of functions are widely used on the internet to confirm data integrity because of a property called the avalanche effect. The avalanche effect means that the slightest change in the function’s input will change the output completely. That is why these functions are used to check whether a file was altered in any way.
In Windows, a utility called “certutil” is available to compute hashes of data. Unfortunately, it can’t be used to hash a whole folder. But there are workarounds: you can either hash each file individually or compress the entire folder into a zip file and then feed that to the hash function. Follow the given steps to find the MD5 hash of a file.
- Open the folder where your target file is.
- Press and hold the ‘Shift’ key and then right-click with the mouse.
- In the menu, click on ‘Open PowerShell window here’.
- A PowerShell window will show up with the directory opened in it.
- Type "certutil -hashfile <name_of_file> MD5".
- The output MD5 hash digest will show up.
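The "hash each file" workaround for a whole folder can be scripted. The following is an added example, not part of the original article: it uses PowerShell's Get-FileHash instead of certutil, builds a per-file manifest, derives one digest for the folder, and reports what changed since the last run. The baseline file location and the function names are assumptions made for this example; the algorithm defaults to MD5 to match the steps above, and Get-FileHash also accepts SHA256.

```powershell
# Added example: per-file hash manifest for a folder, plus one combined digest.
# Save as a .ps1 file and run from an elevated PowerShell window.
param(
    [string]$Folder   = 'C:\ProgramData\USOPrivate',
    [string]$Baseline = "$env:TEMP\usoprivate-md5.csv"   # hypothetical baseline location
)

function Get-FolderManifest {
    param([string]$Path, [string]$Algorithm = 'MD5')
    $root = (Resolve-Path -LiteralPath $Path).Path
    Get-ChildItem -LiteralPath $root -Recurse -File -Force |
        Sort-Object FullName |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
                Hash         = (Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm).Hash
            }
        }
}

function Get-ManifestDigest {
    param($Manifest, [string]$Algorithm = 'MD5')
    # Hash the sorted "path|hash" lines so a single value stands for the whole folder.
    $text   = ($Manifest | ForEach-Object { "$($_.RelativePath)|$($_.Hash)" }) -join "`n"
    $stream = [System.IO.MemoryStream]::new([System.Text.Encoding]::UTF8.GetBytes($text))
    (Get-FileHash -InputStream $stream -Algorithm $Algorithm).Hash
}

$current = @(Get-FolderManifest -Path $Folder)
if (-not $current) { throw "No readable files under $Folder (is the window elevated?)" }
"Folder digest: $(Get-ManifestDigest -Manifest $current)"

if (Test-Path -LiteralPath $Baseline) {
    $old = @(Import-Csv -LiteralPath $Baseline)
    # Compare on path + hash: a modified file appears once per side, new/removed files once.
    Compare-Object $old $current -Property RelativePath, Hash |
        Select-Object RelativePath, Hash,
            @{ n = 'State'; e = { if ($_.SideIndicator -eq '=>') { 'now' } else { 'baseline' } } }
} else {
    $current | Export-Csv -LiteralPath $Baseline -NoTypeInformation
    "Baseline written to $Baseline"
}
```

Because Windows Update rewrites these files as part of normal operation, a changed hash here shows that the content changed, not that the change was malicious.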
Is USOPrivate a threat?
Some people on the Internet claim that the USOPrivate folder is malware, while most people claim it to be harmless. As we saw ourselves, the folders only contained some XML files that did not have any kind of executable code. Therefore it can be concluded that the USOPrivate folder is not a threat. It is just a system folder that is part of the Windows Update mechanism.
Still, if a user is unsure about the folders, they can always run an antivirus scan on the drive. If the antivirus software finds anything suspicious, then the appropriate measures should be followed as suggested by the antivirus itself.
Can I delete USOPrivate?
A straightforward answer to this question is yes. You can indeed delete the USOPrivate folder just like any other folder; the system doesn’t even show a warning dialog box when you try to delete it, unlike the USOShared folder, which asks for admin privileges before deleting. But keep in mind that it is neither necessary nor recommended.
What is PID?
It is a unique identification number for each process currently running in the OS.
What are XML files?
XML stands for eXtensible Markup Language. It was designed to store and transport data on the web.
What are Logs?
Logs are records of events and activities occurring in the OS or any software, stored for future reference.
It can be concluded with confidence that both USOPrivate and USOShared are harmless and are part of the Windows Update services. Users should leave the folders as they are and should not try to alter them in any way. There is nothing to be worried about in those folders.