45

If I have an encrypted RAR file which will only open using a password, and I opened a file directly from within WinRAR by double clicking the file inside WinRAR, I assume that WinRAR will create a temporary version somewhere in the drive (temp folder?) before opening it using the default application assigned by the user in the system.

Does WinRAR make sure to delete all traces of the file once the archive is closed? or will it keep the temp file somewhere in the file system?

Nean Der Thal
  • 587
  • 2
  • 5
  • 12
  • 2
    Your assumption is correct, Winrar creates a temporary version. I don't know about the rest. But even assuming that Winrar deletes the traces, they physically remain on your drive and might be retrieved (Like any deleted file) Unless Winrar is doing something sophisticated. – Hello World May 12 '14 at 05:25
  • If you're really paranoid, extract your Archive to a ramdisk and manually delete the files when done. – Hello World May 12 '14 at 05:26
  • 1
    Can you be sure that extracting to a ramdisk or to a Truecrypt image does not result in temporary files elsewhere? – SPRBRN May 12 '14 at 08:20
  • 5
    @SPRBRN You don't need to trust anyone's claims here, or even WinRAR's own documentation (if it has any on this topic) - you can check yourself with [Process Monitor](http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx). – Iszi May 12 '14 at 13:46
  • 1
    For the record, the temporary files are stored at `%USERPROFILE%\AppData\Local\Temp`. – Salman von Abbas Oct 18 '15 at 00:19

1 Answers1

54

Very good question. Yes, by default, WinRAR leaves traces of temporarily extracted files.

WinRAR does indeed create temporary files when opening them directly from the archive. It also performs a normal deletion once WinRAR is closed. However, deleted files do physically stay on the disk after you delete them. Normal delete operations only delete the file from the filesystem index.

Think of it like trying to remove a page from a book by striking its title from the index page - the page stays in the book.

WinRAR has a nice feature that securely wipes (removes the index, and the page itself from the book) temporarily extracted files after WinRAR is closed. By default, this feature is turned off. You can turn it on from the security settings window.

winrar-secure-wipe

By default, it's set to 'Never', you don't want that. The option 'Always' securely wipes all temporarily extracted files, while the option 'Encrypted only' wipes temporarily extracted files only if they belong to an encrypted archive.

Important notes: WinRAR will also create temporary files when extracting files by dragging them to the destination. However, using the "Extract here" option doesn't create temporary files.

As mentioned below, it's also important to make sure that you don't close WinRAR before closing your file. I've just tested this behavior a Microsoft Word document and a PDF file. The .docx file persisted in the temp folder, while the .pdf file was wiped as soon as WinRAR was closed. So make sure you understand that this behavior isn't very reliable if you close WinRAR or if it crashes.

Adi
  • 43,808
  • 16
  • 135
  • 167
  • 4
    However, using the "Extract here" option doesn't create temporary files. (I'm 99% sure about this, I'll verify and edit) - I can verify this, as I use this option when my SSD (where all tmp goes) is out of space. – Zsolt Szilagy May 12 '14 at 15:12
  • 12
    It's also questionable what happens if WinRAR crashes before deleting (unlikely, but possible) or if the program you opened the file in is still open and has a lock on it when WinRAR is closed (more likely). – Bob May 12 '14 at 15:20
  • 1
    @Bob Indeed. I've just tested it and in some cases the file was kept in the temp folder. – Adi May 12 '14 at 21:51
  • @Bob this blows the whole concept of security when it comes to temp file being held as a prisoner by a program. I also assume that there is no native windows API that WinRAR can use to tell windows to delete the file as soon as it is free :/ – Nean Der Thal May 13 '14 at 01:30
  • @MeNoTalk Another issue is if the computer loses power or otherwise crashes (bluescreen?). Then the only hope would be if WinRAR remembered and wiped on next start (I don't think it does). In general, putting unencrypted temporary files on disk is a bad idea - it's much safer to only keep them on a (transparently) encrypted file system, or in RAM. There's also the issue of the opening program making its own temporary/working copy (I believe MS Office does this). – Bob May 13 '14 at 02:36
  • @Adi - When you say the action`Always` performs a secure wipe, are you aware of the algorithm used? – Motivated Nov 10 '15 at 06:38
  • @Adi - How does this fare with applications such as 7zip? – Motivated Nov 10 '15 at 07:50
  • @Motivated Unfortunately, I don't have access to the source code, and WinRAR doesn't have that information in their documentation. However, I don't think it's needed to know that. One pass of zeros is usually enough to delete the meat of the data, and subsequent passes don't add much security. I think what would be interesting to see if it wipes leftovers outside the temp folder, such as caches or thumbnails. As for 7zip, it doesn't have that feature. It was requested multiple times, but the other is neglecting to comment on it. Other software, WinZIP, has had the wipe option for 6 years now. – Adi Nov 10 '15 at 09:09