
Since I managed to remove a driver installed from Internet which turned out to be a virus, there's a new volume inside my Windows 11 file explorer which is called "RAMDrive (Z:)".

However, this volume appears neither within diskmgmt.msc nor in diskpart after I type lis vol.

It is filled with .tmp files which constantly change, so it really seems to be a volume containing my random access memory data. Is that even possible?

Furthermore, since then my PC has started running much slower and the RAM is often full. On the other hand, the volume takes up only 737MB of space and no more than 40MB are usually used, whereas I have 16GB of RAM.

I don't know whether this volume is taking up space from my RAM or just displaying it and I could find no information on Google.

So, how can I safely remove it?

Thanks in advance, Simone.

RAMDrive

  • What third-party software do you have that might be creating a RAMDrive? There is no organic method of creating a virtual drive within your memory without third-party software. Unless you are running into out of memory exceptions the RAMDrive is unlikely to be the culprit of your performance issues. – Ramhound Jan 18 '22 at 17:23
  • @Ramhound I have actually run into *out of memory* exceptions a few times these days... Never happened before! – Pellegatta Simone Jan 18 '22 at 17:27
  • Anyway, I did not install any software to create a *RAMDrive*, at least not on purpose. – Pellegatta Simone Jan 18 '22 at 17:28
  • Does not change the fact there is software running on your system that is creating it. If you are unable to identify it, you will have to perform a Reset, and sadly choose the option that will result in a clean install. – Ramhound Jan 18 '22 at 17:29
  • @Ramhound let's say I already uninstalled the software which created my RAMDrive (might have been the virus (?)), can't I just somehow delete the volume without a hard reset? – Pellegatta Simone Jan 18 '22 at 17:31
  • A RAMDrive is volatile - it will collapse at reboot… so something must be re-creating it & re-populating it each time. That's what you have to find. – Tetsujin Jan 18 '22 at 17:34
  • @Tetsujin thanks, I'll try to figure it out (any suggestions on how to do it would be appreciated)... but is there any way I can be sure it actually is a RAMDrive, apart from the label? – Pellegatta Simone Jan 18 '22 at 17:37
  • See https://superuser.com/questions/100360/how-can-i-remove-malicious-spyware-malware-adware-viruses-trojans-or-rootkit – Tetsujin Jan 18 '22 at 17:44
  • Your screenshot of the contents of the RAMDrive is illegible. – Ramhound Jan 18 '22 at 18:52
  • I managed to find a solution! After finding out that the volume did not appear in safe mode, I enabled the boot log from msconfig and scrolled through it, until I found a process called HPRAMDiskCPL.exe in system32 which was a bit sus. I deleted it and after rebooting the RAMDrive finally disappeared (I think I did not completely remove the program but it does not really matter). If one of you two wants to summarize the content of these comments as an answer, I am going to accept it. Thank you so much! – Pellegatta Simone Jan 18 '22 at 19:26

1 Answer


I managed to find a solution!

After finding out that the volume did not appear in safe mode, I enabled the boot log from msconfig and scrolled through it, until I found a process called HPRAMDiskCPL.exe in system32 which was a bit sus. I deleted that file and after rebooting the RAMDrive finally disappeared (I think I did not completely remove the program but it does not really matter).

Then, following this guide under the section Disabling HP RAM Disk Manager, I completely deleted the registry key HKLM\System\CurrentControlSet\Services\Ramdrive and I also deleted the ramdrive.sys driver under C:\Windows\System32\drivers.

Finally, since many programs did not work anymore after removing the RAMDrive, I had to update my environment variables and set both TMP and TEMP back to "%USERPROFILE%\AppData\Local\Temp" (local variables) and "C:\Windows\Temp" (system variables).

Everything seems to work fine now.
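A read-only check for the leftovers listed in the answer above, added here as an example and not part of the original post. It reports whether the `Ramdrive` service key, `ramdrive.sys` and `HPRAMDiskCPL.exe` are still present, who signed the files, and whether the user and system `TEMP`/`TMP` variables still point at a folder that no longer exists. The function name `Test-TempTarget` is made up for this example, and the paths assume the default locations named in the answer.

```powershell
# Read-only audit: nothing below modifies the registry, files or environment.
# Run from a 64-bit PowerShell so System32 is not redirected.
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Ramdrive'      # key named in the answer
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\ramdrive.sys'
$cplPath    = Join-Path $env:SystemRoot 'System32\HPRAMDiskCPL.exe'

# Hypothetical helper: reads the stored (unexpanded) value of a TEMP/TMP variable
# and checks that the folder it resolves to actually exists.
function Test-TempTarget {
    param([string]$Scope, [string]$Name)
    $regPath = if ($Scope -eq 'Machine') {
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    } else {
        'HKCU:\Environment'
    }
    $raw = (Get-Item -Path $regPath).GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
    $expanded = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
    [pscustomobject]@{
        Scope    = $Scope
        Name     = $Name
        Raw      = $raw
        Expanded = $expanded
        Exists   = [bool]($expanded -and (Test-Path -LiteralPath $expanded -PathType Container))
    }
}

# 1. Is the driver service still registered, and what does it load?
$svc = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
[pscustomobject]@{
    ServiceKeyPresent = [bool]$svc
    ImagePath         = $svc.ImagePath   # empty when the key is gone
    Start             = $svc.Start       # 0-2 = loads at boot, 3 = on demand, 4 = disabled
    DriverFilePresent = Test-Path -LiteralPath $driverPath
    CplFilePresent    = Test-Path -LiteralPath $cplPath
} | Format-List

# 2. If either binary is still on disk, show who signed it before deciding what it is.
foreach ($p in $driverPath, $cplPath) {
    if (Test-Path -LiteralPath $p) {
        Get-AuthenticodeSignature -LiteralPath $p |
            Select-Object Path, Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
    }
}

# 3. TEMP/TMP pointing at a removed drive is what breaks programs after the RAM disk is gone.
$results = foreach ($scope in 'User', 'Machine') {
    foreach ($name in 'TEMP', 'TMP') { Test-TempTarget -Scope $scope -Name $name }
}
$results | Format-Table -AutoSize
```

Any row with `Exists` set to `False` is a variable that still needs to be set back to a valid folder, as the answer describes.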