I just did a clean install of avast! 4.7.1043 under Windows XP Pro SP2. I happened to notice that avast! created the following directory:
C:\Program Files\avast!\%SystemRoot%
When I say “%SystemRoot%”, I mean it literally–that is the directory name. Under that directory, there is a TEMP directory with a file named Perflib_Perfdata_bb0.dat in it. Under that directory, there is a avast4 directory with Webshlock.txt in it.
It seems to me that avast! is failing to expand the %SystemRoot% variable, and so is failing to locate the actual %SystemRoot%\Temp directory. As a result, avast! is creating and using its own temporary directory.
When I run the command echo %SystemRoot%, I get C:\WINDOWS returned, so it’s not that my environment variables are screwed up. The C:\WINDOWS\Temp directory also exists, so that’s not it.
I also just noticed that avast! was using this directory as well:
I think I found the problem. I haven’t even tried fixing it yet, but I just know this is the problem… Somehow, my TEMP and TMP registry values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment were changed from expandable string values to regular string values (i.e. from REG_EXPAND_SZ to REG_SZ). I could still echo %SystemRoot% and get a valid result (I assume) because %SystemRoot% is hard-coded or something… But how this got changed is also a mystery. And an annoying one.
Good find, I wouldn’t have even though of that, but all mine (Temp, Tmp, Path, Prompt, etc. are all REG_EXPAND_SZ, see image if other Types might also have changed.
If a variable has data that is already expanded (e.g. TEMP set to C:\WINDOWS\TEMP), it won’t matter whether the variable is REG_SZ or REG_EXPAND_SZ. It only matters if the data uses a variable (e.g. TEMP set to %SystemRoot%\Temp).
I’m not sure what piece of %$#@ software screwed up my env vars, but I think it happened a few days ago, based on the date of creation for the aforementioned temp directory.