What is $WINDOWS.~BT Folder On your PC Hard Drive

Windows installation directory (Most probably C:/) will be filled up by the new program installation or desktop files in you PC. Once you have found that, it consuming some storage without any installations or files, It might look suspicious. You have cleared the Temp folder and cleaned junk files, but nothing pays. This might be due to a windows folder called $WINDOWS.~BT. It is an OS upgrade folder where the new windows upgrade files are downloaded and kept. The files will be downloaded step by step every time you are on an internet connection and it uses about 6 or 7GB space in your hard drive for the installation files only.

As I said, it is a storage space of the downloaded new windows versions, you can always delete them if you are not planning to upgrade your OS. The gradual download process will create a huge dump of files which consumes some of your valuable storage space. So let’s have a look at this guide on What is $WINDOWS.~BT folder on your hard drive and How to delete it to free up the storage.

What is $WINDOWS.~BT Folder On your Hard Drive

The $WINDOWS.~BT folder is a usual folder like any other folders and can be deleted any time as you decide. But, don’t be excited too much. If you try to update your windows again, it will recreate the same folder in the exact location and again start to download the windows installation files. All you is some failed update processes on Windows update history window.


Fed up of this issue and want to delete that creepy folder to free up the disk space. Go to the Windows Updates in your control panel and click on ‘Installed Updates’.

Windows 7 and 8 users will find an update called KB3035583 on the window. In addition, Windows 7 users will find another update file namely KB 2952664. Windows 8 or 8.1 users face an update KB 2976978 file. All of them must be uninstalled and hidden respectively according to your OS.


Now, all setup for deleting the $WINDOWS.~BT folder. But, you may need the admin privileges to delete the folder if you get any errors while trying to delete it. If you are facing any problems to delete it, you may try the Disk cleanup.

  1. Hold Windows key+R to open the Run
  2. Type %windir%\system32\cleanmgr.exe in the run box.
  3. Select the Windows drive
  4. Allow it to scan the drive if prompted.
  5. Once the scan completed, click the ‘Clean up System files’ button. It will allow to run the scan again.Disk-Cleanup-for-clearing-the-windows-update-files
  6. Once the scan is complete, look for the ‘Temporary Windows installation files’ option. You will find that it is very big in size and will free up a lot of space. So, check it and Begin the clean up the process.


Now, you have completely removed that folder and you got some big amount of disk space for your files. A long process but a very effective way to cut the root of that folder which consumes a large amount of disk space.

What about the $WINDOWS.~BT Folder On Windows 10

I have mentioned that the $WINDOWS.~BT folder is for storing the upgrade files of the latest windows updates. Then, why there is a folder in windows 10 which is the latest version?. It is quite a brilliant question. Once you have upgraded to the Windows 10 OS, It will save some files of the previous versions of windows to help the Downgrade process. Those files will be located on the same folder and it also uses some amount of your storage. If you are damn sure that, you are not going to downgrade the OS, you can simply delete it to free up your disk space. and use the disk cleanup to clean it up completely.

Muhammed Swalih is a Blogger by profession who also has a great taste in Web Development, SEO, Graphic Designing, etc.

1 Comment
  1. Reply
    Big DC Apr 7, 2016 at 5:26 pm

    So digging through all the blogs about this folder over the last couple years, it seems most are very misguided on its intent. Here’s what data I found during a recent forensic assessment on a friends PC:

    -foremost, I found a very large Nodejs. The overall intent was to link to numerous ‘local’ folders.
    – another script was set to run on prior to all the rftp from local, to clean all log files and RTP back to host.
    – numerous sysfiles and emulators to run as various Hosts servers\AppServers and platforms. If you can’t see a clear intent with this compilation…you may want to contine reading.
    – Some logs were left that the scripts had missed. All containg active data for over a year since install, 3/2015.
    – Evidence of active data-streams via well known exploits, malware and Tx tools.
    – Including Powershell,, RDP, FTP, TCP/IP over WiFi, SMB, Kernel sockets, SQL injections and many more.
    – Clear log and visual evidence that WinFirewall rules had been changed, giving a remot connection to anyone, for anything via any service. It was a ‘passthough’ authentication.\
    – On this share there were many ‘content’ servers set up and active. Including SMB offering unrestricted r+w+x attributes to all drives.
    – Superuser privileges, under the cloak of any P2P, or S2S like; Skype, IRC, XBox, iPhone, IPtunneling.
    – Evidence of authintication by TFTP, SSH, session/cookie hijacking, mimekatz, XSSing, logging of event data for streaming like keyloggers, mouse click coordinates.
    – Paresing personal data, writing or \\commenting out the existance of local security policy and users/groups definitions on local PC.

    There was so much more and nothing other than malicious execs and empty logfiles. No beta setups. Not one service complemented the old or any service outside of an Enterprise Web-Host server or applicable service. The $ is a manual attribute as are the hidden global symlinks on local or defined in well known malicious .css and .xml files.

    This is a complete overtaking of the local drives and ultimate ownership over the catalyst fs. You can remove the $ and chown all files except one; a small boot/exe that re-spawns all their scripts back to an operational independence over your entire system.

    Only thought I have to get rid of it? Redefining the attributes of the exe file thats owned by Trusted Installer. I have some tools that will let me view and define remote owned files and binaries. Then Put them all in an ISO, that should allow you to package and remove the entire Dir, else, it will maintain it’s inherent threat indefinitely.

    Good luck all. -D

Leave a reply