Well this has been happening to a co-worker for about 2 years. It happens with XP, Vista, and Win 7.

While he is in the middle of doing things machine would blue screen then reboot. Upon inspection the windows folder is totally empty. He would reinstall (he even tryed using a virtual machine on a linux box) and it would eventually happen again.

Now I am unable to reproduce it... meaning I am unable to delete the contents of the windows folder (locally and remotely) as I get the file is in use error on a lot of them and when I try on the dll cache the File Protection window pops up (never happens on his machine).

I have even tried Unlocker remotely thinking someone was selecting all the files from a admin share and using Unlocker to unlock files and mark them for deletion on a reboot which of course didn't work.

I have had his event logs going to our Syslog server and after it happened the log doesn't show anything suspicious... it even has the blue screen event.

I am at my whits end trying to figure it out... I am fairly certain someone is doing it because it only happens to him and only his login.

We are operating on a Windows 2003 AD domain (one thing we tried was removing all his admin credentials and changing all Domain Admin passwords to a 20 character random with numbers and characters and yes it still happens).

I am not sure where to start looking or trying to figure this out.

Any ideas on how someone or something is deleteing all the contents of the windows folder?