Windows NTFS and undeletable files



  • This happened to me a while ago (say 3-4 weeks) so I dunno if this still happens.

     Well it was about when I had decided to re-install Windows XP because well things were not working anymore (example I had no access to the IExplorer configuration menu because I didn't have enough permissions, and I was the computer administrator). I usually don't like the full format technique since I'd lose 200G of stuff on the HDD and no I don't partition because I don't like to. So what I usually end up doing is boot off a win98 recovery floppy disk and go erase windows/ and program files/ and keep the rest of the directories (thus obtaining an almost format).

    Well the win98 bootdisk doesn't work so well anymore with an NTFS harddrive, so I decided to use BartPE. Took me about 30 min to make one, I boot everything's going fine .. until I try to remove the flash player (macromedia) that comes with windows.

    This file is NOT deletable. I mean really is not deletable. Same happened to some random X.0 file in my cygwin installation. I could not erase them. I tried 3 different "surefire delete programs" none of them worked. I checked for any filelocks, nothing. But there's just NO way to erase it. Every time it complains about the file being in use / permissions / write protected / blah blah.

    I even tried my ubuntu live cd, but mountntfs wouldn't work, even with --force.

    The file in question was C:\Windows\system32\Macromed\Flash\Flash8b.ocx so yeah.. it drove me nuts for about 3 days, I still don't know WTF.

    I just installed Windows on top of it and it seems to have worked .. bah.



  • [quote user="rtaranu"]

    The file in question was C:\Windows\system32\Macromed\Flash\Flash8b.ocx so yeah.. it drove me nuts for about 3 days, I still don't know WTF.

    I just installed Windows on top of it and it seems to have worked .. bah.

    [/quote]

    And this, IMHO, is why only bad things can happen when you install applications (and yes, IMO, flash is an app) in the operating system directory. For all its other shortcomings, DOS didn't have this problem. Dunno about Mac, but you never hear of this in the *nix world. Boo Mr. Gates.



  • Boo *Gates*?  Why the hell does Flash install itself into C:\Windows\System32 anyway?  I mean what *possible* reason could there be by which Flash would need to install itself there?  What the hell were the programmers thinking???

     In short... WTF Macromedia?

    Boo Maceronimedia!



  • I've seen two files that were hard to delete.  One was a file in the Recycling bin.  The file wouldn't show up in the GUI (even with show hidden, etc checked) but when you tried to empty the recycling bin it would tell you it couldn't delete the file.  I was able to delete it from the command prompt.  The other I could not delete from the command prompt.  But I could rename the file and then delete the renamed file.  Go figure.



  • [quote user="rtaranu"]The file in question was C:\Windows\system32\Macromed\Flash\Flash8b.ocx so yeah.. it drove me nuts for about 3 days, I still don't know WTF.[/quote]Ok, now that's weird - I had the exact same problem about 2 weeks ago - none of the file managers on my BartPE CD would delete the file, so I ended up moving it to the root of the drive, and then reinstalling Windows. Afterwards, I was able to delete it from the new installation.



  • I once had an undeletable file on my desktop. It was a corrupted (partially downloaded) .exe. Whenever I tried to delete it I would be informed that the file was in use. Eventually, with the help of one of Sysinternals' utilities (I forget which one), I found that explorer.exe had the file locked!

    I was then able to force explorer.exe to close the file and delete it... So W(hy)TF was explorer holding the file open?!



  • [quote user="Albatross"]

    Boo Maceronimedia!

    [/quote]

    Yeah, but it was a cool song when it first came out. Remember, everyone was doing the Maceronimedia!

    (If you don't like this joke, it was still better than the cheesy pasta joke I was about to make) 



  • [quote user="mallard"]

    ... I found that explorer.exe had the file locked!

    I was then able to force explorer.exe to close the file and delete it... So W(hy)TF was explorer holding the file open?!

    [/quote]

     Looking for an icon to display inside the exe, then failing, then keeping the file handle open forever in frustration.

    (Sometimes the explorer behavior is just that great)
     



  • I'm not sure if this will work in XP, and it may not even work in 2000, but in NT, you can delete verifier.exe in (%WINDIR%\system32) and it will always come back.

    (Disclaimer:  It doesn't hurt to back up the file somehow before trying the following.)

    At a command prompt, cd to the system32 directory and do:

    del verifier.exe
    dir verifier.exe

    Looks like it's gone, right?

    Now try running it.  It's still there!  And sure enough, after you try running it, you can confirm its resurrection:

    dir verifier.exe

    (Second disclaimer:  The above is from memory.  And I don't feel like closing all my applications and rebooting into Windows XP just to confirm it.)



  • [quote user="R.Flowers"][quote user="Albatross"]

    Boo Maceronimedia!

    [/quote]

    Yeah, but it was a cool song when it first came out. Remember, everyone was doing the Maceronimedia!

    (If you don't like this joke, it was still better than the cheesy pasta joke I was about to make) 

    [/quote]


    It's just as well...most people prefer their pasta with marinara anyway.



  • [quote user="Reweave"]

    [quote user="mallard"]

    ... I found that explorer.exe had the file locked!

    I was then able to force explorer.exe to close the file and delete it... So W(hy)TF was explorer holding the file open?!

    [/quote]

     Looking for an icon to display inside the exe, then failing, then keeping the file handle open forever in frustration.

    (Sometimes the explorer behavior is just that great)
     

    [/quote]

    I used to have that occasionally with AI and EPS files. Explorer locked the file.

    I think that's actually Adobe's fault because the Illustrator team never (never!) truly made a smooth port for Windows: there remain glitches.

    I'd try the killing of explorer.exe, but explorer.exe isn't all that great at restoring all tray icons. Some programs don't show up anymore and run invisibly.



  •  

    ermm you just go into safe mode and then delete the previously running file, what's the big deal?

      if it's part of a running process owned by the system chances are windows thinks it needs it, and will restart it right away if you go into the admin panel and stop it.

     

     



  • [quote user="VGR"]

    I'm not sure if this will work in XP, and it may not even work in 2000, but in NT, you can delete verifier.exe in (%WINDIR%\system32) and it will always come back.

    (Disclaimer:  It doesn't hurt to back up the file somehow before trying the following.)

    At a command prompt, cd to the system32 directory and do:

    del verifier.exe
    dir verifier.exe

    Looks like it's gone, right?

    Now try running it.  It's still there!  And sure enough, after you try running it, you can confirm its resurrection:

    dir verifier.exe

    (Second disclaimer:  The above is from memory.  And I don't feel like closing all my applications and rebooting into Windows XP just to confirm it.)

    [/quote]
    I don't know if this is because of SP2 or not, but I have similar experiences like that before... One of them is when I was replacing notepad.exe with another text editing app named notepad.exe... Every time that file is modified (I think this is also true for every file in the System32 directory), Windows quickly replaced it with the original notepad.exe.

    I guess this is Windows' approach for file security / integrity... Just wait 'till I get my hands on the directory where the original files are stored...



  • [quote user="xrT"]

    I guess this is Windows' approach for file security / integrity... Just wait 'till I get my hands on the directory where the original files are stored...

    [/quote]

     Look for .cab files.
     



  • [quote user="dhromed"]

    [quote user="xrT"]

    I guess this is Windows' approach for file security / integrity... Just wait 'till I get my hands on the directory where the original files are stored...

    [/quote]

     Look for .cab files.
     

    [/quote]Or just turn off Windows File Protection or whatever it's called.



  • [quote user="xrT"]
    I don't know if this is because of SP2 or not, but I have similar experiences like that before... One of them is when I was replacing notepad.exe with another text editing app named notepad.exe... Every time that file is modified (I think this is also true for every file in the System32 directory), Windows quickly replaced it with the original notepad.exe.

    I guess this is Windows' approach for file security / integrity... Just wait 'till I get my hands on the directory where the original files are stored...

    [/quote]

    My computer has a directory on the c: drive called i386 which appears to be a copy of the install CD or something.  Try there... YMMV

     

    ~Doc Honcho~* 



  • [quote user="VGR"]

    I'm not sure if this will work in XP, and it may not even work in
    2000, but in NT, you can delete verifier.exe in (%WINDIR%\system32) and
    it will always come back.

    [/quote]

    Windows File Protection. why should i be trusted to think for myself?

    http://support.microsoft.com/kb/222193 



  • @R.Flowers said:

    (If you don't like this joke, it was still better than the cheesy pasta joke I was about to make)
    Hmm... cheesy pasta!

    WhyTF does my WinExplorer say it can't let me safely remove a USB drive because it is in use by an app, if the only app is Explorer itself?

    Also, IIRC Vista has some problems with folders with the same name as a parent folder. Can't remember what the problem was exactly and I can't reboot right now, so...



  • @Albatross said:

    Boo Gates?  Why the hell does Flash install itself into C:\Windows\System32 anyway?  I mean what possible reason could there be by which Flash would need to install itself there?  What the hell were the programmers thinking???

     In short... WTF Macromedia?

    Boo Maceronimedia!

    Well, to be fair, it is a systemwide browser plug-in. It needs to be in some central place where all browsers can load it up. Not that that excuses the System folder, but in XP I'm not sure if MS had adopted the "All Users" user profile yet...

    Edit: the real WTF is that Macromedia has been bought out by Adobe for like ... 4 years now.



  • Ok, you're doing some weird hacky stuff here... let's step-by-step it...

    @rtaranu said:

    I usually don't like the full format technique since I'd lose 200G of stuff on the HDD and no I don't partition because I don't like to.

    Partition? Why not just restore from backup? (Mostly hypothetical, I'm sure you don't back up. BUT JESUS CHRIST DO BUDDY!)

    @rtaranu said:

    So what I usually end up doing is boot off a win98 recovery floppy disk and go erase windows/ and program files/ and keep the rest of the directories (thus obtaining an almost format).

    "Usually?" NTFS has been the default disk format since Windows 2000.

    Anyway, what you're doing sounds like ... just screwing with stuff randomly. Make sure you delete the invisible contents on the root of your drive, too. If you're going to delete the OS using the hack-and-slash method, you need to be sure you got all of it. But what happens when the new OS is in place and you re-create your user? Does Windows overwrite your user profile with the new one, or is it smart enough to give the new one a name like "rtaranu-1"?

    Here's the thing: I understand your annoyance, but what you're doing isn't even approaching the supported way of installing Windows. You should *expect* problems doing this.

    The supported way would have been to back-up your files, wipe the drive, reinstall Windows, then restore your files.

    @rtaranu said:

    This file is NOT deletable. I mean really is not deletable

    The crazy-ass way you "reinstalled" Windows probably didn't change any of the fucked permissions you had before, you realize that, right? Since you didn't re-format the disk.

    @rtaranu said:

    Every time it complains about the file being in use / permissions / write protected / blah blah.

    Ok, here's the secret to erasing a file like that. I'm telling you this so you can use it to make your computer an even more spaghetti-fied mess in the future. (Note: writing this in Windows 7, some steps might be slightly different in XP):

    1) Right-click the file, go to Properties
    2) Click Security tab
    3) Add the group "Everyone" to the list at the top (*should* be available in XP)
    4) Give "Everyone" Deny permissions down the list
    5) Reboot
    6) Delete the file (you may have to give yourself permissions to do this)

    Should work. It works because the OS is subject to its own file permissions, so if you deny access to the file to everyone, you deny it to the system itself-- thus Windows can't ever make the file "in-use", thus you can delete it. This is super-handy against tough viruses, as well.

    Note: the above process *won't* stop Windows File Protection from restoring the file later, if it is indeed one of the files that WFP monitors. (But I doubt it is.)

    @rtaranu said:

    The file in question was C:\Windows\system32\Macromed\Flash\Flash8b.ocx so yeah.. it drove me nuts for about 3 days, I still don't know WTF.

    If you just reinstalled with a backup, you'd be done in like 45 minutes.



  • @Zecc said:

    WhyTF does my WinExplorer say it can't let me safely remove a USB drive because it is in use by an app, if the only app is Explorer itself?

    Explorer runs plug-ins. If you have any installed, get rid of them-- they're usually buggy pieces of crap.



  • @blakeyrat said:

    Well, to be fair, it is a systemwide browser plug-in. It needs to be in some central place where all browsers can load it up. 
     

    Use the registry to store the location of your plugin or whatever file you think others might need access to.   Isn't that what it's for?   If you need to find the file you just read a registry key which tells you where to find it.  No need to clutter up C:\Windows  with a gazillion non-OS files.

     



  • @El_Heffe said:

    @blakeyrat said:

    Well, to be fair, it is a systemwide browser plug-in. It needs to be in some central place where all browsers can load it up. 
     

    Use the registry to store the location of your plugin or whatever file you think others might need access to.   Isn't that what it's for?   If you need to find the file you just read a registry key which tells you where to find it.  No need to clutter up C:\Windows  with a gazillion non-OS files.

     

    No, I agree. My post says as much, in the second sentence you didn't get around to reading. I'll be kind today and just assume you saw my pre-edit post in the email thread, and aren't just completely misreading everything I type like you do in every other thread I post in.



  •  Additionally, this is a 4+ year old thread.



  • @rtaranu said:

    I had decided to re-install Windows XP because well things were not working anymore
     

     Actually there's no need for all those gyrations.  There's a way to do a non-destructive re-install of Windows XP.  I've used this a few times and it works well.

    http://www.informationweek.com/news/windows/showArticle.jhtml?articleID=189400897



  • @blakeyrat said:

    @Albatross said:

    Boo *Gates*?  Why the hell does Flash install itself into C:\Windows\System32 anyway?  I mean what *possible* reason could there be by which Flash would need to install itself there?  What the hell were the programmers thinking???

     In short... WTF Macromedia?

    Boo Maceronimedia!

    Well, to be fair, it is a systemwide browser plug-in. It needs to be in some central place where all browsers can load it up. Not that that excuses the System folder, but in XP I'm not sure if MS had adopted the "All Users" user profile yet...

    Edit: the real WTF is that Macromedia has been bought out by Adobe for like ... 4 years now.

    All users did exist in XP.



  •  I really can't decide what is TRWTF here:

    1) That it is a 4-year-old necro
    2) That flash installs COM dlls to system32 (there is absolutely no reason to put them there, any com dll is registered in the registry and the loader will find them wherever they are)
    2.5) That anyone assumes that if it was installed anywhere else it would change the fact that it's non-deleteable
    3) That the OP does reinstalling by manually deleting his windows folder
    4) That he doesn't like partitioning
    5) That he blames OS-level file locking semantics on a file system
    6) That windows doesn't allow deleting a file that's in use
    7) That i'm actually replying to this
    8 ) Community Server



  • @blakeyrat said:

    But what happens when the new OS is in place and you re-create your user? Does Windows overwrite your user profile with the new one, or is it smart enough to give the new one a name like "rtaranu-1"?
    Actually, it first tries appending the machine name to the user name (user.MACHINE). I think if that fails (already exists), it also appends a number.



  • Oops, looks like it was me who resurrected it. I mean.. darned spammers!



  • @bdew said:

     I really can't decide what is TRWTF here:

    1) That it is a 4-year-old necro
    2) That flash installs COM dlls to system32 (there is absolutely no reason to put them there, any com dll is registered in the registry and the loader will find them wherever they are)
    2.5) That anyone assumes that if it was installed anywhere else it would change the fact that it's non-deleteable
    3) That the OP does reinstalling by manually deleting his windows folder
    4) That he doesn't like partitioning
    5) That he blames OS-level file locking semantics on a file system
    6) That windows doesn't allow deleting a file that's in use
    7) That i'm actually replying to this
    8 ) Community Server

    9) No-one realized the original problem was a GPO setting.



  • @firedup said:

    For all its other shortcomings, DOS didn't have this problem
     

    Except its default "SET TEMP=C:\DOS"



  • @blakeyrat said:

    Should work.
    It doesn't on Home versions of XP (Simple file sharing is always on, and you can't disable it). Also, IIRC, the plugin has some weird permissions set, and you first have to take ownership before you can change its ACLs.



  • Sometimes when you open a folder Explorer opens some of the files to load icons (for example from EXE files) and other information and "forgets" to close them. If you then try to delete the file, you can't because it's in use by Explorer.

    About the removing of removable media, if it's open in Explorer on XP and Windows 7 it closes automatically when you ask Windows to safely remove it. But Windows Vista has a bug where it just tells you that it's still in use. Just close the Explorer window(s) and safely remove again.



  • @pbean said:

    About the removing of removable media, if it's open in Explorer on XP and Windows 7 it closes automatically when you ask Windows to safely remove it. But Windows Vista has a bug where it just tells you that it's still in use. Just close the Explorer window(s) and safely remove again.
     

    I just yank it.



  • @dhromed said:

    I just yank it.
    I used to do the same until I corrupted some files.

    Also, the pope is now tolerating the use of condoms "in some cases". The world as we know it is ending!



  • @Zecc said:

    @dhromed said:
    I just yank it.
    I used to do the same until I corrupted some files.
     

    You irresponsible man! That's why you should get yourself tested regularly.



  • @dhromed said:

    @Zecc said:

    @dhromed said:
    I just yank it.
    I used to do the same until I corrupted some files.
     

    You irresponsible man! That's why you should get yourself tested regularly.

    I am not irresponsible! I check every 30 boots or so, avoid FAT, and always unmount cleanly.


  • @Zecc said:

    WhyTF does my WinExplorer say it can't let me safely remove a USB drive because it is in use by an app, if the only app is Explorer itself?

    Fixed in Win7. Yep, that was annoying Vista fail.


  • @ender said:

    @blakeyrat said:
    Should work.
    It doesn't on Home versions of XP (Simple file sharing is always on, and you can't disable it). Also, IIRC, the plugin has some weird permissions set, and you first have to take ownership before you can change its ACLs.

    Home version has CACLS which is a command line utility to edit ACLs.

    And yes, XP/Vista/7 Home sucks.



  • @Zecc said:

    @dhromed said:

    I just yank it.
    I used to do the same until I corrupted some files.

    Also, the pope is now tolerating the use of condoms "in some cases". The world as we know it is ending!

    Food for thought:

    1. Pope "approves" use of condoms when dealing with HIV-positive male prostitute.

    2. (as reported by italian newspapers) Many Vatican employees visit gay bars and enjoy services of said male prostitutes.



  • @Zecc said:

    Oops, looks like it was me who resurrected it. I mean.. darned spammers!

    There are still some files with tricky names that can't be deleted with usual Explorer means. For example, if the total path is too long, or the file name is reserved for legacy reasons.

     You may encounter a file with '.' in the end of its name. The period will be deleted when the filename is passed to the kernel, unless you use special format for the filename:

     \\.\C:\path\filename

    The filenames prepended with \\.\ are not subject to any legacy preprocessing (such as trailing period removal) and don't have 260 character total length limit (though each path component still has 256 character length limit). You can pass such names to CMD.
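
An added example, not part of the post above: a small audit that flags the cases the post lists (over-long total path, legacy reserved name, trailing period) plus the closely related trailing space, and prints a prefixed form to hand to a command-line tool. The function names and sample paths are constructed for illustration; the prefix it builds is `\\?\`, which Microsoft's file-naming documentation describes as bypassing Win32 path normalization.

```python
"""Flag Windows paths that the normal Win32 path parser cannot address as written."""

MAX_PATH = 260  # Win32 limit; the count includes the terminating NUL
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{n}" for n in range(1, 10)}
            | {f"LPT{n}" for n in range(1, 10)})


def win32_problems(path):
    """Return the reasons (in first-seen order) an absolute path is unusable."""
    problems = []

    def note(reason):
        if reason not in problems:
            problems.append(reason)

    if len(path) + 1 > MAX_PATH:          # +1 for the terminating NUL
        note("too-long")
    # Skip the first component (drive letter, or the empty string of a UNC path).
    for comp in path.split("\\")[1:]:
        if comp in ("", ".", ".."):
            continue
        # Win32 normalization silently strips trailing dots and spaces.
        if comp != comp.rstrip(". "):
            note("trailing-dot-or-space")
        # Legacy device names are reserved with or without an extension.
        stem = comp.split(".", 1)[0].rstrip(" ").upper()
        if stem in RESERVED:
            note("reserved-device-name")
    return problems


def extended_form(path):
    """Build the form that is passed to the file system without normalization."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):           # UNC: \\server\share\...
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def audit(paths):
    """Map each problematic path to (reasons, extended form)."""
    report = {}
    for p in paths:
        reasons = win32_problems(p)
        if reasons:
            report[p] = (reasons, extended_form(p))
    return report


# Constructed sample listing (for example, names seen from another OS).
SAMPLE = [
    r"C:\Users\demo\Downloads\report.pdf",
    r"C:\Users\demo\Downloads\setup.exe.",
    r"C:\Temp\nul.txt",
    r"C:\Temp\console.log",
    r"C:\Temp\old backup \notes.txt",
    "C:\\deep\\" + "\\".join(["a" * 50] * 6),
]

if __name__ == "__main__":
    for path, (reasons, ext) in audit(SAMPLE).items():
        print(", ".join(reasons), "->", ext)
```
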



  • @alegr said:

    There are still some files with tricky names that can't be deleted with usual Explorer means. For example, if the total path is too long, or the file name is reserved for legacy reasons.
    Yeah, once I did this.  Don't try to delete those files using normal means.  It's not good.



  • NO NO NO -- The proper way to erase files on an NTFS partition in Windows NT is to remove the hard drive from the computer and use a 3000 gauss bulk tape eraser on the drive, going through at least 5 on-off cycles.   That will ensure that the file is irrecoverable.  The whole drive in fact. 



  • @Medezark said:

    That will ensure that the file is irrecoverable.  The whole drive in fact. 
     

    How many gauss would you need to make the drive, like, physically irrecoverable?

    Perhaps I should quantify the desired distortion (folded? pretzel? pancaked?), but perhaps you can give me some ballpark figures.



  • @Lingerance said:

    @bdew said:

     I really can't decide what is TRWTF here:

    1) That it is a 4-year-old necro
    2) That flash installs COM dlls to system32 (there is absolutely no reason to put them there, any com dll is registered in the registry and the loader will find them wherever they are)
    2.5) That anyone assumes that if it was installed anywhere else it would change the fact that it's non-deleteable
    3) That the OP does reinstalling by manually deleting his windows folder
    4) That he doesn't like partitioning
    5) That he blames OS-level file locking semantics on a file system
    6) That windows doesn't allow deleting a file that's in use
    7) That i'm actually replying to this
    8 ) Community Server

    9) No-one realized the original problem was a GPO setting.
    10) Recovery console with rmdir /S windows should've done the trick, IIRC


  • @danixdefcon5 said:

    10) Recovery console with rmdir /S windows should've done the trick, IIRC

    If you boot to Vista/2008/Win7 install DVD, until it shows a list of available volumes, press Shift+F10, you get to CMD shell.


  • @Medezark said:

    NO NO NO -- The proper way to erase files on an NTFS partition in Windows NT is to remove the hard drive from the computer and use a 3000 gauss bulk tape eraser on the drive, going through at least 5 on-off cycles.   That will ensure that the file is irrecoverable.  The whole drive in fact. 

    I'm afraid it's not strong enough for the modern HDD. It may fry the electronics, though.

    A modern drive with "secure erase" feature can be erased instantly, by overwriting its internal encryption key. This makes all information unrecoverable.



  • @dhromed said:

    @Medezark said:

    That will ensure that the file is irrecoverable.  The whole drive in fact. 
     

    How many gauss would you need to make the drive, like, physically irrecoverable?

    Perhaps I should quantify the desired distortion (folded? pretzel? pancaked?), but perhaps you can give me some ballpark figures.

    Hmm --

    #1 Take Drive to the Tokamak (sp?) Magnetic Reactor

    #2 Place in Reactor Compartment and turn reactor on

    #3 .......

    #4 Profit!!



  • @alegr said:

    @Medezark said:

    NO NO NO -- The proper way to erase files on an NTFS partition in Windows NT is to remove the hard drive from the computer and use a 3000 gauss bulk tape eraser on the drive, going through at least 5 on-off cycles.   That will ensure that the file is irrecoverable.  The whole drive in fact. 

    I'm afraid it's not strong enough for the modern HDD. It may fry the electronics, though.

    A modern drive with "secure erase" feature can be erased instantly, by overwriting its internal encryption key. This makes all information unrecoverable.

     

    I'd like to note that simply opening up the drive and emptying your vacuum cleaner over it will render it unusable for common scenarios, such as yanking it, putting it in another machine and just copying all data.



  • I've stumbled upon this problem time and again. I'm not sure exactly what mechanism is at play here (e.g. even if I install another copy of Windows XP along with the first, thus having WINDOWS and WINDOWS.0 directories) and boot from the second one, the Flash files in the first WINDOWS are still undeletable...

    ...UNLESS I manually reset all individual security settings for the affected files (must turn off simple file sharing, delete ALL possible ownership and inheritance dependencies and finally assign ownership and full R/W rights to the current user/admin)

    I recall that infamous DownAdUp virus also used to fuck up the ownership/security settings on its own files, which made them effectively undeletable even by BartPE-like environments, and even by Avast Boot CD (apparently whatever hack they do exploits some bug present in most NTFS subsystems).

    If you want a sure-fire way to delete such files however, a Linux Live CD is your best option.

