12

I'm trying to delete an executable, but it fails with the error Access is denied even when adding /F to force it, as in del /F system.exe. I'm using an elevated Command Prompt.

Attempting to delete the file through Windows Explorer yields the following:

(screenshot: error message)

I went into the Security properties of the executable. Highlighted are the odd permission entries which may be stopping me from deleting this file:

(screenshot: advanced security settings)

Originally, it did not let me delete the entries; the option was greyed out. I performed takeown /F C:\ProgramData\994146\system.exe, deleted the entries, added ones which gave me full permissions, and closed the dialogue box. The error persisted. When I reopened the Advanced Security Settings, the entries were back.

The parent folder of system.exe, 994146, is completely invisible in ProgramData. I have "show hidden files" turned on for ProgramData. I had to manually type the path in Windows Explorer's address bar. I am also not sure how to edit the properties of 994146 since I cannot select it in the file hierarchy.

Erik Humphrey

5 Answers

11

Just run these commands:

    rem run from an elevated prompt, inside the folder whose contents you want gone
    takeown /F * /R /D Y
    icacls . /T /C /grant administrators:F System:F everyone:F
    del * /s /q
Mikpa
11

Put bad processes on ice:

  1. Download and run Process Explorer (from Microsoft) as Admin
  2. In the Options > VirusTotal.com menu enable Check VirusTotal.com and accept the license agreement
  3. A new column will appear titled VirusTotal with a number like 0/57. The first number indicates how many virus scanners think the process is infected. The second number indicates how many scanned the file. 0/57 would indicate a clean process while 19/57 would indicate 19 scanners think the process is bad.
  4. For any processes flagged as infected, right-click and Suspend (do not kill)
  5. Once all suspicious processes have been suspended, kill them one at a time
  6. If any new infected processes re-appear, suspend them and don't kill them
  7. Change the file permissions on your unwanted executable to regain Full Control, then delete it
  8. Once you've deleted the file, you need to immediately move on to scanning your computer for malware


If this doesn't work, then break out the fire:

  1. Download Process Monitor (also from Microsoft) and run it as Admin
  2. On the Filter menu click Filter...
  3. Create a filter condition to match your file as follows: (screenshot of the filter condition)
  4. Click Add then OK
  5. Change the permissions on your file
  6. Review Process Monitor's output. You'll see that explorer.exe accesses the file (that's you, changing the permissions). Look for any other process that touches the file, most likely the last process to do so. This is most likely going to be your malicious process.
  7. Use Process Explorer to suspend that process (the PID value shown by Process Monitor is also shown by Process Explorer)
  8. Try changing the permissions/deleting the file again
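The Process Explorer and Process Monitor steps above can be scripted for the first pass. The following is an added example, not code from the answer above or from Microsoft's tools: it lists every running process whose image lives under C:\ProgramData (where the question's sample sits; the pattern itself is an assumption), reports whether the file or its folder carries the Hidden/System attributes, and hashes the image so it can be looked up on VirusTotal by hand. Suspend-ProcessById freezes a PID without ending it, which is what the "Suspend, do not kill" step does in Process Explorer. Run it from an elevated PowerShell.

```powershell
# Added example; not from the answer above. Assumptions: the sample runs from
# somewhere under C:\ProgramData, and you are elevated.
#
# NtSuspendProcess/NtResumeProcess are undocumented ntdll exports, but they are
# what Process Explorer itself calls for Suspend/Resume and have been stable.
Add-Type -Namespace Win32 -Name Nt -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
[DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr hProcess);
'@

function Suspend-ProcessById {
    param([Parameter(Mandatory)][int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction Stop
    $status = [Win32.Nt]::NtSuspendProcess($p.Handle)   # 0 = STATUS_SUCCESS
    if ($status -ne 0) { throw ("NtSuspendProcess({0}) failed: NTSTATUS 0x{1:X8}" -f $ProcessId, $status) }
    "Suspended PID $ProcessId ($($p.ProcessName))"
}

function Resume-ProcessById {
    param([Parameter(Mandatory)][int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction Stop
    $status = [Win32.Nt]::NtResumeProcess($p.Handle)
    if ($status -ne 0) { throw ("NtResumeProcess({0}) failed: NTSTATUS 0x{1:X8}" -f $ProcessId, $status) }
    "Resumed PID $ProcessId ($($p.ProcessName))"
}

function Get-SuspiciousProcess {
    # Assumption: the unwanted executable lives somewhere under ProgramData.
    param([string]$PathPattern = '^C:\\ProgramData\\')
    Get-Process | Where-Object { $_.Path -and $_.Path -match $PathPattern } | ForEach-Object {
        $file   = Get-Item -LiteralPath $_.Path -Force             # -Force sees Hidden/System items
        $folder = Get-Item -LiteralPath $file.DirectoryName -Force
        [pscustomobject]@{
            PID          = $_.Id
            Name         = $_.ProcessName
            Path         = $_.Path
            FileHidden   = [bool]($file.Attributes   -band [IO.FileAttributes]::Hidden)
            FolderHidden = [bool]($folder.Attributes -band [IO.FileAttributes]::Hidden)
            FolderSystem = [bool]($folder.Attributes -band [IO.FileAttributes]::System)
            Owner        = (Get-Acl -LiteralPath $_.Path).Owner
            SHA256       = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash
        }
    }
}

# Usage, in the answer's order: suspend every match first, then kill one at a time.
$hits = Get-SuspiciousProcess
$hits | Format-Table PID, Name, Path, FolderHidden, FolderSystem, SHA256 -AutoSize
foreach ($h in $hits) { Suspend-ProcessById -ProcessId $h.PID }
# foreach ($h in $hits) { Stop-Process -Id $h.PID -Force }   # only once all are suspended
```

A process in a System+Hidden folder under ProgramData, owned by an unexpected account, is a strong signal, but legitimate updaters and installers also run from ProgramData, so check the SHA256 before killing anything; suspending is reversible with Resume-ProcessById, termination is not.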
3

To Delete a specific file:

When del /f <FILE> produces an Access Denied error, you first need to take ownership and grant access using the takeown and icacls command-line utilities.


Take ownership:

takeown.exe /F <FILE-PATH>

Note: Make sure to change <FILE-PATH> to the full name of the desired file.

Output example:

SUCCESS: The file (or folder): "[FILE-PATH]" now owned by user "PC-NAME\USER-NAME".

Grant user access right:

icacls.exe <FILE-PATH> /grant PC-NAME\USER-NAME:F

Note: Make sure to change <FILE-PATH> and PC-NAME\USER-NAME accordingly (don't miss the :F).

Output example:

processed file: [FILE-NAME]
Successfully processed 1 files; Failed processing 0 files

Delete the file:

del /f <FILE-PATH>
yrjarv
Benny
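Mikpa's and Benny's answers both come down to takeown, icacls, then del. The following is an added example, not code from either answer: it runs that same sequence from an elevated PowerShell, but adds the two things the question still needed. It clears the System+Hidden attributes that are the usual reason a folder stays invisible even with "show hidden files" on, and it checks the owner and Deny entries on every file before attempting the delete, so you can tell whether something is re-applying the permissions. The target path is the one from the question; everything else is an assumption.

```powershell
# Added example; not from Mikpa's or Benny's answer. Run from an elevated
# PowerShell. Assumptions: the target is the folder from the question, and
# nothing else on the machine needs the files inside it.
param(
    [string]$Target = 'C:\ProgramData\994146'
)

# 1. Make the folder and its contents visible. Explorer's "show hidden files"
#    does not show System+Hidden ("super hidden") items; attrib clears both.
$before = (Get-Item -LiteralPath $Target -Force).Attributes
"Attributes before: $before"
attrib -s -h -r $Target /S /D | Out-Null     # /S = contents, /D = folders too

# 2. Take ownership of the whole tree. /A hands it to the Administrators group,
#    /R recurses, /D Y answers the "list directory?" prompt automatically.
takeown /F $Target /A /R /D Y | Out-Null

# 3. Replace the DACL rather than append to it: /reset throws away the odd
#    entries that kept reappearing, /inheritance:r stops re-inheritance from
#    the parent, /grant:r writes exactly the entries listed and nothing else.
icacls $Target /reset /T /C | Out-Null
icacls $Target /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' /T /C | Out-Null

# 4. Verify before deleting. A Deny ACE or a foreign owner that survives step 3
#    means something is re-applying permissions faster than they are removed.
$report = Get-ChildItem -LiteralPath $Target -Recurse -Force | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName
    [pscustomobject]@{
        Path     = $_.FullName
        Owner    = $acl.Owner
        DenyACEs = @($acl.Access | Where-Object AccessControlType -eq 'Deny').Count
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.DenyACEs -gt 0 }) {
    Write-Warning 'Deny entries came back; a running process is probably reapplying them. Suspend it first (see the Process Explorer answer).'
}

# 5. Delete. -Force handles read-only files; -Recurse takes the folder with it.
try {
    Remove-Item -LiteralPath $Target -Recurse -Force -ErrorAction Stop
    "Deleted $Target"
} catch {
    Write-Warning "Delete failed: $($_.Exception.Message)"
}
```

If step 5 still fails after the report shows Administrators as owner and zero Deny entries, the file is open or locked rather than protected by its ACL, which is the Process Monitor case rather than the permissions case.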
2

This is my "chown.bat" (Unix folks will laugh at me using that name). I've cobbled it together from various solutions... Each time one doesn't work, I add more stuff. The SetACL stuff I only discovered in 2014 or 2015. This has never failed me:

    rem chown.bat: run from inside the directory to reset; SetACL.exe must be on PATH
    rem (in a .bat file the loop variable is %%fn; at an interactive prompt use %fn)
    for /r %%fn in (*.*) do SetACL -on "%%fn" -ot file -actn clear -clr "dacl,sacl"
    takeown /F * /R /D  Y
    icacls   *.* /T /C /grant YOURUSERACCOUNTNAMEHERE:(D,WDAC)
    icacls    .  /T /C /grant administrators:F System:F everyone:F

SetACL is a 3rd-party utility that needs to be on your PATH.

ClioCJS
-3

In my case, the solution to this particular problem was to run Kaspersky's TDSSKiller; it may have been a trojan. Unfortunately, I'm not sure specifically what TDSSKiller did to remove the affected file.

Erik Humphrey