11

I'm trying to delete an executable, but it fails with the error "Access is denied", even when adding /F to force it, as in del /F system.exe. I'm using an elevated Command Prompt.

Attempting to delete the file through Windows Explorer yields the following:

error message

I went into the Security properties of the executable. Highlighted are the odd permission entries which may be stopping me from deleting this file:

advanced security settings

Originally, it did not let me delete the entries; the option was greyed out. I performed takeown /F C:\ProgramData\994146\system.exe, deleted the entries, added ones which gave me full permissions, and closed the dialogue box. The error persisted. When I reopened the Advanced Security Settings, the entries were back.

The parent folder of system.exe, 994146, is completely invisible in ProgramData. I have "show hidden files" on for ProgramData. I had to manually type the path in Windows Explorer's address bar. I am also not sure how to edit the properties of 994146 since I cannot select it in the file hierarchy.

5
  • you say "even" with /F; it's not like /F is some powerful thing. What about something many find effective, like unlocker? (google unlocker) or any of the normal techniques one uses when they can't delete a file in Windows, like using process explorer to see if any process is locking the file.. You know - techniques that people tend to find work.. Techniques that are listed whenever anybody asks how to delete a file that Windows won't let you delete
    – barlop
    Commented Aug 22, 2015 at 1:08
  • 1
    And why do you write "batch delete" in the title, and then you write "I'm trying to delete an executable"? Batch is like a bat file, rather than command line. This is one command, not a batch file
    – barlop
    Commented Aug 22, 2015 at 1:11
  • 1
    If you have malware like this, you really ought to backup your data and wipe the machine. Commented Aug 22, 2015 at 2:43
  • I am curious if you "even" checked if system.exe is in task manager? (given that it showed in process explorer)
    – barlop
    Commented Aug 22, 2015 at 9:09
  • possible duplicate of How can I remove malicious spyware, malware, viruses or rootkits from my PC?
    – DavidPostill
    Commented Aug 22, 2015 at 13:42

5 Answers

10

Put bad processes on ice:

  1. Download and run Process Explorer (from Microsoft) as Admin
  2. In the Options > VirusTotal.com menu enable Check VirusTotal.com and accept the license agreement
  3. A new column will appear titled VirusTotal with a number like 0/57. The first number indicates how many virus scanners think the process is infected. The second number indicates how many scanned the file. 0/57 would indicate a clean process while 19/57 would indicate 19 scanners think the process is bad.
  4. For any processes flagged as infected, right-click and Suspend (do not kill)
  5. Once all suspicious processes have been suspended, kill them one at a time
  6. If any new infected processes re-appear, suspend them and don't kill them
  7. Change the file permissions on your unwanted executable to regain Full Control, then delete it
  8. Once you've deleted the file, you need to immediately move into scanning your computer for malware


If this doesn't work, then break out the fire:

  1. Download and run Process Monitor (also from Microsoft) and run as Admin
  2. On the Filter menu click Filter...
  3. Create a filter condition to match your file: [screenshot]
  4. Click Add then OK
  5. Change the permissions on your file
  6. Review Process Monitor's output. You'll see that explorer.exe accesses the file (that's you, changing the permissions). Look for any other process that touches the file, most likely the last process to do so. This is most likely going to be your malicious process.
  7. Use Process Explorer to suspend that process (the PID value shown by Process Monitor is also shown by Process Explorer)
  8. Try changing the permissions/deleting the file again
16
  • 1
    How do you know it's the only remnant? What makes you so sure there's not a rootkit that you can't even see? Commented Aug 22, 2015 at 2:47
  • 1
    @Gnomechild The large number of events in Process Monitor is normal. The fact csrss.exe is involved means you have a serious infection. You need to move into full scale malware removal efforts. You have more going on than you originally thought. Commented Aug 22, 2015 at 3:17
  • 1
    @Gnomechild That's not correct. This process is critical to Windows operation. Trust me, if something running inside (i.e. "injected") in this process is preventing you from deleting a bad file, you've got a serious infection. Act accordingly. Commented Aug 22, 2015 at 3:23
  • 1
    I am curious.. I suppose that the reason you suspend them first, is the reason stated here superuser.com/questions/325603/… which is that they may act as watchdogs on each other.. Considering though that if you suspended them one by one they could still act as watchdogs for each other, and that you can I suppose get around that by suspending them all at the same time.. How would that be any better than killing them all at the same time?
    – barlop
    Commented Aug 22, 2015 at 9:23
  • 2
    @barlop You're correct that this is an anti-watchdog technique. I've not enjoyed the same success by killing the processes simultaneously. It only takes a millisecond for a watchdog process to see its buddy dead and respawn it. Compared to the suspend-and-kill approach, it's tough to kill a number of process that fast. I've yet to have a process take action against suspending its buddies, but I suppose that day is coming. Commented Aug 22, 2015 at 13:36
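A scripted form of the suspend-all-then-kill step from the answer above, written as an added example (my code, not the answerer's and not a Sysinternals tool): every listed PID is frozen with NtSuspendProcess before any of them is terminated, so a watchdog pair cannot respawn each other, and critical system processes are refused outright. The PIDs at the bottom are a constructed placeholder; NtSuspendProcess is an undocumented but long-stable ntdll export.

```powershell
# Added example: suspend every suspect process first, then terminate them.
# Assumes an elevated PowerShell session; the PIDs at the bottom are a
# constructed placeholder, replace them with the ones Process Explorer flagged.
$Signature = @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
'@
$Ntdll = Add-Type -MemberDefinition $Signature -Name 'NtProc' -Namespace 'Win32' -PassThru

# Freezing one of these bugchecks or cripples Windows. If the bad code lives
# inside one of them (the csrss.exe case in the comments) this script is the
# wrong tool and full malware removal is the next step.
$CriticalNames = 'System', 'smss', 'csrss', 'wininit', 'winlogon', 'services', 'lsass'

function Stop-WatchdogPair {
    param([Parameter(Mandatory)][int[]]$ProcessId)

    # Phase 1: freeze every suspect before touching any of them. A frozen
    # watchdog cannot notice its partner dying, so nothing gets respawned.
    $frozen = foreach ($id in $ProcessId) {
        $p = Get-Process -Id $id -ErrorAction SilentlyContinue
        if (-not $p) { Write-Warning "PID $id already gone"; continue }
        if ($CriticalNames -contains $p.ProcessName) {
            Write-Warning "PID $id is $($p.ProcessName), a critical system process; refusing to suspend it"
            continue
        }
        $status = $Ntdll::NtSuspendProcess($p.Handle)   # NTSTATUS, 0 = success
        if ($status -ne 0) {
            Write-Warning ("Could not suspend PID {0} ({1}): NTSTATUS 0x{2:X8}" -f $id, $p.ProcessName, $status)
            continue
        }
        $p
    }

    # Phase 2: only now terminate, one at a time, then look for resurrections.
    foreach ($p in $frozen) { Stop-Process -Id $p.Id -Force -ErrorAction Continue }
    Start-Sleep -Seconds 2
    # Matches by image name, so a legitimate process of the same name would also show up.
    $back = foreach ($p in $frozen) { Get-Process -Name $p.ProcessName -ErrorAction SilentlyContinue }
    if ($back) {
        Write-Warning "Respawned: $($back.ProcessName -join ', '). A third process, service or scheduled task is restarting them; switch to the Process Monitor steps."
    }
    return $back   # nothing returned means nothing came back
}

# Stop-WatchdogPair -ProcessId 4242, 4343   # constructed placeholder PIDs
```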
7

Just run these commands:

takeown /F * /R /D Y
icacls . /T /C /grant administrators:F System:F everyone:F
del * /s /q
4
  • That's awesome, very very thanks Commented Oct 29, 2021 at 7:24
  • Good answer, but note that this acts on all of the current directory, unlike the OP's question which was about a specific file.
    – adentinger
    Commented Jan 19, 2022 at 14:56
  • 1
    ERROR: Invalid argument/option - '*'. Type "TAKEOWN /?" for usage. Commented Mar 29, 2022 at 14:36
  • 1
    takeown /F * /R /D Y I think
    – trker
    Commented May 4, 2022 at 0:52
3

To Delete a specific file:

When del /f <FILE> produces an Access Denied error, you first need to take ownership and grant access using the takeown and icacls command-line utilities.


Take owner:

takeown.exe /F <FILE-PATH>

Note: Make sure to change <FILE-PATH> to the full name of the desired file.

Output example:

SUCCESS: The file (or folder): "[FILE-PATH]" now owned by user "PC-NAME\USER-NAME".

Grant user access right:

icacls.exe <FILE-PATH> /grant PC-NAME\USER-NAME:F

Note: Make sure to change <FILE-PATH> and PC-NAME\USER-NAME accordingly (don't miss the :F).

Output example:

processed file: [FILE-NAME]
Successfully processed 1 files; Failed processing 0 files

Delete the file:

del /f <FILE-PATH>
2
  • The question states that that had already been tried.
    – Chenmunka
    Commented Mar 18, 2022 at 7:04
  • What if takeown.exe /f gives ERROR: Access is denied.?
    – bers
    Commented Jan 10 at 8:03
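The three steps of the answer above wrapped into one function, as an added example (my code, not the answerer's): it runs takeown and icacls with exit-code checks, then re-reads the DACL to confirm the grant is still there before deleting, which distinguishes a plain permission problem from the "entries were back" symptom in the question and from a file that is merely in use. The path in the usage line is taken from the question; the function assumes an elevated PowerShell session.

```powershell
# Added example: takeown + icacls + delete, verifying each step.
# Assumes an elevated PowerShell session.
function Remove-ProtectedFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # PC-NAME\USER-NAME

    # Step 1: take ownership (takeown enables SeTakeOwnershipPrivilege itself).
    & takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed (exit $LASTEXITCODE): access denied even at the owner level" }

    # Step 2: grant Full Control to the current account (the :F matters).
    & icacls.exe $Path /grant "${me}:F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit $LASTEXITCODE)" }

    # Step 3: re-read the DACL. If the grant is already gone, a running process
    # is rewriting the ACL (the question's "entries were back" symptom) and
    # deleting will keep failing until that process is suspended.
    Start-Sleep -Milliseconds 500
    $acl = Get-Acl -LiteralPath $Path
    $grant = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $me -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl -and
        $_.AccessControlType -eq 'Allow'
    }
    if (-not $grant) {
        Write-Warning "Full Control grant for $me vanished within 500 ms; owner is now '$($acl.Owner)'. Something is guarding this file."
        return $false
    }

    # Step 4: delete, reporting an in-use lock separately from a permission problem.
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return $true
    } catch [System.IO.IOException] {
        Write-Warning "Permissions are fine but the file is in use: $($_.Exception.Message)"
        return $false
    }
}

# Remove-ProtectedFile -Path 'C:\ProgramData\994146\system.exe'   # path from the question
```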
1

This is my "chown.bat" (unix folks will laugh at me using that name). I've cobbled it together from various solutions... Each time one doesn't work, I add more stuff. The SetACL stuff I only discovered in 2014 or 2015. This has never failed me:

    rem chown.bat: run from the top of the directory tree whose ACLs you want to reset.
    rem In a .bat file the FOR variable must be a single letter with a doubled %%
    rem and the command needs DO; the original TCC (TakeCommand) form was
    rem "for /r %fn in (*.*) SetACL ...".
    for /r %%f in (*.*) do SetACL -on "%%f" -ot file -actn clear -clr dacl,sacl
    takeown /F * /R /D Y
    icacls *.* /T /C /grant YOURUSERACCOUNTNAMEHERE:(D,WDAC)
    icacls . /T /C /grant administrators:F System:F everyone:F

SetACL is a 3rd party utility that needs to be in your path.

5
  • Comment submitted as an edit: [This solution worked, thank you! However, I had to change your FOR line in 2 ways. At least on Windows 10, the %variable seems to have to be a single letter. So your "%fn" became just "%f" if that line is run at the command line. (And note that if you put those lines in a batch file, that variable has to have double % signs, as in "%%f", which is what I have above.) Finally, I needed to add "DO" before the "SetACL". See above. And many thanks again for finally getting me to where I could just delete an executable]
    – Mokubai
    Commented Jul 6, 2017 at 7:02
  • Thanks! I use TakeCommand (TCC.EXE) as a command-line, so I may have minor variances in my implementations :) It's nice to know someone went through it with a fine-tooth comb to make it more compatible to more common command-lines. I might just change my local BAT file to reflect your edits just for giggles :)
    – ClioCJS
    Commented Jul 7, 2017 at 6:52
  • Also, for TakeCommand, instead of YOURUSERACCOUNTNAMEHERE, one can get away with %_winuser% -- not sure if that works elsewhere.
    – ClioCJS
    Commented Jul 7, 2017 at 6:54
  • Unfortunately that doesn't work for me. Commented Mar 29, 2022 at 14:38
  • "This has never failed me" - well, try it on any file in "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\00", and you may see "SetACL error message: The call to SetNamedSecurityInfo () failed. Operating system error message: Access is denied."
    – bers
    Commented Jan 10 at 8:08
-3

In my case, the solution to this particular problem was to run Kaspersky's TDSSKiller; it may have been a trojan. Unfortunately, I'm not sure specifically what TDSSKiller did to remove the affected file.

1
  • 1
    It's one piece of anti malware software and no one piece of anti malware software has any magic power to eliminate absolutely any trojan. I'm not necessarily suggesting using more than one, maybe one should, maybe not, but I'm just saying your claim is either extravagant or meaningless. "should completely eliminate" (what does 'should' mean? So when you run an anti malware program and it doesn't do it you scratch your head and say it should have?) And you give no argument to support your claim either.
    – barlop
    Commented Aug 23, 2015 at 14:12