Windows – File delete – access is denied even with /F

command linemalware-removalwindowswindows 10

I'm trying to delete an executable, but it fails with the error Access is denied even adding /F to force it as del /F system.exe. I'm using an elevated Command Prompt.

Attempting to delete the file through Windows Explorer yields the following:

error message

I went into the Security properties of the executable. Highlighted are the odd permission entries which may be stopping me from deleting this file:

advanced security settings

Originally, it did not let me delete the entries; the option was greyed out. I performed takeown /F C:\ProgramData\994146\system.exe, deleted the entries, added ones which gave me full permissions, and closed the dialogue box. The error persisted. When I reopened the Advanced Security Settings, the entries were back.

The parent folder of system.exe, 994146, is completely invisible in ProgramData. I have "show hidden files" on ProgramData. I had to manually type the path in Windows Explorer's address bar. I am also not sure how to edit the properties of 994146 since I can not select it in the file hierarchy.

Best Answer

Put bad processes on ice:

  1. Download and run Process Explorer (from Microsoft) as Admin
  2. In the Options > VirusTotal.com menu enable Check VirusTotal.com and accept the license agreement
  3. A new column will appear titled VirusTotal with a number like 0/57. The first number indicates how many virus scanners think the process is infected. The second number indicates how many scanned the file. 0/57 would indicate a clean process while 19/57 would indicate 19 scanners think the process is bad.
  4. For any processes flagged as infected, right-click and Suspend (do not kill)
  5. Once all suspicious processes have been suspended, kill them one at a time
  6. If any new infected processes re-appear, suspend them and don't kill them
  7. Change the file permissions on your unwanted executable to regain Full Control, then delete it
  8. Once you've deleted the file, you need to immediately move into scanning your computer for malware

If this doesn't work, then break out the fire:

  1. Download and run Process Monitor (also from Microsoft) and run as Admin
  2. On the Filter menu click Filter...
  3. Create a filter condition to match your file as follows: enter image description here
  4. Click Add then OK
  5. Change the permissions on your file
  6. Review Process Monitor's output. You'll see that explorer.exe accesses the file (that's you, changing the permissions). Look for any other processes that touches the file...most likely the last process to do so. This is most likely going to be your malicious process.
  7. Use Process Explorer to suspend that process (the PID value shown by Process Monitor is also shown by Process Explorer)
  8. Try changing the permissions/deleting the file again
Related Question