DEL /a: /e /z whatever.ext

That is me (my email address)
I figured that. It just doesn't look like a Windows "principal". In those places, I see myself vefatica (JJ\vefatica).

If that's really you, the currently logged-on user, you seem to have shown that that user owns the file and has full access to it but can't delete it. I'm lost.
 

From the first image in DEL /a: /e /z whatever.ext

What if I removed the permissions from "Charles Galloway ([email protected])", then tried to del_file again? calling the 2 MS utilities...
 
I dunno. What username did you give to those two utilities the first time? What username would you give if you used them again? As I said, I'm lost.
 
I'm guessing that Windows has been upgraded, and that whole Backup tree was created by the Windows Installer service. It may be possible to delete the whole thing with the Disk Cleanup tool, in its more advanced "Clean up system files" mode.

Other, more technical, approaches: Boot a copy of Windows PE from e.g. a flash drive, and delete from that OS. Or temporarily move the hard drive to a different computer as a secondary drive. Neither of these will work if the hard drive is encrypted, though.
 
I dunno. What username did you give to those two utilities the first time? What username would you give if you used them again? As I said, I'm lost.
Code:
:Delfile [cFile]
  :: try to delete the file
  iff exist %cFile then
    del /a: /e /z %cFile
    iff exist %cFile then
      :: file not able to be deleted, see about ownership?
      :: take full ownership of the file
      C:\WINDOWS\system32\takeown.exe /f %cFile
      C:\WINDOWS\system32\icacls.exe %cFile /grant %USERNAME%:F
      :: try to delete the file one more time
      del /a: /e /z %cFile
      iff exist %cFile then
        echo %cFile still exists, quitting.....
        quit
      endiff
    endiff
  endiff
::

What does c:\Windows\System32\whoami.exe report?

Code:
[C:\Users\csgal\OneDrive\Desktop\OEClassic]c:\Windows\System32\whoami.exe
desktop-c293qau\csgal
 
That doesn't look much like
1648088989534.png

See why I'm confused.

If you remove /E from the DEL command, it might tell you why it failed.

What's the value of %USERNAME%?

What if you used C:\WINDOWS\system32\icacls.exe %cFile /grant csgal:F (instead of using %USERNAME)?
 
That doesn't look much like
View attachment 3627
See why I'm confused.

Yes, I do. I know I have a OneDrive by that name and email address..... not sure how it got there

If you remove /E from the DEL command, it might tell you why it failed.

It will take a long time to generate the del_me.btm; Will do it overnight.... and post here...

What's the value of %USERNAME%?

Code:
[C:\Users\csgal\OneDrive\Desktop\Z_Del_me]set user*
USERDOMAIN=DESKTOP-C293QAU
USERDOMAIN_ROAMINGPROFILE=DESKTOP-C293QAU
USERNAME=csgal
USERPROFILE=C:\Users\csgal

What if you used C:\WINDOWS\system32\icacls.exe %cFile /grant csgal:F (instead of using %USERNAME)?

It should pick up the value of %USERNAME - and I don't see why it would be anything besides what I posted earlier...
 
@vefatica and @Charles Dye :

Code:
[C:\Users\csgal\OneDrive\Desktop]del_me.btm
Deleting C:\Backup\Windows\System32\IntelIHVRouter08.dll
TCC: (Sys) C:\Users\csgal\OneDrive\Desktop\del_me.btm [28]  Access is denied.
 "C:\Backup\Windows\System32\IntelIHVRouter08.dll"
     0 files deleted       1 failed
Press any key when ready...

SUCCESS: The file (or folder): "C:\Backup\Windows\System32\IntelIHVRouter08.dll" now owned by user "DESKTOP-C293QAU\csgal".
processed file: C:\Backup\Windows\System32\IntelIHVRouter08.dll
Successfully processed 1 files; Failed processing 0 files
Deleting C:\Backup\Windows\System32\IntelIHVRouter08.dll
TCC: (Sys) C:\Users\csgal\OneDrive\Desktop\del_me.btm [36]  Access is denied.
 "C:\Backup\Windows\System32\IntelIHVRouter08.dll"
     0 files deleted       1 failed
Press any key when ready...
"C:\Backup\Windows\System32\IntelIHVRouter08.dll" still exists, quitting.....

[C:\Users\csgal\OneDrive\Desktop]

The UDF is:

Code:
:Delfile [cFile]
  :: try to delete the file
  iff exist %cFile then
    del /a: /z %cFile
    pause
    iff exist %cFile then
      :: file not able to be deleted, see about ownership?
      :: take full ownership of the file
      C:\WINDOWS\system32\takeown.exe /f %cFile
      C:\WINDOWS\system32\icacls.exe %cFile /grant %USERNAME%:F
      :: try to delete the file one more time
      del /a: /z %cFile
      pause
      iff exist %cFile then
        echo %cFile still exists, quitting.....
        quit
      endiff
    endiff
  endiff
::

Full permissions for the file above are:
SYSTEM
Charles Galloway ([email protected])
TrustedInstaller
 
I suggest you take over the whole tree:
Code:
takeown /r /f c:\backup
icacls c:\backup /t /grant %username%:f

It's possible that you may need write access to the parent directory as well as the file itself.
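
How the file's ACL and the parent directory's ACL combine for a delete, as an added example that is not part of the original post: NTFS permits the delete when the caller holds DELETE on the file or DELETE_CHILD on the parent. The function names, paths and `icacls` output below are constructed for illustration, and the caller's own account and group names must be supplied in `principals`.

```python
import re

# icacls right codes whose mask includes DELETE (DE) or DELETE_CHILD (DC)
INCLUDES = {"DE": {"F", "M", "D", "DE"}, "DC": {"F", "DC"}}
NOT_RIGHTS = {"I", "OI", "CI", "IO", "NP", "DENY"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(text, path):
    """Return ACEs in DACL order: (principal, is_deny, inherit_only, rights)."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line is prefixed by the path
        m = ACE_RE.match(line)
        if not m:
            continue                          # blank line or summary line
        groups = re.findall(r"\(([^)]*)\)", m["flags"])
        rights = {r.upper() for g in groups if g not in NOT_RIGHTS
                  for r in g.split(",")}
        aces.append((m["who"], "DENY" in groups, "IO" in groups, rights))
    return aces

def allows(aces, principals, right):
    """Walk the DACL in order; the first applicable ACE naming the right decides."""
    held = {p.lower() for p in principals}
    for who, deny, inherit_only, rights in aces:
        if inherit_only or who.lower() not in held:
            continue                          # inherit-only ACEs skip this object
        if rights & INCLUDES[right]:
            return not deny
    return False                              # nothing grants it: implicit deny

def can_delete(file_aces, parent_aces, principals):
    """Delete needs DELETE on the file or DELETE_CHILD on the parent directory."""
    return (allows(file_aces, principals, "DE")
            or allows(parent_aces, principals, "DC"))

# Constructed sample icacls output (not taken from the thread)
FILE = r"C:\Backup\example.dll"
FULL = r"""C:\Backup\example.dll NT AUTHORITY\SYSTEM:(F)
                      DESKTOP-EXAMPLE\alice:(F)"""
DENIED = r"""C:\Backup\example.dll DESKTOP-EXAMPLE\alice:(DENY)(D)
                      DESKTOP-EXAMPLE\alice:(RX)
Successfully processed 1 files; Failed processing 0 files"""
PARENT_IO = r"C:\Backup DESKTOP-EXAMPLE\alice:(OI)(CI)(IO)(F)"
PARENT_DC = r"C:\Backup DESKTOP-EXAMPLE\alice:(RX,W,DC)"
ME = ["DESKTOP-EXAMPLE\\alice"]
```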
 
If it were a horse race I'd put my money on csgal. Charles Galloway ([email protected]) doesn't look like a Windows username to me. If it is one, I wonder if it's in some special (and not an admin). Does ControlPanel\UserAccounts give any insight into this?
 
Then who's this guy (that WHOAMI was talking about)?

It might be from a Win7 box, as I had the repair store transfer some files over to my Win10 box, the latter of which I am posting from now.

Win10 box
Users
csgal
default
public
 
I suggest you take over the whole tree:
Code:
takeown /r /f c:\backup
icacls c:\backup /t /grant %username%:f

It's possible that you may need write access to the parent directory as well as the file itself.

Those 2 commands did allow me to remove some empty folders/dirs, but the problem in #40 above still remains....

@vefatica - - - also......
 
Capture.JPG


Any way I can delete this file using the command line?
 
Charles, Windows doesn’t care where the file is. It only cares about the name of the file that's already loaded in memory. You have two files with the same name; Windows doesn’t care which one is loaded. All it understands is that one of them is loaded, thus it won't allow you to delete the backup copy. TCC and Windows are doing what the API tells them to do, which is deny the delete.

Boot Win10 into safe mode, choose a mode that doesn’t allow internet access (no router drivers etc.), and rename the backup copy IntelHVRouter08.dll to IntelHVRouter08.dl_

Reboot into normal mode; if internet access is working, delete the backup file you renamed.

Google “boot win10 into safe mode”; it should show you the following:

How to boot in Safe Mode in Windows 10
  1. Hold down the Shift button as you click "Restart." ...
  2. Choose "Troubleshoot" on the Choose an option screen. ...
  3. Choose "Startup Settings" and then click Restart to get to the final selection menu for Safe Mode. ...
  4. Enable Safe Mode with or without internet access.
Hopefully that should work
 
What exactly do you mean, @Kachupp? Using TCC (which loads TAKECMD.DLL) I had no problem deleting a copy of a loaded DLL.

Code:
v:\> copy d:\tc28\takecmd.dll
D:\tc28\takecmd.dll => V:\takecmd.dll
     1 file copied

v:\> del takecmd.dll
Deleting V:\takecmd.dll
     1 file deleted            6,004,736 bytes freed

The same goes for system files.

Code:
v:\> copy c:\Windows\System32\shell32.dll
C:\Windows\System32\shell32.dll => V:\shell32.dll
     1 file copied

v:\> del shell32.dll
Deleting V:\shell32.dll
     1 file deleted            7,647,232 bytes freed
 
I just tried this and yes, as usual, you are correct. It failed at first because my dll had the hidden attribute set. So I was about to delete the post, then thought nah, the reboot option may still help.
 
I don't understand, since I had /Z on the DEL command....

Also, would /B be effective on files like I posted above in my screen capture?
 
@Charles G

I think also that the Safe Mode COULD be a solution for you.

Another hint COULD be that you boot your system with a linux boot stick or so - which is able to mount your windows drive (partition). There you could try to delete those files. Even backup software has such boot media sometimes (know that from Acronis which I used years ago) ... there I could boot, start a file manager and could delete files on windows partition.

Just some ideas; I will not be responsible if you destroy your Windows partition.
 
I am taking my time going through the c:\backup\ tree deleting what I can or moving files elsewhere - then once that is done will post if needed.... thanks everyone
 
The other thing I do is use SysInternals' PsExec and start a TCC instance running under the SYSTEM account
(using alias sysprompt=`psexec -sidw "%_cwd" "%_cmdspec"` in an elevated prompt).
 
I doubt even SYSTEM can do anything with things owned by Trusted Installer.
 