(solved) moving locked files/directory during next reboot

[MattHiggs]

hello autoit scripters.  I am currently working on a repair script which needs to be able to delete a directory which is pretty constantly used in order to replace its contents.  I was thinking about using "delete during next reboot" in order to accomplish this, and to this point, the only way I can see this being done is by modifying the registry (create PendingFileRenameOperations registry key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager).  Is there another way that this can be done.  Which way would be more effective?  What type of registry key would be used?  Can anyone provide an example?  Thanks.

Edited November 11, 2016 by MattHiggs

[orbs]

@MattHiggs,

using the said registry key can be tricky. you have to maintain trailing @LF and empty string for target path (if you wish to delete rather than move/rename). _WinAPI_MoveFileEx() can handle that for you - read the help file carefully.

occasionally i encountered issues with that, especially files located in the system32 folder. if reliability is a must, i'd suggest using a scheduled task to run at startup, as the local SYSTEM account, executing a simple batch file to:

1) delete the said folders

2) delete the task

3) delete the batch file itself

in this order!

Edited October 31, 2016 by orbs

[MattHiggs]

4 hours ago, orbs said:

@MattHiggs,

using the said registry key can be tricky. you have to maintain trailing @LF and empty string for target path (if you wish to delete rather than move/rename). _WinAPI_MoveFileEx() can handle that for you - read the help file carefully.

occasionally i encountered issues with that, especially files located in the system32 folder. if reliability is a must, i'd suggest using a scheduled task to run at startup, as the local SYSTEM account, executing a simple batch file to:

1) delete the said folders

2) delete the task

3) delete the batch file itself

in this order!

Yeah that was the concern.  Preferably, I would rather just avoid editing the registry all together: too many things can go wrong and the registry is just one of those things that I am not as knowledgeable on.  As for the scheduled task, I had considered it.  I always figured that "at startup" meant after the system had booted and was at logon screen, but if you have been able to use this method to delete files located in the system32 folder (which is exactly what I am trying to do), then it sounds like that is perfect.  Thanks you sir.

[MilesAhead]

I have found an easy way to do things like run a program that deletes every index.dat file on the Windows system partition, using the RunOnce registry key.  I wrote a small freeware to set it conveniently called RunItOnce.  The program it runs will run before login.  So it should not be interactive at all.  You may download RunItOnce from my page

 

It just so happens the utility is written in AutoIt3.

 

Edit:  The beauty of using the RunOnce key in the Registry is the system gets the info, then removes it from the Registry for you.  You don't have to worry about cleaning up after yourself.  RunItOnce will set the RunOnce key of the user whose account is active when RunItOnce is run.  IOW, it uses the Users RunOnce Registry key, not Administrator.  But it should work fine for deleting system files since they are not considered to be "in use by the system" prior to login.  At least it had no problem running a program that deleted every index.dat file on C: for me.  Try it and see.  But I would definitely make an image backup first!!

 

 

Edited October 31, 2016 by MilesAhead

[MattHiggs]

On 10/31/2016 at 7:44 PM, MilesAhead said:

I have found an easy way to do things like run a program that deletes every index.dat file on the Windows system partition, using the RunOnce registry key.  I wrote a small freeware to set it conveniently called RunItOnce.  The program it runs will run before login.  So it should not be interactive at all.  You may download RunItOnce from my page

 

It just so happens the utility is written in AutoIt3.

 

Edit:  The beauty of using the RunOnce key in the Registry is the system gets the info, then removes it from the Registry for you.  You don't have to worry about cleaning up after yourself.  RunItOnce will set the RunOnce key of the user whose account is active when RunItOnce is run.  IOW, it uses the Users RunOnce Registry key, not Administrator.  But it should work fine for deleting system files since they are not considered to be "in use by the system" prior to login.  At least it had no problem running a program that deleted every index.dat file on C: for me.  Try it and see.  But I would definitely make an image backup first!!

 

 

Thank you sir, for both the info and the URL to your site with many, many useful utilities.  Have you considered putting the URL in your signature?  That way other members of the autoit community can see, access, and download the utilities from it without you having to repeatedly post it.  There are probably a lot of scripters out there that would find them useful.

[MilesAhead]

On 11/4/2016 at 6:27 AM, MattHiggs said:

Thank you sir, for both the info and the URL to your site with many, many useful utilities.  Have you considered putting the URL in your signature?  That way other members of the autoit community can see, access, and download the utilities from it without you having to repeatedly post it.  There are probably a lot of scripters out there that would find them useful.

Good idea.  Awhile back I lost a domain I had for several years.  I guess putting the new one in my sig slipped my mind.

[MattHiggs]

Hey all.  I found another, easier way of performing these types of operations.  It is a "sysinternals" tool: MoveFile

Description is as follows:

Schedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use malware files

[JLogan3o13]

You seem to be averse to using Task Scheduler or editing the registry. Just curious, how do you believe MoveFile is working its magic? Use the tool and then look under that PendingFileRenameOperations Value

[j0kky]

Back in the days I worked with virus-removal tools, there was an optimal solution called The Avenger which was able to delete rootkits too on reboot. But I don't know how it works because it is not an open source.