PendingFileRenameOperations to delete a file


Andrew Aronoff

I would like to delete an in-use file during the boot of W2K SP4.
Unfortunately, there does not appear to be any way to use INUSE.EXE to
do that, since this utility replaces files rather than deleting them.
(I do not want to replace a file with an empty file and then delete
the empty file. I want to delete the file in a single operation.)

I then looked into using the PendingFileRenameOperations REG_MULTI_SZ
value at:
HKLM\System\CurrentControlSet\Control\Session Manager

However, despite many attempts, I can't find the syntax to delete a
file.

In general, the syntax used by this value is:
\??\source file
!\??\target file

To delete a file, it would seem that the source line must be empty.
However, an empty string is not accepted by REGEDT32.EXE.

How can a file be deleted at boot via PendingFileRenameOperations? Is
there an easier method that does not require a third party app?

regards, Andy
--
**********

Please send e-mail to: usenet (dot) post (at) aaronoff (dot) com

**********
 
Use tip 8107 in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
Andrew Aronoff... wrote...

Jerold Schulman generously responded:
... Use tip 8107 in the 'Tips & Tricks' at http://www.jsiinc.com

Unfortunately, tip 8107 pertains to the third party app,
"MOVEFILE.EXE" by Sysinternals.

However, using MOVEFILE allowed me to understand the syntax for
deleting a file with PendingFileRenameOperations and how to achieve it
with REGEDIT/REGEDT32.

1. Start REGEDT32 (W2K) or REGEDIT (WXP) and navigate to:
HKLM\System\CurrentControlSet\Control\Session Manager

2. W2K: Edit, Add Value..., Data Type: REG_MULTI_SZ, Value Name:
PendingFileRenameOperations, OK

WXP: Edit, New, Multi-String Value, [enter]
PendingFileRenameOperations

3. In the Data area, enter "\??\" + filename to be deleted. LFNs may
be entered without being embedded in quotes. To delete "C:\Long
Directory Name\Long File Name.exe", enter the following data:

\??\C:\Long Directory Name\Long File Name.exe

Then press OK.

4. The "destination file name" is a null (zero) string. It is entered
as follows:

W2K: Edit, Binary, select Data Format: Hex, click at the end of the
hex string, enter 0000 (four zeros), OK.

WXP: Right-click the value, choose "Modify Binary Data", click at the
end of the hex string, enter 0000 (four zeros), OK.

5. Close REGEDT32/REGEDIT and reboot to delete the file.

regards, Andy
 
(contains un-wrapped long lines)

You should be able to do this with a REG file merge. The following
has a fully qualified file path of: \??\c:\TEMP\Kill-ME.eXe

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5C,3F,3F,5C,63,3A,5C,54,45,4D,50,5C,4B,69,6C,6C,2D,4D,45,2E,65,58,65,00,00,00


Note that this is ANSI not UNICODE format and it has three trailing
nuls. One to terminate the string, one as nul (target) and a final string
terminator. Quick test: works. YMMV

Also REG.EXE may not be classed there as 3rd-party, but could do something
similar.
C:\>reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v "PendingFileRenameOperations"

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
PendingFileRenameOperations REG_MULTI_SZ \??\c:\TEMP\Kill-ME.eXe\0\0\0

Both the REGEDIT4 file and reg.exe could be done from batch. REG.EXE would
be easier IMO.
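
Added example, not part of any post in this thread: Python that decodes the hex(7) data from the REGEDIT4 file above into source/target pairs, so a queued PendingFileRenameOperations value can be reviewed before the reboot that acts on it. The function names and the tolerance for a missing final terminator are assumptions of this example; wide=True handles the UTF-16LE form stored in the registry itself.

```python
import re

NT_PREFIX = "\\??\\"
# Value line copied from the REGEDIT4 example in the post above.
SAMPLE = ('"PendingFileRenameOperations"=hex(7):5C,3F,3F,5C,63,3A,5C,54,45,4D,'
          '50,5C,4B,69,6C,6C,2D,4D,45,2E,65,58,65,00,00,00')

def parse_reg_hex7(line):
    """Return the raw bytes of a hex(7) (REG_MULTI_SZ) value in a .reg file."""
    m = re.search(r"hex\(7\):([0-9A-Fa-f,\\\s]*)", line)
    if not m:
        raise ValueError("no hex(7) data found")
    # Drop commas, line-continuation backslashes and whitespace.
    return bytes.fromhex(re.sub(r"[,\\\s]", "", m.group(1)))

def split_multi_sz(raw, wide=False):
    """Split REG_MULTI_SZ data into strings, keeping empty entries."""
    parts = raw.decode("utf-16-le" if wide else "latin-1").split("\x00")
    parts.pop()                      # text after the final nul (nothing)
    if parts and parts[-1] == "":
        parts.pop()                  # empty string that terminates the list
    if len(parts) % 2:
        parts.append("")             # assumption: tolerate a missing terminator
    return parts

def _strip(path):
    """Remove the \\??\\ prefix so the path reads as a normal Win32 path."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def pending_operations(raw, wide=False):
    """Pair entries as (source, target); an empty target means delete."""
    items = split_multi_sz(raw, wide)
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        replace = dst.startswith("!")   # "!" target prefix: replace existing file
        target = dst[1:] if replace else dst
        ops.append({"action": "rename" if target else "delete",
                    "source": _strip(src),
                    "target": _strip(target) or None,
                    "replace_existing": replace})
    return ops

if __name__ == "__main__":
    for op in pending_operations(parse_reg_hex7(SAMPLE)):
        print(op)
```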
 
Thanks. I hadn't thought of writing out a REGEDIT4 file and then
merging it. That can readily be incorporated into the scripts I'll be
using.

regards, Andy
 