Sunday, October 7, 2007

Registry: Delete a File on Reboot

When a file is locked because it is in use, we can use the PendingFileRenameOperations registry value to have Windows rename (or delete) the file during the next reboot, before the file is opened again.

PendingFileRenameOperations is a multi-string (REG_MULTI_SZ) value that holds pairs of file paths.
The first path of each pair is the file to be renamed.
The second path is the new file path.
If the second path is an empty string, Windows deletes the file instead of renaming it.

However, Registry Editor strips any empty string from a multi-string value when it saves it, so the empty second path is lost. One way around this is to edit the value's binary data directly.

1. Start -> Run
2. Type in regedit, and press ENTER
3. Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
4. Create a new Multi-String value: PendingFileRenameOperations
5. Enter \??\filepath as the data (e.g. \??\C:\Windows\virus.exe)
6. Press OK
7. Right-click on the PendingFileRenameOperations value, click Modify Binary Data
8. At the end of the hex string, add 0000 (four hex zeros, i.e. two zero bytes, which is one UTF-16 NUL and represents the empty string)
9. Press OK
10. Restart your computer
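To see why the four zeros work, here is an added example (my own code, not from the original post) that models the REG_MULTI_SZ byte layout regedit shows in Modify Binary Data: it encodes a list of strings the way the registry stores them, parses a blob back into (source, target) pairs, and reports which entries are deletes. The function names and the sample paths are assumptions made for the demonstration; nothing here touches a real registry, so it runs anywhere and is also usable for reviewing a dumped value during an investigation.

```python
"""Build and parse the REG_MULTI_SZ blob behind PendingFileRenameOperations.

Assumptions (not from the post): function names are my own and the sample
paths are constructed. This only models the byte layout; it does not read or
write the registry.
"""

NUL = "\0"


def encode_multi_sz(strings):
    """Encode a list of strings as REG_MULTI_SZ bytes.

    Each string is UTF-16LE and NUL-terminated; the whole list ends with one
    extra NUL. An empty string therefore contributes a lone NUL (2 bytes),
    which is exactly the "0000" the post appends in the hex editor.
    """
    text = "".join(s + NUL for s in strings) + NUL
    return text.encode("utf-16-le")


def decode_multi_sz(data):
    """Parse REG_MULTI_SZ bytes back into a list of strings.

    The list is delimited by its total length, not by the first empty string,
    which is how an empty target path survives as a real entry.
    """
    if len(data) % 2:
        raise ValueError("REG_MULTI_SZ data must be an even number of bytes")
    text = data.decode("utf-16-le")
    if text == NUL:
        return []  # empty list: only the list terminator is present
    if not text.endswith(NUL + NUL):
        raise ValueError("missing list terminator")
    text = text[:-1]  # drop the list terminator
    parts = text.split(NUL)
    return parts[:-1]  # the last string's own terminator leaves an empty tail


def pending_operations(data):
    """Return (source, target) pairs; target == "" means delete on reboot."""
    strings = decode_multi_sz(data)
    if len(strings) % 2:
        raise ValueError(
            "odd number of entries: a source path has no target "
            "(this is what regedit leaves behind after stripping the empty string)"
        )
    return list(zip(strings[0::2], strings[1::2]))


def describe(data):
    """Human-readable summary of what will happen at the next reboot."""
    lines = []
    for src, dst in pending_operations(data):
        if dst == "":
            lines.append(f"DELETE {src}")
        else:
            lines.append(f"RENAME {src} -> {dst}")
    return lines


# Constructed sample: the post's example path, first as regedit saves it after
# dropping the empty string, then with the two zero bytes appended by hand.
TARGET = r"\??\C:\Windows\virus.exe"
AS_SAVED_BY_REGEDIT = encode_multi_sz([TARGET])
AS_PATCHED_IN_HEX = AS_SAVED_BY_REGEDIT + b"\x00\x00"

if __name__ == "__main__":
    print("regedit saves :", AS_SAVED_BY_REGEDIT.hex(" "))
    print("after patching:", AS_PATCHED_IN_HEX.hex(" "))
    print(describe(AS_PATCHED_IN_HEX))
```

Running the script prints both blobs: the one regedit saves ends in 00 00 00 00 (the path's own terminator plus the list terminator) and parses to a single path with no target, while the patched one ends in 00 00 00 00 00 00 and parses to a (path, "") pair, which is the delete request. The same parser is what a defender needs to read this value off a system, since tools that stop at the first empty string will silently hide the delete entry.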

PendingFileRenameOperations to delete a file
Windows 2000 Registry Reference - PendingFileRenameOperations
