tomman
Posted on 20-01-24, 16:59

Is there a difference if you delete stuff from the shell (Explorer), or from an (elevated) command prompt? Also, there are ways to run stuff as users higher than TrustedInstaller - IIRC Sysinternals has a tool for that.

As for files coming back after deletion on Win2K, that's System File Protection kicking in to protect your OS from yourself, which was introduced in that release (and backported somehow to WinME). If only somehow I could delete NetMeeting from WinXP - it has no use nowadays, I have small HDDs/disk images for my XP boxes/VMs, and yet there is no official way to get rid of NetMeeting and friends: SFP will get in the way, restoring shit as soon as you delete it. But malware has no problems rendering your shit unbootable (hi Sality!)

Licensed Pirate® since 2006, 100% Buttcoin™-free, enemy of All Things JavaScript™
Kawaoneechan
Posted on 20-01-24, 20:24

Posted by tomman: ...
I considered that possibility when I saw one of the KYM examples was a batch file, but dismissed it. Please hold.
funkyass
Posted on 20-01-24, 21:10

Would the OS running off of FAT32 make a difference?
Kawaoneechan
Posted on 20-01-24, 21:15

Elevated CMD starts in System32, which makes it a bit easier. So I start one up in my Win10 VM and type "del *.*", confirm... and get pages upon pages of "Access denied". So yeah, I'm thinking it played by the same rules.

Posted by funkyass:
If it has no way of setting permissions and ownership on the filesystem level, it'd have to make do with what 2000 did: refuse to touch the System32 folder itself, and put everything back that you manage to delete.
kode54
Posted on 20-01-25, 03:46

Bonus points regarding TrustedInstaller: if it's a Windows Store app, it will also be using NTFS Encrypting File System (EFS) to protect the files, and the certificate and keys that control that encryption are owned by TrustedInstaller, and also password protected with a key I have yet to determine, be it a static key, a system key, or whatever. The only way around this is to run the app, inject a DLL into it somehow, and have that DLL dump the filesystem to an unencrypted location. There's a tool for this, too.

Just don't expect those UWP or even Centennial apps to run outside of the store mechanism once removed from their encrypted storage. Certainly a handy way to hack at the resources, though. Due to the EFS, Windows Store apps are not likely to use extra encryption on their resources, like some Unreal Engine games have been known to do.