FileDelete Issue, cannot remove C:\Sysmon locked .dlls

[deathrig07]

I currently had to wipe Sysmon from our enterprise environment and wanted to purge/remove all the C:\Sysmon folders off the devices as this pertained to the FileDelete preservation.

However, the issue I have.. even after takeown and icacls and setting integritylevel. Is I am unable to locate, or unlock these leftover .dll and .exe files that remain in the C:\Sysmon folder, I am getting Access denied, blah blah due to them being locked to a process. I have used the other tools in the sysinternal suite to try and track down the handles and locks for these hashed .dll files and I am unable to.

Anyone please have a solution for this? Would love to toss out a script to be able to remove this directory once Sysmon has been uninstalled and removed from a system.

Thanks in advance

[mhu4711]

One option would be registering all currently locked files for automatic deletion at the next system restart (via the PendingFileRenameOperations Registry key). You can also use that method to delete the C:\Sysmon directory itself, but that only works once it is completely empty so you have to remove the files first.

See https://learn.microsoft.com/en-gb/sysinternals/downloads/pendmoves and https://qtechbabble.wordpress.com/2020/06/26/use-pendingfilerenameoperations-registry-key-to-automatically-delete-a-file-on-reboot/

[deathrig07]

Thank you for the reply. I have already weighed that option, but with thousands of devices on our network that would take forever, with each device having different files in that folder. I have already started to devise a script to possibly be able to do it all in one fell swoop. But that's just proto atm.

If anyone has encountered this or had a better alternative.

Thanks in advance for any help

[mhu4711]

Create a small script (CMD or Powershell) that iterates over the contents of that directory in a foreach loop and registers each encountered file for deletion. Deploy that script to all your machines using your established software deployment solution (or as a run-once scheduled task via GPO). Boom, job done.

[deathrig07]

Thank you mhu4711.

I was able to create a powershell script that does the job. It may not be the greatest and may need some tweaks, but it essentially does what I needed it to do. I deployed this across the enterprise and am able to delete the C:\Sysmon folder after the machine reboots.

If anyone else encountered this issue I will post my script here, feel free to take it and modify it as you need. If anyone can lighten or make this script simpler, feel free.

# Directory containing files to add
$directory = "C:\Sysmon"

# Check if the directory exists
if (-not (Test-Path -Path $directory -PathType Container)) {
    Write-Output "Directory not found: $directory"
    return
}

# Remove attributes from folder
attrib -h -s $directory

# Take ownership of folder
takeown /R /A /F $directory /D N

# Grant administrators permission to folder
icacls $directory /grant Administrators:F /T /C

# Set integrity level of folder
icacls $directory /setintegritylevel l

# Get all files in the directory
$files = Get-ChildItem -Path $directory

# Create the PendingFileRenameOperations property if it doesn't exist
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'PendingFileRenameOperations' -PropertyType MultiString -ErrorAction SilentlyContinue

# Get the current value of the PendingFileRenameOperations registry value
$currentValue = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'PendingFileRenameOperations'

# Convert the current value to an array of strings
$currentArray = $currentValue.PendingFileRenameOperations -split "`0"

# Iterate over each file and add its path to the array
foreach ($file in $files) {
    $newPath = "\??\$($file.FullName)"
    $currentArray += $newPath
    # Add the binary data to the array after each file path
    $currentArray += [char]0 + [char]0
}

# Join the array back into a multi-string value
$newValue = ($currentArray -join "`0") + "`0"

# Set the modified value back to the PendingFileRenameOperations registry value
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'PendingFileRenameOperations' -Type MultiString -Value $newValue

Write-Output "Process finished successfully."

# Try to delete the directory
try {
    Remove-Item -Path $directory -Recurse -Force -ErrorAction Stop
    Write-Output "Directory and its contents deleted successfully."
} catch {
    Write-Output "Failed to delete directory: $_"
}

-Cheers