Tuesday, December 12, 2017

windows - strange AppData directory\file will not delete


On a roaming profile network, a user has a strange directory\file that will not delete:
C:\Users\Manager1\AppData\OICE_15_974FA576_32C1D314_1A3\130544A4.


In Windows Explorer: "Could not find this item"
From command prompt: "Could Not Find "


Since I can't explain the file's existence, I am suspecting malware created the file ... but it's odd I can't delete this file.


Observations:



  • Odd that the file has a trailing "." (dot) in the name. (zero-length extension?!)

  • The file is 0KB in size.

  • Trying to open it with Notepad, I get "The system cannot find the file specified."

  • This user has logged on to 2 different workstations, this directory\file exists and will not delete on either workstation.

  • Both workstations have been rebooted to ensure the file is not locked.

  • The normal AppData directories exist: Local, LocalLow, Roaming (I haven't before seen a 4th folder at this level).

  • I typically have the "Owner" column showing in WinExp, this file does not have an Owner. (The parent directory has "Manager1" as the Owner, as expected).

  • As part of the Roaming Profile, this file was copied back to the server, so this may explain why the file exists on 2 workstations. I cannot delete the file on the server!

  • Trying to get an idea of what created this directory\file(s) in the first place. There are 2 other files in this odd directory, appearing to be temporary files, it appears I can delete them easily enough:

    • ~WRS{4857159A-7397-4DAD-AC26-BAF9D7AFC830}.tmp

    • msoF57A.tmp



All the tricks I know have failed:



  • delete the file through the C: drive network share, WinExp and CmdPrompt.

  • delete the file locally, logged in as an Administrator, WinExp and CmdPrompt.

  • delete the parent directory, and all sub-files (rmdir /s).

  • rename the file, using both wildcard rename and specific name.


Typical CmdPrompt message: "The system cannot find the file specified."


Wowsa, weird, especially not being able to delete from the roaming profile on the server.
Any ideas?


Answer



It turns out I was pointed at the answer in a post I found over on Stack Overflow:


How to delete a folder that name ended with a dot(“.”)


Command:


del "\\?\C:\Users\Manager1\AppData\OICE_15_974FA576_32C1D314_1A3\130544A4."

(now if only I understood the difference between and Stack Overflow, you'd think someone with 35+ years of computer experience could figure it out)
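
The following is an added example, not part of the original post: a Python sketch that walks a profile tree, flags entries whose names end in a dot or a space (the endings Win32 path normalization strips, which is why the normal delete fails), and deletes them through the `\\?\` form used in the answer. It goes beyond the post by also covering trailing spaces and the `\\?\UNC\` form for a copy on a server share; all function names are hypothetical and paths are assumed to be absolute with backslashes.

```python
import os
import sys

PREFIX = "\\\\?\\"  # the literal \\?\ prefix, which turns off Win32 path normalization

def to_extended(path):
    # Assumes an absolute Windows path; returns its \\?\ form (idempotent).
    if path.startswith(PREFIX):
        return path
    if path.startswith("\\\\"):
        # UNC path: \\server\share\x becomes \\?\UNC\server\share\x
        return PREFIX + "UNC\\" + path[2:]
    return PREFIX + path

def is_normalized_away(name):
    # Win32 normalization drops trailing dots and spaces from a final component.
    return name not in (".", "..") and name.endswith((".", " "))

def find_unreachable(root):
    # Walk root and return full paths of entries the normal Win32 API cannot address.
    if os.name == "nt":
        root = to_extended(root)  # lets the walk descend into flagged directories too
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_normalized_away(name):
                hits.append(os.path.join(dirpath, name))
    return hits

def remove_entry(path):
    # Delete one flagged file or empty directory via the extended path on Windows.
    target = to_extended(path) if os.name == "nt" else path
    if os.path.isdir(target):
        os.rmdir(target)
    else:
        os.remove(target)

if __name__ == "__main__":
    # Usage: script.py <absolute root> [--delete]; without --delete it only reports.
    for hit in find_unreachable(sys.argv[1]):
        print(hit)
        if "--delete" in sys.argv[2:]:
            remove_entry(hit)
```

Run it without `--delete` first and review the list, since the flagged entries may be worth preserving for examination before removal.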

