Can't Delete Folder Called COM1 on Windows Server 2019

Michael Adams 306 Reputation points
2021-12-27T21:55:25.62+00:00

Hackers attacked a Windows Server 2019, and in the process put a folder called COM1 on Drive C. I have made a number of attempts to delete this folder. Unfortunately, COM1 is a reserved name. Here is what I have tried, all of which has failed.

I took ownership of the folder back to the Administrators group, which I was able to do. However, it did not allow the folder removal process through File Explorer.

Then I tried removing the directory from a DOS prompt.

rmdir \\?\<x>:\<path_to_folder>\<COM1>

Result: "Access denied".

Then I tried renaming the folder.

ren "\\.\C:\<path to folder>\COM1" TEMP

Result: "Access denied".

File Explorer shows the folder is shared, but if I go to Advanced Options, it does not show up as a Share. It also does not show up as a shared folder in Computer Management.

I tried running the attrib command from a DOS prompt. It will display the attributes of the folder, (only Archive shows). Trying to set attributes results in,

Path not found - \\.\com1\

I am running out of ideas. Any help would be appreciated.


Accepted answer
  1. MotoX80 31,316 Reputation points
    2022-01-11T00:55:34.41+00:00

    So it came back with a file or directory called FRArX with access denied.

    Try this sequence.

    icacls \\.\c:\Progra~3\COM1  /inheritance:r  /grant:R  everyone:f /t 
    attrib -R -S -H  \\.\c:\Progra~3\com1   
    attrib -R -S -H  \\.\c:\Progra~3\com1\*  /S /D 
    rd  \\.\c:\Progra~3\COM1 /s /q 
    

    If that doesn't work, try the rename. If that works, then there should not be any restrictions on the name.

    ren \\.\c:\Progra~3\COM1 XXX
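
The sequence above, turned into a small audit script. This is an added example, not code from the thread: it lists every directory under a scan root whose name Win32 maps to a device (CON, PRN, AUX, NUL, COM1-9, LPT1-9, with or without an extension) and, only with -Remove, applies the same icacls / attrib / rd steps through the \\?\ prefix so the name is passed to NTFS without device parsing. It assumes Windows PowerShell 5.1 in an elevated session; the default root C:\ProgramData (Progra~3 in the thread) is a placeholder.

```powershell
# Added example (not from the thread). Report-only by default; -Remove deletes.
# Assumes an elevated Windows PowerShell 5.1 session on the affected server.
param(
    [string]$Root = 'C:\ProgramData',   # assumed scan root; adjust as needed
    [switch]$Remove                      # without this switch nothing is changed
)

# Names the Win32 layer redirects to devices. "COM1.txt" is treated the same way,
# so the pattern allows an optional extension after the base name.
$reserved = @('CON','PRN','AUX','NUL') + (1..9 | ForEach-Object { "COM$_"; "LPT$_" })
$pattern  = '^(' + ($reserved -join '|') + ')(\..*)?$'

# Enumerating the parent works on a normal path: the listing comes from FindFirstFile
# on the parent, and only opening an entry by its own name hits device-name parsing.
$hits = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern }

foreach ($dir in $hits) {
    # \\?\ (like the \\.\ form used above) bypasses Win32 path normalisation,
    # which is what makes a literal COM1 directory reachable at all.
    $literal = '\\?\' + $dir.FullName

    # Timestamps and attributes come from the enumeration, so no open is needed to report them.
    [pscustomobject]@{
        Path          = $dir.FullName
        LastWriteTime = $dir.LastWriteTime
        Attributes    = $dir.Attributes
    } | Format-List | Out-String | Write-Host

    if ($Remove) {
        # Same order as the accepted answer: reset the ACL, clear attributes, then remove.
        & icacls.exe $literal /inheritance:r /grant:R 'Administrators:F' /t /c | Out-Null
        & attrib.exe -R -S -H $literal
        & attrib.exe -R -S -H "$literal\*" /S /D
        # rd is a cmd.exe built-in, so it has to be run through cmd.exe.
        & cmd.exe /c rd "$literal" /s /q
        if ($LASTEXITCODE -ne 0) {
            # A non-zero exit usually means something still holds a handle in the tree.
            Write-Warning "rd failed for $($dir.FullName); check for a process with an open handle"
        }
    }
}
```

Run it once without -Remove to see what it finds before deleting anything; a reserved-name directory the server did not create is worth preserving for forensics first.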
    

9 additional answers

  1. MotoX80 31,316 Reputation points
    2021-12-27T23:14:12.92+00:00

    This worked for me on Win10.

    rd \\.\c:\temp\ComTest\COM1
    

  2. Michael Adams 306 Reputation points
    2021-12-28T01:11:49.403+00:00

    I appreciate the suggestion very much. Unfortunately, I got the same "Access denied" message.


  3. Vadims Podāns 8,861 Reputation points MVP
    2021-12-28T10:15:58.283+00:00

    You have a different and more serious problem than this magic folder. The real problem is that the server is compromised and you have to perform format-reinstall for entire server and restore from last known good backup. You may need to examine other machines on your network because they can be compromised as well.

    Regarding the magic folder — you have to use a non-Win32 tool to delete the folder. But this doesn't solve your root problem.


  4. MotoX80 31,316 Reputation points
    2021-12-28T13:55:24.11+00:00

    "I took ownership of the folder back to the Administrators group, which I was able to do."

    If you opened the command prompt with "run as administrator", then I would have expected the RD command to work.

    If a reinstall as Crypt32 suggested is not an option, try using psexec.

    https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

    psexec \\localhost -s cmd.exe  
    

    That will get you a command prompt running as the system account. Then run the RD command that I posted earlier. "Exit" will close the session.

    Are you sure that you got all of the malware? If you've got a rogue process still running with an open handle to that folder, you won't be able to delete it. What steps did you take to clean the server?