Can't Delete Folder Called COM1 on Windows Server 2019

Michael Adams 306

Hackers attacked a Windows Server 2019, and in the process put a folder called COM1 on Drive C. I have made a number of attempts to delete this folder. Unfortunately, COM1 is a reserved name. Here is what I have tried and have failed.

I took ownership of the folder back to the Administrators group, which I was able to do. However, it did not allow the folder removal process through File Explorer.

Then I tried removing the directory from a DOS prompt.

rmdir \?\<x>:\<path_to_folder>\<COM1>

Result: "Access denied".

Then i tried renaming the folder.

ren "\.\C:\<path to folder>\COM1 TEMP

Result: "Access denied".

File Explorer shows the folder is shared, but if go to Advanced Options, it does not show up as a Share. It also does not show up
as a shared folder in Computer Management.

I tried running the attrib command from a DOS prompt. It will display the attributes of the folder, (only Archive shows). Trying to set attributes results in,

Path not found - \.\com1\

I am running out of ideas. Any help would be appreciated.

Accepted answer

MotoX80 31,571 Reputation points

2022-01-11T00:55:34.41+00:00
So it came back with a file or directory called FRArX with access denied.

Try this sequence.

icacls \\.\c:\Progra~3\COM1 /inheritance:r /grant:R everyone:f /t attrib -R -S -H \\.\c:\Progra~3\com1 attrib -R -S -H \\.\c:\Progra~3\com1\* /S /D rd \\.\c:\Progra~3\COM1 /s /q

If that doesn't work, try the rename. If that works, then there should not be any restrictions on the name.

ren \\.\c:\Progra~3\COM1 XXX
Please sign in to rate this answer.
Michael Adams 306 Reputation points

2022-01-13T18:42:54.927+00:00

Progress is being made!!!

I wasn't able to remove the directory, but i was able to rename it. I think the mystery folder FRArx is what's holding us up now.

MotoX80 31,571 Reputation points

2022-01-13T19:13:49.6+00:00

Good. So now you should be able to reference that folder as C:\ProgramData\xxx\FRArX and use the explorer to change ownership and permissions and do a delete.

Michael Adams 306 Reputation points

2022-01-14T21:03:29.813+00:00

Success!!! You did it MotoX80!!! It's gone.

It turned out there was an .aspx file also inside the FRArX folder that I also had to be deleted. It had System, Hidden, Read-only attributes.

I turned off the Read Only attributes for the FRArX folder and the .aspx file. The ownership for both said "Unable to display current owner". I changed both to Administrator.

I then could see the directory and file rights (they were blocked from view before the Owner was changed). SYSTEM was present but did not have Full Rights. I changed it to Full Rights. I also added user Administrator, and gave it Full Rights.

I was then able to delete the .aspx file, then the FRArX folder, and finally the XXX folder.

MotoX80, huge THANK YOU for hanging in there and providing all your help. I could not have done this without your help.

I also want to thank Gary Nebbett, Andreas Baumgarten and Crypt32 who assisted with this project, too, and kept the ideas flowing.

It feels great to have this folder gone. :-)

Best wishes,

Michael

MotoX80 31,571 Reputation points

2022-01-14T23:36:25.8+00:00

Wooo hooo!! Excellent. In a way, I'm sorry that you deleted the file. I would have been interested in knowing what was in it. If you have IIS installed, Check your web sites to see they managed to add that folder to any of your sites.

Michael Adams 306 Reputation points

2022-01-15T01:24:22.69+00:00

No worries. I made a copy of the file before I deleted it, so if you want me to send it to you I would be glad to do that.

I'll check IIS for that folder.

Thanks again!

MotoX80 31,571 Reputation points

2022-01-15T13:23:12.83+00:00

Sure, post it somewhere. Might help us understand what you got hit with.
Sign in to comment

9 additional answers

Michael Adams 306 Reputation points

2021-12-29T19:07:37.137+00:00

Here are the results of the commands.

I also found some other issues with this folder, which I believe may be causing it not to be deleted. I believe the hackers corrupted some of the directory information associated with this folder. For instance, there are no creation or modified dates.

I ran the Fanbar Tool, and it shows this for the directory.

0-00-00 00:00 - 2446-65429-65535 17756:00 - 000000000 _____ C:\ProgramData\COM1

It should look something like this Windows INF folder.

2021-12-18 15:54 - 2018-09-14 23:17 - 000000000 ____D C:\Windows\INF

I believe the first date is supposed to be the Modified date. COM1 has all zeros.

I believe the second date is supposed to be the creation date. COM1 has some crazy number in there.

I ran these Powershell commands to see if any processes were running on the folder.

$Regex = "C:\ProgramData\COM1"

Get-WmiObject Win32_Process | Where {$_.CommandLine -like "$Regex"} | Select -Property Name,ProcessId,CommandLine | Format-Table

It came back with no entries, so I don't believe any malware has locked the folder.
Please sign in to rate this answer.
MotoX80 31,571 Reputation points

2021-12-29T19:48:34.097+00:00

It came back with no entries, so I don't believe any malware has locked the folder.

You are only looking at the command lines. You have to search for open file handles.

https://learn.microsoft.com/en-us/sysinternals/downloads/handle

From an admin command prompt run:

handle -a com1

MotoX80 31,571 Reputation points

2021-12-29T19:51:22.77+00:00

Maybe try running a chkdsk too.

Gary Nebbett 5,721 Reputation points

2021-12-29T22:27:26.86+00:00

Hello All,

The results of the tests that have been posted so far are difficult to understand (they don't correspond with my expectations).

My suggestion would be to try the following two things:

Issue the command fsutil file layout /v \\.\C:\Progra~3\COM1 and report the results.

Try any of the previous suggestions whilst tracing with ETW (Event Tracing for Windows), Procmon or any other similar tool and check the failure status of the low level (native) API that tries to delete the directory.

Gary

Michael Adams 306 Reputation points

2021-12-29T22:35:08.857+00:00

Thank you for the suggestions. I ran the handle program. Here are the results.

handle -a com1

Nthandle v4.22 - Handle viewer
Copyright (C) 1997-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

No matching handles found.

MotoX80 31,571 Reputation points

2021-12-29T22:36:39.627+00:00

The results of the tests that have been posted so far are difficult to understand (they don't correspond with my expectations).

What specifically don't you understand?

Michael Adams 306 Reputation points

2021-12-29T22:45:56.477+00:00

Good idea! I ran Disk Scan, but not actually chkdsk. I'll run this tonight since it has to be done on a restart.

I'll run

chkdsk /f

MotoX80 31,571 Reputation points

2021-12-29T23:44:08.407+00:00

So much for that idea.

Try the fsutil command that @Gary Nebbett suggested.

And just for fun open a Powershell admin prompt and try this.

(get-item -path "\\?\c:\Progra~3\COM1") | format-list -Property * (get-item -path "\\?\c:\Progra~3\COM1").LastWriteTime = (get-date) (get-item -path "\\?\c:\Progra~3\COM1") | format-list -Property *

What does that show?

I get hooked on problems like this, and we can't let the computer demons win!!.

Michael Adams 306 Reputation points

2021-12-30T02:04:08.957+00:00

Ran chkdsk /f and then,

C:\>rd \.\c:\PROGRA~3\COM1
Access is denied.

Argh!

MotoX80 31,571 Reputation points

2021-12-30T03:07:05.377+00:00

So just leave it alone! It's just another empty folder. It shouldn't hurt anything.

If you're not confidant that the malware has been removed, then rebuild the server as @Vadims Podāns suggested.

Gary Nebbett 5,721 Reputation points

2021-12-30T09:06:37.907+00:00

Hello Dave,

Sorry, that was a poor way of expressing myself.

What I can't understand is how the "rmdir" command could fail with error message "Access denied", given all of the steps and checks that have been performed on its security descriptor. That is why it might be helpful to see the NTSTATUS returned at the lowest level possible (in case that "Access denied" is a poor translation of an NTSTATUS to a Win32 status).

One could also try issuing the command fltmc instances to see if there are any "unusual" file system filter drivers in operation.

Gary

MotoX80 31,571 Reputation points

2021-12-30T14:44:56.013+00:00

Hi Gary,

Yeah, this is really odd. Those are good ideas using fltmc and fsutil.

Booting into the recovery console would seem to be the next best step. But if that works, then would kind of point to the malware still being present like in the filter drivers you pointed out.

@Michael Adams I just had another thought.... temporarily turn off any antivirus software that you have installed. Then try the RD.

Dave

Michael Adams 306 Reputation points

2021-12-31T20:08:09.293+00:00

Hi Gary,

I got called away to another job yesterday, but I am back on it again today.

Thank you for the suggestions.

Here the results of the fsutil command.

Michael Adams 306 Reputation points

2021-12-31T21:09:58.967+00:00

Me, too! We have get the "demons" out of here! :-)

Here are the results. Two of them came up blank, and the third with an error.

Michael Adams 306 Reputation points

2021-12-31T21:29:00.06+00:00

Hi Gary,

I appreciate the suggestion again!

I ran the fltmc instances command.

I found this article on this command, and all the the mini filters were either standard, or were part of the server backup program or antivirus program.

Gary Nebbett 5,721 Reputation points

2021-12-31T21:36:45.7+00:00

Hello Michael,

There are two (slightly) odd items in that listing.

The minor point is the File attributes (Hidden and System as well as Directory). I would have guessed that you would have removed the System and Hidden attributes at some stage in your attempt to remove the directory.

The major point (for me, since it is unexpected and will need some more research) is the "HLINK Name" information. As far as I knew, the only two name types were NTFS and DOS (as documented here: https://learn.microsoft.com/en-us/windows/win32/devnotes/file-name). Let's see what we can find out about "HLINK".

BTW, have you any update on the "fltmc instances" command? The filters that I have are: FileInfo, WdFilter, Wof, bindflt, luafv and wcifs. If you have anything else then let us know.

Gary

Gary Nebbett 5,721 Reputation points

2021-12-31T22:19:04.67+00:00

Hello Michael,

"HLINK" is very probably "Hard Link". It is not a name type (like NTFS or DOS); it is displayed when $FILE_NAME.Flags has the value 0 (neither NTFS nor DOS).

According to the documentation (https://learn.microsoft.com/en-us/windows/win32/fileio/hard-links-and-junctions), hard links to directories are not permitted (for understandable reasons (cyclic paths)), so if this really is (or was, at one time) a hard link, how was it created?

[Update: I just noticed that some system directories (such as \Windows) only have an "HLINK" name]
[Update 2: "HLINK" names are standard when 8dot3name generation is disabled]

Gary

MotoX80 31,571 Reputation points

2022-01-01T00:01:00.567+00:00

I compared it with my COM1 folder and I noticed that yours had some attributes set. Try removing them.

attrib \\.\c:\Progra~3\com1 -R -S -H

Michael Adams 306 Reputation points

2022-01-01T00:22:06.377+00:00

Hi Gary,

Here is what I found with the "fltmc instances"

Wof Instance
luafv
WdFilter Instance
npsvctrig

plus our backup program. I believe these are all standard.

I think you are onto something with HLINK. I also found that Windows shows up as an HLINK, too.

I did some searching, but not sure how to delete hardlinks.

Andreas Baumgarten 96,521 Reputation points MVP

2022-01-01T00:54:43.26+00:00

As far as I know it's not possible to delete HLINKs. Searching the internet doesn't provide a solution.

Not sure if this was already mentioned: Did you try pendmoves from sysinternals already?
https://learn.microsoft.com/en-us/sysinternals/downloads/pendmoves

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Gary Nebbett 5,721 Reputation points

2022-01-01T09:31:04.233+00:00

Hello Dave,

I somehow missed that "Read only" attribute - it was about 23:30 on 31st December when I looked at the image :-)

The Read-Only attribute could be the explanation, although the original question says: "I tried running the attrib command from a DOS prompt. It will display the attributes of the folder, (only Archive shows)."

Gary

Gary Nebbett 5,721 Reputation points

2022-01-01T09:46:36.193+00:00

Hello Andreas,

Hard links can normally be deleted in the same way as normal files (with the same commands or API routines).

There is not much information to be found about "HLINK" on the web; this is what I have found by testing:

If 8dot3name name generation is disabled on a volume, the $FILE_NAME Flags is set to zero ("HLINK"); otherwise:

If a file is created with an 8.3 compatible name, it gets one $FILE_NAME attribute stream with both NTFS and DOS name flags set.

If a file is created with an incompatible name (and the short name feature is enabled), it gets two $FILE_NAME attribute streams, with NTFS set in one and DOS in the other.

If an existing file is given an additional name (via hardlink), it gets an additional $FILE_NAME attribute with no flags set (displays as "HLINK"); no "shortname" is set, even if the new name is not 8.3 compatible.

If the original name is deleted, the $FILE_NAME attributes with the NTFS and DOS flags are removed. This is one way of creating a file that only has an "HLINK" name

Gary

MotoX80 31,571 Reputation points

2022-01-03T17:03:36.437+00:00

Hi Michael,

Did the attrib command make any difference?

attrib \\.\c:\Progra~3\com1 -R -S -H

Michael Adams 306 Reputation points

2022-01-05T18:28:50.4+00:00

I appreciate the suggestion.

This is looking better. At least, it doesn't say access denied.

Michael Adams 306 Reputation points

2022-01-05T18:31:30.737+00:00

Yes, it did! It still can't delete it, but no more "access denied".

MotoX80 31,571 Reputation points

2022-01-05T19:30:05.927+00:00

Are there subdirectories or files in the folder? Add /s.

rd /s \\.\c:\Progra~3\com1

Michael Adams 306 Reputation points

2022-01-10T20:02:39.24+00:00

Sorry it has taken so long to get back to you. I got swamped. I have a lot more time this week. Here are the results.

So it came back with a file or directory called FRArX with access denied. I ran the attrib command to try to change the file attributes on FRArx, but access was denied. I ran a directory command using the -as switch for system files, and it could not be found.
Sign in to comment