NTFS streams have been written about on Habr more than once, but I will show how they can be used to get around one Windows restriction on working with processes. The topic has already come up in one post here, but only in passing. I want to draw attention to it.
You probably know that the .exe file of a running process cannot be deleted while the process is running. You can move the file, but only within its partition. With the help of NTFS streams, you can still delete the process file while it is running.
This takes literally three lines on the command line.
Run cmd.exe and change to a directory on an NTFS partition (here, E:\tmp).
type %windir%\system32\notepad.exe > zz:notepad.exe
start E:\tmp\zz:notepad.exe
del zz
The first line copies Notepad to the NTFS partition as the stream “notepad.exe” of the file zz. The empty zz file is created automatically.
The second line launches this stream for execution, as if it were a regular .exe file.
The third line deletes the empty zz file, and its streams disappear along with it.
The process keeps running. You can run taskmgr.exe and admire the process zz:notepad.exe, which is still running.
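Because the process shows up under a name like zz:notepad.exe, an image path that carries a stream name is easy to spot in a process listing. The following Python check is an added example, not part of the original post; the function names and the sample records are constructed, and it assumes the listing records the image path together with its stream name.

```python
import re

# Optional \\?\ or \\.\ prefix followed by a drive letter and its colon.
# A one-letter file name ("z:notepad.exe") is read as a drive, as Windows does.
_DRIVE = re.compile(r'^(?:\\\\[?.]\\)?[A-Za-z]:')

def split_stream(image_path):
    """Return (file_path, stream_name); stream_name is None for the default stream."""
    path = image_path.strip().strip('"').replace('/', '\\')
    m = _DRIVE.match(path)
    prefix = m.group(0) if m else ''
    rest = path[len(prefix):]
    # Only the last path component can carry a stream name.
    head, sep, leaf = rest.rpartition('\\')
    # Leaf forms: name | name:stream | name:stream:$DATA | name::$DATA
    parts = leaf.split(':')
    base = prefix + head + sep + parts[0]
    if len(parts) == 1:
        return path, None
    # An empty stream name (name::$DATA) is the ordinary unnamed stream.
    return base, (parts[1] or None)

def find_stream_images(records):
    """Return (pid, file_path, stream_name) for images started from a named stream."""
    hits = []
    for pid, image in records:
        file_path, stream = split_stream(image)
        if stream is not None:
            hits.append((pid, file_path, stream))
    return hits

# Constructed sample records: (pid, image path).
SAMPLE = [
    (4120, r'C:\Windows\System32\notepad.exe'),
    (5388, r'E:\tmp\zz:notepad.exe'),
    (5390, r'\\?\E:\tmp\zz:notepad.exe:$DATA'),
    (612, r'C:\Windows\System32\svchost.exe::$DATA'),
    (7001, 'zz:notepad.exe'),
]

if __name__ == '__main__':
    for pid, file_path, stream in find_stream_images(SAMPLE):
        print(f'pid {pid}: image is stream "{stream}" of {file_path}')
```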
Is there a practical application? For example, in installers. They like to leave a bunch of .exe files behind in temporary directories. Installers could run their executables this way, and then there would be no problem removing the temporary .exe files.
A program for working with NTFS alternate data streams.