Sunday, June 10, 2007

I will kill thee a hundred and fifty ways...freely

(With gratitude to the Bard Shakespeare -- As You Like It. Touchstone, Act v. Sc. 1. and Danny Choo for the cute anime girl image with the wicked swords.)

Two recent posts over at Lifehacker got me thinking...just how many ways do I know of to kill a pesky service, process, or "locked" file (usually malware related) running on a Windows system?

While I really don't have a hundred and fifty ways to offer you, I do have a collection of tools I have amassed over the years that might do the trick.

Use carefully, professionally and at your own risk...lest your systems end up like poor Mercutio and Tybalt.

Easy and Good.

Windows Task Manager - Just a simple CTRL+ALT+DELETE key toggle away. Usually the easiest and first thing I do to try to knock a program down to the mat.

Process Explorer for Windows (freeware) - This Microsoft Sysinternals tool is kind-of-like the task manager but on steroids. Not only can it help you terminate a running process, you can also use it to look up which process might be locking a file to begin with. Very handy.

UNLOCKER (freeware) - Probably one of my all-time favorite file-in-use killing tools right now. This marvelous tool has some of the most comprehensive methods for shutting down a file, and not only can you try to kill it, but you can also set a file to be moved, renamed, or deleted after reboot. Definitely a must-have for any malware hunter or sysadmin.

Locked Files Wizard (freeware) - The main tool I used before coming to Unlocker. This tool by Noel Danjou is still pretty nice, fast and easy to use. Also allows you to see which services are locking a file and attempt to stop them, before taking on the file itself.

Advanced Process Termination (freeware) - This DiamondCS utility looks similar to the process view of Task Manager, but provides nine different process termination techniques to apply to stopping a pesky running process that just refuses to die. Great portable tool to keep handy.

Bit More Complex

TrendMicro HijackThis (freeware) - Although most malware huntin' ninjas know about the HijackThis tool to cut down malware from the Windows autorun locations, only the elite have dived deeper into it and know that it has a tool to delete a file or NT service. Run the application, click the "Open Misc Tools section" button, then click the "Misc Tools" button at the top. Then find these tools in the System Tools section. Sweet mother of a maiko!

FileASSASSIN 1.06 (freeware) - MalwareBytes tool that allows you to unload modules, close handles, and terminate processes, as well as delete a locked file at reboot. Windows 2000, XP and Vista compatible. Drag and drop or browse for file selection. Choose method and let her rip. Also available in a "portable" version.

Process Monitor v1.12 (freeware) - This Microsoft Sysinternals tool doesn't really delete a file for you; what it can do is let you watch and monitor a file's activity in use on the hard drive, as well as get some great property information about it. Sometimes when you are hunting the big pigs, you need to know what it is you are really looking at.

DiamondCS TaskMan+ (freeware) - "TaskMan+ steps up to this task by launching Task Manager (or using an existing one, if there is already an instance of Task Manager running), and boosting the token privileges of Task Manager, giving it the power to terminate ANY process on your system." Single exe file...very portable.

KillBox (freeware) - Another really great little single exe file utility. It has a great geek interface and a wealth of options for shutting down pesky locked files and processes. Extremely portable. Nice help file here.

Advanced Process Manipulation (freeware) - This DiamondCS utility allows you to "get inside" processes to stop a loaded dll, point out ports a process is using, close loaded handles, as well as end a process. Provides a measure of targeted attack on a file or process.

WhoLockMe Explorer Extension (freeware) - This tool integrates into your Windows Explorer right-click context menu. Pick a file and if it is locked, right-click and choose the "who lock me?" selection. You will then see a list of the processes that are locking the file.

Force Delete (direct-download link) (freeware) - I really don't like giving you a link directly to a file download. However this one has just about disappeared off the tubes. Simple exe. Run, pick your file and let it try to delete it.

Best left for the Pros

DiamondCS DelLater (freeware) - This is a command-line tool that uses the syntax "dellater.exe <filename>". Supposedly it uses the only method Microsoft recommends for deleting a file in use.

PsKill v1.12 (freeware) - This command-line Microsoft Sysinternals tool is a kill utility that nukes processes on both a local and a remote system.

PsList v1.28 (freeware) - This command-line Microsoft Sysinternals tool finds all processes whose name contains a given text string pattern, and then provides details on the process(es) found.

Handle v3.20 (freeware) - This command-line Microsoft Sysinternals tool will tell you which program has a file or directory folder open as well as details about the process.

DELETE DOCTOR (freeware) - Older tool for deleting difficult or locked files, as well as scheduling file(s) for deletion at reboot. Single exe file, so nicely portable.

DelinvFile (freeware) - Delete Invalid Files utility, also now includes a function to scan for invalid file names on a system. Nice and interesting tool to look into.

BusyDelete, BusyMove, BusyReplace (freeware) - These command-line only tools will do some clever things if at all possible. Descriptions respectively from the developer: "BusyDelete will delete files even if they are busy. The file(s) you specify will be marked for deletion. Then the next time you reboot your system the Operating System will delete the file(s). BusyMove will move files even if the source and/or destination file(s) are busy. The file(s) you specify will be marked for moving. Then the next time you reboot your system the Operating System will move the file(s). BusyReplace will replace a file with a new version without a reboot, even if the file is locked! The new version of the file will be copied immediately, but a reboot is still required to delete the old version. BusyReplace only works on executable image files."

EMCO UnLock IT (freeware) - Will give you a detailed report on what files are locking a certain process. Nice interface and ability to integrate with the Windows Explorer context menu.

The Avenger (freeware) - A tool written by Swandog46 to help with removal of stubborn files and registry keys locked by malware. Script-based, so not for noobies. Read and understand very carefully before attempting to use.

Not Exactly Related...but good to have handy

RegASSASSIN 1.01 (freeware) - This Malwarebytes utility can help you attempt to kill a stubborn registry key that just refuses to otherwise budge on out. Of course, messing with your registry can be dangerous...so if a registry key refuses to come out, be sure you really want to pull it out before progressing onward.

Delete FXP Files (freeware) - This fantastically clever utility from JRTwine Software continues to amaze me. It isn't something most sysadmins will regularly need. See, every now and then you may come across a file or directory that somehow got named something that Windows just won't let you delete. It's not that it is "locked" per se in the normal sense, but that the name itself makes Windows balk at your deletion request. I highly recommend this tool and suggest you keep it handy, just in case.

Boot from another Windows or Windows-Like OS

So you've tried all these tools and that file just won't come off the system. No matter what. Not even in "safe mode."

Is all hope lost?

Nope.

How to install and use the Recovery Console in Windows XP - As a last resort, you can try booting from the Windows Recovery Console and try to delete the file manually. If you are doing this on a Windows XP/2000 system, depending on the technique you use, you may need to have access to an administrator account to access the file or NTFS partition (if so created).

Bart's Preinstalled Environment (BartPE) bootable live Windows CD/DVD - Or make a Bart's PE boot disk and boot the system from it. Then browse to and delete or rename the offending file. Assumes you have the software disks needed to create a Bart PE disk.

Ultimate Boot CD - Tons of tools and techniques with not too much work to do to get it built and going. Nice complement to the Bart PE disk. Worth keeping handy as well.

If you are running Windows 2000/XP Pro/Vista you can try to set the security permissions for the file in question to Deny all. Then reboot and the security settings should prevent the file from running. I've done this lots at work with icky malware launchers that tend to reload/respawn even when you kill them.
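The "Deny all" trick above, as an added PowerShell example that is not from the original post: it puts a Deny entry for Everyone (well-known SID S-1-1-0) on a placeholder file path, keeps the original SDDL beside the file so the change can be undone, and re-reads the DACL to confirm the entry landed. The function names, the `.sddl.bak` backup file and the path are my own choices, not anything the post describes.

```powershell
# Added example, not from the original post. Paths are placeholders.
# Deny everything on the file except the rights needed to read and change its
# ACL, so the block can be verified and reversed later without taking ownership.
$FSR = [System.Security.AccessControl.FileSystemRights]
$DenyRights = [System.Security.AccessControl.FileSystemRights](
    $FSR::FullControl -bxor ($FSR::ReadPermissions -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership))

function Block-FileAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # S-1-1-0 is the well-known SID for Everyone (the post's "Deny all"); SIDs avoid localized names
        [System.Security.Principal.SecurityIdentifier] $Sid = 'S-1-1-0'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Not a file: $Path" }

    $acl = Get-Acl -LiteralPath $Path
    # Keep the original security descriptor beside the file so Restore-FileAccess can undo this
    Set-Content -LiteralPath "$Path.sddl.bak" -Value $acl.Sddl

    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($Sid, $DenyRights, 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verify by re-reading the DACL (explicit entries only, identities as SIDs):
    # a Deny entry for $Sid with exactly $DenyRights must now be present
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])
    $applied = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Sid.Value -and
        [int]$_.FileSystemRights -eq [int]$DenyRights
    }
    return [bool]$applied
}

function Restore-FileAccess {
    # Undo Block-FileAccess by putting the saved SDDL back on the file
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetSecurityDescriptorSddlForm((Get-Content -LiteralPath "$Path.sddl.bak" -Raw).Trim())
    Set-Acl -LiteralPath $Path -AclObject $acl
    Remove-Item -LiteralPath "$Path.sddl.bak"
}

# Usage from an elevated prompt against a suspected launcher (placeholder path):
# Block-FileAccess   -Path 'C:\ProgramData\Suspect\launcher.exe'   # returns $true when the Deny entry is in place
# Restore-FileAccess -Path 'C:\ProgramData\Suspect\launcher.exe'   # once the cleanup is done
```

NTFS evaluates the ACL when a handle is opened, so a copy that is already running keeps its handles and keeps running; the Deny only stops the next launch, which is why the post reboots afterwards. ReadPermissions, ChangePermissions and TakeOwnership are left out of the Deny so the entry can still be inspected and removed from an elevated prompt even when the file's owner is SYSTEM or TrustedInstaller.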

Hire a Mercenary

Then you could also use a Linux "Live" CD to boot the system and delete the file as well. Be sure to select a version that supports NTFS partition read/writing. This gets a bit more risky as some Linux NTFS partition support drivers can do funky things during the writing...but if you are at this point, you probably already know what you are doing.

Some Linux Live CDs I like for this technique are:

Hopefully I've given you a bunch of fabulous free resources to deal with those pesky locked files and processes when you are hunting malware or other system issues.

Just be careful and try to understand what's going on and why the file is locked in the first place. Sometimes playing "whack-a-mole" with a file killer is great fun, but unless you get to the heart of what is going on, new moles will just replace the one you splattered, sliced, and diced.

--Claus
