
Windows XP Batch cleanup of temp directories


4 replies to this topic

#1 Will B.

Will B.

  • Members
  • 5 posts

Posted 09 February 2010 - 12:15 PM

Hi, I am making a batch script that cleans up the temporary folders of an external hard drive with a copy of Windows XP installed on it, using a computer running Windows XP.
I just want to validate the temporary files that can be cleaned out of Windows and whether there are any other files or folders that can be deleted (temp folders will be deleted and recreated using the rd and mkdir commands).

Here is the list I have:
%*DRIVE*%\Pagefile.sys
%*DRIVE*%\Hiberfile.sys
%*DRIVE*%\Temp\
%*DRIVE*%\WINDOWS\Downloaded Installations
%*DRIVE*%\WINDOWS\Downloaded Program Files
%*DRIVE*%\WINDOWS\Temp\
%*DRIVE*%\Documents and Settings\%USER%\UserData
%*DRIVE*%\Documents and Settings\%USER%\Local Settings\Temporary Internet Files\Content.IE5
%*DRIVE*%\Documents and Settings\%USER%\Local Settings\Temp
%*DRIVE*%\System Volume Information\


I have FULL control of the drive and every folder on it, therefore removing folders like System Volume Information is not a problem. Also, are there any websites that have a list of known files and folders associated with malware that I could add to my script? (I will be making a script for Vista as well in the near future; upon completing this script I will post a copy of it on this forum for anyone to use, it should be a handy tool for cleaning up infected computers.) Thanks in advance :thumbsup:
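A worked batch version of the cleanup described in this post, added here as an example; it is not the script the poster was writing. It assumes the drive letter of the attached, non-booted drive is passed as the first argument, keeps the rd/mkdir approach from the post, and only touches the locations the rest of the thread treats as safe on a drive that is not running: the Temp folders, each profile's Temp and Content.IE5 caches, and pagefile.sys/hiberfil.sys. It deliberately leaves out Downloaded Program Files, UserData and System Volume Information, which the replies discuss separately, and it refuses to run against the host's own system drive.

```batch
@echo off
setlocal EnableExtensions
rem Added example: clean temp folders on an OFFLINE Windows XP installation.
rem Usage: cleantemp.cmd D:   (drive letter of the attached, non-booted drive; assumed)

if "%~1"=="" (
    echo Usage: %~nx0 ^<drive letter, e.g. D:^>
    exit /b 1
)
set "TARGET=%~d1"

rem Safety check: never run this against the drive the live OS is booted from.
if /i "%TARGET%"=="%SystemDrive%" (
    echo Refusing to clean the running system drive %SystemDrive%.
    exit /b 1
)
rem Sanity check: the target should carry a Windows XP installation (standard hive path assumed).
if not exist "%TARGET%\WINDOWS\system32\config\software" (
    echo %TARGET% does not look like a Windows XP installation.
    exit /b 1
)

rem System-wide temp locations: empty and recreate each one.
call :recreate "%TARGET%\Temp"
call :recreate "%TARGET%\WINDOWS\Temp"

rem Per-profile temp locations under Documents and Settings.
for /d %%P in ("%TARGET%\Documents and Settings\*") do (
    call :recreate "%%~P\Local Settings\Temp"
    call :recreate "%%~P\Local Settings\Temporary Internet Files\Content.IE5"
)

rem pagefile.sys / hiberfil.sys are only removable because this drive is not booted.
rem They carry hidden+system attributes, so clear those before deleting.
for %%F in ("%TARGET%\pagefile.sys" "%TARGET%\hiberfil.sys") do (
    if exist "%%~F" (
        attrib -s -h -r "%%~F"
        del /f /q "%%~F"
    )
)
endlocal
exit /b 0

rem Remove a directory tree and recreate it empty ("rd" then "mkdir", as in the post).
:recreate
if exist "%~1\" (
    rd /s /q "%~1"
)
mkdir "%~1"
goto :eof
```

The script does not change ownership or permissions; if rd fails on a folder the host account cannot access, adjust that one folder's permissions deliberately rather than taking control of the whole drive.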


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 09 February 2010 - 12:59 PM

Hello, Will :thumbsup:
  • I strongly encourage you to use a turnkey solution such as CCleaner instead -- it's going to be much more comprehensive as it does much more than delete files. For example, it can compact the SQLite databases used by the Mozilla Firefox and Google Chrome browsers.
  • %*DRIVE*%\Pagefile.sys is not a temporary file. You cannot delete it while the operating system is running in any case. It is the system paging file, where memory pages which do not fit in physical RAM are relocated. You should never attempt to delete this file.
  • %*DRIVE*%\Hiberfile.sys is not a temporary file, it is the system hibernation memory cache. When the system enters hibernation, the system memory is copied to this file before the system is shut down, which allows the system to resume to a saved state. You should never attempt to delete this file, and you can't while the operating system is running in any case. If you don't need hibernation support, you can disable hibernation support. After hibernation support is disabled, the operating system will remove this file on the next reboot automatically.
  • %*DRIVE*%\WINDOWS\Downloaded Installations and %*DRIVE*%\WINDOWS\Downloaded Program Files are not temporary files, they are the ActiveX cache for Internet Explorer. If you delete files from these locations, you need to take special care to remove the ActiveX controls correctly. To do this, you would need to parse the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database] registry key. Failure to uninstall these correctly could damage Internet Explorer's handling of ActiveX.
  • I have not heard of %*DRIVE*%\Documents and Settings\%USER%\UserData and I do not believe it is created by the operating system, though I am not positive. Mucking around in %USERPROFILE% is probably a bad idea though.
  • %*DRIVE*%\System Volume Information\ is not a temporary directory, it is the repository for the Volume Shadow Copy Service, which is necessary for the proper function of the System Restore feature in Windows XP. If you remove files from this folder, any restore points created before the time you did such a deletion will be unrestorable. Additionally, this folder is generally protected by NTFS access permissions, making removal difficult in any case. If you don't need System Restore, I suggest you turn it off correctly, which will automatically empty this folder the next time the system is rebooted after the shutdown of System Restore.
I hope that helps,
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Will B.

Will B.
  • Topic Starter

  • Members
  • 5 posts

Posted 09 February 2010 - 01:49 PM

I'm sorry if I wasn't clear. The computer I am running the script on is running a copy of Windows XP. The hard drive being cleaned up via the batch script is from another computer and plugged in via an IDE to USB adapter. The hard drive being cleaned up is NOT running an active operating system, but it DOES have a SERIOUS virus problem. I clean up hard drives like this on a regular basis and it doesn't cause a problem; right now all I'm trying to do is automate the process. This cleanup process is the last attempt at saving an OS before calling it quits and reinstalling Windows, therefore there is nothing to lose by trying some risky cleanup procedures.

Hello, Will :flowers:

  • I strongly encourage you to use a turnkey solution such as CCleaner instead -- it's going to be much more comprehensive as it does much more than delete files. For example, it can compact the SQLite databases used by the Mozilla Firefox and Google Chrome browsers.


Seeing as the drive is an external drive... CCleaner will not work. CCleaner will only clean up the ACTIVE operating system; I have already tried using CCleaner for this task and it was to no avail. Although if you know how to MANUALLY clean up the temp directories for Mozilla Firefox as well as Google Chrome, that information would be useful.

%*DRIVE*%\Pagefile.sys is not a temporary file. You cannot delete it while the operating system is running in any case. It is the system paging file, where memory pages which do not fit in physical RAM are relocated. You should never attempt to delete this file.


Pagefile.sys is okay to delete if the drive is an external drive and not running an OS. Once the computer shuts down the Pagefile.sys file is no longer needed. Also, seeing as pagefile.sys holds memory pages that do not fit into RAM, live malicious code that did not fit into RAM tends to be stored in it as well. Therefore, it is going bye-bye.

%*DRIVE*%\Hiberfile.sys is not a temporary file, it is the system hibernation memory cache. When the system enters hibernation, the system memory is copied to this file before the system is shut down, which allows the system to resume to a saved state. You should never attempt to delete this file, and you can't while the operating system is running in any case. If you don't need hibernation support, you can disable hibernation support. After hibernation support is disabled, the operating system will remove this file on the next reboot automatically.


Same scenario as before, however turning off hibernation is not necessarily what I intend to do, only to remove any possible malicious code that was in memory the last time windows went into hibernation. The next time windows hibernates (if all goes as planned) the computer will no longer have a virus problem :trumpet:

%*DRIVE*%\WINDOWS\Downloaded Installations and %*DRIVE*%\WINDOWS\Downloaded Program Files are not temporary files, they are the ActiveX cache for Internet Explorer. If you delete files from these locations, you need to take special care to remove the ActiveX controls correctly. To do this, you would need to parse the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database] registry key. Failure to uninstall these correctly could damage Internet Explorer's handling of ActiveX.


Thank you for telling me this :inlove: , I was unaware of that. Is there any way to perform registry key read/writes on a remotely loaded registry? (i.e. loading the registry off of the external hard drive's installation of Windows and parsing [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database])

I have not heard of %*DRIVE*%\Documents and Settings\%USER%\UserData and I do not believe it is created by the operating system, though I am not positive. Mucking around in %USERPROFILE% is probably a bad idea though.


This file is generally created by 3rd party programs for various reasons, although sometimes it is used to store information for malware.

%*DRIVE*%\System Volume Information\ is not a temporary directory, it is the repository for the Volume Shadow Copy Service, which is necessary for the proper function of the System Restore feature in Windows XP. If you remove files from this folder, any restore points created before the time you did such a deletion will be unrestorable. Additionally, this folder is generally protected by NTFS access permissions, making removal difficult in any case. If you don't need System Restore, I suggest you turn it off correctly, which will automatically empty this folder the next time the system is rebooted after the shutdown of System Restore.


System Volume Information tends to store a HUGE (and I emphasise H-U-G-E!!!!!!) amount of malicious code! It also nearly triples (if not more so) scan time on an external drive (a full hard drive scan with a-squared is performed after the batch script). Seeing as the computer has a serious virus problem and generally the System Volume Information is infected with a massive amount of malicious code, using System Restore will only cause more problems at this point. I will be deleting it, and it can safely be deleted as long as the active OS is not running off of the drive in question. It is not difficult to delete either: using a cacls loop in the cmd prompt takes full ownership of the folder, then a simple rmdir command will delete the entire file. I tried to express that I had FULL control (maybe I should have said ownership, that was my mistake) of all of the folders and files on the drive.

I hope that helps,
Billy3


I do appreciate your response and effort :) ....although all you did was tell me NOT to do what I am doing :thumbsup: ....

P.S.
I found another one while thumbing through files:
%*DRIVE*%\WINDOWS\Prefetch

Any suggestions as to where windows stores program data and temporary files would be appreciated.
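One way to answer the question above about reading the registry of the offline installation, added here as an example and not something from this thread: reg.exe can load the offline SOFTWARE hive file under a temporary key on the host, query it, and unload it again. Assumed: the drive letter is passed as the first argument, the hive sits at the standard XP path \WINDOWS\system32\config\software, and the command runs from an administrator prompt on the host machine. The example only reads the Code Store Database key that Billy mentioned; it deletes nothing, so removing entries stays a deliberate manual step after reviewing the output.

```batch
@echo off
setlocal EnableExtensions
rem Added example: inspect the ActiveX "Code Store Database" of an OFFLINE
rem Windows XP installation by loading its SOFTWARE hive under a temporary key.
rem Usage: codestore.cmd D:   (drive letter of the attached, non-booted drive; assumed)
rem Run from an administrator cmd prompt on the host; reg load needs that privilege.

if "%~1"=="" (
    echo Usage: %~nx0 ^<drive letter, e.g. D:^>
    exit /b 1
)
rem Standard XP location of the SOFTWARE hive (assumed for this example).
set "HIVE=%~d1\WINDOWS\system32\config\software"
rem Temporary mount point in the host's registry; the name is arbitrary.
set "MOUNT=HKLM\OfflineSoftware"

if not exist "%HIVE%" (
    echo Hive not found: %HIVE%
    exit /b 1
)

rem Load the offline hive; it appears as HKLM\OfflineSoftware until unloaded.
reg load "%MOUNT%" "%HIVE%" >nul
if errorlevel 1 (
    echo reg load failed ^(hive already loaded, in use, or not running as administrator^)
    exit /b 1
)

rem Read-only step: dump the offline machine's Code Store Database recursively.
reg query "%MOUNT%\Microsoft\Code Store Database" /s

rem Always unload; otherwise the hive file stays locked and the drive cannot be removed cleanly.
reg unload "%MOUNT%" >nul
endlocal
exit /b 0
```

Because the loaded hive is live in the host's registry while mounted, any reg delete run against HKLM\OfflineSoftware would write straight into the external drive's hive file, so keep a copy of the hive before changing it.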

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 09 February 2010 - 02:20 PM

Side note: I really hope you aren't taking full control of the entire drive before doing this -- the Windows directory in particular has permissions set up explicitly to protect Windows' internal files from being modified. Taking full control of specific folders does make sense, however.

I'm sorry if I wasn't clear. The computer I am running the script on is running a copy of Windows XP. The Harddrive being cleaned up via the batch script is from another computer and plugged in via an IDE to USB adapter.

Yes, that changes the game considerably. Now pagefile.sys and hiberfil.sys are fair game :thumbsup:

This file is generally created by 3rd party programs for various reasons, altho sometimes it is used to store information for malware.

Then it should probably be left alone, unless it is explicitly created as a temporary area. Malware sometimes puts things into C:\Windows\System32, but you don't see people nuking that folder ;)

%*DRIVE*%\System Volume Information\ is not a temporary directory, it is the repository for the Volume Shadow Copy Service, which is necessary for the proper function of the System Restore feature in Windows XP. If you remove files from this folder, any restore points created before the time you did such a deletion will be unrestorable. Additionally, this folder is generally protected by NTFS access permissions, making removal difficult in any case. If you don't need System Restore, I suggest you turn it off correctly, which will automatically empty this folder the next time the system is rebooted after the shutdown of System Restore.


System Volume Information tends to store a HUGE (and I emphasise H-U-G-E!!!!!!) amount of malicious code! It also nearly triples (if not more so) scan time on an external drive (a full hard drive scan with a-squared is performed after the batch script). Seeing as the computer has a serious virus problem and generally the System Volume Information is infected with a massive amount of malicious code, using System Restore will only cause more problems at this point. I will be deleting it, and it can safely be deleted as long as the active OS is not running off of the drive in question. It is not difficult to delete either: using a cacls loop in the cmd prompt takes full ownership of the folder, then a simple rmdir command will delete the entire file. I tried to express that I had FULL control (maybe I should have said ownership, that was my mistake) of all of the folders and files on the drive.

Yes, System Restore backs up the user's desktop and parts of their user profile for the express purpose of restoring that data if need be. If malware has installed itself in those locations, System Restore will back it up. Malware (generally) doesn't install itself there explicitly because the directory is generally protected by NTFS permissions, and any files there not created by the Volume Shadow Copy Service are like a big red light saying, "Come find me!" :flowers: You can safely delete this folder because VSS is resilient enough to handle this case, but remember, once this folder is deleted, all restore points (and any other backup tool that relies on VSS) will be wiped.

I found another one while thumbing through files:
%*DRIVE*%\WINDOWS\Prefetch

http://www.edbott.com/weblog/?p=619

Any suggestions as to where windows stores program data and temporary files would be appreciated.

Windows usually does not make temporaries, you have third party applications to blame for that. As for typical locations for their dross, while you can't use CCleaner explicitly, perhaps you might want to take a look at the list of places it checks and research them.

Hope that helps,
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Will B.

Will B.
  • Topic Starter

  • Members
  • 5 posts

Posted 09 February 2010 - 03:20 PM

Thank you :thumbsup:



