I'm trying to delete a font file this way:

```cpp
std::filesystem::remove(std::filesystem::path("C:\\Windows\\Fonts\\segmdl2.ttf"));
```

But this fails and throws an exception:

```
filesystem:error cannot remove: Input/output error
```

The exception is not helpful. What's the correct way to delete this kind of file?

Update:

I made an attempt to delete it from PowerShell and it threw the following error:

```
del C:\Windows\Fonts\segmdl2.ttf
del : Cannot remove item C:\Windows\Fonts\segmdl2.ttf: Access to the path 'C:\Windows\Fonts\segmdl2.ttf' is denied.
At line:1 char:1
+ del C:\Windows\Fonts\segmdl2.ttf
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Windows\Fonts\segmdl2.ttf:FileInfo) [Remove-Item], UnauthorizedAcc
   essException
    + FullyQualifiedErrorId : RemoveFileSystemItemUnAuthorizedAccess,Microsoft.PowerShell.Commands.RemoveItemCommand
```

I even tried to remove it directly from the font folder; I'm getting an error that it can't be done because another application is already using the font.

But I was successfully able to delete it from the command prompt.

How does cmd do this?

I need to achieve the same level for my app.

jeffbRTC
  • I believe UAC will prevent you from deleting windows system files without elevation. – drescherjm Jul 02 '21 at 22:16
  • @drescherjm But I'm the Admin user. Any way to force this? – jeffbRTC Jul 02 '21 at 22:23
  • Even an admin will need elevation. – drescherjm Jul 02 '21 at 22:23
  • @drescherjm How to get this elevation thing? – jeffbRTC Jul 02 '21 at 22:25
  • Related: [https://stackoverflow.com/questions/52770756/c-delete-system32-files](https://stackoverflow.com/questions/52770756/c-delete-system32-files) – drescherjm Jul 02 '21 at 22:27
  • @drescherjm I reckon that's an exact dupe – Richard Critten Jul 02 '21 at 22:28
  • @drescherjm I ran the exe with Administrator but still the same error thrown.. – jeffbRTC Jul 02 '21 at 22:46
  • @RichardCritten I think system32 has diff permission model than Fonts folder – jeffbRTC Jul 02 '21 at 22:48
  • Could you use `DeleteFile` API and use `GetLastError` and get actual error? I am almost certain it will be ERROR_ACCESS_DENIED but we need to be sure. You will definitely need elevated privileges and perhaps even token privilege adjustment. Finally, as an idle curiosity, could you tell if possible why you are deleting something from Windows folder? –  Jul 02 '21 at 23:27
  • @vish I'm deleting a font from a fonts folder and not something from a Windows folder. I will check it tomorrow and let you know. – jeffbRTC Jul 03 '21 at 00:10
  • What is the error if you enter the command `del C:\Windows\Fonts\segmdl2.ttf` at a PowerShell or cmd.exe prompt? – Bill_Stewart Jul 06 '21 at 19:01
  • @Bill_Stewart See my update on post. – jeffbRTC Jul 07 '21 at 00:59
  • Both PowerShell and cmd.exe ultimately call the same Windows API to delete a file. Windows won't let you delete an in-use file. I would recommend reading https://learn.microsoft.com/en-us/windows/win32/gdi/font-installation-and-deletion for more information. – Bill_Stewart Jul 07 '21 at 12:53
  • @Bill_Stewart IOBitUnlocker claims that it can delete even in use files without reboot or closing applications. I need to figure out how they do this. – jeffbRTC Jul 07 '21 at 14:40
  • You'd have to ask the developer of that program. I'm just telling you what the docs say. In general I would say it's better to work with the system rather than against it. – Bill_Stewart Jul 07 '21 at 15:00
  • @Bill_Stewart They won't tell me so I'm putting it up on Ghidra to see what I can find. – jeffbRTC Jul 07 '21 at 19:07
  • @Bill_Stewart They use a Kernel Mode driver and KeStackAttachProcess ... See my answer below! – jeffbRTC Jul 25 '21 at 18:35

1 Answer

The error happened because I don't have permission to delete the file, and in some cases it happened because the file was already opened by another process.

To fix the permission issue, I had to invoke the following commands from the command prompt:

```
takeown /f C:\Windows\Fonts /r /d y
icacls C:\Windows\Fonts /grant administrators:F /t
```

To fix the issue when the file is owned by another process, I've found an application called IOBitUnlocker that is capable of doing this without closing the process, so I decided to dig more into it.

I've reverse engineered IOBitUnlocker. They are using a Kernel Mode Driver and use KeStackAttachProcess to attach to the process that owns the file and unlock it.

I am lucky enough to have found an article with complete code that describes how to use this API to unlock the file.

https://www.programmersought.com/article/96107379969/

This method is superior because you don't have to close the applications or reboot your machine. Although, you have to sign the kernel mode driver or disable the driver validation directly from your BIOS.

jeffbRTC
  • This sounds like a [bad idea to me](http://technet.microsoft.com/en-us/magazine/2009.04.windowsconfidential.aspx). – Bill_Stewart Jul 25 '21 at 23:51
  • @Bill_Stewart I'm aware of this. In my specific use case, this doesn't affect since the user has to restart the application after a bunch of fonts are deleted. – jeffbRTC Jul 26 '21 at 05:29
  • My advice is that it's better to work with the system than against it. Your approach is really asking for trouble. – Bill_Stewart Jul 26 '21 at 14:18
  • @Bill_Stewart There is nothing against. It's just my use case. Commercial tools do the same way so. .. – jeffbRTC Jul 26 '21 at 14:25
  • I would refer the honorable gentleman to my previous comment, posted approximately 1 hour ago. – Bill_Stewart Jul 26 '21 at 15:33
  • @Bill_Stewart Where? I can't see anything you posted an hour ago other than the one I replied. – jeffbRTC Jul 26 '21 at 16:31
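
The two failure causes named in the answer (missing permission, file open in another process) can be told apart in code, which the exception text quoted in the question does not allow. The following is an added example, not code from the post or from any tool named on this page; `DeleteResult`, `classify` and `try_delete` are hypothetical names, and the Windows branch assumes the `std::error_code` carries Win32 `GetLastError()` values.

```cpp
#include <filesystem>
#include <iostream>
#include <system_error>

namespace fs = std::filesystem;

enum class DeleteResult { Removed, NotFound, AccessDenied, InUse, Other };

// Map the raw error code to the causes discussed on this page.
DeleteResult classify(const std::error_code& ec) {
    if (!ec) return DeleteResult::Removed;
#ifdef _WIN32
    // Assumption: ec holds GetLastError() values in system_category
    // (numeric constants are from winerror.h).
    if (ec.category() == std::system_category()) {
        if (ec.value() == 5)  return DeleteResult::AccessDenied; // ERROR_ACCESS_DENIED
        if (ec.value() == 32) return DeleteResult::InUse;        // ERROR_SHARING_VIOLATION
    }
#endif
    if (ec == std::errc::permission_denied ||
        ec == std::errc::operation_not_permitted) return DeleteResult::AccessDenied;
    if (ec == std::errc::device_or_resource_busy ||
        ec == std::errc::text_file_busy) return DeleteResult::InUse;
    return DeleteResult::Other;
}

// Non-throwing delete: the error_code overload keeps the OS error intact.
DeleteResult try_delete(const fs::path& p, std::error_code& ec) {
    const bool removed = fs::remove(p, ec);  // false with no error: nothing existed
    if (!ec && !removed) return DeleteResult::NotFound;
    return classify(ec);
}

int main(int argc, char** argv) {
    if (argc < 2) { std::cerr << "usage: trydelete <file>\n"; return 2; }
    std::error_code ec;
    switch (try_delete(argv[1], ec)) {
        case DeleteResult::Removed:      std::cout << "removed\n"; return 0;
        case DeleteResult::NotFound:     std::cout << "no such file\n"; return 0;
        case DeleteResult::AccessDenied: std::cout << "access denied (ACL or elevation): "; break;
        case DeleteResult::InUse:        std::cout << "file is open in another process: "; break;
        case DeleteResult::Other:        std::cout << "other error: "; break;
    }
    std::cout << ec.value() << " " << ec.message() << "\n";
    return 1;
}
```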