Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Environment

CB Response Server: All Supported Versions

Symptoms

The 'delete' command inside of a Live Response session gives the following errors when attempting to remove files or directories:
- "Remote error HRESULT 0x80070005" = 0x80070005: Facility[WIN32] Code[0005] Severity[1] Access is denied.

Cause

Read-only flags are set on files and directories. The error generated is being given by the OS, due to the files being read-only.

Resolution

The easiest way to remove read-only files and folders is to use sdelete: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- Download and extract the sdelete.exe/sdelete64.exe files to the local workstation from the link above.
- Use the 'put' command in the Live Response session to send the sdelete executable to the sensor :

put <destination_location>

Change directories to the 'destination_location' above.

cd <destination_location>

Run sdelete.exe command from Live Response.

execfg sdelete.exe /accepteula -r "<directory/file_to_delete>"

Switches:
- /accepteula : Accepts EULA without prompting via GUI
- -r : Recurse subdirectories (if applicable)

Article Information

Author:

Creation Date:

‎01-13-2021

Views:

1188

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.