Environment
- CB Response Server: All Supported Versions
Symptoms
- The 'delete' command inside a Live Response session returns the following error when attempting to remove files or directories:
- "Remote error HRESULT 0x80070005" = 0x80070005: Facility[WIN32] Code[0005] Severity[1] Access is denied.
Cause
- The read-only attribute is set on the target files or directories. The error is returned by the operating system because it refuses to delete read-only items.
Resolution
- The easiest way to remove read-only files and folders is to use sdelete: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
- Download and extract the sdelete.exe/sdelete64.exe files to the local workstation from the link above.
- Use the 'put' command in the Live Response session to send the sdelete executable to the sensor:
put <destination_location>
- Change directory to the destination_location used above.
cd <destination_location>
- Run the sdelete.exe command from Live Response.
execfg sdelete.exe /accepteula -r "<directory/file_to_delete>"
- Switches:
- /accepteula : Accepts the EULA without prompting via the GUI
- -r : Recurses into subdirectories (when deleting a directory)
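Before running sdelete it is worth confirming that the read-only attribute really is the cause. The following Python script is an added example, not part of this article or of the Carbon Black product: it walks a directory tree, lists every file or directory that lacks the owner-write bit (which is how Python exposes the Windows READONLY attribute in st_mode), and can clear that bit so a normal delete succeeds. The function names and the sample tree built by demo() are constructed for this example.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_read_only(path: Path) -> bool:
    """True when the entry has no owner-write bit.

    On Windows, Python maps the READONLY file attribute onto the absence
    of stat.S_IWRITE in st_mode, which is the condition behind the
    0x80070005 "Access is denied" error on delete. On POSIX the same test
    simply reports the owner-write permission bit.
    """
    return not (path.stat().st_mode & stat.S_IWRITE)


def find_read_only(root: Path) -> list:
    """Return the sorted, root-relative paths of all read-only entries under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if is_read_only(entry):
                hits.append(entry.relative_to(root).as_posix())
    return sorted(hits)


def clear_read_only(root: Path) -> int:
    """Restore the owner-write bit on every read-only entry; return how many were changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if is_read_only(entry):
                entry.chmod(entry.stat().st_mode | stat.S_IWRITE)
                changed += 1
    return changed


def demo() -> tuple:
    """Constructed sample tree: two files under logs/, one marked read-only.

    Returns (read-only entries before clearing, number cleared, entries after).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "normal.txt").write_text("ok")
        locked = root / "logs" / "locked.txt"
        locked.write_text("cannot delete me")
        locked.chmod(stat.S_IREAD)  # owner read only: the read-only condition
        before = find_read_only(root)
        cleared = clear_read_only(root)
        after = find_read_only(root)
        return before, cleared, after


if __name__ == "__main__":
    before, cleared, after = demo()
    print("read-only before:", before)
    print("entries cleared:", cleared)
    print("read-only after:", after)
```

Run find_read_only() against the path that 'delete' refused, and the output tells you whether this article's cause applies before any tool is copied to the sensor. Note that sdelete is a secure-deletion utility that overwrites data rather than sending it to the Recycle Bin, so double-check the path passed with -r; clearing the attribute with clear_read_only() and using the ordinary 'delete' command is the gentler option when you only need the read-only flag gone.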