Persistent error when deleting (Windows Defender backups)

[hendrst]

Bleachbit 4.0.0 on Windows 10.

Receive the following error during execution of clean, no errors show up during preview.

[WinError 5] Access is denied.: Command to delete C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasbase.vdm
[WinError 5] Access is denied.: Command to delete C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasdlta.vdm
[WinError 5] Access is denied.: Command to delete C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavbase.vdm
[WinError 5] Access is denied.: Command to delete C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavdlta.vdm
[WinError 5] Access is denied.: Command to delete C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
[WinError 5] Access is denied.: Command to delete C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.lkg

[az0]

The access is denied error looks like an issue fixed in BleachBit 4.1.0 beta. Please update, test again, and write a comment here to let me know how it went.

[hendrst]

Downloaded and installed 4.1.0 beta. Still receiving 'Access is denied' error on those same folders/files.

[az0]

@hendrst
Would you kindly also test BleachBit 4.1.1 beta?

[hendrst]

Still getting that error. FWIW, I tried to delete them manually as Admin, but they wouldn't budge.

[rados]

@az0
I can handle this one.

[abitrolly]

@rados if they can not be even removed by admin, what are you going to do?

[rados]

@rados if they can not be even removed by admin, what are you going to do?

Will investigate why those files are special and if there really is no way to delete them will propose a way to inform the user that we are aware...

[az0]

@rados
@abitrolly
When a file cannot be deleted at the moment (e.g., some Internet Explorer files), BleachBit normally schedules it to be deleted on Windows reboot, and this requires admin permissions. It may be a fault in the fallback mechanism, like a different kind of special file generating a different kind of error.

[abitrolly]

Is it possible to trace who holds the file on Windows?

[az0]

For troubleshooting, there is this tool https://www.nirsoft.net/utils/opened_files_view.html For general purpose, do you mean to kill the process? This can cause issues. Andrew

…

On Mon, May 10, 2021 at 9:54 AM Anatoli Babenia ***@***.***> wrote: Is it possible to trace who holds the file on Windows? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1021 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAHD6MDNMSVMVKAKGD5OFLDTM76R5ANCNFSM4RZDAEXQ> .

[hendrst]

Is it possible to trace who holds the file on Windows?

Here are the files in question:

With the exception of mpengine.dll all are owned by SYSTEM.

[abitrolly]

For general purpose, do you mean to kill the process? This can cause issues.

Not automatically, but at least tell the user.

[az0]

For general purpose, do you mean to kill the process? This can cause issues.

Not automatically, but at least tell the user.

Sometimes that would be helpful, but many users wouldn't want to or wouldn't know how to kill Internet Explorer or Windows Defender.

In the case of Windows Defender, we look into pausing the services like is done for cleaning Windows Updates.

[az0]

#1021 looks like #1004

The issue relates to a rule in windows_defender.xml added by Tobias in 2019 in revision 6ef3f67

<action command="delete" search="walk.files" path="%CommonAppData%\Microsoft\Windows Defender\Definition Updates\Backup\"/>

[rados]

@az0
I've tried both your suggestions - to pause the service like we do with Windows Update and to mark the files for removal on reboot. Both don't work with the same reason - Access Denied. Also stopping Windows Defender Antivirus through the interface or through renaming its exe file (MsMpEng.exe) couldn't allow me to manipulate its Backup folder. It seems like the lock is on some kind of a folder level not the on the files themselves. This suggestion comes from a test that I've performed. I've manually added some experimental empty subfolders in Backup folder and couldn't delete them as well (unless in Safe Mode). The parent folder has similar behavior - you can add an empty folder but cannot delete it.

Also I've checked Windows 7 and those problems doesn't exists there, i.e. the Backup files could be manipulated. This makes me think that probably Tobias have based the addition of the Backup folder on Windows 7 behavior or perhaps on some early version of Windows 10. @Tobias-B-Besemer could you remember? So for now my suggestion is to exclude the Defender Backup lines from the respective cleaner xml file.

[az0]

So for now my suggestion is to exclude the Defender Backup lines from the respective cleaner xml file.

I agree. It seems there is an anti-tampering system.

[hendrst]

Closed

[m86mitch]

Running the system in safe mode fixes this issue and allows the specified files to be deleted.