Deleting files.. ACCESS_DENIED and CANNOT_DELETE errors.

Dejan_Maksimovic Member - All Emails Posts: 316


I am probably missing something obvious, but so much of simple file I/O has been different in kernel mode, that it could be something bigger.

So I am trying to delete our "data cache" folder. These are our files, copies of some random files (a lot of them).
I am trying to delete those files, but for a few of them (like.. 0.001%), I get STATUS_ACCESS_DENIED when I try to open them this way:
    ntRes = FltCreateFileEx(gFilter,
                            Instance,
                            &hFile,
                            &lpFile,
                            FILE_ALL_ACCESS,
                            &ObjAttr, // We may reuse ObjAttr, as it points to szPath, which
                                      // now includes the component name.
                            &IoSb,
                            NULL,
                            FILE_ATTRIBUTE_NORMAL,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            FILE_OPEN,
                            FILE_OPEN_REPARSE_POINT,
                            NULL,
                            0,
                            IO_IGNORE_SHARE_ACCESS_CHECK);

The above code is used to try and remove a possible read-only flag, but it fails.

This is during InstanceSetup at boot. Files are definitely not open by anything.

Any clues?


  • Dejan_Maksimovic Member - All Emails Posts: 316

    Ah, I love these "spend 5 days without success bugs, post a query, find a solution right after you post." :)

    I was asking for too many permissions, FILE_WRITE_ATTRIBUTES | DELETE did the trick instead of FILE_ANY_ACCESS.

  • rod_widdowson Member - All Emails Posts: 1,131

    Urg. Files with RO bit I guess...

  • Dejan_Maksimovic Member - All Emails Posts: 316

    Yeah, it appears that is the reason (they were all RO, but I cannot tell if any other were also RO, but did not fail, as there are >10K files in the cache).
    I find this strange, I can request DELETE access in the same open for RO-bit clearing, but not WRITE_DATA access in it. The peculiar part being that I can get DELETE access, without needing a second open, after clearing the RO attribute.

  • rod_widdowson Member - All Emails Posts: 1,131

    I suppose it's like ejecting the floppy, putting tape over the RO tab and putting it back in again, then deleting (and maybe due to needing to simulate that)

    RO files are a complete pain in multiple ways but this is the most aggravating. Almost equally aggravating are directory ACLs where you can create an entry, but not read it (so you can create a new file, but you cannot then open it). And then there are files open for write but with the RO bit set...

    Filesystems are weird.

  • Craig_Barkhouse Member - All Emails Posts: 19

    Dejan, the traditional way to delete a readonly file is to toggle the readonly attribute off. That's what "del /f" does from the command line. To do this efficiently from a filter, open for DELETE access (but not DELETE_ON_CLOSE), set disposition, and if that fails with STATUS_CANNOT_DELETE you can check if the file is readonly (the only other reason for STATUS_CANNOT_DELETE being someone has a mapped view), and if so then toggle readonly off, set disposition again.
    In RS3+, on NTFS, the DELETE_ON_CLOSE should work if you specify IO_IGNORE_READONLY_ATTRIBUTE (0x40) in addition to IO_IGNORE_SHARE_ACCESS_CHECK which you are already specifying. For some reason this doesn't appear to be documented.
    In RS5+, on NTFS, you can set FileDispositionInformationEx and pass the flag FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE. This one also appears to be undocumented at the moment. The documentation really is sorely out of date.
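
The sequence Craig describes, with the newer-OS attempt first and the legacy fallback after it, as an added example that is not code from any poster in this thread. It is a portable model rather than driver code: MOCK_FILE, the mock_* functions and delete_cached_file are hypothetical names, and the status returned for an unsupported information class is an assumption.

```c
/* Added example: portable model of the delete fallback. In a minifilter the
 * mock_* calls are FltSetInformationFile on a DELETE | FILE_WRITE_ATTRIBUTES open. */
#include <stdint.h>

typedef uint32_t NTSTATUS;              /* LONG in the WDK; unsigned here for the model */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_INFO_CLASS 0xC0000003u
#define STATUS_CANNOT_DELETE      0xC0000121u
#define FILE_ATTRIBUTE_READONLY   0x00000001u
#define FILE_DISPOSITION_DELETE                    0x00000001u
#define FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE 0x00000010u

typedef struct {            /* constructed stand-in for one cache file */
    uint32_t attributes;    /* FILE_ATTRIBUTE_* bits */
    int has_mapped_view;    /* the other cause of STATUS_CANNOT_DELETE */
    int supports_ex;        /* RS5+ NTFS accepts FileDispositionInformationEx */
    int delete_pending;
} MOCK_FILE;

static NTSTATUS mock_set_disposition_ex(MOCK_FILE *f, uint32_t flags) {
    if (!f->supports_ex) return STATUS_INVALID_INFO_CLASS;  /* assumed status */
    if (f->has_mapped_view) return STATUS_CANNOT_DELETE;
    if ((f->attributes & FILE_ATTRIBUTE_READONLY) &&
        !(flags & FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE))
        return STATUS_CANNOT_DELETE;
    f->delete_pending = 1;
    return STATUS_SUCCESS;
}

static NTSTATUS mock_set_disposition(MOCK_FILE *f) {  /* FileDispositionInformation */
    if (f->has_mapped_view || (f->attributes & FILE_ATTRIBUTE_READONLY))
        return STATUS_CANNOT_DELETE;
    f->delete_pending = 1;
    return STATUS_SUCCESS;
}

NTSTATUS delete_cached_file(MOCK_FILE *f) {
    /* 1. Newer OS: a single call that ignores the read-only bit. */
    if (mock_set_disposition_ex(f, FILE_DISPOSITION_DELETE |
            FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE) == STATUS_SUCCESS)
        return STATUS_SUCCESS;
    /* 2. Any failure: fall back to the legacy information class. */
    NTSTATUS st = mock_set_disposition(f);
    if (st != STATUS_CANNOT_DELETE) return st;
    /* 3. Retry only if read-only is the cause; otherwise a mapped view blocks it. */
    if (!(f->attributes & FILE_ATTRIBUTE_READONLY)) return st;
    f->attributes &= ~FILE_ATTRIBUTE_READONLY;  /* FileBasicInformation set */
    return mock_set_disposition(f);
}
```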

  • Dejan_Maksimovic Member - All Emails Posts: 316

    OK, another missing post sent via e-mail here...
    Thanks for that info.
    I doubt the new classes will be of any use, as it is extremely rare that only the latest OS needs to be supported.

    We still have a great number of XP Clients, more than W10.

  • Craig_Barkhouse Member - All Emails Posts: 19

    That's unfortunate you will have so many XP clients. You could still send the new info class to take advantage of it on newer OSes, and fall back to old methods if it fails, but that's your decision.

    I've added some verbiage to the documentation about what STATUS_CANNOT_DELETE means, and also added FILE_DISPOSITION_IGNORE_READONLY_ATTRIBUTE:
