So I decided not to upgrade my notebook to Windows 10, killed the updater task and wanted to delete the c:$Windows.~BT directory. After I reset all ownership to myself and all permissions to Everyone:FullControl, some files still could not be deleted.
Most of them were “desktop.ini” files, like this one:
c:$Windows.~BT\Sources\SafeOS\SafeOS.Mount\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
NtDeleteFile returned STATUS_IO_REPARSE_TAG_NOT_HANDLED for these files. I investigated the problem with FileTest and found that each of these files is set to reparse point with an undocumented reparse tag 0x80000008 and the following structure:
REPARSE_DATA_BUFFER
- ReparseTag 0x80000008
- ReparseDataLength 0x0024
- Reserved 0x0000
- GenericReparseBuffer
0x0018BF24 af eb 5e 37 db 2a 55 4f b0 c1 b4 52 7b fb 03 c0
0x0018BF34 e2 82 1a f7 bc 81 78 74 6a 5a 6d da a8 38 98 26
0x0018BF44 30 5b 6c 9b
The reparse point can be deleted normally.
Could anyone explain the structure of the reparse point in this case,
or give any comments at all?