Home / Questions / 1448
Accepted
Goerman
Asked: 2020-12-22 05:02:38 +0800 CST 2020-12-22 05:02:38 +0800 CST

How to remove “AUTORUN.INF” file from USB?

  • 772

Equipment

  • I am using Windows 7 Professional.
  • I have the Administrator role.
  • The USB device has FAT32 file system.

Situation : In the root folder of a USB there is a file called "AUTORUN.INF", which I want to delete, when trying to do it through the Windows explorer, the message appears: "Equipment administrator permissions are required to make changes in this file". I have tried the following alternatives without success.

Proven Alternatives:

  1. Remove all file attributes (Read Only File, Archive File, System File, Hidden File) via Windows Command Console.
Attrib –r –a –s –h I:/AUTHORUN.INF

Obtaining the following negative result:

Acceso denegado: I:/AUTORUN.INF
  1. Check which process is using the file with the Process Explorer program and then kill the process with the "Handle V4.0" program as suggested by this solution

Shortcut Ctrl + F, to access the “Handle or DLL substring” functionality, then search for “ I:/AUTORUN.INF”, it gives me the answer “0 marching items”

  1. Try the Unlocker program .

I ignored the warning "site suspected of serving unwanted software", I downloaded and installed it, when I right click on the file and then choose Unlocker it shows me that the file is not locked by any process, but it does not allow it to be deleted, it asks do it after the next reboot, but it doesn't remove it in the end either.

Untested Alternatives

  1. Use a mini Linux, mini Windows or BootCD

Delayed alternative, I don't have those tools.

  1. Format the USB.

It implies quite delayed data movement.

  1. Remove it using windows safe mode.

Is there a solution that doesn't involve restarting the computer?

archivo

6 Answers

  1. Unlocker is reliable, but I'll show you how to do it with Windows.

    For all the options that I show you, open the console in administrator mode, right click on the icon and select the "Run as administrator"

    enter image description here

    And before anything check the integrity of the file system

    sfc /SCANFILE=I:\autorun.inf

    If it doesn't work for you, do a full system check.

    sfc /SCANNOW

    Option 1

    Execute these commands, it may be necessary to "kill" explorer.exeto be able to delete the file (explorer may have locked it), and it is used /Fto be able to delete it even if it is read-only.

    TASKKILL /F /IM explorer.exe
del "I:\AUTORUN.INF" /F /Q /A
explorer

    Option 2

    The scenario can be more adverse if an executable has locked the file, in that case download this tool from Microsoft and run the following also as administrator.

    Handle

    handle "I:\AUTORUN.INF"
Algo.exe             pid: 4      type: File          3BE8: I:\AUTORUN.INF
Otro.exe             pid: 5      type: File          40C0: I:\AUTORUN.INF

    Now if then you kill the processes using the pid andtaskkill

    TASKKILL /PID 4 /PID 5 /T
del "I:\AUTORUN.INF" /F /Q /A

    Option 3

    You may flat out don't have permission, it seems your case, so take ownership of the file:

    takeown /F "I:\AUTORUN.INF"

    And then assign the delete permission.

    icacls "I:\AUTORUN.INF" /grant MyUser:(D,W)

    For now if delete

    del "I:\AUTORUN.INF" /F /Q
    • 8

  2. It appears that Panda USB Vaccine has been applied to the drive.

    This tool, to prevent viruses from being able to use a autorun.infto run from the floppy or usb, allows you to create (or automatically creates for all drives that are inserted) an autorun.inf erróneo(if I remember correctly, it included the attributes of system, hidden, volume...), in such a way that although it is shown that the file exists, it is not possible to read, delete or modify the file.

    If you can't access the file even after rebooting, I'm inclined to go with this option. You can also see if attrib autorun.infit gives any clue about it.

    The tool itself (it is a free program) allows a unit to be devaccinated .

    • 3
  3. Best Answer

    NOTE: I have placed this answer on top of the other as it clearly addresses the issue in a very different way and is to cover a very specific case.

    Option 4: Panda USB Vaccine

    It turns out that Panda USB Vaccine makes use of file attributes, BUT undocumented attributes, setting a value to 1 that according to Microsoft documentation should always be 0.

    In the file format the last byte after the name represents the permissions like this

    XYADVSHR

X, Y: reservados por Windows (Y en 1 indica que el archivo apunta a un dispositivo , por ejemplo los archivos reservados CON, LPT etc)
R: ATTR_READ_ONLY   0x01
H: ATTR_HIDDEN      0x02
S: ATTR_SYSTEM      0x04
V: ATTR_VOLUME_ID   0x08
D: ATTR_DIRECTORY   0x10
A: ATTR_ARCHIVE     0x20

    If one checks the setting of that BYTE for AUTORUN.INF in a RAW disk editor one finds the 42hexadecimal value that is equivalent to these bytes

    01000010
XYADVSHR

    If you look closely, set Yto 1, that attribute is reserved and what it does is tell Windows that this file is really a device , so that for Windows this file should not be deleted.

    So you have to rewrite the file attributes at the file system level, to do that follow these steps:

    1. get a binary disk editor, there are several but i recommend iBored

    2. once installed, run it as administrator and open the usb drive from the tool iBored open disk

    3. once 'open' press CTRL + Fto search AUTORUN INF <<--- EYE WITHOUT THE DOT, WITH SPACE . Pay attention to details, such as using case sensitive to make the search faster, as it could take a long time.

      View Raw contents

    4. Once found, select the file name in the Text Editor, look at the hexa character that follows, which is equivalent to the file attributes (in this case 0x42). lookup permission bytes 1.Press Ctrl + Shift + Mto make the disk writable, you may get errors, especially in Windows 10. Ignore the errors by clicking Cancel.

      enter image description here

    5. Now select the 42and replace it with 20what is essentially marking the file as ready for archiving and leaving the other attributes at 0, pressSave
    6. Close iBored and voila, you can now delete the file.
    • 3

  4. In my case iBored worked , once the file was unlocked I opened it and it only had a few letters inside, no malicious code. I think what this file, placed by a previously removed virus, does is it blocks USB autorun to prevent anything else from running and taking control of the USB.

    • 1

  5. Have you tried PsExec ?

    If the problem is one of permissions, perhaps the file can only be manipulated by the SYSTEM account, and this is where PsExec comes in.

    Copy the executable to System32 for example, and then from the command prompt run:

    PsExec -SID cmd.exe

    This will open another CMD with SYSTEM privileges; What follows is that you navigate to the file and use some known command such as:

    DEL autorun.inf
    • 0

  6. I had the same problem, it wasn't a virus, I just couldn't delete the autorun.inf from the root of the USB.

    My solution was to disable the Panda Antivirus USB Vaccine, however, this does not delete the autorun.inf, it does not re-create it with the new memories. Those who already have it must format it. It seems that the autorun.inf is corrupted (by Panda on purpose) and cannot be touched.

    Panda USB Vaccine

    • 0