Use PendingFileRenameOperations Registry to Automatically Delete a File On Reboot

Successfully Tested On: Windows 10 Enterprise versions 1507 - 2004

I recently ran into a situation where I was remotely fixing a computer at a distant location and needed to delete a specific EXE file. Even though the file had been removed from startup, it still started automatically on boot and its process would then hang. Attempting to force-end the process strangely errored out, and the EXE could not be deleted because the process was still running (hung) with the file open.

Normally, booting into Safe Mode is a quick way to keep processes like this from starting, but because of the remote location that wasn't an easy option. I had already tried several ways to have the file deleted automatically, including the RunOnce Registry key, but nothing had worked: RunOnce entries run at logon, by which time the process had already started and had the file locked.

Enter the PendingFileRenameOperations Registry Value

An experienced coworker happened to mention the PendingFileRenameOperations Registry value, a method I had never used before. It is a Multi-String (REG_MULTI_SZ) value that the Session Manager (smss.exe) processes early in the boot sequence, before any user-mode process has had a chance to open the file, so it can move or delete files that are always locked once Windows is up. It is the same mechanism installers use when they call MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag. Two things to know before editing it by hand: you need administrator rights to write to the key, and if the value already exists (Windows Update and installers leave their own pending operations in it) you should add your lines after the existing ones rather than create the value afresh, or their queued operations are lost. It's fairly easy to do:

To delete a file on startup:

  1. Open Registry Editor and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
  2. Right-click in the right pane to add a new Multi-String Value and name it PendingFileRenameOperations
    NOTE: If the value already exists, edit it instead and put your path on a new line after the existing entries
  3. Double click the new PendingFileRenameOperations value to edit it and enter the full path of the file to be deleted starting with \??\ (the object-manager prefix the Session Manager expects in front of a normal Win32 path)
    (e.g. \??\C:\Test.exe)
    NOTE: Do not use any quotations even if the path has spaces
  4. Click OK to close the value editor
  5. Right-click the PendingFileRenameOperations value and select Modify Binary Data
  6. At the very end of the binary value data, after the zeros already there, add one more null character (two bytes, 00 00) and click OK. Entries in this value come in pairs (source path, destination path) and an empty destination means "delete"; the Multi-String editor will not let you save an empty line, so the extra 00 00 is that empty second string entered by hand
  7. Restart the computer and the specified file as well as the PendingFileRenameOperations Registry value will be deleted (the Session Manager processes the entries, then removes the value; if the delete fails, for example because the path was wrong, the file is simply left in place)

To move a file on startup:

  1. Open Registry Editor and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
  2. Right-click in the right pane to add a new Multi-String Value and name it PendingFileRenameOperations
    NOTE: If the value already exists, edit it instead and put your two lines after the existing entries
  3. Double click the new PendingFileRenameOperations value to edit it
  4. On the first line enter the full source path of the file to be moved starting with \??\
    (e.g. \??\C:\Source\Test.exe)
    NOTE: Do not use any quotations even if the path has spaces
  5. On the second line enter the full destination path of the file to be moved starting with \??\
    (e.g. \??\C:\Destination\Test.exe)
    NOTE: Do not use any quotations even if the path has spaces
    NOTE: The move fails at boot if a file already exists at the destination. To overwrite it, prefix the destination with an exclamation mark (e.g. !\??\C:\Destination\Test.exe); this is how MoveFileEx records its MOVEFILE_REPLACE_EXISTING flag in this value
  6. Click OK to close the value editor
  7. Restart the computer and the specified file will be moved and the PendingFileRenameOperations Registry value will be deleted
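The same two procedures (delete, and move with optional overwrite) done from an elevated PowerShell session instead of regedit, as an added example that is not part of the original post. The function names and the sample paths are this example's own; the key, value name, \??\ prefix, empty-destination-means-delete rule and the ! prefix are the Windows behaviour described above. The script appends to whatever is already queued rather than replacing it, and the last function shows the supported way of producing the same entries, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, via P/Invoke.

```powershell
# Added example, not from the original post. Run from an elevated (administrator)
# PowerShell session; every write below changes what the next boot will do.
$SessionManagerKey = 'SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName         = 'PendingFileRenameOperations'

function Get-PendingFileRenameOperations {
    # Return the queued entries as an array of strings (empty when nothing is pending).
    # Entries come in pairs: source, destination. An empty destination means "delete".
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SessionManagerKey)
    try {
        $value = $key.GetValue($ValueName, $null)
        if ($null -eq $value) { return @() }
        return [string[]]$value
    } finally { $key.Close() }
}

function ConvertTo-NtPath {
    param([Parameter(Mandatory)] [string] $Path)
    # The Session Manager runs before the Win32 subsystem, so it wants object-manager
    # paths: \??\ maps a Win32 path such as C:\Test.exe into that namespace.
    # No quotation marks, even when the path contains spaces.
    if ($Path.StartsWith('\??\')) { return $Path }
    return '\??\' + $Path
}

function Add-PendingFileRenameOperation {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [string] $Destination = '',   # empty => delete $Source at next boot
        [switch] $ReplaceExisting     # overwrite $Destination if it already exists
    )
    $src = ConvertTo-NtPath $Source
    $dst = ''
    if ($Destination -ne '') {
        $dst = ConvertTo-NtPath $Destination
        # A leading '!' on the destination is how MoveFileEx records MOVEFILE_REPLACE_EXISTING;
        # without it the move fails at boot when the destination already exists.
        if ($ReplaceExisting) { $dst = '!' + $dst }
    }
    # Append the new pair after whatever Windows Update or an installer has already queued.
    $entries = [string[]](@(Get-PendingFileRenameOperations) + @($src, $dst))
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SessionManagerKey, $true)
    try {
        # REG_MULTI_SZ keeps the empty destination as its own empty string: this is the
        # extra 00 00 that the regedit procedure above adds by hand in "Modify Binary Data".
        $key.SetValue($ValueName, $entries, [Microsoft.Win32.RegistryValueKind]::MultiString)
    } finally { $key.Close() }
    return $entries
}

# The supported API for the same job: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes
# this value itself (and adds the \??\ prefix). A null destination queues a delete.
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@
$MOVEFILE_REPLACE_EXISTING   = 0x1
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Remove-FileOnReboot {
    param([Parameter(Mandatory)] [string] $Path)
    $ok  = [Win32.NativeMethods]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if (-not $ok) { throw "MoveFileEx failed for '$Path' with Win32 error $err" }
}

# --- usage with sample paths (not real files on the author's machine) ---
Add-PendingFileRenameOperation -Source 'C:\Test.exe'                       # delete on reboot
Add-PendingFileRenameOperation -Source 'C:\Source\Test.exe' `
                               -Destination 'C:\Destination\Test.exe' -ReplaceExisting
Remove-FileOnReboot -Path 'C:\Program Files\Example\hung.exe'              # via MoveFileEx
Get-PendingFileRenameOperations                                            # review the queue before rebooting
```

Run Get-PendingFileRenameOperations before and after: it shows exactly what smss.exe will do at the next boot, which is also worth checking on a machine you are investigating, since installers and malware alike use this value to drop or replace files while nothing is watching.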

After this simple process and a reboot, the file that had been causing me problems was gone, so there was no longer a hung process, and I was good to go!

3 comments

  1. […] installation process remains mostly the same. We still see the use of PendingFileRenameOperations for placing the files under the system32 directory after a reboot. However, the CustomAction table […]

