Introduction:
Windows reserves a set of device names (CON, PRN, AUX, NUL, COM0–COM9, LPT0–LPT9) for legacy hardware interfaces. Attackers and malware authors combine these reserved names with the `\\?\` prefix, which switches off Win32 path normalization, to create files that File Explorer, `del`, and `Remove-Item` cannot open or remove by their ordinary path. The result is a seemingly innocuous PowerShell one‑liner that produces a persistent nuisance file or, with a large enough size, a disk‑filling denial of service.
Learning Objectives:
– Understand how the Win32 device namespaces (`\\.\`, `\\?\`) interact with path normalization and the NT object namespace.
– Execute the undeletable file creation and removal process in a controlled lab environment.
– Identify and mitigate such techniques using command‑line forensics, PowerShell removal, and security hardening policies.
You Should Know
1. Creating the Undeletable File – Step‑by‑Step Guide
This procedure creates a 1GB file named `PRN.txt` on the D:\ drive. The file cannot be deleted by normal means because `PRN` is a reserved device name: the un‑prefixed path `D:\POC\PRN.txt` is normalized to the printer device, while the `\\?\` prefix disables that normalization and hands the name to NTFS as written.
Step‑by‑step (Windows 10/11, PowerShell, no admin required beyond write access to the target folder):
1. Press `Win + R`, type `powershell`, and press Enter.
2. Verify your target drive exists (e.g., D:\). Create the `POC` folder if needed:
New-Item -ItemType Directory -Path "D:\POC" -Force
3. Execute the core command:
$fs = [System.IO.File]::Create("\\?\D:\POC\PRN.txt"); $fs.SetLength(1GB); $fs.Close()
(`SetLength` returns nothing, so it cannot be chained with `Close()`; it only moves the end‑of‑file marker, so no gigabyte of data is actually written.)
4. Confirm the file exists with `Get-ChildItem D:\POC`. The entry is listed normally: directory enumeration returns names straight from the file system and does not go through path normalization.
5. Attempt deletion via normal means:
– In File Explorer, select `PRN.txt` and press `Shift + Del`: you receive "Could not find this item" or similar.
– In CMD: `del D:\POC\PRN.txt` fails with an error such as "The system cannot find the file specified."
– In PowerShell (without the prefix): `Remove-Item D:\POC\PRN.txt` also fails.
Why this works:
The `\\?\` prefix switches off Win32 path normalization: the string after it is passed to the NT namespace (as `\??\D:\POC\PRN.txt`) without the canonicalization that maps a path component named `PRN` (any case, any extension) to the printer device `\??\PRN`. NTFS itself has no notion of reserved names, so it stores `PRN.txt` as an ordinary file. Explorer, `del`, and `Remove-Item` pass the un‑prefixed path, normalization redirects that path to the device, and the delete fails with "not found" or a syntax error. Enumeration is unaffected because the names come back from the directory rather than going through normalization, which is why the file is visible but untouchable.
Safe removal (no crash):
Use the same prefix with the `Delete` method (or, from CMD, `del \\?\D:\POC\PRN.txt`):
[System.IO.File]::Delete("\\?\D:\POC\PRN.txt")
Verify deletion with `Get-ChildItem D:\POC`.
Warning: a larger `SetLength` (10GB or more) simply reserves that much space on the target volume. Doing this on a nearly full system drive can destabilise Windows, so keep the experiment on a scratch volume.
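The whole create, verify, fail‑to‑delete, delete cycle from the steps above as one script. This is an added example, not code from the original post; it assumes a writable lab volume `D:` (change `$Dir` otherwise) and checks the outcome of the Win32‑path delete by re‑testing existence rather than by catching an exception, because `File.Delete` silently returns when the normalized path is reported as not found.

```powershell
# Added example, not from the original post. Assumes a writable lab volume D:; change $Dir otherwise.
$Dir   = 'D:\POC'
$Name  = 'PRN.txt'
$Win32 = Join-Path $Dir $Name      # D:\POC\PRN.txt : normalizes to the PRN device
$Raw   = "\\?\$Win32"              # \\?\D:\POC\PRN.txt : handed to NTFS as written

New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# 1. Create through the raw path. SetLength() returns nothing, so it cannot be chained with Close();
#    it only moves end-of-file, NTFS does not write a gigabyte of data.
$fs = [System.IO.File]::Create($Raw)
try     { $fs.SetLength(1GB) }
finally { $fs.Close() }

# 2. The entry is visible: enumeration returns names straight from the directory, no normalization.
$listed = (@(Get-ChildItem -LiteralPath $Dir -File | Where-Object Name -eq $Name).Count -eq 1)
"Listed by Get-ChildItem        : $listed"

# 3. Deleting by the ordinary Win32 path does nothing useful: the path resolves to the printer device.
#    File.Delete may throw or may return quietly, so the proof is that the file is still there afterwards.
try   { [System.IO.File]::Delete($Win32) }
catch { "Delete via Win32 path threw    : $($_.Exception.GetType().Name)" }
"Still exists after Win32 delete: $([System.IO.File]::Exists($Raw))"

# 4. The raw path still reaches the real file: read its size, then remove it.
$info = [System.IO.FileInfo]::new($Raw)
"Length via raw path            : $($info.Length) bytes"
[System.IO.File]::Delete($Raw)
"Exists after raw delete        : $([System.IO.File]::Exists($Raw))"
```

Run it in a normal (non‑elevated) PowerShell window; expect `True` for the listing and for "still exists", `1073741824` for the length, and `False` after the raw delete.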
2. Mapping Reserved Device Names and Attack Surface
The following names are reserved by the Win32 layer: a path component equal to one of them, case‑insensitively and with any extension, is redirected to the device no matter where it appears in the path:
| Device | Purpose | Example Malicious File |
|---|---|---|
| CON | Console (stdin/stdout) | `CON.css`, `CON.aux` |
| PRN | Printer | `PRN.exe`, `PRN.pdf` |
| AUX | Serial port (usually COM1) | `AUX.sys` |
| COM0–COM9 | Serial communication ports | `COM1.bat`, `COM4.dll` |
| LPT0–LPT9 | Parallel printer ports | `LPT1.config` |
| NUL | Null device (bit bucket) | `NUL.log` (writes disappear) |
Exploitation scenario:
An attacker drops a file named `COM1.sys` into a directory they can write to (for `C:\Windows\System32\drivers` that means administrator rights; any user‑writable folder works without them) using the `\\?\` prefix. The file is visible in directory listings, but every tool that opens it through the ordinary Win32 path (Explorer, `del`, cleanup scripts, scanners that build the path without the prefix) is redirected to the COM1 device and fails. Only code that uses NT paths or the `\\?\` prefix, which includes the kernel itself, can read or remove it. The practical effect is obstruction of cleanup, not invisibility.
Detection with PowerShell:
Enumeration returns the names normally, so filter the listing on reserved base names. Anchor the pattern on the extension boundary so that `CONFIG.sys` or `AUXILIARY.dll` are not flagged:
Get-ChildItem "C:\Windows\System32\drivers\" | Where-Object { $_.Name -match '^(CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])(\.|$)' }
3. Linux and macOS Parallels – Reserved Names and Bypasses
While Windows is most vulnerable to this exact trick, other operating systems have similar reserved names or path traversal quirks:
– Linux reserves only `.` and `..` and forbids `/` and NUL bytes inside a name. Everything else is legal, which brings its own problems: a file named `-rf` or `--help` is parsed as an option by careless shell commands, and a name containing a newline, created with `touch $'evil\nfile.txt'`, breaks many scripts that split output on lines.
– macOS (HFS+/APFS) has no equivalent of the DOS device names; as on Linux, only `/` and NUL are forbidden and `.`/`..` are fixed directory entries.
– NTFS‑3G on Linux sees an NTFS volume through ordinary POSIX paths. There is no `\\?\` prefix and no device‑name check, so a file called `PRN.txt` is created, read, and deleted like any other.
Linux command to find dangerous filenames:
find / -regextype posix-extended -iregex '.*/(con|prn|aux|nul|com[0-9]|lpt[0-9])(\.[^/]*)?' 2>/dev/null
Mitigation across platforms:
Always sanitize user‑supplied filenames: reject control characters, path separators, names whose base name is a reserved DOS device (with any extension, after trailing dots and spaces are stripped), and any path starting with `\\.\` or `\\?\`.
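A validator for a single filename component that applies the rules above, as an added example rather than code from the original post. `Test-SafeFileName` is a hypothetical helper for upload handlers or scripts that accept user‑chosen names; the sample names at the bottom are constructed for the demonstration. It is deliberately stricter than NTFS itself so that the same name is safe on Windows, Linux, and macOS.

```powershell
# Added example, not from the original post. Validates one path component (a filename, not a full path).
function Test-SafeFileName {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Name)

    # Win32 compares the base name case-insensitively, ignores any extension, and strips trailing
    # dots and spaces first, so "Con . txt" still resolves to the CON device.
    $reserved = '^(CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])(\s*\.[^\\/]*)?\s*$'

    if ([string]::IsNullOrWhiteSpace($Name))   { return $false }
    if ($Name -match '[\x00-\x1F\x7F]')        { return $false }  # control characters, newline included
    if ($Name -match '[\\/:*?"<>|]')           { return $false }  # separators (also kills \\.\ and \\?\) and Win32-invalid chars
    if ($Name -in @('.', '..'))                { return $false }
    if ($Name -imatch $reserved)               { return $false }
    if ($Name -match '[ .]$')                  { return $false }  # trailing dot/space is stripped by Win32, ambiguous on disk
    return $true
}

# Constructed test names: expected verdict on the right.
$cases = [ordered]@{
    'report.txt'     = $true
    'PRN.txt'        = $false
    'com1.bat'       = $false
    'CONSOLE.log'    = $true      # CON must be the whole base name
    'Con . txt'      = $false     # stripping turns this into CON
    "evil`nfile.txt" = $false     # newline
    '\\?\D:\x.txt'   = $false     # raw-path prefix
    'lpt1'           = $false
    '..'             = $false
}
foreach ($c in $cases.GetEnumerator()) {
    $got = Test-SafeFileName $c.Key
    '{0,-16} expected={1,-5} got={2} {3}' -f ($c.Key -replace "`n", '\n'), $c.Value, $got, $(if ($got -eq $c.Value) { 'OK' } else { 'MISMATCH' })
}
```

Every row should print `OK`. If you only need Windows semantics the trailing‑dot rule can be relaxed, but keep it when names are later mirrored to SMB shares or object storage, where "report." and "report" become two different objects.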
4. Forensic Artifacts – Detecting Undeletable Files
When an attacker creates such a file, several artifacts are left behind:
| Artifact | Location | Forensic Value |
|---|---|---|
| $MFT (Master File Table) record | `fsutil file queryfileid "\\?\D:\POC\PRN.txt"` | The file has an ordinary MFT record; only the un‑prefixed path fails to reach it |
| USN Journal | `fsutil usn readjournal D:` | Records the creation of `PRN.txt` with a `File Create` reason (`queryjournal` only prints journal metadata) |
| PowerShell history | `%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` | Contains the exact command used |
| Prefetch | `C:\Windows\Prefetch\POWERSHELL.EXE-<hash>.pf` | Timestamps of PowerShell execution |
Extract $MFT entry for the hidden file:
`fsutil file queryfileid D:\POC\PRN.txt` fails like any other un‑prefixed access. Pass the raw path instead; `queryallocranges` takes an offset and a length before the file name:
fsutil file queryfileid "\\?\D:\POC\PRN.txt"
fsutil file queryallocranges 0 0x40000000 "\\?\D:\POC\PRN.txt"
If successful, the first returns the file ID and the second the allocated cluster ranges, proving the file exists on disk.
PowerShell oneliner to detect any reserved‑name file across all drives:
Get-PSDrive -PSProvider FileSystem | Where-Object Root | ForEach-Object {
Get-ChildItem -LiteralPath $_.Root -Recurse -File -Force -ErrorAction SilentlyContinue |
Where-Object { $_.Name -match '^(CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])(\.|$)' }
}
No `\\?\` prefix is needed here: enumeration already returns the names, and the prefix is only required when opening a matching file.
5. Hardening Against Device Namespace Abuse
Prevent creation and execution of such files using group policies and system configurations.
Step‑by‑step hardening (Windows):
1. Disable 8.3 short name generation (general hardening against alternative names; it does not affect the `\\?\` trick itself):
fsutil behavior set disable8dot3 1
2. Enable PowerShell script block logging so that any `[System.IO.File]::Create` with `\\?\` is recorded as Event ID 4104:
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
3. Windows has no built‑in switch that blocks the `\\?\` prefix for non‑admin processes; doing so would need a custom minifilter or third‑party security software. Treat it as a detection problem instead, and reduce where standard users can write (system directories, the all‑users Startup folder).
4. Deploy a custom detection rule in SIEM (e.g., Splunk, Sentinel) looking for:
– Process creation with command line containing `\\?\` AND `SetLength` AND `PRN|COM|AUX`.
– Event ID 4104 (PowerShell script block) with those strings.
5. Use Sysmon (Event ID 11, FileCreate) to see the creation. Sysmon's minifilter observes the create at the file‑system level, but it records `TargetFilename` as the normalized path (`D:\POC\PRN.txt`), never with the `\\?\` prefix, so match on the reserved base name rather than on the prefix.
Sysmon configuration snippet (XML rule, `contains any` takes a `;`‑separated list; a bare reserved name without an extension needs a separate `end with` rule):
<FileCreate onmatch="include">
<TargetFilename condition="contains any">\CON.;\PRN.;\AUX.;\NUL.;\COM1.;\COM2.;\COM3.;\COM4.;\LPT1.;\LPT2.</TargetFilename>
</FileCreate>
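The SIEM logic from steps 4 and 5 as a PowerShell filter run over constructed sample events. This is an added example, not code from the original post; the event shape (`Id`, `ScriptBlockText`, `TargetFilename`) is an assumption standing in for whatever your SIEM or `Get-WinEvent` exposes, and the five events are constructed for the demonstration. Note that the Sysmon rule matches on the normalized name, because the `\\?\` prefix never appears in a FileCreate event.

```powershell
# Added example, not from the original post. Field names are assumptions, events are constructed.

# Last path component is a reserved device name, with or without an extension.
$ReservedName  = '(^|[\\/])(CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])(\.[^\\/]*)?$'
# A \\?\ prefix inside a quoted literal whose final component is a reserved name.
$ScriptPattern = '\\\\\?\\[^"'']*[\\/](CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])(\.[^\\/"'']*)?["'']'

function Find-ReservedNameAbuse {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $hit = switch ($e.Id) {
            4104    { [string]$e.ScriptBlockText -match $ScriptPattern }   # PowerShell script block text
            11      { [string]$e.TargetFilename  -match $ReservedName }    # Sysmon FileCreate, normalized path
            default { $false }
        }
        if ($hit) {
            [pscustomobject]@{
                Id       = $e.Id
                Evidence = if ($e.Id -eq 4104) { $e.ScriptBlockText } else { $e.TargetFilename }
            }
        }
    }
}

# Constructed sample events: two should be flagged, three are benign look-alikes.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4104; ScriptBlockText = '$fs = [System.IO.File]::Create("\\?\D:\POC\PRN.txt"); $fs.SetLength(1GB)'; TargetFilename = $null }
    [pscustomobject]@{ Id = 4104; ScriptBlockText = 'Get-Content "\\?\C:\very\long\path\notes.txt"';                            TargetFilename = $null }
    [pscustomobject]@{ Id = 11;   ScriptBlockText = $null; TargetFilename = 'D:\POC\PRN.txt' }
    [pscustomobject]@{ Id = 11;   ScriptBlockText = $null; TargetFilename = 'C:\Windows\System32\drivers\config.sys' }
    [pscustomobject]@{ Id = 11;   ScriptBlockText = $null; TargetFilename = 'C:\Users\alice\Desktop\CONTRACT.docx' }
)

Find-ReservedNameAbuse $SampleEvents | Format-Table -AutoSize
```

Expected output is two rows: the 4104 event that creates `\\?\D:\POC\PRN.txt` and the Sysmon event for `D:\POC\PRN.txt`; the legitimate long‑path read and the `config.sys`/`CONTRACT.docx` creates do not match because the reserved name must be the entire base name. A long‑path `\\?\` read is common in backup and build tooling, which is why the script‑block rule requires a reserved name and not merely the prefix.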
6. Advanced Exploitation and Mitigation – Kernel vs. Userland
The `\\?\` prefix does not touch the kernel's object‑name lookup. It tells the user‑mode DOS‑to‑NT path conversion (`RtlDosPathNameToNtPathName_U` in ntdll, reached by every `CreateFileW`‑style call) to skip canonicalization, so `PRN.txt` reaches NTFS as a literal name instead of being mapped to `\??\PRN`. Reserved‑name files have been used by malware to frustrate cleanup scripts that rely on ordinary paths.
Proof‑of‑concept for a reserved‑name file in a startup location (lab only):
Create a batch file with a reserved name in the all‑users Startup folder (writing there needs administrator rights; the per‑user folder `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` does not):
$bytes = [System.Text.Encoding]::ASCII.GetBytes("calc.exe")
[System.IO.File]::WriteAllBytes("\\?\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\COM1.bat", $bytes)
The file is listed in the Startup folder like any other entry, but Explorer and `del` cannot open or remove it by its ordinary path. Whether it runs at logon is the thing to test in the lab: the shell launches startup items by their Win32 path, which normalizes `COM1.bat` to the COM1 device, so expect the launch to fail while the file itself resists removal. Clean up with `[System.IO.File]::Delete` on the same `\\?\` path.
Removal in safe mode:
Safe mode only reduces the drivers and services that load; Win32 path normalization is unchanged, so the same `[System.IO.File]::Delete("\\?\...")` call (or `del \\?\...` in CMD) is what removes the file. Alternatively, boot from a live Linux USB and delete the file: Linux NTFS drivers have no notion of DOS device names, so `rm` works on the plain name.
Linux removal command (NTFS‑3G):
sudo mount -t ntfs-3g /dev/sda2 /mnt/windows
rm -f /mnt/windows/POC/PRN.txt
Note: adjust the block device and mount point to the volume that Windows calls D:.
7. Code – Real‑World Detection Script (PowerShell)
Save this as `Invoke-FindUndeletableFiles.ps1` to scan a drive for files whose name is a reserved device name and confirm, through the raw `\\?\` path, that each one is a real file.
param([string]$Drive = "C:\")
# Reserved DOS device names: Win32 reserves them with any extension, case-insensitively.
$reserved = '^(CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])(\.|$)'
# Enumeration works through normal APIs because the name is an ordinary directory entry;
# only opening by the normalized Win32 path fails, so open via the \\?\ prefix to prove the file exists.
Get-ChildItem -LiteralPath $Drive -Recurse -File -Force -ErrorAction SilentlyContinue |
Where-Object { $_.Name -match $reserved } |
ForEach-Object {
$rawPath = "\\?\$($_.FullName)"
if ([System.IO.File]::Exists($rawPath)) {
Write-Warning "Reserved-name file detected: $rawPath"
$info = [System.IO.FileInfo]::new($rawPath)
Write-Host "Size: $($info.Length) bytes, Created: $($info.CreationTime)"
}
}
What Undercode Say:
– Key Takeaway 1: The `\\?\` prefix is a double‑edged sword: essential for legitimate access to paths longer than 260 characters, but just as easily used to sidestep the Win32 reserved‑name normalization. Security teams should treat its appearance next to a reserved name in command lines and script blocks as a signal.
– Key Takeaway 2: Reserved device names are not a vulnerability per se; they are a legacy design decision. The real risk is that almost every cleanup tool opens files through the normalized Win32 path, so these files are visible in listings yet cannot be touched. Remediation needs the `\\?\` prefix, NT paths, or a live Linux boot.
Analysis (10 lines):
This technique has been publicly documented since at least 2009, and it remains effective because the restriction lives in user‑mode Win32 path normalization rather than in the kernel: anything that opens files with an NT path or the `\\?\` prefix is unaffected, and NTFS never enforced the names at all. Attackers can drop such files into user‑writable locations to frustrate cleanup, and a large `SetLength` turns the same primitive into a disk‑filling denial of service. From a blue‑team perspective, a minifilter‑based sensor such as Sysmon sees the create with its normalized name, so a FileCreate rule on reserved base names is the most practical detection; the prefix itself never appears in those events. Removing write permission for standard users on system directories limits where the files can land. The trick needs no admin rights, which makes it attractive for user‑land persistence attempts and sabotage. Red teams should note that some EDRs may flag `[System.IO.File]` usage from PowerShell on its own, so tooling may move to `System.IO.FileStream` or native Win32 calls via P/Invoke, which accept the same prefix. Finally, the blunt corporate mitigation is application control that restricts PowerShell to the users who need it; many breaches start with low‑visibility primitives like this one.
Prediction:
– -1 Increased weaponization in ransomware: expect ransomware families to drop small reserved‑name marker files (e.g., `\\?\C:\RECYCLER\COM1.README`) so that cleanup scripts using ordinary paths cannot remove ransom notes, delaying incident response.
– -1 Microsoft will not change this behavior: altering reserved‑name handling would break decades of legacy compatibility. It will rely on detection (Defender, ASR, Sysmon‑style telemetry) instead, leaving older Windows versions permanently exposed.
– +1 Emergence of community detection scripts: open‑source incident response toolkits (e.g., Velociraptor, KAPE) will treat reserved‑name enumeration as a standard artifact, making these files easier to find during investigations.
– -1 Cloud VDI environments are exposed: many VDI gold images disable Defender real‑time scanning for performance, and a single compromised user can plant reserved‑name files on shared profile drives (via `\\?\UNC\server\share\...`) that the pool's cleanup tooling cannot remove.
– +1 Cross‑platform handling will matter more: WSL and dual‑boot Linux can create and delete these names on NTFS without any Win32 restriction, so defenders will need monitoring that normalizes raw file‑system access on both sides.
Reported By: [Sans1986 Windows](https://www.linkedin.com/posts/sans1986_windows-hacking-trick-create-a-1gb-undeletable-share-7466536359260811264-lyMG/) – Hackers Feeds