Lionel MM


Search for and Delete .exe and containing folder

Is it possible to run a script (preferably in batch file but whatever will work) to search for a particular .EXE and if found to delete it and then, if possible to discover which folder it is in and delete that folder too? I run a Windows domain and as users get more and more sophisticated they are finding ways to install programs that management has told them not to install (programs like iTunes, Safari browser). Initially it was easy to control because most users used the default install locations but as they noticed it was being removed (via a logon script) they have started installing it in non-default locations and we found one user who chose to install it on his external drive and this is the type of behavior I am trying to stop by finding a known exe and then deleting it and its containing folder? Possible?
Steve Knight

Just passing so no time to sort your script out at the mo, but have you thought of adding such program signatures to anti-virus applications or blocking the exe name etc.  Do the users have to have admin rights then, or are they using portable apps?

Might be worth considering the memo from HR people reminding them how they'd probably like to keep their jobs and not to be naughty with their IT kit!

What if they change the name of the executable?
Lionel MM


These users have admin rights; they decided a long time ago that they were having too many issues when users had restrictive rights; issues with installing printing, installing legitimate programs; I am their IT department so they do a lot of the work themselves and so need the rights to do it; 3 family members do most of the IT support and call me when they can't do it themselves. "HR" has given them a warning--guy who installed on a portable was fired. I'm just trying to stay ahead of it with suggestions. As far as virus programs go (I am familiar with AVG and Avast) you must provide the program path; I don't know of a way to say block access for abc.exe from any location -- if that can be done that will work; let me know how.
What if they change the name of the executable?  
Don't know what I will do then but I will know based on the tracking software that monitors their PCs and that will more than likely end up in them losing their jobs.
Do you have a domain controller and/or proxy server? I thought you could set up a group policy that would prevent software from being installed, and with a proxy you could prevent certain websites from being accessed by users. I also believe that you can disable the USB ports via group policy as well.

Note:  I am a developer, not an administrator, so I have no insight how to configure this kind of thing. I am basing my comment on prior experience.
No Proxy server--issue is not what websites they go to--the issue as stated in my question, are the programs they are installing. Disabling the USB port would mean it could not be used for legitimate reasons then. Using group to prevent users from installing software seems feasible but I tried it and it also got in the way of legitimate installing so unless you can tell me how to prevent very specific installations and not all installations this does not look like it will work. Can you provide any help with scripting solutions then?
The reason I mentioned the proxy server is because I would expect the most common way users are installing software is by downloading it from the Internet. Block, block installation. Of course that would leave users to download the software at home and bring it in on a flash drive, hence the USB question. Then that would leave CDs as the last front.

What version of OS(es) are your users running?
XP. kaufmed we can go back and forth on this--not disputing your assertions and your ideas are good ones but I have thought of most of it--users can and do get software from more than one place--itunes is not only available from apple and safari can be downloaded from multiple websites like cnet, which our users use for legitimate reasons. Granted it would be great if all users obeyed the rules and so conventional solutions like the good ones you have suggested would work but I am looking to see if something different can be done, as what was asked in my question--can you help with what I asked? Appreciate your free thinking and ideas but can you help with what I asked for?

With all respect, I think your proposed approach is going to cause unintended consequences.  Suppose, for example, the Evil User has put a duplicate copy of itunes.exe on his desktop?  You'll wipe out everything on his desktop.

It sounds to me like what you really want to do here is just uninstall iTunes, no matter where the user has installed (hidden) it.  To do so, you'd just invoke this command:

wmic product where name="iTunes" call uninstall

Simple as that; this will uninstall iTunes, no matter where they've hidden it.  You could put that command in a batch file, just as you would have put in the code to delete directories that you had originally requested.

You can substitute other programs for iTunes if you want to uninstall them as well.

This will uninstall anything that you could have uninstalled using "Add/Remove Programs" from Control Panel.  Seems much more elegant than destroying entire directory structures, at least to me.

To find out the correct name of a particular program you want to delete (so that you'll know what to put between the double quotes), just install that program on your own machine, and give the command

wmic product get name

This will (after a couple minutes) output the names of all the programs you have on your machine that can be deleted in this manner.

Please let me know if you think I'm missing the point of the exercise...
akahan
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
wmic product where name="iTunes" call uninstall
That sounds like it will work, and it is a much better idea than mine--thank you--will give it a test--when this is run will users see it and thus be able to stop it? Will this work on XP and Win7?

Steve, is this where I put all the names of the programs I want uninstalled?
I run this on my PC--is this an indication of success?

wmic product where name="iTunes" call uninstall
Executing (\\STILLIES\ROOT\CIMV2:Win32_Product.IdentifyingNumber="{9CD0F7D3-67F-4BF8-8784 -D73AD229FF1E}",Name="iTunes",Version="")->Uninstall()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
        ReturnValue = 0;
Looks like it to me.  Return value = 0 means success, anything else is an error number as a rule.

Yes if you either use G:\somepath\somedir\banned.txt or \\someserver\share\somedir\banned.txt with a list, one per line, of strings to find.

Give it a try and see what it reports.  You could always just report to start with, i.e. leave out the wmic uninstall line and it will just log the details to the log file of what is there that matches.

Only problem then is any portable apps designed to be run without any admin rights or installing, generally from a USB drive etc.  If the users have admin rights and as the files could be called anything you would have to find some method of blocking specific file signatures, probably using your AV software.  I haven't tried this with AVG (though I use AVG myself) but I imagine there is a way, might be worth contacting them or checking their forums.


find some method of blocking specific file signatures

Does that mean that each app's exe has a unique signature that regardless of name and location can be IDed by its internal structure?

leave out the wmic uninstall.....log file of what is there that matches.
What is the command for that wmic?
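
A report-only pass of the kind described above, as an added PowerShell example (not the script the replies refer to, which does not appear on this page): it logs installed products whose name appears in the banned list and uninstalls only when `-Uninstall` is given. The log path and parameter names are assumptions; the list path is the placeholder form quoted in the thread.

```powershell
# Added example, not the script referred to in this thread.
# Report-only by default: logs installed MSI products whose Name appears in
# banned.txt (one name per line). Pass -Uninstall to also remove them.
param(
    [string]$ListPath = '\\someserver\share\somedir\banned.txt',  # placeholder path form from the thread
    [string]$LogPath  = "$env:TEMP\banned-audit.log",             # hypothetical log location
    [switch]$Uninstall
)

function Write-AuditLine([string]$Text) {
    # Timestamp and machine name make the log usable when many PCs write to it.
    $line = '{0} {1} {2}' -f (Get-Date -Format s), $env:COMPUTERNAME, $Text
    Add-Content -Path $LogPath -Value $line
    $line
}

if (-not (Test-Path $ListPath)) {
    Write-AuditLine "ERROR list not found: $ListPath"
    exit 2
}

# Ignore blank lines and stray whitespace in the list.
$banned = @(Get-Content $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# Win32_Product is the class behind "wmic product". Enumerating it is slow,
# so query once and filter locally instead of once per banned name.
$products = @(Get-WmiObject -Class Win32_Product)

foreach ($p in $products) {
    if ($banned -notcontains $p.Name) { continue }   # exact, case-insensitive match
    Write-AuditLine ("FOUND name='{0}' version='{1}' id={2}" -f $p.Name, $p.Version, $p.IdentifyingNumber)
    if ($Uninstall) {
        $rc = $p.Uninstall().ReturnValue             # 0 means success, as in the wmic output above
        Write-AuditLine ("UNINSTALL name='{0}' ReturnValue={1}" -f $p.Name, $rc)
    }
}
```

Like the `wmic product` commands, this only sees software that registered with Windows Installer; portable copies run from a USB drive will not appear.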
tighec

The following will just echo out the folder name for the file (in this case iexplore.exe) that was found:
for /F "tokens=*" %a in ('dir iexplore.exe /s /b') do @ECHO %~da%~pa
C:\Program Files>for /F "tokens=*" %a in ('dir iexplore.exe /s /b') do @ECHO %~da%~pa
C:\Program Files\Internet Explorer\
C:\Program Files>

You could change the Echo to do whatever it is you need to do:
   rd "%~da%~pa" /s /q
To delete the containing folder and all files and subfolders (don't test this with iexplore.exe :))

To put in a batch file, you need to double up the %... all the "%" to "%%"
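
The containing-folder search above combined with the desktop-copy concern raised earlier in the thread, as an added PowerShell example that is not from any poster: it reports each folder holding the named EXE and refuses drive roots and shared profile folders instead of deleting anything. The default file name, start directory and protected list are assumptions.

```powershell
# Added example, not code from the thread. Report-only: nothing is deleted.
param(
    [string]$ExeName = 'itunes.exe',         # file name to look for
    [string]$Root    = "$env:SystemDrive\"   # where the search starts
)

# Locations that must never be removed wholesale (constructed list; extend it).
$protected = @(
    $env:SystemRoot, $env:ProgramFiles, $env:USERPROFILE, $env:ALLUSERSPROFILE,
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('MyDocuments')
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-FolderVerdict([string]$Folder) {
    $f = $Folder.TrimEnd('\')
    if ($f -match '^[A-Za-z]:$') { return 'REFUSE: drive root' }
    foreach ($p in $protected) {
        if ($p -ieq $f) { return 'REFUSE: protected folder' }
        # Deleting an ancestor of a protected folder would take it along.
        if ($p.StartsWith("$f\", [StringComparison]::OrdinalIgnoreCase)) {
            return "REFUSE: contains $p"
        }
    }
    return 'CANDIDATE: review before removing'
}

# -Force includes hidden folders; unreadable folders are skipped silently.
Get-ChildItem -Path $Root -Filter $ExeName -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        '{0}  [{1}]' -f $_.DirectoryName, (Get-FolderVerdict $_.DirectoryName)
    }
```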
It looks like success to me... of course, the way to know for certain is to see whether iTunes is still installed.

Your users may get wise and try something like deleting  the wmic executable... however you implement, this is going to end up being a cat and mouse game.
Haven't read all that yet... but the bit about signatures, that is generally how AV software works, it knows certain parts of files that are an issue to recognise them.  We used to be able to create own entries in the AV database for some products but haven't needed to / wanted to in recent years so no idea if any still allow that sorry.
This works for me
Glad it helped.
One thing I did not get an answer to--how can I run so that users cannot see it or stop it? Thanks.
How are you triggering it currently?  You could schedule it to run using the task scheduler for instance?
And/or have a message box pop up saying "You have iTunes on your PC against company policy.  We have just attempted to remove it and this has been logged.  If the software returns, or remains on your PC please contact HR for your P45."
Currently I remove them manually whenever I encounter them when doing support on a system. If I use task scheduler it would have to run when no-one was on it, right, otherwise they would see the uninstall process. (Is there a way to export scheduled tasks settings setup using the GUI so that I can transfer it to another system?) As far as the enforcement goes the management don't want to get too strict but want to put the "blame" on me (saying I am the one who does not want all this not work related stuff because it complicates support and maintenance) and I don't mind that, so they want me to uninstall these in the hopes that after awhile users will on their own stop using it on work systems (I say good luck with that--it's going to get worse rather than better, in my opinion).
You can use the SCHTASKS command to schedule something to run, there are millions of options you can see under

schtasks /create /?


schtasks /create /s pcname /ru userToRunAs /rp passwordOfThatUser /SC ONLOGON /TN "Uninstall stuff" /TR "cmd /c C:\temp\mybatch.cmd"

You can export existing tasks using schtasks /query /xml and then use that file, edited if needed  with schtasks /create /xml

Frankly btw best bet is to take away local admin rights, or ability to install apps.... though that causes more work for IT to put things on of course.