Solved

Search for and Delete .exe and containing folder

Posted on 2012-12-29
Last Modified: 2013-01-04
Is it possible to run a script (preferably a batch file, but whatever will work) to search for a particular .EXE and, if found, delete it and then, if possible, discover which folder it is in and delete that folder too? I run a Windows domain and as users get more and more sophisticated they are finding ways to install programs that management has told them not to install (programs like iTunes, Safari browser). Initially it was easy to control because most users used the default install locations, but as they noticed it was being removed (via a logon script) they have started installing it in non-default locations, and we found one user who chose to install it on his external drive. This is the type of behavior I am trying to stop by finding a known exe and then deleting it and its containing folder. Possible?
Question by:lionelmm
26 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 38729279
Just passing so no time to sort your script out at the mo, but have you thought of adding such program signatures to anti-virus applications or blocking the exe name etc.? Do the users have to have admin rights then, or are they using portable apps?

Might be worth considering a memo from the HR people reminding them how they'd probably like to keep their jobs and not be naughty with their IT kit!

Steve
 
LVL 74

Expert Comment

by:käµfm³d 👽
ID: 38729298
What if they change the name of the executable?
 
LVL 24

Author Comment

by:lionelmm
ID: 38729303
These users have admin rights; they decided a long time ago that they were having too many issues when users had restrictive rights; issues with installing printers, installing legitimate programs. I am their IT department so they do a lot of the work themselves and so need the rights to do it; 3 family members do most of the IT support and call me when they can't do it themselves. "HR" has given them a warning--the guy who installed on a portable was fired. I'm just trying to stay ahead of it with suggestions. As far as virus programs go (I am familiar with AVG and Avast) you must provide a program path; I don't know of a way to say block access for abc.exe from any location -- if that can be done that will work; let me know how.
 
LVL 24

Author Comment

by:lionelmm
ID: 38729307
What if they change the name of the executable?  
Don't know what I will do then but I will know based on the tracking software that monitors their PCs and that will more than likely end up in them losing their jobs.
 
LVL 74

Expert Comment

by:käµfm³d 👽
ID: 38729356
Do you have a domain controller and/or proxy server? I thought you could set up a group policy that would prevent software from being installed, and with a proxy you could prevent certain websites from being accessed by users. I also believe that you can disable the USB ports via group policy as well.

Note:  I am a developer, not an administrator, so I have no insight how to configure this kind of thing. I am basing my comment on prior experience.
 
LVL 24

Author Comment

by:lionelmm
ID: 38729464
kaufmed
No proxy server--the issue is not what websites they go to--the issue, as stated in my question, is the programs they are installing. Disabling the USB port would mean it could not be used for legitimate reasons either. Using group policy to prevent users from installing software seems feasible but I tried it and it also got in the way of legitimate installing, so unless you can tell me how to prevent very specific installations and not all installations this does not look like it will work. Can you provide any help with scripting solutions then?
 
LVL 74

Expert Comment

by:käµfm³d 👽
ID: 38729482
The reason I mentioned the proxy server is because I would expect the most common way users are installing software is by downloading it from the Internet. Block itunes.com, block installation. Of course that would leave users to download the software at home and bring it in on a flash drive, hence the USB question. Then that would leave CDs as the last front.

What version of OS(es) are your users running?
 
LVL 24

Author Comment

by:lionelmm
ID: 38729512
XP. kaufmed, we can go back and forth on this--not disputing your assertions and your ideas are good ones but I have thought of most of it--users can and do get software from more than one place--iTunes is not only available from Apple and Safari can be downloaded from multiple websites like cnet, which our users use for legitimate reasons. Granted it would be great if all users obeyed the rules and so conventional solutions like the good ones you have suggested would work, but I am looking to see if something different can be done, as asked in my question--can you help with what I asked? Appreciate your free thinking and ideas but can you help with what I asked for?
 
LVL 26

Expert Comment

by:akahan
ID: 38730077
Lionel,

With all respect, I think your proposed approach is going to cause unintended consequences.  Suppose, for example, the Evil User has put a duplicate copy of itunes.exe on his desktop?  You'll wipe out everything on his desktop.

It sounds to me like what you really want to do here is just uninstall iTunes, no matter where the user has installed (hidden) it.  To do so, you'd just invoke this command:

wmic product where name="iTunes" call uninstall

Simple as that; this will uninstall iTunes, no matter where they've hidden it.  You could put that command in a batch file, just as you would have put in the code to delete directories that you had originally requested.

You can substitute other programs for iTunes if you want to uninstall them as well.

This will uninstall anything that you could have uninstalled using "Add/Remove Programs" from Control Panel.  Seems much more elegant than destroying entire directory structures, at least to me.

To find out the correct name of a particular program you want to delete (so that you'll know what to put between the double quotes), just install that program on your own machine, and give the command

wmic product get name

This will (after a couple minutes) output the names of all the programs you have on your machine that can be deleted in this manner.

Please let me know if you think I'm missing the point of the exercise...
 
LVL 26

Accepted Solution

by:
akahan earned 300 total points
ID: 38730079
Oh, and, to uninstall Safari (you mentioned you were interested in that one too), the command would be:

wmic product where name="Safari" call uninstall


And by the way... another reason I think it would be a bad idea to just delete the directory containing the executable and related files is that you'll leave behind the registry entries associated with the program, including any autostartup directives in the registry, and so the system will start generating all sorts of spurious errors about how it can't find this and that whenever it's started up.  After all, the registry won't know you've deleted the executable.
 
LVL 43

Assisted Solution

by:Steve Knight
Steve Knight earned 200 total points
ID: 38730119
A very good point there akahan.  I was suggesting one step back from that and marking the signature of the installer files to "ban" within the AV product in use (by signature rather than exe name) but I like your idea a lot.

Pretty well could be automated from a banned list quite simply:

@echo off
setlocal enabledelayedexpansion
set logfile=\\server\logfilesshare\%computername%-%username%.txt
rem banned.txt holds one string per line; any installed product whose name contains one is uninstalled.
rem /format:list prints "Name=iTunes" with no column padding, so the name can be fed back to "where name=".
rem Note: enumerating Win32_Product makes Windows Installer verify (and may repair) every MSI package, so it is slow.
for /f "tokens=1* delims==" %%a in ('wmic product get name /format:list ^| findstr /l /i /g:\\server\share\banned.txt') do (
  rem %%b is the product name; the inner FOR drops the stray carriage return wmic leaves on each line.
  for /f "delims=" %%c in ("%%b") do (
    echo %date%,%time%,"%computername%","%username%","Uninstall","%%~c"
    wmic product where name="%%~c" call uninstall
    if errorlevel 1 echo Error !errorlevel!
  )
)>>%logfile%

That would (not tested for real yet..) check for installed products in the banned list -- e.g. as it stands a word would match in the middle of a line; you can use the other options in findstr to restrict that if needed, or use regular expressions etc.
For each of those found it would run around the for loop which, as it stands, writes a date & time stamped entry to a log file on a share based on the computer and user name and then calls the uninstall, and records any errors from wmic too.

Putting the computer name and username in the file too means you could combine all the files easily to report from later but still easily see from the modified files who has been uninstalling.

Steve
 
LVL 24

Author Comment

by:lionelmm
ID: 38730598
akahan
wmic product where name="iTunes" call uninstall
That sounds like it will work, and it is a much better idea than mine--thank you--will give it a test--when this is run will users see it and thus be able to stop it? Will this work on XP and Win7?

Steve, is this where I put all the names of the programs I want uninstalled?
g:\\server\share\banned.txt
 
LVL 24

Author Comment

by:lionelmm
ID: 38730600
I ran this on my PC--is this an indication of success?

wmic product where name="iTunes" call uninstall
Executing (\\STILLIES\ROOT\CIMV2:Win32_Product.IdentifyingNumber="{9CD0F7D3-67F-4BF8-8784 -D73AD229FF1E}",Name="iTunes",Version="10.5.0.142")->Uninstall()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
 
LVL 43

Expert Comment

by:Steve Knight
ID: 38730819
Looks like it to me.  Return value = 0 means success, anything else is an error number as a rule.

Yes, if you either use G:\somepath\somedir\banned.txt or \\someserver\share\somedir\banned.txt, with the list of strings to find, one per line.

Give it a try and see what it reports.  You could always just report to start with, i.e. leave out the wmic uninstall line and it will just log the details to the log file of what is there that matches.

Only problem then is any portable apps designed to be run without any admin rights or installing, generally from a USB drive etc.  If the users have admin rights, and as the files could be called anything, you would have to find some method of blocking specific file signatures, probably using your AV software.  I haven't tried this with AVG (though I use AVG myself) but I imagine there is a way; might be worth contacting them or checking their forums.

Steve
 
LVL 24

Author Comment

by:lionelmm
ID: 38730969
Steve
find some method of blocking specific file signatures

Does that mean that each apps exe has a unique signature that regardless of name and location can be IDed by its internal structure?

leave out the wmic uninstall.....log file of what is there that matches.
What is the command for that wmic?
 
LVL 2

Expert Comment

by:tighec
ID: 38731004
The following will just echo out the folder name for the file (in this case iexplore.exe) that was found:
for /F "tokens=*" %a in ('dir iexplore.exe /s /b') do @ECHO %~da%~pa
EG.:
C:\Program Files>for /F "tokens=*" %a in ('dir iexplore.exe /s /b') do @ECHO %~da%~pa
C:\Program Files\Internet Explorer\
C:\Program Files>

You could change the Echo to do whatever it is you need to do:
   rd "%~da%~pa" /s /q
To delete the containing folder and all files and subfolders (don't test this with iexplore.exe :))

To put in a batch file, you need to double up the %... all the "%" to "%%"
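The one-liner above does exactly what the question asked for, and akahan's objection (a copy of the exe dropped on the Desktop takes the whole Desktop with it) is the failure mode to guard against. The script below is an added example, not code from this thread or from tighec: it walks every fixed local drive with the same dir /s /b and %~dp trick, logs each containing folder, and only removes a folder that is not a drive root, a Windows or Program Files root, a user profile root, or a Desktop/Documents-style folder. It reports only unless DRYRUN=0 is set, so the log can be reviewed before anything is deleted. The target file name is passed as an argument, and the log file path and folder names are assumptions of this example.

```batch
@echo off
rem Added example (not from the thread): find TARGET on every fixed drive, log
rem its folder, and delete that folder only when it passes the guard rails below.
rem Usage:  findexe.cmd itunes.exe                  (report only, the default)
rem         set DRYRUN=0 & findexe.cmd itunes.exe   (really delete)
setlocal enabledelayedexpansion
set "TARGET=%~1"
if "%TARGET%"=="" set "TARGET=itunes.exe"
if "%DRYRUN%"=="" set "DRYRUN=1"
set "LOG=%TEMP%\%COMPUTERNAME%-%USERNAME%-findexe.log"

rem Parent of the current profile (C:\Documents and Settings\ on XP, C:\Users\
rem on Win7) so that every user's profile root is protected, not just ours.
for %%x in ("%USERPROFILE%") do set "PROFROOT=%%~dpx"

rem Fixed drives only (DriveType 3): USB sticks and mapped drives are skipped
rem so removable media cannot be wiped by accident. /format:list prints
rem "DeviceID=C:" lines; the 2-character cut drops the CR that wmic appends.
for /f "tokens=2 delims==" %%d in ('wmic logicaldisk where "drivetype=3" get deviceid /format:list ^| find "="') do (
  set "DRV=%%d"
  call :scan "!DRV:~0,2!"
)
echo Done. Log written to "%LOG%"
endlocal
goto :eof

:scan
rem dir /s /b with a file spec searches the whole drive; /a-d skips folders
rem that happen to carry the same name. Paths containing "!" are not handled.
for /f "delims=" %%f in ('dir /s /b /a-d "%~1\%TARGET%" 2^>nul') do call :handle "%%~dpf"
goto :eof

:handle
set "F=%~1"
set "P=%F:~0,-1%"
set "SAFE=1"
rem Leaf folder name and its parent, used by the guard-rail checks.
for %%x in ("%P%") do (
  set "LEAF=%%~nxx"
  set "PARENT=%%~dpx"
)
if "%P:~1%"==":" set "SAFE=0"
if /i "%F%"=="%ProgramFiles%\" set "SAFE=0"
if /i "%F%"=="%ProgramFiles(x86)%\" set "SAFE=0"
if /i "%F%"=="%SystemRoot%\" set "SAFE=0"
if /i "%F%"=="%SystemRoot%\system32\" set "SAFE=0"
if /i "%PARENT%"=="%PROFROOT%" set "SAFE=0"
for %%n in (Desktop "My Documents" Documents Downloads "Program Files") do if /i "%LEAF%"=="%%~n" set "SAFE=0"

if "%SAFE%"=="0" (
  >>"%LOG%" echo %date%,%time%,%COMPUTERNAME%,%USERNAME%,SKIPPED-PROTECTED,"%F%"
  goto :eof
)
if "%DRYRUN%"=="1" (
  >>"%LOG%" echo %date%,%time%,%COMPUTERNAME%,%USERNAME%,FOUND,"%F%"
  goto :eof
)
rd /s /q "%F%"
rem rd fails quietly if the program is still running, so check the result.
if exist "%F%" (
  >>"%LOG%" echo %date%,%time%,%COMPUTERNAME%,%USERNAME%,DELETE-FAILED,"%F%"
) else (
  >>"%LOG%" echo %date%,%time%,%COMPUTERNAME%,%USERNAME%,DELETED,"%F%"
)
goto :eof
```

Run it once in the default report-only mode and read the log: every FOUND line is a folder that would be removed, and every SKIPPED-PROTECTED line is a copy that needs a manual look. The guard rails are deliberately conservative; a folder such as C:\Users\bob\Desktop\iTunes\ is allowed, while the Desktop itself is not. Note that this removes files only, so akahan's point about orphaned registry entries still stands; where the program was installed with an MSI, the wmic product uninstall is the cleaner route.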
 
LVL 26

Expert Comment

by:akahan
ID: 38731083
It looks like success to me... of course, the way to know for certain is to see whether iTunes is still installed.

Your users may get wise and try something like deleting the wmic executable... however you implement it, this is going to end up being a cat and mouse game.
 
LVL 43

Expert Comment

by:Steve Knight
ID: 38731229
Haven't read all that yet... but the bit about signatures, that is generally how AV software works; it knows certain parts of files that are an issue to recognise them.  We used to be able to create our own entries in the AV database for some products but haven't needed to / wanted to in recent years so no idea if any still allow that, sorry.
 
LVL 24

Author Closing Comment

by:lionelmm
ID: 38742166
This works for me
 
LVL 43

Expert Comment

by:Steve Knight
ID: 38742216
Glad it helped.
 
LVL 24

Author Comment

by:lionelmm
ID: 38743766
One thing I did not get an answer to--how can I run so that users cannot see it or stop it? Thanks.
 
LVL 43

Expert Comment

by:Steve Knight
ID: 38743781
How are you triggering it currently?  You could schedule it to run using the task scheduler for instance?
 
LVL 43

Expert Comment

by:Steve Knight
ID: 38743785
And/or have a message box pop up saying "You have iTunes on your PC against company policy.  We have just attempted to remove it and this has been logged.  If the software returns, or remains on your PC please contact HR for your P45."
 
LVL 24

Author Comment

by:lionelmm
ID: 38744481
Currently I remove them manually whenever I encounter them when doing support on a system. If I use task scheduler it would have to run when no-one was on it, right, otherwise they would see the uninstall process. (Is there a way to export scheduled task settings set up using the GUI so that I can transfer them to another system?) As far as the enforcement goes the management don't want to get too strict but want to put the "blame" on me (saying I am the one who does not want all this non-work-related stuff because it complicates support and maintenance) and I don't mind that, so they want me to uninstall these in the hope that after a while users will on their own stop using it on work systems (I say good luck with that--it's going to get worse rather than better, in my opinion).
 
LVL 43

Expert Comment

by:Steve Knight
ID: 38744639
You can use the SCHTASKS command to schedule something to run, there are millions of options you can see under

schtasks /create /?

e.g.

schtasks /create /s pcname /ru userToRunAs /rp passwordOfThatUser /SC ONLOGON /TN "Uninstall stuff" /TR "cmd /c C:\temp\mybatch.cmd"

You can export existing tasks using schtasks /query /xml and then use that file, edited if needed, with schtasks /create /xml

Steve
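The schtasks line above runs the task under a named user, which puts that user's password on the command line. The script below is an added example, not code from this thread or from Steve, showing the same registration done under the SYSTEM account instead, which needs no password, opens no window on the user's desktop (this answers the "can users see it" question earlier in the thread), and cannot be ended by a non-admin user. It also confirms the task was created and, on Vista/Windows 7, exports it with the /XML switches Steve mentions. The task name, script path and PC-name argument are assumptions of this example.

```batch
@echo off
setlocal
rem Added example (not from the thread): register the uninstall batch file as a
rem scheduled task that runs at every logon in the local SYSTEM account.
rem Usage:  installtask.cmd PCNAME      (defaults to this machine)
rem A local admin can still delete or end the task, so this hides the run from
rem ordinary users; it does not prevent an admin from interfering with it.
set "TASK=Remove banned software"
set "SCRIPT=\\server\share\uninstall-banned.cmd"
set "PC=%~1"
if "%PC%"=="" set "PC=%COMPUTERNAME%"

rem SYSTEM reaches a UNC path as the computer account, so the share must grant
rem Domain Computers read access; otherwise copy the script to a local folder.

rem XP's schtasks has no /F on /create, so remove any earlier copy first and
rem discard the "task does not exist" error.
schtasks /delete /s %PC% /tn "%TASK%" /f >nul 2>&1

rem /RU SYSTEM needs no /RP; /SC ONLOGON fires at every logon; cmd /c exits
rem when the script finishes.
schtasks /create /s %PC% /ru SYSTEM /sc onlogon /tn "%TASK%" /tr "cmd /c %SCRIPT%"
if errorlevel 1 (
  echo Failed to create "%TASK%" on %PC%
  goto :eof
)

rem Confirm registration (/FO LIST /V works on XP and Win7; /TN on /query is Vista+).
schtasks /query /s %PC% /fo LIST /v | findstr /i /c:"%TASK%"

rem Vista / Windows 7 only: XP's schtasks has no /XML switches, so skip 5.x.
ver | findstr /c:"Version 5." >nul && goto :eof
schtasks /query /s %PC% /tn "%TASK%" /xml > "%TEMP%\banned-task.xml"
echo Re-create on another PC with:
echo   schtasks /create /s OTHERPC /tn "%TASK%" /xml "%TEMP%\banned-task.xml"
endlocal
```

Running as SYSTEM also changes what the uninstall script can reach: its %USERNAME% is the machine name rather than the logged-on user, so a log file named after the user (as in Steve's banned-list script) should take the user name from elsewhere, for example by querying the interactive session, or the task can be left to log per computer only.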
 
LVL 43

Expert Comment

by:Steve Knight
ID: 38744641
Frankly btw best bet is to take away local admin rights, or ability to install apps.... though that causes more work for IT to put things on of course.