Friday, July 27, 2007

Flash9c.ocx Strangeness

A few weeks ago I was running a periodic scan of my XP Pro system at work using The Secunia Software Inspector.

It found that I had an out-of-date version of Flash.  Specifically, version 9.0.47.0.

It helpfully pointed out the file was installed in C:\Windows\SYSTEM32\Macromed\Flash\ folder.

Since Adobe doesn't provide an "un-installer" for Flash, and new versions are just installed alongside the current one, I knew I would just have to pop in there and manually delete the file.

Only when I went to do so, it refused to let me, despite my Administrator level permissions.

The Hunt Begins!

So I first closed out all my browsers and tried again, thinking it was a "locked file."  Nope.

Then I ran Process Explorer and did a search for the file, to see who was using it.  No one was found.

Hmmm.

So I rebooted and tried again.  Nada.

Then I tried to delete it in Safe mode.  Not budging.

In frustration I booted with a Linux Live CD and tried one more time.  It was stuck!

Getting frustrated now, I rebooted back into normal mode and re-approached the situation.

I looked at the file properties and (doh!) saw that it was set to "Read only."  Should have known.

So I removed the read-only permission setting and tried again.  Nope!

Mysteriously, the read-only property setting had come right back again. 

So I checked the security permissions on the file, and everything was checked (allowed), showing that under my Administrator-level profile I should have been able to clear the read-only attribute.  But the file staunchly refused every attempt I made to change it.

Hmmm indeed!

Research Time

So I hit the Web and reviewed my understanding of displaying and changing file attributes: Attrib - Edit file attributes.  Unfortunately nothing seemed amiss with this command-line level inspection.

However, that article pointed me to the XP command "Cacls": Cacls - Modify Access Control List

The "CACLS" stands for (best I can tell) the Control Access Control List program.

I opened a command-line session, changed into that folder and ran CACLS against the Flash9c.ocx file.  The results (slightly cleaned up):

C:\Windows\System32\Macromed\Flash>CACLS Flash9c.ocx
C:\Windows\System32\Macromed\Flash\Flash9c.ocx Everyone:(DENY)(special access:)
                                                        FILE_WRITE_ATTRIBUTES
                                               NT AUTHORITY\ANONYMOUS LOGON:(DENY)(special access:)
                                                        FILE_WRITE_ATTRIBUTES
                                               NT AUTHORITY\SYSTEM:(ID)F
                                               BUILTIN\Administrators:(ID)F
                                               BUILTIN\Users:(ID)R

Any guesses what immediately struck me in the output?

How about those "(DENY)(special access:)" entries for FILE_WRITE_ATTRIBUTES.  Note that the three allow entries carry (ID), meaning they are inherited from the folder, while the two Deny entries do not: they were set directly on the file, and an explicit Deny is evaluated before any inherited Allow.  Since "Everyone" includes Administrators, that one entry is enough to block every attempt to change the file's attributes, however much Full Control the inherited entries grant.

Yep.

So I went back and did a bit more looking and found this interesting Microsoft technical bulletin: How to set, view, change, or remove special permissions for files and folders in Windows XP.

Once I reviewed that article I knew what I had to do.

Release the Hounds!

I opened Windows Explorer and browsed back to the file.

I right-clicked the file and selected "Properties."

I clicked the "Security" tab. And now picked up the "Special Permissions" line in the bottom section I had missed before, so used to looking at just the expected "Full Control, Modify, Read & execute, Read, and Write" options I usually focus on.

On the Security tab, I clicked the "Advanced" button to drop into the "Advanced Security Settings" for the file.

One by one, I selected each line that showed "Deny" as the type and clicked the "Edit" button.

In the next pop-up window, I unchecked the "deny" tickbox as set and saved the changes.

Then I applied the changes.

Then I right-clicked the file and selected "Properties" again.

This time I removed the "Read-only" setting and applied the change.

It took.

Finally I deleted the file without any issues.

System secure.
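The same sequence as a script, added here as an example; it is not code from the post or from Adobe.  It assumes PowerShell 3.0 or later and a caller who holds WRITE_DAC on the file (the inherited Full Control for Administrators covers that).  The order matters: the Deny entries go first, because clearing Read-only is a SetFileAttributes call that needs FILE_WRITE_ATTRIBUTES, and the delete goes last, because DeleteFile refuses a Read-only file no matter what the DACL says.

```powershell
# Added example (not from the original post): scripted version of the
# Explorer steps above. Assumes PowerShell 3.0+ and WRITE_DAC on the file.

function Get-ExplicitDenyAce {
    # List the Deny entries set directly on the file (what cacls prints as
    # "(DENY)"), ignoring anything inherited from the folder.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited }
}

function Remove-DenyProtectedFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Path)

    # 1. Strip only the explicit Deny ACEs. The Allow entries for SYSTEM,
    #    Administrators and Users are left exactly as they were.
    $acl    = Get-Acl -LiteralPath $Path
    $denies = @($acl.Access | Where-Object {
                  $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
    foreach ($ace in $denies) {
        Write-Verbose ("Removing Deny for {0}: {1}" -f $ace.IdentityReference, $ace.FileSystemRights)
        [void]$acl.RemoveAccessRule($ace)
    }
    if ($denies.Count -gt 0 -and $PSCmdlet.ShouldProcess($Path, 'Rewrite DACL without Deny ACEs')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }

    # 2. With FILE_WRITE_ATTRIBUTES no longer denied, clearing Read-only sticks.
    $item = Get-Item -LiteralPath $Path -Force
    if ($item.IsReadOnly) {
        $item.IsReadOnly = $false
    }

    # 3. Delete. Remove-Item -Force would try to clear Read-only by itself,
    #    but that needs the very right the Deny ACE withheld, so it only
    #    works once steps 1 and 2 have run.
    if ($PSCmdlet.ShouldProcess($Path, 'Delete')) {
        Remove-Item -LiteralPath $Path -Force
    }
}

# Usage (elevated prompt; -WhatIf shows what would happen without changing anything):
#   Get-ExplicitDenyAce 'C:\Windows\System32\Macromed\Flash\Flash9c.ocx' | Format-List
#   Remove-DenyProtectedFile 'C:\Windows\System32\Macromed\Flash\Flash9c.ocx' -Verbose -WhatIf
#   Remove-DenyProtectedFile 'C:\Windows\System32\Macromed\Flash\Flash9c.ocx' -Verbose
```

Step 1 is the same thing cacls /e /r everyone does in the comments below, except that it removes only the Deny entries rather than every entry for Everyone.  On Vista and later the equivalent one-liner is icacls Flash9c.ocx /remove:d Everyone /remove:d "NT AUTHORITY\ANONYMOUS LOGON" (the :d suffix removes Deny entries only).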

Serious Questions Remain

I discussed this finding with one of my network analysts, who had also never run into a file with "special permissions" set on it.

We both chalked it up as an interesting exercise and I made a mental note to maybe post about it.

Only how useful could this information really be?

So today when I ran the Secunia Software Inspector on my home Vista Home Premium system, it spotted that crazy Flash9c.ocx file.  So I went and downloaded the new version from Adobe and then went to delete the old file.

Guess what?

Yep.  Same problem again! 

The Flash9c.ocx file had special permissions set on it as well, denying the right to change the file's attributes.  Having gone through this before on my XP Pro system I didn't hesitate.  I knew what to do and the file was deleted almost as an afterthought.

So now I am left with some questions.

As I understand it, these ACLs only exist on NTFS volumes, so users whose Windows drive is not NTFS (FAT32, for example) shouldn't encounter this.

  1. But why would Macromedia release a file set with such a specialized property?

  2. If they didn't, how did this file get set that way on multiple and different OS versions?  Not something I did, that's for sure!

  3. If Adobe can do this, could/do malware writers attempt to try this trick as well to prevent removal of the file(s) by anti-malware applications and end-users?

  4. How many others have run into this issue with this or unrelated files and just given up and left the darn things present; or worse...figured something was corrupted on their file system and wiped/reloaded everything from scratch?

Very interesting indeed.

--Claus
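Question 3 above can be checked rather than guessed at.  The following is an added example, not code from the post, from Adobe or from any vendor; it assumes PowerShell 3.0 or later and an elevated session so every folder can be read.  It walks a tree and reports every file whose DACL carries a Deny entry on the rights that matter for removal (write attributes, delete, change permissions, take ownership).  Two caveats a practitioner would want: legitimate installers do this too, as Flash itself shows, so a hit is a lead to examine rather than a verdict; and a Deny on these rights slows an administrator down but does not stop one, because an account holding SeTakeOwnershipPrivilege (Administrators hold it by default) can take ownership of the file regardless of its DACL and then rewrite the DACL.

```powershell
# Added example (not from the original post): sweep a tree for files whose
# DACL carries a Deny entry on the rights that resist removal.
# Assumes PowerShell 3.0+ and an elevated session.

function Find-DenyProtectedFile {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Rights worth flagging: the one Flash denies, plus the ones a file
        # would need denied to resist deletion or ACL repair.
        [System.Security.AccessControl.FileSystemRights]$Rights = (
            [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
            [System.Security.AccessControl.FileSystemRights]::Delete -bor
            [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
            [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    )

    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Folders we cannot read the DACL of are skipped rather than aborting the sweep.
        try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny') { continue }
            # Generic bits (e.g. GENERIC_ALL) fall outside the enum names, so
            # compare on the raw integer mask.
            if ((([int]$ace.FileSystemRights) -band ([int]$Rights)) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $file.FullName
                Owner     = $acl.Owner
                DeniedTo  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                ReadOnly  = $file.IsReadOnly
            }
        }
    }
}

# Usage: on the system from the post this lists the two Deny entries on Flash9c.ocx,
# and anything else under System32 that has been protected the same way.
#   Find-DenyProtectedFile 'C:\Windows\System32' | Format-Table -AutoSize
```

Sort the output by Owner and DeniedTo: a Deny aimed at Everyone on a file owned by an ordinary user account, in a folder no installer has any business in, is the pattern worth a closer look.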

24 comments:

Anonymous said...

Thanks, you did forget to say that simple file sharing has to be off to see the security tab.

Claus said...

Thanks anonymous,

My systems were already configured that way (I don't remember dealing with that when I set them up) so I didn't realize that needed to be done.

How to configure file sharing in Windows XP - Microsoft KB

Quick Guide to XP Simple File Sharing

Disable Simple File Sharing and Display the Security Tab

File and Printer Sharing in Windows Vista

Anonymous said...

Hi,

Actually, Adobe does have a Flash uninstaller. You can find it at http://www.adobe.com/shockwave/download/alternates/#fp for Windows and Mac.

Thanks

Julie

Claus said...

Thanks for the tip, Julie!

I wasn't aware of that.

Do you know if it installs "all" versions (current and previous) of Flash existing on a system?

I'm also curious if it would cleanly uninstall the flash file in the situation where I encountered it with the special access:deny permissions somehow set. I think I will go back and "reverse engineer" that situation on a test box and see...just out of curiosity.

Thanks again for this link. I look forward to referring to it!

Anonymous said...

I tried the latest uninstaller and it failed to remove flash9c.ocx

I used

cacls flash9c.ocx /e /r everyone

to reset the permissions and this allowed me to delete the file.

Thanks for the research.

Anonymous said...

Great tip, John!

Didn't even cross my mind to suggest the command line method instead of all that point and clicking GUI method.

Your method would probably work great in a scripted manner to pull it from systems across a mass-deployment as well.

I appreciate you taking the time to comment!

Anonymous said...

Thanks a lot. I had the same problem and you helped me to solve it.

Anonymous said...

You are very welcome, Andrew.

Thanks for leaving a comment.

The Ramblings of Diesel Dave said...

Thanks for the information. I have found that this file no longer exists on my system, but both Registry Mechanic (which recognizes the registry entry) and CCleaner (which doesn't) are unable to get rid of the offending registry entry.

Off I go to manually delete the key. Wish me luck...

The Ramblings of Diesel Dave said...

Well, no love on deleting the key manually. I tried Julie's tip (using the Adobe uninstaller) and it's still there.

I did some more research and it looks like I would need to run Microsoft's SubInACL against the user profile. I'm too chicken to do that, so I guess it's going to be there for a while...

Any other tips would be most appreciated!

Anonymous said...

Dave,

I'm not sure what to suggest. I didn't encounter any registry entry problems when I was dealing with it and the sweeps with the tools I used never indicated a registry issue.

The only tool off the top of my head that I could suggest might be RegASSASSIN from Malwarebytes.

"RegASSASSIN is a portable application which allows you to remove registry keys by resetting the keys' permissions and then deleting it. Please use with caution as deleting critical registry keys may cause system errors."

Not sure if it can help or not. I do like and trust Malwarebyte's products...

Let me know if you succeed. Would you mind trying to copy/paste the actual registry key name/value that is being alerted on for any other readers information?

Good luck!

The Ramblings of Diesel Dave said...

Well, for not knowing what to suggest, you've suggested well!

RegASSASSIN was able to delete the key, in one pass, and with no ill effects. I did do a restore point before starting, and I suppose that it's important to say that it may screw things up for others, but for me it worked absolutely perfectly.

Thanks Claus you've been a huge help.
Dave

Anonymous said...

Thanks for the tutorial! I was having major problems with this as well: I had the file on a drive that USED to have Windows on it, it was my D:\ storage drive and it would not let me remove it. The command line listed does not work because I cannot cd D:\ from the command prompt, the root C:\ is as far as it goes.

Using the GUI way I was able to remove it and then delete my old WinXP folder saving me 2.43 GB in space.

Thanks a ton! I was stumped for sure.

Anonymous said...

anonymous,

You are very welcome. This old post keeps folks coming back so I suppose it is still an active issue.

I understand how frustrating it can be.

Thank you for leaving a comment!

Anonymous said...

Thanks so much for posting the solution to this problem! I was finally able to delete my old Windows install folder.

I was ready to rip my hair out when I finally came across a message board post that linked to your blog post.

Thanks again!

Anonymous said...

Please, anyone!

I've tried all of this before I saw this website.
But the last step stuck me: I ___DON'T___ have the "Security" tab!!

Can anyone help me?

Anonymous said...

My guess is that you have Windows XP Home. The "Security" tab is not offered under this OS version....UNLESS....

You boot your XP Home system in safe-mode.

Reboot your PC and press the F8 key as it is coming up right after the BIOS displays.

You should then be able to select to boot your system in Safe Mode.

Once you get to your desktop, you will then be able to access the Security Tab.

Or...if you want to do a hack (at your own risk), read this post I made:

Get the Security Tab in XP Home! For Free!

Anonymous said...

Hi, all!
Had the same problems, no luck deleting Flash, until I found "Unlocker" ( http://ccollomb.free.fr/unlocker/ ), it cleaned everything, hurrah!

Anonymous said...

You are spot on!

I had noticed that recently as well.

Unlocker 1.8.7 - Free by Cedrick Collomb.

I found it interesting in the changes notes for his recent version update that he specifically mentioned the following:

"- Improved behavior: Improved deleting/renaming/moving files such as C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx for example."

It's an outstanding product and one of my favorites in this class of utilities. Highly recommended.

At the heart of the issue it seems Adobe/Flash is determined to write and apply specialized file security permissions for this file that I find curiously high and frustrating for users trying to delete it...especially when they don't bother to offer to uninstall older versions when installing new release versions and the old ones contain known security vulnerabilities.

Oh well...Thanks for sharing this tip!

Anonymous said...

Thanks, fixed the problem for me.

Anonymous said...

Thank you so much Claus. I just got a new HP Mini, and it had those two files that I couldn't delete.

Weird thing was, that they weren't in the "C:\Windows\System32\..." -folder, but in "C:\USWXP32C\Windows\System32\...".

So, this problem is still alive and out there.

Unknown said...

Many thanks for saving my sanity. I have been trying to remove an old copy of XP from a spare drive and the persistent Flash9e files have resisted all other attempts at removal. I used the command line options with CACLS and have now removed all traces of the old files (I believe!)

Claus said...

@ everyone - thanks for all the kind words. I'm glad this has been helpful.

I ended up having to go through this all over again with a stubborn Flash 10x series file on an XP Pro system just yesterday.

Sometimes the Flash upgrade seems to clean off the older versions with no issues and other times it cannot. When it can't, you often have no choice but to use the technique listed here.

Cheers.

--Claus V.

Anonymous said...

I ran into the same problem. Thanks for the help. (I was referred to your page from http://www.overclock.net/windows/304685-cannot-delete-windows-old-folder-3.html).