NTFS Junction Points (Potential Malware Exposure)

  • Question

  • Hi

    Is there any way under XP to delete an NTFS Junction Point in such a way as to just delete the link, not the target directory? I have tried pretty much all the tools I can find with no success. I discovered this issue thanks to a Trojan that came in via Java and effectively destroyed Microsoft Security Essentials to the point it would be pretty much unrecoverable for the majority of users.

    The background is that the Trojan was targeted specifically at MSE and did pretty much everything you'd expect i.e. replaced the exe files, changed Windows startup, disabled Windows Firewall / MSE but bluffed Security Center into indicating that Firewall / MSE was active and fine. I was able to remove the Trojan fairly easily using the standard tools but was unable to uninstall / reinstall MSE due to the Trojan setting up Junction Points within the MSE directory. After a lot of effort I managed to get MSE up and running but I needed to copy files from another machine (I'm happy to share how I did this if anyone else has the same problem but that is not the point of this question).

    Basically the Trojan changed the Backup, Drivers and En-us subdirectories within the "C:\Program Files\Microsoft Security Client" directory to Junction Points linked to "C:\Windows\System32\config" so at that stage MSE can't uninstall or reinstall and of course the removal tool doesn't work either. At this stage MSE is effectively dead in the water without some fancy footwork.

    As I said I have cleaned everything out and got it working again but I still have the three Junction Point directories and cannot remove them from within XP at all. When I get the chance later today I will boot from a Recovery CD, take a copy of "C:\Windows\System32\config", delete the contents of the directory, then attempt to delete the Junction Points. This should work, although I may have to do it multiple times - one for each Junction Point - and may have to recreate "C:\Windows\System32\config" each time. Afterwards I should be able to restore "C:\Windows\System32\config" and all should be OK, but this seems like using a sledgehammer to crack a nut.

    There are obviously two issues here: 1/ The exposure to MSE (wrong forum for that) and 2/ The inability to just delete the Junction Points which is my question here i.e. is there any way to do this?

    Thanks in advance .... Colin

    Thursday, May 16, 2013 3:47 PM


All replies

  • An internet search for NTFS Junction Points provides a multitude of links with information about this subject: https://www.google.com/search?q=NTFS+Junction+Points&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=rcs

    There is a Microsoft KB for Windows 2000 on this @ http://support.microsoft.com/kb/205524 and the information applies to XP as well.

    The tools needed are in the Windows Server 2003 Resource Kit Tools which you can download @ http://www.microsoft.com/en-us/download/details.aspx?id=17657 and these tools also work on XP.

    There is also a related article @ http://www.techrepublic.com/article/manually-creating-junction-points-in-windows-xp/5388706

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, May 16, 2013 5:32 PM
  • Thank you for your help Rick.

    I didn't try the utilities from KB205524 as it appeared to be W2K only - I will see if this works when I am back at the machine. I will also try seeing if the System Attribute is set (as per the Tech Republic article).

    I did spend a lot of time on Google researching and trying the solutions discussed, however, including Mark Russinovich's "Junction" utility, Windows Resource Kit LinkD, directory manipulation from within the command prompt (RMDIR is meant to work) and a number of other suggestions, but none of these had any success. This may have been because the Junction is linked to a main O/S System Folder, or it may be that the Junction Points set up by the Trojan are somehow locked.

    One thing that does seem strange is the Junction Points didn't work as "Folders" i.e. Double Clicking them in Explorer or "CD" within Command Prompt did not take me to the target directory "C:\Windows\System32\config". Attempting to open the Junction Point from Explorer gave the error "The system cannot access the file specified".

    Thank you again and I will report back once I've tried again.


    Friday, May 17, 2013 1:08 PM
  • Hi

    I've had a chance to try using linkd and also the suggested attribute manipulation but again no joy. Everything I've searched for and tried has failed so I would appreciate any assistance.

    Is there any way I can query the settings of the actual Junction Point to see if it's corrupt or is the issue because of the System Folder it's linked to?

    Thanks .... Colin

    Monday, May 20, 2013 10:14 PM
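The post above asks how to query what a junction actually points at. The record behind a junction is a REPARSE_DATA_BUFFER with the IO_REPARSE_TAG_MOUNT_POINT tag (the same bytes FSCTL_GET_REPARSE_POINT returns and "fsutil reparsepoint query" prints as hex), and the C below, added here as an illustration rather than code from anyone in this thread, decodes that record, checks it is well-formed, and flags the pattern Colin describes: a junction whose target lies under the Windows directory. The sample record is constructed in build_junction, not captured from a real system, and strncasecmp assumes a POSIX C library.

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>
/* Byte layout of REPARSE_DATA_BUFFER for IO_REPARSE_TAG_MOUNT_POINT (an NTFS junction): the record
 * FSCTL_GET_REPARSE_POINT returns and "fsutil reparsepoint query" prints as a hex dump. */
#define IO_REPARSE_TAG_MOUNT_POINT 0xA0000003u
struct junction_info { uint32_t tag; char substitute[260]; char print_name[260]; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Copy a UTF-16LE string of len bytes into an ASCII buffer; non-ASCII code units become '?'. */
static void utf16le_to_ascii(const uint8_t *src, size_t len, char *dst, size_t cap) {
    size_t i, n = len / 2;
    for (i = 0; i < n && i + 1 < cap; i++) { uint16_t u = rd16(src + 2 * i); dst[i] = u < 0x80 ? (char)u : '?'; }
    dst[i] = '\0';
}

/* Decode a junction record; returns 1 on success, 0 if it is not a well-formed junction. */
int parse_junction(const uint8_t *buf, size_t len, struct junction_info *out) {
    if (len < 16) return 0;
    out->tag = (uint32_t)rd16(buf) | ((uint32_t)rd16(buf + 2) << 16);
    size_t path_len = rd16(buf + 4) < 8 ? 0 : rd16(buf + 4) - 8u; /* ReparseDataLength minus the four USHORTs */
    if (out->tag != IO_REPARSE_TAG_MOUNT_POINT || path_len == 0 || 16 + path_len > len) return 0;
    uint16_t sub_off = rd16(buf + 8), sub_len = rd16(buf + 10), prn_off = rd16(buf + 12), prn_len = rd16(buf + 14);
    if ((size_t)sub_off + sub_len > path_len || (size_t)prn_off + prn_len > path_len) return 0; /* bytes into PathBuffer */
    utf16le_to_ascii(buf + 16 + sub_off, sub_len, out->substitute, sizeof out->substitute);
    utf16le_to_ascii(buf + 16 + prn_off, prn_len, out->print_name, sizeof out->print_name);
    return 1;
}

/* Defender check for the pattern in this thread: a junction whose target lies under the Windows directory. */
int targets_windows_dir(const struct junction_info *j) {
    return strncasecmp(j->substitute, "\\??\\C:\\Windows\\", 15) == 0;
}

/* Constructed sample record (not captured from a real system): ASCII paths widened to UTF-16LE. */
size_t build_junction(const char *sub, const char *prn, uint8_t *buf, size_t cap) {
    size_t i, sl = strlen(sub) * 2, pl = strlen(prn) * 2, total = 16 + sl + 2 + pl + 2;
    if (total > cap) return 0;
    memset(buf, 0, total);
    wr16(buf, 0x0003); wr16(buf + 2, 0xA000); wr16(buf + 4, (uint16_t)(total - 8)); /* tag, ReparseDataLength */
    wr16(buf + 8, 0); wr16(buf + 10, (uint16_t)sl); wr16(buf + 12, (uint16_t)(sl + 2)); wr16(buf + 14, (uint16_t)pl);
    for (i = 0; sub[i]; i++) buf[16 + 2 * i] = (uint8_t)sub[i];          /* substitute name, NUL-terminated */
    for (i = 0; prn[i]; i++) buf[16 + sl + 2 + 2 * i] = (uint8_t)prn[i]; /* print name follows it */
    return total;
}
```

A record whose first four bytes are 03 00 00 A0 is a junction; 0C 00 00 A0 is a symbolic link, which parse_junction deliberately rejects so the two are not confused when triaging a directory like the one described above.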
  • Did anyone come up with an answer that works to remove empty directories marked as "Junctions"?
    Thursday, September 19, 2013 3:31 AM