CB Response: Cannot Delete Read-Only Files and Folders With Live Response

Article ID: 287422

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • The 'delete' command in a Live Response session returns the following error when attempting to remove files or directories:
    • "Remote error HRESULT 0x80070005" = 0x80070005: Facility[WIN32] Code[0005] Severity[1] Access is denied.
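The breakdown of the error code quoted above can be reproduced for any HRESULT that a Live Response command returns. The following is an added example, not part of the original article or of the product; the function names and the short lookup tables (a subset of the values in the Windows SDK's winerror.h) are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Partial lookup tables (subset of winerror.h), enough for file-deletion triage.
FACILITIES = {0: "NULL", 1: "RPC", 7: "WIN32", 8: "WINDOWS"}
WIN32_CODES = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    32: "ERROR_SHARING_VIOLATION",
    145: "ERROR_DIR_NOT_EMPTY",
}


class HResult(NamedTuple):
    value: int      # normalized to an unsigned 32-bit value
    severity: int   # bit 31: 1 = failure, 0 = success
    customer: int   # bit 29: 1 = customer-defined, 0 = Microsoft-defined
    facility: str   # bits 16-26, named where known
    code: int       # bits 0-15
    name: str       # Win32 error name when facility is WIN32 and code is known


def decode_hresult(value: int) -> HResult:
    """Split a 32-bit HRESULT into its fields; accepts signed or unsigned input."""
    value &= 0xFFFFFFFF
    facility = (value >> 16) & 0x7FF
    code = value & 0xFFFF
    name = WIN32_CODES.get(code, "UNKNOWN") if facility == 7 else "UNKNOWN"
    return HResult(value, value >> 31, (value >> 29) & 1,
                   FACILITIES.get(facility, f"0x{facility:03X}"), code, name)


HRESULT_RE = re.compile(r"HRESULT\s+(0x[0-9A-Fa-f]{8})")


def decode_lr_error(message: str) -> Optional[HResult]:
    """Extract and decode the HRESULT from a Live Response error string."""
    match = HRESULT_RE.search(message)
    return decode_hresult(int(match.group(1), 16)) if match else None


if __name__ == "__main__":
    # Error text as quoted in the Issue section of this article.
    print(decode_lr_error("Remote error HRESULT 0x80070005"))
```

A decoded name other than ERROR_ACCESS_DENIED, such as ERROR_SHARING_VIOLATION, indicates a different failure from the one this article describes.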

Environment

  • CB Response Server: All Supported Versions

Cause

  • Read-only flags are set on the files and directories. The error is returned by the OS because the files are read-only.

Resolution

  • The easiest way to remove read-only files and folders is to use sdelete: https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
    • Download and extract the sdelete.exe/sdelete64.exe files to the local workstation from the link above.
    • Use the 'put' command in the Live Response session to send the sdelete executable to the sensor:
      put <destination_location>
    • Change directories to the 'destination_location' above:
      cd <destination_location>
    • Run the sdelete.exe command from Live Response:
      execfg sdelete.exe /accepteula -r "<directory/file_to_delete>"
  • Switches:
    • /accepteula : Accepts EULA without prompting via GUI
    • -r : Recurse subdirectories (if applicable)