App Control: Blocks In the \Windows\WinSxS\Temp\PendingDeletes and \Program Files\Windowsapps\Deleted\ Directory

Article ID: 287547

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Block events for files in the \Windows\WinSxS\Temp\PendingDeletes folder that show no hash
  • Block events for files in the \Program Files\WindowsApps\Deleted\ folder that show no hash

Environment

  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions

Cause

Windows uses these directories as staging locations for files removed during Windows Update and other OS servicing operations. By the time the agent tries to open and analyze such a file, Windows has already deleted it, so the agent reports an "open file failure" and records the execution as a block. Because the file could not be opened, the block event carries no hash.

Resolution

There are a few different ways these blocks can be dealt with, listed from safest to least preferred:

  1. Enforce a scheduled reboot policy in the environment. Under ordinary circumstances, rebooting the device after Windows Updates completes the pending deletions and clears/prevents these blocks.
    • This is the safest method because no allow rule is created that could be taken advantage of.
  2. If the notifier is bothersome to end users, disabling the notifier removes the pop-ups without changing enforcement.
    • This may cause confusion for end users and/or technicians troubleshooting system or application issues, since the blocks still occur but are no longer announced on the endpoint.
  3. Create an execution control rule to allow the executions.
    • Generally not recommended: the processes that run from these paths are usually generic OS components, so a path-based allow rule could be taken advantage of.
  4. Add an agent configuration in the console that tells agents to allow the "open file failure" condition, using the steps below.
    1. Log on to the Cb Protection console and navigate to https://<CBServerName>/agent_config.php
    2. Click + Add Agent Config
    3. Fill in the properties as follows:
      • Property Name: Allow Inaccessible files
      • Host ID: 0 (a value of 0 sends the setting to all machines)
      • Value:
        • Agents 8.1 P2 and higher: allow_inaccessible_files=0x02
        • Older agents: allow_inaccessible_files=1
      • Status: Enabled
    4. Click Save
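Before choosing between option 1 and option 4, it helps to confirm on the endpoint that the blocks really are the servicing pattern described under Cause. The following PowerShell script is an added example for this article, not Carbon Black code or an App Control feature: it lists any files still staged in the two directories above and checks the standard Windows registry locations that indicate a reboot is required to finish servicing. It assumes it is run in an elevated session on the endpoint that raised the block; the \WindowsApps tree is ACL-restricted, so access-denied entries are skipped rather than treated as errors.

```powershell
# Added example (not Carbon Black's code): triage helper for App Control blocks in the
# Windows pending-delete staging directories. Assumes an elevated session on the endpoint.
# The paths and registry keys below are standard Windows servicing locations, not App Control settings.

$pendingDirs = @(
    (Join-Path $env:SystemRoot   'WinSxS\Temp\PendingDeletes'),
    (Join-Path $env:ProgramFiles 'WindowsApps\Deleted')
)

# Keys Windows creates while a reboot is required to complete servicing / Windows Update.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)

function Test-PendingReboot {
    foreach ($key in $rebootKeys) {
        if (Test-Path -LiteralPath $key) { return $true }
    }
    # PendingFileRenameOperations holds the rename/delete list applied at next boot.
    $sessionMgr = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                                   -ErrorAction SilentlyContinue
    return ($null -ne $sessionMgr -and $null -ne $sessionMgr.PendingFileRenameOperations)
}

function Get-PendingDeleteFiles {
    foreach ($dir in $pendingDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden/system entries; access-denied subtrees are skipped silently.
        Get-ChildItem -LiteralPath $dir -File -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

$staged = @(Get-PendingDeleteFiles)
$reboot = Test-PendingReboot

"Reboot pending : $reboot"
"Staged files   : $($staged.Count)"
$staged | Format-Table -AutoSize

if ($reboot) {
    'A reboot is pending; blocks from these paths match the servicing pattern and should clear after restart (option 1).'
} elseif ($staged.Count -gt 0) {
    'Files are staged but no reboot is pending; review the block events in the console before allowing anything.'
} else {
    'No staged files and no pending reboot; investigate blocks from these paths rather than suppressing them.'
}
```

Run it on an endpoint shortly after a block is observed. The registry checks are the useful part: if a reboot is pending, the blocks are expected noise and a scheduled reboot resolves them without any allow rule or agent configuration change.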

Additional Information

  • The allow_inaccessible_files=0x02 configuration tells agents to allow the "open file failure" only when the condition is "File not existing", which is the condition these pending-delete directories produce.
  • The allow_inaccessible_files=1 configuration tells agents to allow the "open file failure" for any of the conditions below, which is broader than this issue requires:
    • File not existing
    • File is not interesting
    • Failed to hash file
    • Unknown open error
    • Access to file denied
    • Sharing violation
    • Other error