Renaming a running EXE

Did you know that under Windows 2000/XP (and possibly others) it is possible to rename the exe-file of a running program? Furthermore, you can even move it to another folder, provided it is still on the same drive. The application will then appear in the Task Manager with the new filename (not path), and even advanced utilities (like Process Explorer) will think it still has the same path (and might get confused).

So you can have a program that runs away every time the user starts it, or whatever 🙂

I thought I’d write a sample application that would move itself to the Recycle Bin when started, and it turned out to be nontrivial because the Recycle Bin is a complex OS feature. In short:

  1. Deleted files from different drives are stored in a special folder on their respective drive.
  2. For FAT32 drives this folder is called “Recycled”. For NTFS drives it’s “Recycler”.
  3. On NTFS filesystems the Recycler folder contains more folders – each user has his own folder, named after the Security ID (SID) of that user.
  4. Files and folders stored in “Recycled” or “Recycler\[UserSID]” are renamed as Dxy.zzz, where x is a drive letter, y is a natural number (starting at 1 and incremented by 1 for every newly deleted file) and zzz is the original extension.
  5. There is an “info” file that contains original filenames and some additional info.

So my sample program turned out to be a bit more complex… The moved file doesn’t show up in the Recycle Bin (when viewed by Explorer), but it is deleted when the Recycle Bin is emptied. Note that if you don’t rename the file as item 4 requires, it won’t be deleted when the user selects “Empty Recycle Bin” (I think…). The sample program doesn’t update the “info” file (which it should, if you wanted to simulate deleting files in this manner).
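For anyone examining such a disk, the layout in items 1–5 can be checked mechanically. The Python sketch below is an added example, not the Delphi source offered on this page: it classifies paths found under a Recycle Bin folder and reports the ones that do not look like ordinary deleted items. Assumptions: the “info” file is named INFO or INFO2, the `listed` argument (the names recorded in that file) is supplied by the caller, and the SID and paths in the demo are constructed.

```python
import re
from pathlib import PureWindowsPath

# Item 4: 'D' + drive letter x + counter y (1, 2, ...) + original extension zzz.
ENTRY_RE = re.compile(r"^D([A-Za-z])([1-9][0-9]*)(?:\.(.+))?$")
SID_RE = re.compile(r"^S-[0-9]+(-[0-9]+)+$")
# Assumption: the "info" index file is named INFO or INFO2; desktop.ini also lives here.
METADATA = {"info", "info2", "desktop.ini"}


def classify(path, listed=frozenset()):
    """Classify one file path found under Recycled or Recycler\\<SID>.

    `listed` holds the Dxy.zzz names recorded in the bin's info file
    (hypothetical input: parsing that file is outside this example).
    Returns None when the path is not an item inside a Recycle Bin folder."""
    parts = PureWindowsPath(path).parts
    if len(parts) < 3 or parts[1].lower() not in ("recycled", "recycler"):
        return None
    ntfs = parts[1].lower() == "recycler"
    sid, rest = None, parts[2:]
    if ntfs:
        if not SID_RE.match(rest[0]):  # item 3: NTFS entries sit in a per-user SID folder
            return {"layout": "NTFS", "sid": None, "status": "outside-sid-folder"}
        sid, rest = rest[0], rest[1:]
    if not rest:
        return None  # the SID folder itself, not an item in it
    name = rest[0]  # only the top-level item is renamed; children keep their names
    info = {"layout": "NTFS" if ntfs else "FAT32", "sid": sid, "name": name}
    m = ENTRY_RE.match(name)
    if name.lower() in METADATA:
        info["status"] = "metadata"
    elif not m:
        info["status"] = "nonconforming"  # the page suggests these survive "Empty Recycle Bin"
    else:
        info.update(drive=m.group(1).upper(), index=int(m.group(2)), ext=m.group(3))
        known = {n.lower() for n in listed}
        info["status"] = "listed" if name.lower() in known else "orphan"
    return info


def suspicious(paths, listed=frozenset()):
    """Return (path, status) for items that are not ordinary deleted files."""
    seen = [(p, classify(p, listed)) for p in paths]
    bad = ("nonconforming", "orphan", "outside-sid-folder")
    return [(p, c["status"]) for p, c in seen if c and c["status"] in bad]


if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1003"  # constructed SID
    root = "C:\\RECYCLER\\" + sid + "\\"
    print(suspicious([root + "Dc1.txt", root + "Dc7.exe", "E:\\Recycled\\demo.exe"], {"Dc1.txt"}))
```

An “orphan” here is a correctly named entry that the info file does not record, which is the state the demo app leaves behind when it moves its own exe without updating that file.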

Download

Demo app (43 Kb)
Description: When started, moves its exe-file to Recycle Bin and displays a message saying where it went to. Note that the application is still running, but its exe isn’t there!
Required: NT-based OS (2000/XP)

Source (3 Kb)
Required: Delphi (nearly any)

2 Responses to “Renaming a running EXE”

  1. lovebug says:

    Wow…that’s great articles….

  2. Very impressive information. I think I’m gonna stick around and read about 2 more of your posts. Many thanks