JohnnyGui
Copper Contributor
Jun 13, 2022

Disk Cleanup won't delete certain files

Disk Cleanup via Windows settings doesn't delete the checked "Temporary files" (770mb) nor Windows Defender files. All the other checked files do get cleaned up normally. It completes as if it successfully deleted everything but it doesn't when I click Refresh.

 

Trying to delete these files via the Disk Cleanup tool (cleanmgr.exe) as Administrator or in Safe mode also doesn't work. I am the only user and Administrator on the PC.

 

I am aware I could try to go to the temp folder and delete the files manually, but why doesn't it work this way? Is this reproducible at anyone's end?

24 Replies

  • Mousefluff
    Iron Contributor

    JohnnyGui This script does not tell you to delete anything. All it does is grant permissions to the operating system and programs, so that it can open file handles with these particular entries (due to missing or revoked file permissions, as I wrote in my earlier posts.) Sometimes this does happen, though it's very rare. The only other way around that is to back up and reformat ( icacls / takeown will save you a lot of time, as you won't need to reinstall. If you reinstall, all that does is just copy the same files, and create new file permissions for each entry. Takeown and icacls do the same thing, but without deleting the files and recreating them. )

     

    Probably only a few file permissions have changed, so that might actually block the entire cleanup operation. You could also go into Windows Explorer and hand parse as well with your mouse and keyboard, if you don't want to use the scripts. My earlier post also covers that. All options are available, no risk whatsoever, as you can choose based on what you want to do. If you don't want to do anything, you can just read the documentation and then make some decisions later after thinking it through. Zero pressure whatsoever. It's your choice:

     

    "I am aware I could try to go to the temp folder and delete the files manually, but why doesn't it work this way?"

    • Anonymous

      Mousefluff 

      For me, a non-reversible error may be changing the permissions to the file you recommend, and creates paths that may be a threat to the integrity of the system!

      " This script does not tell you to delete anything. All it does is grant permissions to the operating system and programs, so that it can open file handles with these particular entries ("

      • Mousefluff
        Iron Contributor

        Deleted The whole point of changing the permissions is actually to restore integrity in some sense:

         

        "changing the permissions to the file you recommend"

         

        No new folders are created with these scripts...


        "creates paths that may be a threat to the integrity of the system"

         

        Here's what it does. Line #1 and #3 will remove entries. The purpose of that also is to clear any ACEs that have an SID string tied to them, or to clear permissions that deny the operating system read / write permissions (from another computer,) and restore "full control". That in fact will increase integrity, if the file permissions are missing. If this computer was part of a domain that utilized Active Directory, of course this would be managed for you by an external entity, or it would be set through a profile. On a personal computer this is not risky if you run it offline on WinPE and let it finish. For line #2 and #4 which add entries, OI / CI mean Inherit, and F means full control. The reason why I have it in this specific order, is so it can be used to modify an offline image (it grants control without using SID strings.) If you were to use the full script, not a small excerpt like below, it would work the same way on a USB drive, regardless of what computer it was plugged into:

        1.) icacls A: /remove "NT SERVICE\TrustedInstaller" /c /l /q
        2.) icacls A: /inheritance:r /grant:r "NT SERVICE\TrustedInstaller":(OI)(CI)(F) /c /l /q
        3.) icacls A: /remove "NT AUTHORITY\SYSTEM" /c /l /q
        4.) icacls A: /inheritance:r /grant:r "NT AUTHORITY\SYSTEM":(OI)(CI)(F) /c /l /q

        Here's another example for you to read:

        Microsoft Windows [Version 10.0.22000.795]
        (c) Microsoft Corporation. All rights reserved.
        
        C:\Users\<user_name>\Desktop>icacls /?
        
        ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
            stores the DACLs for the files and folders that match the name
            into aclfile for later use with /restore. Note that SACLs,
            owner, or integrity labels are not saved.
        
        ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
                         [/C] [/L] [/Q]
            applies the stored DACLs to files in directory.
        
        ICACLS name /setowner user [/T] [/C] [/L] [/Q]
            changes the owner of all matching names. This option does not
            force a change of ownership; use the takeown.exe utility for
            that purpose.
        
        ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
            finds all matching names that contain an ACL
            explicitly mentioning Sid.
        
        ICACLS name /verify [/T] [/C] [/L] [/Q]
            finds all files whose ACL is not in canonical form or whose
            lengths are inconsistent with ACE counts.
        
        ICACLS name /reset [/T] [/C] [/L] [/Q]
            replaces ACLs with default inherited ACLs for all matching files.
        
        ICACLS name [/grant[:r] Sid:perm[...]]
               [/deny Sid:perm [...]]
               [/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
               [/setintegritylevel Level:policy[...]]
        
            /grant[:r] Sid:perm grants the specified user access rights. With :r,
                the permissions replace any previously granted explicit permissions.
                Without :r, the permissions are added to any previously granted
                explicit permissions.
        
            /deny Sid:perm explicitly denies the specified user access rights.
                An explicit deny ACE is added for the stated permissions and
                the same permissions in any explicit grant are removed.
        
            /remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With
                :g, it removes all occurrences of granted rights to that Sid. With
                :d, it removes all occurrences of denied rights to that Sid.
        
            /setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
                ACE to all matching files.  The level is to be specified as one
                of:
                    L[ow]
                    M[edium]
                    H[igh]
                Inheritance options for the integrity ACE may precede the level
                and are applied only to directories.
        
            /inheritance:e|d|r
                e - enables inheritance
                d - disables inheritance and copy the ACEs
                r - remove all inherited ACEs
        
        
        Note:
            Sids may be in either numerical or friendly name form. If a numerical
            form is given, affix a * to the start of the SID.
        
            /T indicates that this operation is performed on all matching
                files/directories below the directories specified in the name.
        
            /C indicates that this operation will continue on all file errors.
                Error messages will still be displayed.
        
            /L indicates that this operation is performed on a symbolic link
               itself versus its target.
        
            /Q indicates that icacls should suppress success messages.
        
            ICACLS preserves the canonical ordering of ACE entries:
                    Explicit denials
                    Explicit grants
                    Inherited denials
                    Inherited grants
        
            perm is a permission mask and can be specified in one of two forms:
                a sequence of simple rights:
                        N - no access
                        F - full access
                        M - modify access
                        RX - read and execute access
                        R - read-only access
                        W - write-only access
                        D - delete access
                a comma-separated list in parentheses of specific rights:
                        DE - delete
                        RC - read control
                        WDAC - write DAC
                        WO - write owner
                        S - synchronize
                        AS - access system security
                        MA - maximum allowed
                        GR - generic read
                        GW - generic write
                        GE - generic execute
                        GA - generic all
                        RD - read data/list directory
                        WD - write data/add file
                        AD - append data/add subdirectory
                        REA - read extended attributes
                        WEA - write extended attributes
                        X - execute/traverse
                        DC - delete child
                        RA - read attributes
                        WA - write attributes
                inheritance rights may precede either form and are applied
                only to directories:
                        (OI) - object inherit
                        (CI) - container inherit
                        (IO) - inherit only
                        (NP) - don't propagate inherit
                        (I) - permission inherited from parent container
        
        Examples:
        
                icacls c:\windows\* /save AclFile /T
                - Will save the ACLs for all files under c:\windows
                  and its subdirectories to AclFile.
        
                icacls c:\windows\ /restore AclFile
                - Will restore the Acls for every file within
                  AclFile that exists in c:\windows and its subdirectories.
        
                icacls file /grant Administrator:(D,WDAC)
                - Will grant the user Administrator Delete and Write DAC
                  permissions to file.
        
                icacls file /grant *S-1-1-0:(D,WDAC)
                - Will grant the user defined by sid S-1-1-0 Delete and
                  Write DAC permissions to file.
        
        C:\Users\<user_name>\Desktop>

        If file permissions are blocked for "SYSTEM" or "Trusted Installer," SFC is not able to open file handles, so of course it can't replace a corrupted file or even open the file to check for corruption to begin with (verify checksums.) It is a good idea though to use DISM / SFC for what it is used for, which of course has nothing to do with this, but that could indirectly solve other issues:

         

        "No, I did not find, but if you have any doubts, run SFC if it is okay and Windows works without errors is a waste of time to further analyze."

  • Mousefluff
    Iron Contributor

    JohnnyGui Your file permissions are improperly set I'm sure (also check file ownership.) Either that, or the ACLs are corrupt / have been modified in some way. This is not exactly the same as the original one Microsoft uses for Windows 10 / 11, but it can also remove SID strings for accounts that may or may not exist on your PC (sometimes with upgrades or certain patches, the operating system cannot access the files because the ACLs have been modified to block access.) This can take anywhere between 30 minutes, to 4 hours btw. If you don't want to use this you can hand parse each entry with takeown / icacls.

    @ECHO OFF
    SETLOCAL
    REM ++++++++++----------++++++++++----------++++++++++----------++++++++++----------++++++++++----------
    REM ----------++++++++++----------++++++++++----------++++++++++----------++++++++++----------++++++++++
    
    REM Batch file to reset ACLs on WinPE for offline images only:
    
    icacls A: /remove "ALL RESTRICTED APPLICATION PACKAGES" /c /l /q
    icacls A: /remove "ALL APPLICATION PACKAGES" /c /l /q
    icacls A: /remove "NT AUTHORITY\Authenticated Users" /c /l /q
    icacls A: /remove "NT SERVICE\TrustedInstaller" /c /l /q
    icacls A: /inheritance:r /grant:r "NT SERVICE\TrustedInstaller":(OI)(CI)(F) /c /l /q
    icacls A: /remove "NT AUTHORITY\SYSTEM" /c /l /q
    icacls A: /inheritance:r /grant:r "NT AUTHORITY\SYSTEM":(OI)(CI)(F) /c /l /q
    icacls A: /remove "BUILTIN\Users" /c /l /q
    icacls A: /inheritance:r /grant:r "BUILTIN\Users":(OI)(CI)(F) /c /l /q
    icacls A: /remove "BUILTIN\Administrators" /c /l /q
    icacls A: /inheritance:r /grant:r "BUILTIN\Administrators":(OI)(CI)(F) /c /l /q
    icacls A: /inheritance:r /grant:r "NT AUTHORITY\Authenticated Users":(OI)(CI)(F) /c /l /q
    icacls A: /inheritance:r /grant:r "ALL APPLICATION PACKAGES":(OI)(CI)(F) /c /l /q
    icacls A: /remove "Everyone" /c /l /q
    icacls "A:\*.*" /reset /t /c /l /q
    
    REM ----------++++++++++----------++++++++++----------++++++++++----------++++++++++----------++++++++++
    REM ++++++++++----------++++++++++----------++++++++++----------++++++++++----------++++++++++----------

    SID Strings | Well-known SIDs | Security Descriptor String Format | Takeown (SS64)

    Security Descriptor Definition Language for Conditional ACEs | Icacls (SS64)

    Specifies a security descriptor in the security descriptor definition language (SDDL) format.
    By default the security descriptor is taken from the parent directory. SDDL strings can be complex but flexible.
    In its simplest form, a security descriptor that protects access, is known as a discretionary access control list (DACL). It is of the form:
    
    D:<DACL_FLAGS>(<STRING_ACE>)(<STRING_ACE>)...(<STRING_ACE>)
    
    Common DACL_FLAGS are:
    
    "P" - The DACL should not be overridden (protected) by any ACLs from parent containers.
    "AI"- The DACL should auto-inherit from the parent container.
    
    STRING_ACEs are of the form:
    
    <ACE_TYPE>;;<RIGHTS>;;;<ACCOUNT_ID>
    
    Common ACE_TYPEs are:
    
    "A" - Allow access.
    "D" - Deny access.
    
    Common RIGHTS are:
    
    "GA" - All access.
    "GR" - Read access.
    "GW" - Write access.
    
    Common ACCOUNT_IDs are:
    
    "BA" - Built in administrators
    "AU" - Authenticated users.
    "CO" - Creator owner.
    "WD" - Everyone.
    
    Putting all this together, for example, gives read-access to all authenticated users:
    
    D:P:(A;;GR;;;AU)
    
    Similarly, gives everyone full access:
    
    D:P:(A;;GA;;;WD)

    "Sddl: The security descriptor of the resource displayed in a single text string in Security Descriptor Definition Language format. PowerShell uses the GetSddlForm method of security descriptors to get this data." -> https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-7.1

     

    Naming Files, Paths, and Namespaces | UNIX-Style Regular Expressions

    MS-DOS and Windows Wildcard Characters

     

    How-to: Match filenames with Wildcards

    How-to: Escape Characters, Delimiters and Quotes at the Windows command line

     

    NOTE: This is the final output, though you could obviously modify this script. There is no user account ID / SID string associated with WinPE, so you don't need takeown or anything else to modify or reset the ACLs. It individually removes, and consolidates permissions without waste (although it's pretty broad as far as user rights vs administrator rights are concerned.) For personal use it's very good, given it grants inheritance, so that if you have this issue, you can run icacls regardless of folder hierarchy, and it inherits the ACL from the root entry on the system drive. If you were to run icacls on its own, it would inherit this new ACL, and you couldn't go back, no matter HOW much you tried (unless you were to wipe out each ACL with your own setup. I haven't tried creating one that mimics the default Microsoft version exactly, but even that one has some annoying flaws too, such as restrictions for "Program Files" when logged in as admin, etc.)

    C:\Users\<user_name>\Desktop>ICACLS C:
    C: APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(F)
       NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(F)
       BUILTIN\Administrators:(I)(OI)(CI)(F)
       BUILTIN\Users:(I)(OI)(CI)(F)
       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
       NT SERVICE\TrustedInstaller:(I)(OI)(CI)(F)
    
    Successfully processed 1 files; Failed processing 0 files
    
    C:\Users\<user_name>\Desktop>

    If it is necessary to use WinPE to modify the ACLs, I have written some WinPE ISO creation scripts here: https://techcommunity.microsoft.com/t5/windows-11/example-iso-patch-guide-for-windows-11-64-bit-21h2/m-p/3574791/highlight/true#M4464

     

    NOTE: If you try to change the ACLs for system files on a running operating system image it will become non-bootable, or you will lose access to the files after you remove the ACEs, which is counter-productive. So you basically have to use WinPE if you want to be productive. It's much easier to test scripts on a non-system drive, with only a small amount of files, and a simple directory structure that doesn't span more than half a dozen entries. This is so you can manually inspect the entries in Windows Explorer. ( Right Click on a File -> Properties -> Security -> Advanced )

     

    ACLs also affect Windows Apps as well. If you don't include "All Application Packages / Authenticated Users," you will run into serious issues with any Windows Apps. Ironically, Microsoft disables inheritance so that only "Program Files" and a few other folders have this particular setting, yet even that can get corrupted. I found it far easier to just set all file permissions at the root folder, and then enable inheritance. When you run icacls after that point, (with /reset /t /c /l) it will purge any entry that does not match the original folder hierarchy for the root ACL, without you even noticing it (which is extremely convenient for obvious reasons.) If you don't allow icacls to operate on symbolic links, you will get a far higher failure rate. Although some would not want the exact same folder permissions, with user accounts in particular, unless the computer was air-gapped on the network / network shares were disabled, and they were the ONLY person who was using the device.

     

    "Microsoft Store Apps fail to start if default registry or file permissions modified" -> https://docs.microsoft.com/en-us/troubleshoot/windows-client/shell-experience/microsoft-store-apps-fail-to-start

     

    Application User Model IDs (AppUserModelIDs)

    Find the Application User Model ID of an installed app
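
An added example, not part of the original post or thread: a Python triage helper that parses captured `icacls` output, such as the `ICACLS C:` listing above, and reports allow entries that give write-capable rights to broad groups, plus explicit deny entries on SYSTEM or TrustedInstaller. The group lists, the constructed second sample and the function names are assumptions chosen for this illustration.

```python
import re

# Copied from the `ICACLS C:` listing in the post above.
POST_OUTPUT = r"""C: APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(F)
   NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(F)
   BUILTIN\Administrators:(I)(OI)(CI)(F)
   BUILTIN\Users:(I)(OI)(CI)(F)
   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
   NT SERVICE\TrustedInstaller:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample (not from the thread): an explicit deny on SYSTEM.
DENY_OUTPUT = r"""D:\data BUILTIN\Administrators:(OI)(CI)(F)
        NT AUTHORITY\SYSTEM:(DENY)(W,D)
        BUILTIN\Users:(OI)(CI)(RX)
"""

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Rights from the icacls help text that allow changing or deleting content.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WDAC", "WO", "DC", "DE"}
# Assumption: principals treated as "broad" for this audit.
BROAD = {"everyone", r"builtin\users", r"nt authority\authenticated users",
         r"application package authority\all application packages"}
SERVICE = {r"nt authority\system", r"nt service\trustedinstaller"}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]*\))+)$")


def parse_icacls(output, path):
    """Return one dict per ACE line of `icacls <path>` output."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path + " "):      # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                         # blank line or the summary line
        groups = re.findall(r"\(([^()]*)\)", m["groups"])
        rights = set()
        for g in groups:                     # order-independent: flags, DENY, rights
            if g not in INHERIT_FLAGS and g != "DENY":
                rights.update(r.strip() for r in g.split(","))
        aces.append({"who": m["who"],
                     "deny": "DENY" in groups,
                     "flags": [g for g in groups if g in INHERIT_FLAGS],
                     "rights": rights})
    return aces


def audit(aces):
    """Flag broad write access and deny entries on OS service principals."""
    findings = []
    for ace in aces:
        who = ace["who"].lower()
        writable = ace["rights"] & WRITE_RIGHTS
        if who in BROAD and not ace["deny"] and writable:
            findings.append(("broad-write", ace["who"], sorted(writable)))
        if who in SERVICE and ace["deny"]:
            findings.append(("service-denied", ace["who"], sorted(ace["rights"])))
    return findings


if __name__ == "__main__":
    for kind, who, rights in audit(parse_icacls(POST_OUTPUT, "C:")):
        print(f"{kind}: {who} {','.join(rights)}")
```

Run against the listing from the post, it reports full control for ALL APPLICATION PACKAGES, Authenticated Users and BUILTIN\Users at the drive root, inherited by everything below it.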

     

    • JohnnyGui
      Copper Contributor

      Mousefluff 

       

      This is cumbersome not to mention quite risky. 

       

      Deleted Could you please check something out for me?

      1. In Windows Settings, go to System -> Storage -> Temporary files and clean the files as usual.

      2. Now, go to the temp folder (Start menu -> Run -> %temp%). 

       

      Is there a folder created on that exact timestamp when you went to the Storage settings and cleaned the files? Its name consisting of numbers and letters separated by -'s and contains an executable called Dismhost.exe (among many other files)?

       

      Waiting for your reply.

      • Anonymous

        JohnnyGui 

        No, I did not find, but if you have any doubts, run SFC if it is okay and Windows works without errors is a waste of time to further analyze.

    • Anonymous

      Hi Mousefluff 

      Hi, tell everyone how your response relates to the topic of the post?
      I do not recommend following all these steps, because it is not needed and can lead to an irreversible error!

  • Netcruzn
    Copper Contributor

    JohnnyGui I am experiencing exactly the same issue/s. The windows update, defender and temp files do not clear. I have been trying various ways to delete the past few days. This seems to have started in the past couple of updates. I am currently showing 2.16g windows update files that will not delete. This is a big deal when trying to clean up files to capture an image. By not being able to clean up all files it is increasing my image size approximately 3g that is not needed. Any help from Microsoft would be appreciated.

    • JohnnyGui
      Copper Contributor

      Question, when going to the temp folder (type %temp% in the run application) do you see many folders with numbers and letters separated by -'s ? Do these folders contain an .exe file called Dismhost.exe?

       

      wrd2093au Curious whether you also have these mentioned folders in the temp folder containing DismHost.exe

      • wrd2093au
        Copper Contributor
        I have 2 profiles on this laptop. So there is different %temp% per profile. On one profile, I do see a folder in %temp% that contains various files including DismHost.exe.
    • JohnnyGui
      Copper Contributor

      Netcruzn 

      Thanks for the reply.

       

      I have moved 7 days old files from the Appdata/Local/Temp folder itself and it disappeared from the Disk Cleanup. However, today 70mb of temp files popped up in Disk Cleanup that I couldn't delete. 

       

      I know it's not that much space but I don't get why it simply doesn't work. 

      • JohnnyGui
        Copper Contributor

        No one else who noticed the same thing on his/her Windows 11 device?

  • Anonymous

    Hi JohnnyGui 

    Some temporary files are needed, but try restarting and disk cleaning should start automatically if the configuration is correct.

    • JohnnyGui
      Copper Contributor

      Deleted 

       

      If some are needed then it's quite confusing that it shows up in Disk Cleanup.

      I rebooted and restarted several times but it didn't help. 

       

      The weird part is that on the Storage page in Settings it shows less space taken by temporary files than when I click on it to show the details.

       

      Are you experiencing the same?

      • Anonymous
        Do you also select delivery optimization files for deletion?
        now I will remove 4G from the C drive I always restart after approval and everything is deleted.
