How To Delete Undeletable Files and Folders

How To delete those undeletable files and folders

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

A little background on undeletable files and folders

I’ve seen these in the past regarding ‘pubbed’ FTP servers by software, game and movie users that find open FTP servers. They would upload their illegal software to the FTP servers they find, but they would name the files and the folder they create with extended characters and symbols that FTP supports but Windows does not directly support (ASCII characters), as well as create a very deep file structure with these extended unsupported ASCII characters, and/or file names with these characters that are greater than 256 characters. Windows directly supports ANSI characters. However, although Windows supports ASCII characters indirectly, it is not supported directly through the Windows Explorer GUI or the command line. Therefore this prevents admins from getting to them or deleting them, nor delete them. In the older NT4 days, you could install the POSIX support tools (to support UNIX based commands and using ASCII characters) to read and remove them, but that no longer applies with Windows 2000 and newer. However Windows still provides POSIX support but not directly. They can be deleted by using specific commands, but you just have to know the commands!

Also, if it was an FTP created folder and files, and the size shows zero bytes, yet you know it is much larger, then it’s also likely the files are using an alternate data stream which would explain why their file size appears as zero bytes.


Is the drive NTFS?

So the other factor, as mentioned, is if the file, folder name, and/or number of child folders is greater than 256 characters. Many operating system limits are based on the i386 addressable 32bit architecture, such as the number of users that can access a share, which is 4.3 billion objects. It also depends on the drive and if an app can read it. Many programs also expect a limit of 256 objects (characters, paths, bytes, etc), maybe even the deltree command is limited, however NTFS formatted drives can go beyond the 256 objects.

Therefore, not being able to delete them is caused by the factors above, special or extended ASCII characters, trailing spaces, trailing dots (periods) or reserved names in the folders, such as com, lpt, etc, such as when a machine gets ‘pubbed’ into an FTP site where the ‘pubsters’ will create these deep paths and using reserved names to prevent the admin from deleting them. If you’ve found someone accidentally created such files or subfolders with these characters, it will give you headaches to remove them. With an FTP app it’s easy to read and remove them, because FTP uses ASCII characters, such as what POSIX uses, however WIndows uses ANSI and cannot translate the folders. In this case, you can setup a local FTP service, then use an FTP app to connect to your own machine, then you wil be able to read and delete the files and folders. That is only one option, which many adminstrators are reluctant to do.


Removing folder examples:

Assuming the first folder is the numeral “1” on D drive (and use the quotes if you have problems and watch the required periods if the command uses it):

rm -r “//D/1”

RD \\.\c=D:\1

RmDir \\.\D:\1 /s /q

RmDir \\.\C:\YourFTP_ROOT’s_PATH\COM1 /s /q

C:\>cd inetpub\ftproot
C:\Inetpub\ftproot>rd /s /q \\?\c:\inetpub\ftproot
NOTE – The syntax is literal, do not substitue or remove the question mark (?), change only the path.

Removing files examples

Note: In the following examples, if the filename contains symbollic, extended or other characters, enter what you can and wildcard the rest or use file completion or use a full wildcard.

DEL \\.\c:\somedir\filename.

DEL \\.\c:\somedir\lpt

DEL \\.\c:\somedir\aux

DEL \\.\c:\somedir\com


Read the following references for more information and instructions.

How to Remove Files with Reserved Names in Windows:;EN-US;Q120716

You cannot delete a file or a folder on an NTFS file system volume:

Cannot Delete Files or Folders with Extended Characters:

Here’s how to create a locked folder with FTP:
Here’s how to delete them:
How to Remove Files with Reserved Names in Windows

Ace Fekay

DNS Recursive Queries vs Iterative Queries

DNS Recursive Queries vs Iterative Queries

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Published Nov 12, 2009 at 6:55 PM EST
10/6/2010 12:31 AM EST – Added section “Non-Sequitar: Windows Cache Poisoning Settings and Recursion Settings.” This was in response to a discussion associating recursion and cache poisoning that I wanted to add to clear up.


The Definition Between Recursive and Iterative Queries Actually Depends on Context, Such as Which Machine is Asking the Query.

The reason why I mentioned this is because basically a recursive query means the machine sends the query, such as a client machine, or even a DC, to a DNS server for resolution, and the DNS server will resolve the query based either on a zone that has been confgured locally (in its Forward Lookup Zones or Reverse Lookup Zones), or from a Stub zone, Root Hints, General Forwarder or Conditional Forwarder.

Therefore, in summary, a recursive name queries are generally made by a DNS client to a DNS server, or by a DNS server that is configured to pass unresolved name queries that it does not host the zone, to another DNS server, whether through a Stub, Conditonal or General Forwarder.

Interative queries is a request from a client that tells the DNS server that the client expects the best answer the DNS server can provide immediately, without contacting other DNS servers, whether it has the zone configured or not. The process then relies on the client to continue the process possibly by using a referral where the DNS server supplying the client NS or A records of a DNS server that is closer to the namespace which may possibly provide the answer. However we don’t see that with the normal sense of the word, ‘query,’ when a client sends a request to a DNS server, which we are more familiar with. For the most part, the DNS resolver service on Windows clients are basically ‘stub resolvers’ that rely on a recursive-enabled DNS server to resolve queries it is not aware of. Of course you can create resolver scripts to preform an interative query.

However, with a recursion request from a client to a DNS server, which as I mentioned above, is what we normally think of using the term ‘query,’ the DNS server will do its best to resolve it, either by using Stubs, Conditional or General Forwarder, or Root Hints, which is essentially an interative query to the Root Hints to devolve the namespace from the TLD backwards (such as from “com” to the second level name, etc), or a query to a Forwarder, if configured with a Forwarder, which is essentially a recursion request because technically it’s not an iterative request, even though the server repeats (iterates or re-iterates) when trying to find the answer.

You can make nslookup perform an iterative query by using the “norecurse” option (set norecurse). In this situation the DNS server will give its best response, without looking elsewhere other than its cache or zones its authoritative for.


To go further…

The following quote is a non-Microsoft definition, but it still applies, no matter what DNS server service is used. The quote was taken from:

“Since the DNS server called isn’t authoritative for a zone called and hasn’t recently communicated for any host that is authoritive for it, it begins a query of its own on the user’s behalf. The process of asking one or more queries in order to answer (resolve) other queries is called recursion.”

Does that make sense so far? 

So to further take it another step or to look at it in a different light…

Keep in mind, recursion is not necessarily resolution. The reasons is the process of following a chain of delegations from one set of content DNS servers to another, starting at some root servers, is termed “resolution”; as exemplified in section 6.3 of RFC 1034.  It is not termed “recursion”.  “Recursion” is something else. The official definition of “recursion” is the act of a server sending back-end queries (of _whatever_ sort) to another server. Both query resolution, where back-end queries are sent to content DNS servers, and forwarding, where back-end queries are sent to proxy DNS servers, are forms of recursion.


  • Resoluton can be provided many times from its own authoritative zones where no recursion involved.
  • A query can be resolved from its cache where no recursion involved (directly, because it’s in its cache).
  • By forwarding, with the forwardee doing the resolution where recursion is involved.
  • However if it forwards it out, it essentially becomes an interative query because it’s proxying the request elsewhere for the client, such as an indirect query for the client, but essentially this can be viewed as an recursive query by the DNS server itself acting as a recursive client.
  • Or DNS can perform the query resolution itself where recursion is involved. An example is when Forwarding is not enabled, and the DNS server uses the Root Hints, where essentially it’s querying the Roots in a recursive manner devolving the DNS name hierarchy from the TLD backwards.
  • And more…

 Got it?

I hope that was easy. Next week we’ll discuss helion particles (a-particle of the helium-3 nucleus) and their mass.


Non-Sequitar:  Windows Cache Poisoning Settings and Recursion Settings

Added 10/6/2010 – This stemmed from a discussion in the Microsoft forums when one was concerned with the Cache poisoning settings and recursion when the poster was told that it’s his recursion settings causing the false positive.

If you ever had an external security threat analysis performed and the results indicated that your DNS servers were open to DNS pollution and the fix was to disable recursion, this may not necessarily be necessary. This may not be an option in many scenarios, and it may not necessarily be the answer. Simply enable the “Secure cache against pollution” setting in DNS. Keep in mind, and to veer off topic for the moment, with Windows 2003 and newer,the  “Secure cache against pollution” is enabled by default. In Windows 2000, it needs to be set. I think that this setting should suffice for internal needs and prevent DNS pollution for the most part, and not necessarily affect DNS performance at the same time keeping it secure based on current vulnerabilities.
If “Do not use recursion for this domain” is enabled, the DNS server will pass the query on to forwarders, but will not recursively query any other DNS servers (e.g. external DNS servers or the Root Hints) if the forwarders cannot resolve the query. This setting pretty much disables Root Hints forcing it to only rely on the Forwarders.
If Disable recursion under the Advanced Tab is checked, (which this setting completely disables forwarders), the server will attempt to resolve a query from its own database only. It will not query any additional servers. This is normally set for content only nameservers, such as for web hosting companies that also host numerous domain names for their customers but don’t want anyone else to use it as a DNS server to resolve outside names.
If this is an internal DNS server and not exposed to the internet, “Secure cache against pollution” is set, and it’s not offering public nameserver services for any public records, I think you will be find and would leave it alone using the default settings.


Related Links on Recursive and Iterative Queries

Recursive and Iterative Queries – With a recursive name query, the DNS client requires that the DNS server respond to the client […]:

How DNS query works: Domain Name System(DNS)Jan 21, 2005 … As DNS servers process client queries using recursion or iteration, they discover and acquire a significant store of information about the …

Cool site with a scripted demo showing how it works and the differences between a recursive and interative query:
Recursive/Iterative Queries in DNS (Chapter 2)


Ace Fekay

Active Directory DNS Domain Name Single Label Names

Active Directory DNS Domain Name Single label names

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Originally Compiled 3/2005

Active Directory DNS Domain Name Single Label Name scenarios are slowly disappearing the more IT admins understand what they are. However, there are installations that are still plagued by this condition, whatever the original cause was, whether lack of research, planning or simply understanding AD’s DNS requirements. This article introduces what a single label name domain name is, and what can be done about it.


First, let’s discuss the FQDN. What is an FQDN?

It stands for “Fully Qualified Domain Name.” It is multi-level, or hierarchal, such as:

What is a Single Label DNS Domain name?
The name is reminscent of the legacy style NT4 domain NetBIOS domain names, such as:


The reason this does not work with DNS, which Active Directory relies on.


DNS is a hierarchal database. Some call it a “tree” with a root (the ‘com’ or ‘net’, etc, name), then the trunk (the ‘domain’ portion of it), and the branches (such as www, servername, etc). The Root domain name, such as com, edu, net, etc, is also known as the TLD (Tope Level Domain name).

Basically you can look at a DNS domain name as having multiple levels separated by periods. The minimal requirment for an FQDN domain name, such as, is two levels. Then of course are your resource names, such as www, servername, or even child domain names under it.

Notice with a single label name there is only one name for the domain, or one level? Don’t get this confused with the NetBIOS domain name, that we were familiar with in the NT4 days. AD supports the NetBIOS domain name as well, but only as a NetBIOS domain name. It’s one of the domain names chosen when a machine is promoted into a domain controller for a brand new domain in a brand new forest. NT4 wasn’t reliant nor did it use DNS for NT4 domains. However, AD is reliant, therefore it must follow DNS naming rules.

Unfortunately tHe old NT4 style names are not hierachal because there is only one level.
Since AD requires and relies on DNS, and DNS is a hierarchal database, a single lable name does not follow any sort of hierarchy. DNS fails with single label names. Windows 2008, Windows 2003, XP and Vista have problems resolving single label names because it does not follow the proper format for a DNS domain name, such as, etc.

Also, Windows 2000 SP4 and all newer machines have problems querying single label names. It’s explained below by Alan Woods. Because clients query DNS for AD resources (domain controller locations and other services), they may have difficulty finding resources.

How did it happen? Most cases it’s due to lack of research on AD’s DNS requirements, or how it works, or it could have been a simple typo, yet costly typo, when originally upgrading from NT4 or promoting your new AD domain.

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain (or any AD upgrade or installation):;en-us;555040


Single Label Name Explanation

Another variation of the Single Label Name explanation that I had provided in a response to a post in the DNS and/or AD newsgroups at one time:

The issue is the single label name. Locally at HQ, it’s using NetBIOS to join, however remotely, it’s relying on DNS. DNS queries do not work properly with single label names on Windows 2000 SP4 and all newer machines.
Period. Why? good question. It’s based on the fact DNS is hierachal. Hierarchal meaning it must have multi levels, a minimum of two levels.

The TLD (top level domain) is the root name, such as the com, net, etc, names. The client side resolver service algorithm (which is governed by the DHCP Client service which must be running on all machines, static or not),
relies on that name for the basis to find the second level name (the name “domain” in, etc). If the name is a single label name, it thinks THAT name is the TLD.

Therefore it then hits the Internet Root servers to find how owns and is authorative for that TLD.Such as when looking up It queries for the COM portion, which the roots return the nameservers responsible for the COM servers, then it queries for the servers responsible for microsoft.

If it’s a single label, the query ends there, and it won’t go further. However what is funny (sic) is that even though the single label name is being hosted locally in DNS, it will NOT query locally first, because it believes it is a TLD, therefore goes through the normal resolution (recursion and devolution) process, which causes excessive query traffic to the internet Root servers.

How to fix it? Good question. Glad you’ve asked.

1.  The preferred “fix” (in a one line summary), is to install a fresh new domain properly named and use ADMT to migrate user, group and computer accounts into the new domain from the current domain.

2. An alternative is to perform a domain rename, (difficulty depends on the operating system and which version of Exchange is installed).

3. As a temporary resort, you can use the patch/bandaid registry entry to force resolution and registration that is mentioned in the following link. This must be applied to every machine. Unfortunately it must be done on every machine in the domain, including the DCs, member servers, workstations and laptops.

Information About Configuring Windows 2000 for Domains with Single-Label DNS Names:


Microsoft’s Stance on Single Label Name AD DNS domain names.

The following is Microsoft’s stance on Single Label Names by Microsoft engineer Alan Woods.

Single label names, from Alan Woods, [MSFT], posted:

—– Original Message —–
From: “Alan Wood” [MSFT]
Newsgroups: microsoft.public.win2000.dns
Sent: Wednesday, January 07, 2004 1:25 PM
Subject: Re: Single label DNS

Hi Roger,

We really would prefer to use FQDN over Single labled. There are
alot of other issues that you can run into when using a Single labeled
domain name with other AD integrated products. Exchange would be a great
example. Also note that the DNR (DNS RESOLVER) was and is designed to
Devolve DNS requests to the LAST 2 names.

Example: Single Labeled domain .domainA
then, you add additional domains on the forest.

If a client in the domain Child2 wants to resolve a name in domainA
Example. Host.DomainA and uses the following to connect to a share
\\host then it is not going to resolve. WHY, because the resolver is
first going to query for first for Host.Child2.child1.domainA, then it
next try HOST.Child1.domainA at that point the Devolution process is
DONE. We only go to the LAST 2 Domain Names.

Also note that if you have a single labeled domain name it causes excess
DNS traffic on the ROOT HINTS servers and being all Good Internet Community
users we definitely do not want to do that.   NOTE that in Windows 2003,
you get a big Pop UP Error Message when trying to create a single labeled
name telling you DON’T DO IT.  It will still allow you to do it, but you
will still be required to make the registry changes, which is really not

Microsoft is seriously asking you to NOT do this.  We will support you but
it the end results could be limiting as an end results depending on the
services you are using.

Thank you,

Alan Wood[MSFT]


Related Articles

Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003:

DNS and AD (Windows 2000 & 2003) FAQ:

Naming conventions in Active Directory for computers, domains, sites, and OUs (Good article on DNS and other names)

Ace Fekay