Wondering if the takeown/icacls/del trick still work to screw up %windir%\system32 (via Patrick Doyle on Twitter)
Posted by jpluimers on 2026/05/07
A few years back this trick was shown to screw up %windir%\system32 [Wayback/Archive] Patrick Doyle on Twitter: “@SwiftOnSecurity @RoseAreaZero Delete any file in three easy steps: > takeown /F "example.ext" > icacls "example.ext" /grant "%USERNAME%":F > del "example.ext"“.
Like [Wayback/Archive] SwiftOnSecurity (@SwiftOnSecurity) / Twitter (see the long thread further below), I was expecting that Windows would either prevent you from doing this at all, or allow for easy recovery with System File Protection (now Source: Windows File Protection).
That didn’t prevent or recover it back then.
I wonder if that has been changed by now.
From the above Tweet:
Delete any file in three easy steps:> takeown /F "example.ext" > icacls "example.ext" /grant "%USERNAME%":F > del "example.ext"
followed by [Wayback/Archive] Patrick Doyle on Twitter: “@SwiftOnSecurity @RoseAreaZero I did it with “*.DLL” and restarted, whoops.”
Both were responses to [Wayback/Archive] SwiftOnSecurity on Twitter: “A great way to learn Windows is every day in the morning you open System32, delete a file, and see what happens.”
To which both reacted:
- [Wayback/Archive] SwiftOnSecurity on Twitter: “@KaoAtlantis @RoseAreaZero I thought System File Protection would have fixed this but I guess not.”
- [Wayback/Archive] Patrick Doyle on Twitter: “@SwiftOnSecurity @RoseAreaZero After trying it with *.DLL it prevented me from deleting some of the files, but clearly not enough. At least half of them were removed successfully.”
Thread
The [Wayback /Archive] Thread by @SwiftOnSecurity on Thread Reader App I promised starts at
[Wayback/Archive] SwiftOnSecurity on Twitter: “Patrick knows how to actually delete System32. Patrick is good at his job. (In seriousness, I thought Windows File Protection would have intervened for integrity, but who knows if they maintain that for new files anymore. Last time I saw that trigger was XP.)” then continues with [Wayback/Archive] SwiftOnSecurity on Twitter: “This is a GREAT example of how people like me, who think they know something about the integrity of a system based on experiences a decade+ ago can fall to people just… seeing if an assumption or folk knowledge is actually true. Prepare for a humbling.”.
After that, the thread really becomes interesting, so be sure to read it!
–jeroen
The Wiert Corner - irregular stream of stuff 
Leave a comment