This commit improve cleanup of temporary directories on Windows, addressing issues #176 and #89. Changes include: - Fix side-effects caused by this script by clearing the contents of directories rather than deleting the directories themselves. - Add the removal of Prefetch directory contents, which stores temporary files and can enhance privacy and free up disk space when cleared. - Remove the command `del /f /q %localappdata%\Temp\*` due to its redundancy. - Improve the granularity and documentation of cleanup scripts, and moving the `Clear temporary Windows files` category up in the hierarchy for better structure and clarity. Co-authored-by: iam-py-test <84232764+iam-py-test@users.noreply.github.com>
This commit is contained in:
undergroundwires
@@ -452,6 +452,129 @@ actions:
|
||||
rd /s /q "%USERPROFILE%\Local Settings\Application Data\Apple Computer\Safari"
|
||||
:: Windows Vista and later
|
||||
rd /s /q "%AppData%\Apple Computer\Safari"
|
||||
-
|
||||
category: Clear temporary Windows files
|
||||
docs: |-
|
||||
This category covers removal of temporary Windows files.
|
||||
|
||||
It is recommended to clean these files as they can be used for unauthorized analysis of user behavior and system usage [1].
|
||||
They may also potentially host malicious software [2] [3].
|
||||
Eliminating these files significantly enhances the security and privacy of the system.
|
||||
|
||||
Microsoft advises this cleanup for enhanced security [2]. Besides enhancing security, removing these files also frees up disk space.
|
||||
However, removing temporary files might lead to a slight delay in initial application/system load times.
|
||||
|
||||
By regularly clearing these files, users reduce the chance of malware residing [2] [3] in these folders and prevent the unauthorized
|
||||
use of their information for forensic analysis [1], serving as a simple and effective strategy for maintaining a secure and private system environment.
|
||||
|
||||
[1]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
|
||||
[2]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
|
||||
[3]: https://web.archive.org/web/20231001145930/https://nvd.nist.gov/vuln/detail/CVE-2019-11644 "NVD - CVE-2019-11644 | nist.gov"
|
||||
children:
|
||||
-
|
||||
name: Clear temporary system folder
|
||||
recommend: standard
|
||||
docs: |-
|
||||
This script eliminates the contents of the `%WINDIR%\Temp\` directory, also known as the Windows Temp directory [1].
|
||||
This directory is located within the Windows system folder `%SystemDrive%\Windows\Temp\` [1] [2].
|
||||
It is used by the system and system-level processes to store temporary files, including those generated by the operating
|
||||
system and other system-level software.
|
||||
|
||||
This folder, protected by specific access control lists (ACL) [3] [4], is accessible only to system-level accounts [2].
|
||||
|
||||
Known for being utilized by malware, cleaning this directory is recommended for maintaining system security [2] [5]. Moreover,
|
||||
it's used for forensics to analyze user behavior [6], thus raising privacy concerns.
|
||||
|
||||
Microsoft underscores the importance of cleaning this folder to free up disk space [7], resolve system application issues [1] [8] [9],
|
||||
and counteract malware [2]. Some system applications may populate this folder, taking up considerable disk space [7] [9] [10].
|
||||
|
||||
This script only deletes the contents of the `%WINDIR%\Temp\` directory, not the directory itself, to maintain system integrity,
|
||||
security, and privacy, avoiding potential issues caused by unintentional directory deletion without proper ACL. Deleting the directory
|
||||
itself might disrupt certain applications, such as `dism` [11], and application installers [12], while also removing the special ACL
|
||||
that secures the folder.
|
||||
|
||||
[1]: https://web.archive.org/web/20231001145018/https://learn.microsoft.com/en-us/troubleshoot/windows-server/deployment/error-0x800f0922-uninstall-role-feature "Error 0x800f0922 when you uninstall roles - Windows Server | Microsoft Learn"
|
||||
[2]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
|
||||
[3]: https://web.archive.org/web/20231001145051/https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/enabling-postmortem-debugging#window-sysinternals-procdump "Enabling Postmortem Debugging - Windows drivers | Microsoft Learn"
|
||||
[4]: https://web.archive.org/web/20231001150053/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892%28v=vs.85%29 "About User Profiles (Windows) | Microsoft Learn"
|
||||
[5]: https://web.archive.org/web/20231001145930/https://nvd.nist.gov/vuln/detail/CVE-2019-11644 "NVD - CVE-2019-11644 | nist.gov"
|
||||
[6]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
|
||||
[7]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
|
||||
[8]: https://web.archive.org/web/20231001150108/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/adr-updates-download-failure "Automatic deployment rule (ADR) fails to download updates - Configuration Manager | Microsoft Learn"
|
||||
[9]: https://web.archive.org/web/20231001150158/https://support.microsoft.com/en-us/topic/error-message-112-setup-is-unable-to-decompress-and-copy-all-the-program-files-c8dadf2a-4e7e-11bf-6543-ab5560b7fc19 'Error Message 112 "Setup Is Unable to Decompress and Copy All the Program Files" - Microsoft Support'
|
||||
[10]: https://web.archive.org/web/20231001150233/https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/unifiedcontent-folder-fills-up-drive "Exchange UnifiedContent folder fills up the drive - Exchange | Microsoft Learn"
|
||||
[11]: https://github.com/undergroundwires/privacy.sexy/pull/176 "Do not delete temp dirs by iam-py-test · Pull Request #176 · undergroundwires/privacy.sexy"
|
||||
[12]: https://github.com/undergroundwires/privacy.sexy/issues/89 "Some installer failed to installer · Issue #89 · undergroundwires/privacy.sexy"
|
||||
code: del /s /f /q "%WINDIR%\Temp\*"
|
||||
-
|
||||
name: Clear temporary user folder
|
||||
recommend: standard
|
||||
docs: |-
|
||||
This script deles the contents of the `%TEMP%\` (or `%LocalAppData%\Temp\` [1], `%TMP%\` [2]) directory, used by applications
|
||||
and processes to store temporary files. This directory is situated within the user profile
|
||||
`%SystemDrive%\Users\<username>\AppData\Local\Temp` [1] [2] [3]. Only the respective profile user can read and write to this folder [4].
|
||||
|
||||
This folder's usage for understanding user behavior in forensics [5] raises privacy concerns. Its content deletion, a regular operation performed
|
||||
by Windows system tools like SilentCleanup (`cleanmgr.exe`) or Storage Sense (`storsvc.exe`) [8], does not harm the system. On cloud machines,
|
||||
Microsoft does not retain contents of this directory and conducts automatic clean-ups to prevent data accumulation [6].
|
||||
|
||||
This script, while removing the contents, retains the directory to preserve the access control list (ACL) assigned by Microsoft [7], preventing potential
|
||||
misconfigurations due to unintentional folder creation without proper ACL.
|
||||
|
||||
Microsoft recommends cleaning this folder to free disk space [8] and eliminate potential malware [9].
|
||||
|
||||
Post-script execution, a reboot is recommended to ensure smooth application functionality accessing `%TEMP%` [8].
|
||||
|
||||
[1]: https://github.com/undergroundwires/privacy.sexy/pull/176 "Do not delete temp dirs by iam-py-test · Pull Request #176 · undergroundwires/privacy.sexy"
|
||||
[2]: https://web.archive.org/web/20231001150554/https://learn.microsoft.com/en-us/windows/deployment/usmt/usmt-recognized-environment-variables "Recognized environment variables - Windows Deployment | Microsoft Learn"
|
||||
[3]: https://web.archive.org/web/20231001150603/https://learn.microsoft.com/en-us/dotnet/api/system.io.path.gettemppath?view=net-7.0#examples "Path.GetTempPath Method (System.IO) | Microsoft Learn"
|
||||
[4]: https://web.archive.org/web/20231001150917/https://learn.microsoft.com/en-us/windows/win32/shell/about-user-profiles "About User Profiles - Win32 apps | Microsoft Learn"
|
||||
[5]: https://web.archive.org/web/20231001145651/https://s3.wp.wsu.edu/uploads/sites/3267/2022/05/Part2-DiskForensics.pdf "Disk Forensics | Montana State University"
|
||||
[6]: https://web.archive.org/web/20231001150713/https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-troubleshoot-default-temp-folder-size-too-small-web-worker-role "Default TEMP folder size is too small for a role | Microsoft Learn"
|
||||
[7]: https://web.archive.org/web/20231001150053/https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/bb776892%28v=vs.85%29 "About User Profiles (Windows) | Microsoft Learn"
|
||||
[8]: https://web.archive.org/save/https://learn.microsoft.com/en-us/troubleshoot/windows-server/shell-experience/temp-folder-with-logon-session-id-deleted "The %TEMP% folder with logon session ID is deleted - Windows Server | Microsoft Learn"
|
||||
[9]: https://web.archive.org/web/20231001145035/https://devblogs.microsoft.com/scripting/weekend-scripter-use-powershell-to-clean-out-temp-folders/ "Weekend Scripter: Use PowerShell to Clean Out Temp Folders - Scripting Blog | microsoft.com"
|
||||
code: del /s /f /q "%TEMP%\*"
|
||||
-
|
||||
name: Clear prefetch folder
|
||||
recommend: standard
|
||||
docs: |-
|
||||
This script deletes the contents of `%WINDIR%\Prefetch\*`, typically pointing to `C:\Windows\Prefetch\` [1] [2].
|
||||
|
||||
**What is Prefetch?**
|
||||
|
||||
Introduced in Windows XP [2], Prefetch was developed by Windows to expedite application startup [1] and the boot process [1] [2].
|
||||
It works by preemptively loading data and code pages into memory from the disk before requests [2], monitoring application's startup
|
||||
page faults [2], and storing the gathered data in the Prefetch directory [2].
|
||||
|
||||
**Why Clear the Prefetch Directory?**
|
||||
|
||||
Over time, many files accumulate in the Prefetch directory. Clearing this directory enhances privacy and potentially frees disk space
|
||||
by removing traces of recently used applications and files in the system, making unauthorized tracking of application usage more difficult.
|
||||
Despite its design for improving application startup times [1], Prefetch can inadvertently expose information about the applications and files
|
||||
accessed on the system [1]. Clearing the Prefetch directory addresses this issue by eliminating these traces.
|
||||
|
||||
Microsoft suggests deleting the Prefetch directory and its contents if significant system configuration changes occur, like adjustments to drivers,
|
||||
services, or applications that start automatically [3]. This action eradicates any outdated prefetched data [3], ensuring that the system operates
|
||||
with the most up-to-date and relevant data for application startups [3].
|
||||
|
||||
The files in the Prefetch directory are used for forensic purposes [4] [5], adding to the privacy concerns. They reveal information about application usage,
|
||||
including data layout [4], access history on disk [4], last execution time [5], and the total number of times an application has been run [5]. Additionally,
|
||||
they contain historical process information such as loaded libraries and process dependencies [6]. Erasing these files mitigates the risk of
|
||||
this information being used for unauthorized tracking or analysis, improving your privacy.
|
||||
|
||||
**Trade-Off**
|
||||
|
||||
Clearing the Prefetch might cause a minor delay in application startup times until the necessary data is regenerated as applications are used again [2].
|
||||
This is a compromise for heightened privacy and potentially freed disk space.
|
||||
|
||||
[1]: https://web.archive.org/web/20231001151015/https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices "Take response actions on a device in Microsoft Defender for Endpoint | Microsoft Learn"
|
||||
[2]: https://web.archive.org/web/20231001151029/https://learn.microsoft.com/en-us/sysinternals/resources/archive/v03n02#windows-xp-prefetching "Sysinternals Newsletter Vol. 3, No. 2 - Sysinternals | Microsoft Learn"
|
||||
[3]: https://web.archive.org/web/20230829142700/https://download.microsoft.com/download/7/e/7/7e7662cf-cbea-470b-a97e-ce7ce0d98dc2/win7perf.docx "Performance Testing Guide for Windows | Microsoft"
|
||||
[4]: https://web.archive.org/web/20231001151107/https://ccsweb.lanl.gov/~kei/mypubbib/papers/TOS_13_diskseen.pdf "A Prefetching Scheme Exploiting both Data Layout and Access History on Disk | ccsweb.lanl.gov"
|
||||
[5]: https://web.archive.org/web/20231001151150/https://www.justice.gov/sites/default/files/usao/legacy/2008/02/04/usab5601.pdf "Computer Forensics | justice.gov"
|
||||
[6]: https://web.archive.org/web/20231001151207/https://par.nsf.gov/servlets/purl/10333089 "Malware Family Classification via Residual Prefetch Artifacts | par.nsf.gov"
|
||||
code: del /s /f /q "%WINDIR%\Prefetch\*"
|
||||
-
|
||||
category: Clear Windows logs & caches
|
||||
children:
|
||||
@@ -576,13 +699,6 @@ actions:
|
||||
-
|
||||
name: Disk Cleanup tool (Cleanmgr.exe) Logs
|
||||
code: del /f /q "%SystemRoot%\System32\LogFiles\setupcln\*"
|
||||
-
|
||||
name: Clear Windows temp files
|
||||
recommend: standard
|
||||
code: |-
|
||||
del /f /q %localappdata%\Temp\*
|
||||
rd /s /q "%WINDIR%\Temp"
|
||||
rd /s /q "%TEMP%"
|
||||
-
|
||||
name: Clear main telemetry file
|
||||
recommend: standard
|
||||
@@ -5212,7 +5328,7 @@ actions:
|
||||
[2]: https://web.archive.org/web/20230711221240/https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/update-management/troubleshoot-software-update-scan-failures "Troubleshoot software update scan failures - Configuration Manager | Microsoft Learn"
|
||||
[3]: https://web.archive.org/web/20230905120348/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-devices-fail-boot-after-installing-kb4041676-kb4041691 "Windows devices may fail to boot after installing October 10 version of KB 4041676 or 4041691 that contained a publishing issue - Windows Client | Microsoft Learn"
|
||||
[4]: https://web.archive.org/web/20230905120345/https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-servicing "Patching Server Core | Microsoft Learn"
|
||||
[5]: https://web.archive.org/web/20230905120445/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Security guidelines for system services in Windows Server 2016 | Microsoft Learn"
|
||||
[5]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
|
||||
call:
|
||||
function: DisableService
|
||||
parameters:
|
||||
@@ -5236,7 +5352,7 @@ actions:
|
||||
|
||||
[1]: https://web.archive.org/web/20230905120757/https://learn.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server "Security guidelines for system services in Windows Server 2016 | Microsoft Learn"
|
||||
[2]: https://web.archive.org/web/20230905120348/https://learn.microsoft.com/en-us/troubleshoot/windows-client/performance/windows-devices-fail-boot-after-installing-kb4041676-kb4041691 "Windows devices may fail to boot after installing October 10 version of KB 4041676 or 4041691 that contained a publishing issue - Windows Client | Microsoft Learn"
|
||||
[3]: https://web.archive.org/web/20230905120445/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Security guidelines for system services in Windows Server 2016 | Microsoft Learn"
|
||||
[3]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
|
||||
call:
|
||||
function: DisableService
|
||||
parameters:
|
||||
@@ -5259,7 +5375,7 @@ actions:
|
||||
way to strengthen both your privacy and your control over your computer.
|
||||
|
||||
[1]: https://web.archive.org/web/20230905120805/https://support.microsoft.com/en-us/topic/kb5005322-some-devices-cannot-install-new-updates-after-installing-kb5003214-may-25-2021-and-kb5003690-june-21-2021-66edf7cf-5d3c-401f-bd32-49865343144f "KB5005322—Some devices cannot install new updates after installing KB5003214 (May 25, 2021) and KB5003690 (June 21, 2021) - Microsoft Support"
|
||||
[2]: https://web.archive.org/web/20230905120445/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Security guidelines for system services in Windows Server 2016 | Microsoft Learn"
|
||||
[2]: https://web.archive.org/web/20231001150100/https://learn.microsoft.com/en-us/windows/deployment/update/prepare-deploy-windows "Prepare to deploy Windows - Windows Deployment | Microsoft Learn"
|
||||
[3]: https://web.archive.org/web/20230905120815/https://learn.microsoft.com/en-us/windows/iot/iot-enterprise/optimize/services "Guidance on disabling system services on Windows IoT Enterprise | Microsoft Learn"
|
||||
[4]: https://github.com/undergroundwires/privacy.sexy/issues/252
|
||||
call:
|
||||
|
||||
Reference in New Issue
Block a user