Help with eradicating Flash.ocx

Like all the good little children, we’ve been studiously eradicating Flash from our systems. However, The All-Revered Vulnerability Scanner™ reports that files c:\windows\system32\Macromed\Flash\Flash.ocx are still there. And naturally, the blinking red lights must be satisfied.

However, it seems that these systems have remaining file permissions that have prevented the uninstaller from doing its full duty. Trimming the icacls output a bit…

C:\Windows\System32>icacls.exe Macromed
Macromed NT AUTHORITY\SYSTEM:(F)
         NT SERVICE\TrustedInstaller:(I)(F)
         NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
         NT AUTHORITY\SYSTEM:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
         BUILTIN\Administrators:(I)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
 
Successfully processed 1 files; Failed processing 0 files

C:\Windows\System32>icacls.exe Macromed\Flash
Macromed\Flash NT SERVICE\TrustedInstaller:(F)
               NT SERVICE\TrustedInstaller:(CI)(IO)(F)
               NT AUTHORITY\SYSTEM:(M)
               NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
               BUILTIN\Administrators:(M)
               BUILTIN\Administrators:(OI)(CI)(IO)(F)
 
Successfully processed 1 files; Failed processing 0 files

C:\Windows\System32>icacls.exe Macromed\Flash\Flash.ocx
Macromed\Flash\Flash.ocx NT SERVICE\TrustedInstaller:(F)
                         BUILTIN\Administrators:(RX)
                         NT AUTHORITY\SYSTEM:(RX)
 
Successfully processed 1 files; Failed processing 0 files

How to untangle these permissions so that BigFix, running as SYSTEM, can delete the bloody files? Between the mixture of limitations and inheritance, I can’t quite suss it out.

Thanks,
Andrew

I had to create a task with 2 actions, none of which are set to default. 32-bit is below; 64-bit has `action uses wow64 redirection false` at the top.

// Kill Browsers & Flash
waithidden taskkill.exe /im iexplore.exe /f
waithidden taskkill.exe /im firefox.exe /f
waithidden taskkill.exe /im chrome.exe /f
waithidden taskkill.exe /im plugin-container.exe /f
waithidden taskkill.exe /im "FlashUtil*" /f

// Change Ownership
waithidden cmd /C takeown /f "C:\Windows\System32\Macromed\Flash\Flash.ocx" /a

// Set SYSTEM access
waithidden cmd /C icacls.exe "C:\Windows\System32\Macromed\Flash\Flash.ocx" /grant SYSTEM:(D,WDAC)

// Enable inheritance
waithidden cmd /C icacls.exe "C:\Windows\System32\Macromed\Flash\Flash.ocx" /inheritance:E

// Now delete the files and folder
delete "C:\Windows\System32\Macromed\Flash\Flash.ocx"

folder delete "C:\Windows\System32\Macromed"

6 Likes
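To see why SYSTEM could not delete the file before the steps above, the following Python (added here as an illustration, not part of the thread or of BigFix) parses the icacls listings from the question and applies the NTFS rule that deleting a file needs DELETE on the file itself or FILE_DELETE_CHILD on its parent folder. The FIXED_OCX listing is constructed to show the file after the `/grant SYSTEM:(D,WDAC)` step; group membership, privileges such as SeTakeOwnershipPrivilege, and paths containing spaces are not handled.

```python
import re
# icacls rights abbreviations mapped to the two NTFS rights that decide whether a file can be deleted.
# Full (F) carries both; Modify (M) carries DELETE but not FILE_DELETE_CHILD; RX and R carry neither.
RIGHTS = {"F": {"DELETE", "DELETE_CHILD"}, "M": {"DELETE"}, "D": {"DELETE"}, "DE": {"DELETE"}, "DC": {"DELETE_CHILD"}}
def parse_icacls(listing):
    """Parse one icacls listing into ACE dicts (assumes the listed path contains no spaces)."""
    aces = []
    lines = [ln.strip() for ln in listing.splitlines() if ln.strip() and not ln.strip().startswith("Successfully")]
    for i, line in enumerate(lines):
        if i == 0:                                   # first line is '<path> <principal>:(flags)'
            line = line.split(" ", 1)[1]
        principal, _, flags = line.rpartition(":(")
        groups = re.findall(r"\(([^)]*)\)", "(" + flags)  # e.g. ['OI', 'CI', 'IO', 'F']
        rights = set().union(*(RIGHTS.get(t, set()) for t in groups[-1].split(",")))
        aces.append({"who": principal, "inherited": "I" in groups, "inherit_only": "IO" in groups,
                     "deny": "DENY" in groups, "rights": rights})
    return aces
def effective_rights(principal, aces):
    """Rights held on the object itself: non-inherit-only allows minus denies (groups not expanded)."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace["who"] == principal and not ace["inherit_only"]:
            (denied if ace["deny"] else allowed).update(ace["rights"])
    return allowed - denied
def explain_delete(principal, file_listing, folder_listing):
    """DeleteFile needs DELETE on the file or FILE_DELETE_CHILD on its parent: (can_delete, findings)."""
    file_aces = parse_icacls(file_listing)
    on_file = effective_rights(principal, file_aces)
    on_folder = effective_rights(principal, parse_icacls(folder_listing))
    findings = []
    if "DELETE" not in on_file:
        findings.append("no DELETE on the file")
    if "DELETE_CHILD" not in on_folder:
        findings.append("no FILE_DELETE_CHILD on the parent folder (Modify is not Full)")
    if not any(a["inherited"] for a in file_aces):
        findings.append("inheritance disabled on the file, so the folder's (OI)(IO) entries never reach it")
    return ("DELETE" in on_file or "DELETE_CHILD" in on_folder), findings

# Listings copied from the question above; FIXED_OCX is constructed to show the file after the
# accepted answer's 'icacls ... /grant SYSTEM:(D,WDAC)'.
FLASH_FOLDER = r"""Macromed\Flash NT SERVICE\TrustedInstaller:(F)
               NT SERVICE\TrustedInstaller:(CI)(IO)(F)
               NT AUTHORITY\SYSTEM:(M)
               NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
               BUILTIN\Administrators:(M)
               BUILTIN\Administrators:(OI)(CI)(IO)(F)"""
FLASH_OCX = r"""Macromed\Flash\Flash.ocx NT SERVICE\TrustedInstaller:(F)
                         BUILTIN\Administrators:(RX)
                         NT AUTHORITY\SYSTEM:(RX)"""
FIXED_OCX = FLASH_OCX + "\n" + r"NT AUTHORITY\SYSTEM:(D,WDAC)"
```

Run `explain_delete(r"NT AUTHORITY\SYSTEM", FLASH_OCX, FLASH_FOLDER)` to get the three findings; with FIXED_OCX the first finding disappears and deletion is allowed.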

Sweet! This looks perfect. Thank you!

-Andrew

FWIW, I’ve adapted it to a single action. The folder delete never worked in my tests, so I removed it.

// Kill Browsers & Flash
waithidden taskkill.exe /im iexplore.exe /f
waithidden taskkill.exe /im firefox.exe /f
waithidden taskkill.exe /im chrome.exe /f
waithidden taskkill.exe /im plugin-container.exe /f
waithidden taskkill.exe /im "FlashUtil*" /f

// << 64BIT ONLY
if {x64 of operating system}
	action uses wow64 redirection false
	// Change Ownership
	waithidden cmd /C takeown /f "C:\Windows\System32\Macromed\Flash\Flash.ocx" /a
	// Set SYSTEM access
	waithidden cmd /C icacls.exe "C:\Windows\System32\Macromed\Flash\Flash.ocx" /grant SYSTEM:(D,WDAC)
	// Enable inheritance
	waithidden cmd /C icacls.exe "C:\Windows\System32\Macromed\Flash\Flash.ocx" /inheritance:E
	// Now delete the file
	delete "C:\Windows\System32\Macromed\Flash\Flash.ocx"
	action uses wow64 redirection true
endif
// >> 64BIT ONLY

// << ALL SYSTEMS
// Change Ownership
waithidden cmd /C takeown /f "C:\Windows\System32\Macromed\Flash\Flash.ocx" /a
// Set SYSTEM access
waithidden cmd /C icacls.exe "C:\Windows\System32\Macromed\Flash\Flash.ocx" /grant SYSTEM:(D,WDAC)
// Enable inheritance
waithidden cmd /C icacls.exe "C:\Windows\System32\Macromed\Flash\Flash.ocx" /inheritance:E
// Now delete the file
delete "C:\Windows\System32\Macromed\Flash\Flash.ocx"
// >> ALL SYSTEMS

6 Likes

Wanted to post this here in case others may have a similar issue. We recently found that after running the commands to remove files AND the Macromed\Flash folder, some of our Windows 2012 and Windows 2012R2 servers would stop having patches applied.

The BigFix action to install the patch comes back as Complete. After a reboot of the server and for a period of time (seems like an evaluation cycle) the patches are Not Relevant. Then they become relevant again. This is very difficult to determine with Action Status as well as Action History unless you then compare that with Relevant patches after a period of time following a reboot.

https://docs.microsoft.com/en-us/answers/questions/478073/unable-to-install-july-2021-rollup-patches-on-wind.html

Per the link, I have created content to create/recreate the Macromed\Flash folder in System32 and SysWOW64. Attempted patching with reboots, and this seems to have corrected the issue.

4 Likes

I’m fairly certain that there have been others here in the forums that have had similar patch failures. This is really good detective work.

1 Like