Creating a file Windows can't delete
A friend at a user group meeting showed me a "trick" many years ago to create a file that Windows doesn't think should exist. The "trick" uses the Win32 device namespace to create files whose names are reserved in the file namespace (such as LPT1, CON, COM1, AUX and NUL). Once such a file exists, Windows does not know how to delete it (you reverse the "trick" to delete it). A regular user can create these files using this method, and afterwards a Windows user (with or without Admin privileges) doesn't have the ability to delete the file. Now fast forward to today, when persistence of a malicious script, code or file might be something an attacker would want to ensure: wouldn't a file that Windows can't delete be potentially valuable?
I have been learning more about this over the past 6 months while delivering Microsoft 365 Tech Series seminars, and only a handful of the highly technical people in the audience are even aware of this technique. After the demonstration I ask, "why would Microsoft not have fixed this?" The answers range widely, but I believe they boil down to "no one has used this maliciously up to this point".
Windows 10 S or the upcoming Windows 10 Pro in S Mode does not allow this "trick" to create a file Windows can't delete.
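As an added example (not code from the post), here is a small Python scanner a defender can run over a drop location to flag files whose names Win32 treats as device names, and to delete them through the `\\?\` extended-path prefix, the documented Win32 mechanism that turns off device-name parsing. The post does not spell out how the "trick" is reversed; that this prefix is what it refers to is an assumption, and the sample listing is constructed.

```python
import os
from typing import Iterable, List

# Names the Win32 path parser treats as devices, in any case and with any
# extension (MS-DOS legacy): CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(name: str) -> bool:
    # Only the part before the first '.' counts (so CON.txt resolves to CON),
    # trailing spaces and dots are ignored, and the comparison is case-insensitive.
    stem = name.split(".", 1)[0].rstrip(" .").upper()
    return stem in RESERVED_DEVICE_NAMES


def find_reserved_names(entries: Iterable[str]) -> List[str]:
    # Filter one directory listing down to the entries carrying a device name.
    return [entry for entry in entries if is_reserved_device_name(entry)]


def extended_path(directory: str, name: str) -> str:
    # Build a \\?\-prefixed path so Win32 skips device-name parsing and the
    # entry can be opened or deleted like any other file. 'directory' must be
    # absolute. Do NOT run the joined path through os.path.abspath: the
    # underlying GetFullPathName call rewrites a name such as 'con' into the
    # device path \\.\con, which is exactly the resolution we are avoiding.
    directory = directory.rstrip("\\")
    if directory.startswith("\\\\?\\"):
        return directory + "\\" + name
    if directory.startswith("\\\\"):  # UNC share -> \\?\UNC\server\share\...
        return "\\\\?\\UNC\\" + directory[2:] + "\\" + name
    return "\\\\?\\" + directory + "\\" + name


def scan_tree(root: str) -> List[str]:
    # Directory listing works normally for these files; only opening or
    # deleting them by their plain path fails, so a walk finds them fine.
    hits: List[str] = []
    for dirpath, _subdirs, filenames in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in find_reserved_names(filenames))
    return hits


def remove_reserved_file(directory: str, name: str) -> None:
    # Delete a reserved-name file by its extended path (Windows only).
    os.remove(extended_path(directory, name))


# Constructed sample listing: a reserved-name drop sitting among ordinary files.
SAMPLE_LISTING = ["readme.txt", "con", "NUL.txt", "console.log", "lpt1.dll", "com10.exe", "aux."]

if __name__ == "__main__":
    print(find_reserved_names(SAMPLE_LISTING))  # ['con', 'NUL.txt', 'lpt1.dll', 'aux.']
```

Note that `console.log` and `com10.exe` are not flagged: only the exact device names (and COM/LPT 1 to 9) are reserved, so a scanner keyed on a substring match would produce false positives.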
The other story I share is the SYSKEY story. SYSKEY has been part of Windows for a long time; I learned about it around the Windows 3.1 or 95 timeframe. The utility encrypts the local SAM (Security Accounts Management) database and lets you set a password that must be typed in before you get to a logon screen or into the operating system.
What a lot of phishing scammers do once they get someone to give them remote control of their PC is try to show them what is "wrong" with their computer (typically in Event Viewer, explaining that every warning in it is "bad" and "slowing down" the computer). If they can't get you to buy their software or speed/PC tune-up service, a lot of the time they run SYSKEY, set a password only they know (a poor or amateur attempt at ransomware, because the file system and files aren't encrypted) and then disconnect. The next time the user restarts, they are prompted for a password they do not know.
Because SYSKEY had been used in this way, Microsoft decided to pull it from Windows 10 version 1709 (so the program is no longer part of Windows going forward). If this other old-school technique finds its way into malicious software, you can bet it will go to the top of the security pile and programmers will deal with it. If it continues to be an obscure reference from the past, it will likely continue into the future. Windows 10 S or the upcoming Windows 10 Pro in S Mode, do not all