Have you ever noticed that sometimes, when you install a hotfix in Windows, you're told that the file will be replaced after the system reboots? That's because the file can't be replaced while it's in use. So Windows offers a MoveFileEx API just for this purpose. The Session Manager is responsible for managing this task by reading the registered rename and delete commands from the registry. The specific location is HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.

Microsoft offers a couple of tools -- PendMoves and MoveFile -- that work hand-in-hand with and take advantage of the MoveFileEx API. Mark Russinovich wrote these tools for Sysinternals.

To use MoveFile to schedule move and delete commands for the next startup, use the following syntax:

C:\> movefile [source] [dest]

For example, to move a file called report.xls to a folder named Finance use the syntax:

C:\> movefile report.xls Finance\report.xls

The file will be moved the next time your computer is rebooted.

If you want to get rid of a malicious file that won't allow you to delete it, the MoveFile utility will come handy. Simply specify an empty destination (""). By using these quotes with no text between them, the source file is deleted at reboot; because the destination is empty, the file won't be moved to another location on your hard drive and cause problems. It will be sent to the bit bucket and be gone forever.

The PendMoves utility displays moves and deletions that have been scheduled. For example, if you want to view the files that have been configured for move at startup, type "pendmoves" (without the quotes) at the command prompt without any parameters and it'll display the full path of the source and target locations.

The PendMoves and MoveFile tools can be downloaded from Microsoft here.