
Overview

The delenv action removes environment variables from local and remote systems using the Win32_Environment WMI class. This is essential for cleanup after operations and removing persistence markers.

Syntax

SharpWMI.exe action=delenv name=VARIABLE_NAME [computername=HOST[,HOST2,...]] [username=DOMAIN\user] [password=Password]

Parameters

Parameter     Required  Description
action        Yes       Must be delenv
name          Yes       Environment variable name to delete
computername  No        Target host(s), comma-separated. Defaults to localhost
username      No        Username for authentication
password      No        Password for authentication

Usage Examples

SharpWMI.exe action=delenv name=TEST

Operational Use Cases

Scenario 1: Cleanup After Operations

# 1. Use variable for operation
SharpWMI.exe action=setenv name=TEMP_DATA value="<operational_data>" computername=target.domain.com

# 2. Execute using the variable
SharpWMI.exe action=exec computername=target.domain.com command="payload.exe"

# 3. Clean up
SharpWMI.exe action=delenv name=TEMP_DATA computername=target.domain.com

Scenario 2: Remove Command Output

# Command output was stored in environment variable (via exec with result=true)
# Clean up after retrieval
SharpWMI.exe action=delenv name=_Context123456 computername=target.domain.com
SharpWMI automatically cleans up environment variables used for command output retrieval. Manual cleanup is only needed if operations fail or for custom variables.

Scenario 3: Remove Persistence Markers

# Remove indicators of compromise
SharpWMI.exe action=delenv name=SYSTEM_ID computername=target.domain.com
SharpWMI.exe action=delenv name=C2_SERVER computername=target.domain.com
SharpWMI.exe action=delenv name=IMPLANT_CONFIG computername=target.domain.com

Scenario 4: Batch Cleanup

# Clean up across multiple systems
SharpWMI.exe action=delenv name=BUILD_NUMBER computername=ws01,ws02,ws03,ws04 username="DOMAIN\admin" password="Password123!"

User Context

The delenv action deletes variables in the user context. Variables must match both name and username to be deleted.
Variables are user-specific:
  • System variables require SYSTEM context
  • User variables are tied to specific username
  • Cannot delete other users’ variables without proper context

Remote vs Local Usage

Local Delete

SharpWMI.exe action=delenv name=TEST

Use for:
  • Local cleanup
  • Testing
  • Post-operation tidying

Detection Considerations

  • Win32_Environment class deletions
      • Event ID 5857: WMI activity
      • Sysmon Event ID 19-21: WMI operations
  • Environment variable removal
      • Registry deletions in environment key
      • HKCU\Environment changes
      • Event ID 4657: Registry value modification/deletion
  • Suspicious variable deletion
      • Bulk deletion operations
      • Deletion of recently created variables
      • Cleanup correlated with other activity
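Detection logic for the registry-side signals listed above (Event ID 4657 value deletions under an Environment key, and bulk deletion by a single principal), as an added example that is not part of SharpWMI or its documentation. The 4657 records are constructed, and the WmiPrvSE.exe process path is an assumption about which process hosts the Win32_Environment provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Sample records modelled on Security Event ID 4657 (registry value change).
# All values below are constructed for this example, not captured from a host.
def _rec(t, user, proc, key, value, op):
    return {"TimeCreated": t, "SubjectUserName": user, "ProcessName": proc,
            "ObjectName": key, "ObjectValueName": value, "OperationType": op}

WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"  # assumed host process of the Win32_Environment provider
USER_ENV = r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Environment"
MACHINE_ENV = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
SAMPLE_EVENTS = [
    _rec("2024-05-01T10:00:01", "admin", WMIPRVSE, USER_ENV, "CONFIG", "Registry value deleted"),
    _rec("2024-05-01T10:00:09", "admin", WMIPRVSE, USER_ENV, "API_KEY", "Registry value deleted"),
    _rec("2024-05-01T10:00:20", "admin", WMIPRVSE, USER_ENV, "PAYLOAD", "Registry value deleted"),
    _rec("2024-05-01T10:03:00", "alice", r"C:\Windows\explorer.exe", USER_ENV, "Path", "Registry value modified"),
    _rec("2024-05-01T11:30:00", "svc_build", r"C:\Windows\System32\reg.exe", MACHINE_ENV, "BUILD_NUMBER", "Registry value deleted"),
]

BULK_THRESHOLD = 3                  # deletions by one (user, process) pair ...
BULK_WINDOW = timedelta(minutes=5)  # ... inside this interval count as bulk cleanup

def is_env_value_deletion(ev):
    """True for a record that deletes a value under a user or machine Environment key."""
    return (ev["OperationType"] == "Registry value deleted"
            and ev["ObjectName"].lower().endswith("\\environment"))

def find_env_deletions(events):
    """All environment-value deletions, oldest first (ISO timestamps sort lexically)."""
    return sorted((e for e in events if is_env_value_deletion(e)), key=lambda e: e["TimeCreated"])

def detect_bulk_deletions(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Flag each (user, process) pair that deletes >= threshold env values within window."""
    groups = defaultdict(list)
    for ev in find_env_deletions(events):
        groups[(ev["SubjectUserName"], ev["ProcessName"])].append(ev)
    alerts = []
    for (user, proc), evs in groups.items():
        times = [datetime.fromisoformat(e["TimeCreated"]) for e in evs]
        for i in range(len(evs)):
            j = i  # advance j to the first event outside the window that starts at i
            while j < len(evs) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"user": user, "process": proc,
                               "values": [e["ObjectValueName"] for e in evs[i:j]]})
                break  # one alert per pair is enough
    return alerts
```

Feeding real 4657 records into the same functions only requires mapping the event XML fields to the dictionary keys used here; a single deletion of a long-lived variable is ordinary administration, so the bulk rule is what separates cleanup from noise.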

Best Practices

Always Clean Up

  • Remove variables after use
  • Don’t leave indicators
  • Clean up on operation failure
  • Automate cleanup in scripts

Verify Deletion

  • Confirm variable was deleted
  • Check with getenv action
  • Handle errors gracefully
  • Log cleanup operations

Operational Security

  • Clean up immediately after use
  • Don’t leave data in environment
  • Remove all custom variables
  • Check for orphaned variables

Error Handling

  • Handle variable not found
  • Verify admin privileges
  • Account for permission issues
  • Retry on failure

Cleanup Workflow

Complete cleanup example:
# 1. List all custom variables
SharpWMI.exe action=getenv computername=target.domain.com

# 2. Delete custom variables
SharpWMI.exe action=delenv name=CONFIG computername=target.domain.com
SharpWMI.exe action=delenv name=API_KEY computername=target.domain.com
SharpWMI.exe action=delenv name=PAYLOAD computername=target.domain.com

# 3. Verify deletion
SharpWMI.exe action=getenv name=CONFIG computername=target.domain.com

Troubleshooting

Cause: Variable doesn’t exist or wrong user context
Solution:
  • Verify variable exists with getenv
  • Check variable name spelling
  • Ensure correct user context
  • Variable may have been already deleted

Cause: Insufficient privileges
Solution:
  • Use username and password parameters
  • Verify admin rights on target
  • Check UAC remote restrictions
  • May need SYSTEM context for system variables

Cause: Trying to delete another user’s variable
Solution:
  • Variables are user-specific
  • Must authenticate as that user
  • Or use SYSTEM context
  • Cannot delete other users’ variables directly

Alternative Methods

# Delete using exec action with PowerShell
SharpWMI.exe action=exec computername=target command="powershell -c \"[Environment]::SetEnvironmentVariable('VARNAME',$null,'User')\"" result=true
# Delete using registry
SharpWMI.exe action=exec computername=target command="reg delete HKCU\Environment /v VARNAME /f" result=true

Verification

After deletion, verify the variable is gone:
# Check if variable still exists
SharpWMI.exe action=getenv name=VARNAME computername=target.domain.com

# Should return no results or "Variable not found"