日本語 | 中文 | Español | Français | हिन्दी | Italiano | Português (BR)
MCP server that finds and safely removes "undeletable" files on Windows.
Windows reserves device names like CON, PRN, AUX, NUL, COM1-COM9, and LPT1-LPT9 at the Win32 layer. Files with these names can exist on NTFS (created via WSL, Linux tools, or low-level APIs) but become impossible to rename, move, or delete through Explorer or normal shell commands.
NullOut scans for these hazardous entries and removes them safely using the \\?\ extended path namespace, with a two-phase confirmation workflow designed for MCP hosts.
- Scan an allowlisted directory for reserved-name collisions, trailing dots/spaces, and overlong paths
- Plan the cleanup — NullOut generates a per-entry confirmation token bound to the file's identity (volume serial + file ID)
- Delete with the token — NullOut re-verifies the file hasn't changed (TOCTOU protection) before removing it via extended namespace
- Allowlisted roots only — operations are confined to directories you explicitly configure
- No raw paths in destructive calls — delete accepts only server-issued finding IDs + confirmation tokens
- deny_all reparse policy — junctions, symlinks, and mount points are never traversed or deleted
- File identity binding — tokens are HMAC-signed and bound to volume serial + file ID; any change between scan and delete is rejected
- Empty-only directories — v1 refuses to delete non-empty directories
- Structured errors — every failure returns a machine-readable code with next-step suggestions
| Tool | Type | Purpose |
|---|---|---|
list_allowed_roots |
read-only | Show configured scan roots |
scan_reserved_names |
read-only | Find hazardous entries in a root |
get_finding |
read-only | Get full details for a finding |
plan_cleanup |
read-only | Generate deletion plan with confirmation tokens |
delete_entry |
destructive | Delete a file or empty directory (requires token) |
who_is_using |
read-only | Identify processes locking a file (Restart Manager) |
get_server_info |
read-only | Server metadata, policies, and capabilities |
Set allowlisted roots via environment variable:
NULLOUT_ROOTS=C:\Users\me\Downloads;C:\temp\cleanup
Token signing secret (generate a random value):
NULLOUT_TOKEN_SECRET=your-random-secret-here
NullOut defends against:
- Destructive misuse — delete requires a server-issued confirmation token; no raw paths accepted
- Path traversal — all operations confined to allowlisted roots;
..escapes are resolved and rejected - Reparse point escapes — junctions, symlinks, and mount points are never traversed or deleted (
deny_all) - TOCTOU races — tokens are HMAC-bound to volume serial + file ID; any identity change between scan and delete is rejected
- Namespace tricks — destructive operations use
\\?\extended path prefix to bypass Win32 name parsing - Locked files — Restart Manager attribution is read-only; NullOut never kills processes
- Non-empty directories — refused by policy; only empty directories can be deleted
Data touched: filesystem metadata (names, file IDs, volume serials), process metadata (PIDs, app names via Restart Manager). Data NOT touched: file contents, network, credentials, Windows registry. No telemetry is collected or sent.
- Windows 10/11
- Python 3.10+
Built by MCP Tool Shop