Remove-Item
Delete files, directories, registry keys, or other PowerShell provider items. Used for log wiping, artifact cleanup, and indicator removal.
Binary Paths
PowerShell cmdlet
Glob Patterns
| Pattern | Notes |
|---|---|
| `& (gcm R*-It*) -Path C:\Windows\Temp\* -Recurse -Force` | Wildcards on both verb and noun |
| `& (gcm Remove-I*) -Path C:\artifact.log -Force` | Star suffix matches 'tem' |
| `& (gcm R?move-Item) -Path ...` | Single char wildcard replaces 'e' |
| `& (gcm *-Item) -Path ...` | Prefix wildcard. Note: may match other *-Item cmdlets; add -CommandType Cmdlet to disambiguate |
| `rm -Path C:\artifact.log` | Built-in alias 'rm' for Remove-Item |
| `del -Path C:\artifact.log` | Alias 'del' for Remove-Item |
| `ri -Path C:\artifact.log` | Alias 'ri' for Remove-Item |
| `& (gal r?) -Path ...` | Get-Alias r?: resolves 'rm' or 'ri' depending on match; 'ri' is the shorter alias |
| `& (gcm R[d-f]move-Item) -Path C:\artifact.log -Force` | Character range [d-f] matches 'e' in Remove; it is the only character in the range that satisfies Remove-Item |
| `& (DIR Alias:/r?) -Path C:\artifact.log` | Resolves the rm/ri alias via PowerShell's Alias: PSDrive glob, a filesystem-style wildcard on the Alias provider |
| `& (gcm * \| ? Name -match '^Rem.*It') -Path C:\artifact.log -Force` | Regex -match filter on all commands via a Where-Object pipeline; a regex alternative to glob wildcards |
| `& (gcm ('{0}move-{1}' -f 'Re','Item')) -Path C:\artifact.log -Force` | -f format operator constructs 'Remove-Item' from string fragments before gcm resolves it |
YARA Rule
Auto-generated detection rule for Remove-Item
Platform Notes
rm, del, and ri are built-in aliases. Remove-Item with -Recurse -Force silently deletes entire trees. Targets PowerShell providers beyond the filesystem: Remove-Item HKLM:\SOFTWARE\... operates on the registry, Remove-Item Env:\VAR deletes environment variables.
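The rows in the Glob Patterns table never spell `Remove-Item`, so a string match on the cmdlet name misses them. The following is an added example for defenders, not part of the original page or of any tool it describes: it parses script text (for instance from script block logging) with PowerShell's own parser and flags commands whose name is computed at run time, alongside the literal cmdlet and the aliases named on this page. The function name `Find-RemoveItemCandidate` and the sample lines are assumptions made for illustration.

```powershell
# Added example: static triage of script text. The text is parsed, never executed.
function Find-RemoveItemCandidate {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Every command invocation, including ones nested in parentheses or pipelines.
    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] },
        $true)

    foreach ($cmd in $commands) {
        $head = $cmd.CommandElements[0]
        $reason = $null
        if ($head -isnot [System.Management.Automation.Language.StringConstantExpressionAst]) {
            # '& ( ... )' and similar: the command name only exists at run time,
            # so no string match on 'Remove-Item' can see it.
            $reason = 'computed command name'
        }
        elseif ($head.Value -in 'Remove-Item', 'rm', 'del', 'ri') {
            # Literal cmdlet name or one of the aliases listed on this page.
            $reason = 'Remove-Item or built-in alias'
        }
        if ($reason) {
            [pscustomobject]@{
                Line    = $cmd.Extent.StartLineNumber
                Reason  = $reason
                Command = $cmd.Extent.Text
            }
        }
    }
}

# Constructed sample input: three rows from the table plus one benign line.
$sample = @'
& (gcm R*-It*) -Path C:\Windows\Temp\* -Recurse -Force
ri -Path C:\artifact.log
& (gcm ('{0}move-{1}' -f 'Re','Item')) -Path C:\artifact.log -Force
Get-ChildItem C:\Windows\Temp
'@

Find-RemoveItemCandidate -ScriptText $sample | Format-Table -AutoSize
```

A "computed command name" hit means only that the command is resolved dynamically, not that it resolves to Remove-Item, so treat it as a triage signal and review the flagged expression together with its `-Path`, `-Recurse` and `-Force` arguments.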