Score:0

How would I trace what system call or executable a Windows tool uses to delete user profiles?


First, some background.

I deal with a lot of end-user desktop support involving OneDrive. Sometimes, if the OneDrive client completely borks itself and its library, we must rebuild. Usually this involves removing the old library location and letting it resync. Quite often, if the client has not signed out or disconnected cleanly, these libraries do not simply let you delete them using File Explorer, due to something similar to this KB: https://learn.microsoft.com/en-us/sharepoint/troubleshoot/sync/delete-onedrive-synced-file-error. Unfortunately for myself and our team of technicians, CHKDSK will often completely fail to fix this problem, or in other cases, we cannot use CHKDSK. This means we have a library in limbo, and we usually resort to renaming it and hiding it, and letting OneDrive create a new working library.

Here is the mystery. Even in situations where File Explorer has failed, and calling the Delete() method recursively using PowerShell has failed, the user profile menu in the system menu can still completely delete a user profile folder containing one of these broken OneDrive libraries.

The menu I'm referring to: https://i.stack.imgur.com/3jTW2.png

I would like to know if there is a way to find out what magic system call or utility is used by Windows to forcibly delete these OneDrive library folders, so that I may do so myself. This is a common enough problem for us that I've spent significant time trying to figure out how it does it. If anyone knows more about this, I'd love to hear your wisdom.

Thanks.

Score:0

First thing I'd try would be running Process Monitor (https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) on the system while it's being removed, and then reviewing the output to see what was being run, which paths were accessed, etc.

Note, if you're not familiar with ProcMon, it spits out a LOT of data, so I'd recommend making sure you've set it to store the output to a file, NOT memory, e.g. go to File > Backing Files, and set the file name. Also, you'll want to stop and clear the capture before you start, begin capturing just before you begin the removal, and stop it again immediately afterwards. Otherwise you'll end up with a LOT of irrelevant information. Then it's just a matter of filtering out those bits of information you know aren't relevant, e.g. background processes accessing the file system, services connecting to resources, etc., until you've reduced the amount of data to a reasonable size where you can look through it to see what exactly happened on the system.
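
The capture-and-filter procedure from the answer above, scripted as an added example (not part of the original post): it records to a backing file only while the profile is being removed, exports the trace to CSV, and lists which process issued delete requests under the profile folder. The Procmon location, the output paths and the profile path are placeholder assumptions; run it from an elevated PowerShell session.

```powershell
# Added example. All paths below are assumed placeholders; adjust before use.
$procmon = 'C:\Tools\Procmon.exe'            # assumed location of Sysinternals Process Monitor
$pml     = 'C:\Temp\profile-delete.pml'      # backing file on disk instead of memory
$csv     = 'C:\Temp\profile-delete.csv'
$target  = 'C:\Users\brokenuser'             # hypothetical profile folder being removed

# Start a quiet capture that writes straight to the backing file,
# then wait until the instance is ready to accept commands.
Start-Process $procmon -ArgumentList '/AcceptEula','/Quiet','/Minimized','/BackingFile',$pml
Start-Process $procmon -ArgumentList '/WaitForIdle' -Wait

Read-Host 'Delete the profile from the User Profiles dialog now, then press Enter'

# Stop the capture immediately afterwards to keep the trace small.
Start-Process $procmon -ArgumentList '/Terminate' -Wait

# Convert the binary trace to CSV so it can be filtered as objects.
Start-Process $procmon -ArgumentList '/AcceptEula','/OpenLog',$pml,'/SaveAs',$csv -Wait

# Keep only events whose path is inside the profile folder.
$events = Import-Csv $csv | Where-Object {
    $_.Path.StartsWith($target, [System.StringComparison]::OrdinalIgnoreCase)
}

# Delete requests appear as SetDispositionInformation* operations
# (Detail shows "Delete: True" or a FILE_DISPOSITION_DELETE flag) or as
# CreateFile calls opened with the "Delete On Close" option.
$deletes = $events | Where-Object {
    ($_.Operation -like 'SetDispositionInformation*' -and
        $_.Detail -match 'Delete: True|FILE_DISPOSITION_DELETE') -or
    ($_.Operation -eq 'CreateFile' -and $_.Detail -match 'Delete On Close')
}

# Which process deleted things, through which operation, and did it succeed?
$deletes |
    Group-Object 'Process Name', Operation, Result |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# First few raw events, for comparing against a failed Explorer or PowerShell attempt.
$deletes |
    Select-Object -First 20 'Time of Day', 'Process Name', Operation, Result, Path, Detail |
    Format-List
```

Capturing a second trace while File Explorer fails on the same folder and comparing the Operation, Result and Detail columns of the two shows where the successful path differs.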
