Windows OS Hub

November 22, 2016 · Group Policies, Windows 10, Windows 7

Recovering Encrypted Files from VSS Snapshot after Ransomware Infection

We continue our series of articles on countermeasures against ransomware. Last time we looked at a simple way of protecting Windows file servers against encryption ransomware using FSRM. Today we will discuss how to easily recover your files if the ransomware has already got onto a computer and the user's documents have been encrypted.

The easiest way to get the original files back after an infection with encrypting ransomware is to restore them from a backup. You can organize centralized backups of your file servers, but backing up data on user computers is more difficult. Fortunately, Windows has a built-in backup mechanism — shadow copies created by the Volume Shadow Copy Service (VSS).

To be able to recover previous versions of files from VSS snapshots, the following requirements have to be met:

  • VSS has to be enabled for the protected volumes
  • There must be enough free space on the disk to store the snapshots (at least 10-20%)
  • The user must not have local Administrator privileges on the computer (most modern encryption malware, when running elevated, deletes all available VSS snapshots), and User Account Control (UAC) has to be enabled
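The following script is an added example, not part of the original article: it checks the three prerequisites above on the local computer (VSS service startup type, free space on every fixed volume, UAC state and whether the current user's token is a local administrator). The 10% threshold is the article's lower bound; the property names and PowerShell 3.0+ syntax (`[ordered]`) are assumptions about the environment.

```powershell
# Added example: verify the VSS prerequisites listed in the article on this computer.
function Test-VssPrerequisites {
    [CmdletBinding()]
    param(
        # Minimum free space per volume, in percent (the article recommends 10-20%)
        [int]$MinFreePercent = 10
    )

    $result = [ordered]@{}

    # 1. The Volume Shadow Copy service must be set to start automatically
    $vss = Get-WmiObject -Class Win32_Service -Filter "Name='VSS'"
    $result['VssServiceStartMode'] = $vss.StartMode
    $result['VssServiceOk']        = ($vss.StartMode -eq 'Auto')

    # 2. Every fixed volume (DriveType 3) needs room for the snapshots
    $lowSpace = @()
    $disks = Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3"
    foreach ($disk in $disks) {
        if (-not $disk.Size) { continue }          # skip unformatted volumes
        $pct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
        if ($pct -lt $MinFreePercent) { $lowSpace += "$($disk.DeviceID) ($pct% free)" }
    }
    $result['VolumesLowOnSpace'] = $lowSpace
    $result['FreeSpaceOk']       = ($lowSpace.Count -eq 0)

    # 3. UAC must be on (EnableLUA = 1) and the interactive user should not be a local admin
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $result['UacEnabled'] = ($policy.EnableLUA -eq 1)

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $result['CurrentUserIsAdmin'] = $isAdmin

    $result['AllChecksPassed'] = $result['VssServiceOk'] -and $result['FreeSpaceOk'] `
                                 -and $result['UacEnabled'] -and (-not $isAdmin)
    New-Object PSObject -Property $result
}

Test-VssPrerequisites | Format-List
```

Run it in the user's own (non-elevated) session: under UAC the admin check reflects the filtered token that is actually in use, which is exactly the token the ransomware would inherit if it were launched by that user.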

Let's consider a mechanism that allows you to centrally manage the snapshot creation policy in an Active Directory domain environment and easily restore the original files after an encryption ransomware attack.

Contents:
  • How to Enable VSS on Domain Computers Using GPO
  • How to Copy Vshadow.exe to User Computers Using GPO
  • PowerShell Script to Create Shadow Copies of All Volumes
  • Scheduled Task to Create VSS Snapshots
  • How to Recover Original Files from a VSS Snapshot
  • Conclusion

How to Enable VSS on Domain Computers Using GPO

First of all, create a group policy that enables the Volume Shadow Copy (VSS) service on domain computers. To do it, in the GPMC.msc console create a new GPO named VSSPolicy and link it to the OU containing the user computers.

Now edit the GPO. In the list of services under Computer Configuration -> Windows Settings -> Security Settings -> System Services, find Volume Shadow Copy and set its startup type to Automatic.

Volume Shadow Copy service

How to Copy Vshadow.exe to User Computers Using GPO

To create and manage shadow copies on user computers, we need the vshadow.exe tool from the Windows SDK. In this example, we'll use vshadow from the SDK for Windows 7 x64 (in my case it worked correctly both in Windows 7 and in Windows 10 x64). Copy vshadow.exe to %windir%\system32 on all computers using Group Policy Preferences (GPP).

Tip. You can download vshadow.exe using this link: vshadow_exe_win7x64.zip

Then, under Computer Configuration -> Preferences -> Windows Settings -> Files, create a new policy that copies vshadow.exe from \\domain.loc\SYSVOL\domain.loc\scripts\vshadow.exe (the file must be placed there beforehand) to %windir%\system32\vshadow.exe. The policy can be configured to run only once (Apply once and do not reapply).

copy vshadow.exe using GPO

PowerShell Script to Create Shadow Copies of All Volumes

Next, we need a script that detects the list of drives in the system, enables shadow copies for them and creates a new VSS snapshot. Here is the script I use:

# Find all local fixed disks (DriveType = 3)
$HDDs = Get-WmiObject -Query "SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3"
foreach ($HDD in $HDDs) {
    $Drive = $HDD.DeviceID
    # Enable shadow storage for the volume and limit it to 10% of the volume size
    $vssadminEnable = "vssadmin.exe Resize ShadowStorage /For=$Drive /On=$Drive /MaxSize=10%"
    # Create a new persistent shadow copy of the volume
    $vsscreatess = "vshadow.exe -p $Drive"
    cmd /c $vssadminEnable
    cmd /c $vsscreatess
}

posh script to create shadow copy of volumes

The first line finds all fixed drives in the system; then, for each disk, vssadmin enables the shadow storage (capping it at 10% of the volume) and vshadow creates a new snapshot.

Save this script as vss-script.ps1 and copy it to the user computers using GPP as well.

copy ps1 file via gpo

Scheduled Task to Create VSS Snapshots

The last thing to do is to create a Scheduled Task on all computers that regularly runs vss-script.ps1 and creates a new snapshot of all drives. It's easier to create this task using GPP. To do it, in the GPO section Computer Configuration -> Preferences -> Scheduled Tasks create a new task (New -> Scheduled Task (At least Windows 7)) named create vssnapshot, which must run elevated as NT AUTHORITY\System.

scheduled task creating vss snapshot

Suppose the task has to run every day at 1:20 PM (you will have to decide for yourself how often the snapshots should be created).

trigger time

Program to run: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe

with the argument: %windir%\system32\vss-script.ps1

task to run powershell script

Tip. You should also create a weekly Scheduled Task that removes older VSS snapshots. To do it, create a new Scheduled Task running a similar script (looping over the same list of drives, so that $Drive holds the volume letter) that contains the following code:

# Delete the oldest shadow copy of the volume in $Drive
$vssadminDeleteOld = "vshadow.exe -do=$Drive"
cmd /c $vssadminDeleteOld
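For testing on a single machine before rolling the tasks out through GPP, both scheduled tasks described above (the daily snapshot task and the weekly cleanup task from the tip) can be registered with schtasks.exe, which exists on every Windows version from Windows 7 on. This is an added example, not part of the original article or of the vshadow tool: the task name, the 1:20 PM schedule, the SYSTEM account and the program/argument paths come from the article, while the cleanup task's name, its schedule (Sunday 02:00) and the vss-cleanup.ps1 file name are assumptions. The `-ExecutionPolicy Bypass -File` switches are added so the script runs unattended even where the machine's execution policy is Restricted.

```powershell
# Added example: register the article's two scheduled tasks locally with schtasks.exe.
function Register-VssTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][ValidateSet('DAILY', 'WEEKLY')][string]$Schedule,
        [Parameter(Mandatory)][string]$StartTime,   # HH:mm, 24-hour clock
        [string]$DayOfWeek = 'SUN'                   # only used for WEEKLY
    )
    $psExe = Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\powershell.exe'
    # Both paths are free of spaces (as in the article), so no inner quoting is needed.
    # -NonInteractive and -ExecutionPolicy Bypass let the task run unattended as SYSTEM.
    $action = "$psExe -NonInteractive -ExecutionPolicy Bypass -File $ScriptPath"

    $schtasksArgs = @('/Create', '/F',
                      '/TN', $TaskName,
                      '/TR', $action,
                      '/SC', $Schedule,
                      '/ST', $StartTime,
                      '/RU', 'NT AUTHORITY\SYSTEM',
                      '/RL', 'HIGHEST')
    if ($Schedule -eq 'WEEKLY') { $schtasksArgs += @('/D', $DayOfWeek) }

    & schtasks.exe @schtasksArgs
    if ($LASTEXITCODE -ne 0) {
        throw "schtasks.exe failed for task '$TaskName' (exit code $LASTEXITCODE)"
    }
}

# Daily snapshot of all volumes at 1:20 PM, as in the article
Register-VssTask -TaskName 'create vssnapshot' `
                 -ScriptPath "$env:windir\system32\vss-script.ps1" `
                 -Schedule DAILY -StartTime '13:20'

# Weekly removal of the oldest snapshot per volume (assumed name and schedule)
Register-VssTask -TaskName 'cleanup vssnapshot' `
                 -ScriptPath "$env:windir\system32\vss-cleanup.ps1" `
                 -Schedule WEEKLY -StartTime '02:00' -DayOfWeek SUN
```

Run this from an elevated PowerShell prompt; registering a task that runs as SYSTEM requires administrative rights. Check the result with `schtasks /Query /TN "create vssnapshot" /V /FO LIST`.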

How to Recover Original Files from a VSS Snapshot

If a user's computer has been infected by ransomware, the administrator or help desk staff can recover the encrypted documents from a snapshot.

The list of all available snapshots can be displayed using this command:

vssadmin.exe list shadows


In our example, the latest snapshot was created on 10/6/2016 1:33:35 AM and has Shadow Copy ID = {6db666ac-4d42-4734-8fbb-fad64825c66c}.

Mount this snapshot read-only as a separate drive by its ID:

vshadow -el={6db666ac-4d42-4734-8fbb-fad64825c66c},Z:

mount shadow copy using vshadow.exe

Now, using File Explorer or any other file manager, copy the original files from the Z: drive.

To unmount the disk with the snapshot:

mountvol Z:\ /D
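The recovery steps above (list the snapshots, pick one by ID, expose it with vshadow, copy the files, unmount with mountvol) can be automated so that help desk staff do not have to read GUIDs off the vssadmin output. The script below is an added example, not code from the article: it enumerates the shadow copies of a volume through the Win32_ShadowCopy WMI class, selects the newest one created before the time the infection was noticed, exposes it as Z: with the same vshadow command the article uses, copies a folder out and unmounts the drive. The infection time, the user folder and the destination path in the usage call are assumptions.

```powershell
# Added example: recover a folder from the newest shadow copy taken before a given time.
function Get-ShadowCopiesForVolume {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'C:'
    # Win32_ShadowCopy reports volumes as \\?\Volume{GUID}\; map the drive letter to that name
    $volume = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $volume) { throw "Volume $DriveLetter not found" }

    Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        ForEach-Object {
            New-Object PSObject -Property @{
                ID      = $_.ID                     # {GUID}, the value vssadmin shows as Shadow Copy ID
                Created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
                Device  = $_.DeviceObject
            }
        } | Sort-Object Created -Descending
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DriveLetter,
        [Parameter(Mandatory)][datetime]$NotLaterThan,   # when the encryption was noticed
        [Parameter(Mandatory)][string]$RelativePath,     # folder below the volume root
        [Parameter(Mandatory)][string]$Destination,
        [string]$MountLetter = 'Z:'
    )
    # Newest snapshot that still predates the encryption
    $snap = Get-ShadowCopiesForVolume $DriveLetter |
            Where-Object { $_.Created -le $NotLaterThan } |
            Select-Object -First 1
    if (-not $snap) { throw "No shadow copy of $DriveLetter older than $NotLaterThan" }
    Write-Host "Using shadow copy $($snap.ID) created $($snap.Created)"

    # Expose the snapshot read-only under a drive letter (the article's vshadow -el command)
    & vshadow.exe "-el=$($snap.ID),$MountLetter"
    if ($LASTEXITCODE -ne 0) { throw "vshadow.exe failed (exit code $LASTEXITCODE)" }
    try {
        $source = Join-Path "$MountLetter\" $RelativePath
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Copy-Item -Path $source -Destination $Destination -Recurse -Force
        # Return the number of files recovered
        (Get-ChildItem -Path $Destination -Recurse -File | Measure-Object).Count
    }
    finally {
        # Always unmount the snapshot, as the article does with mountvol
        & mountvol.exe "$MountLetter\" /D
    }
}

# Usage (assumed values): recover jsmith's Documents from the last snapshot before 8:00 on 10/6/2016
$count = Restore-FromShadowCopy -DriveLetter 'C:' -NotLaterThan '2016-10-06 08:00' `
                                -RelativePath 'Users\jsmith\Documents' `
                                -Destination 'D:\Recovered\jsmith'
Write-Host "$count files recovered"
```

Run it elevated, since vshadow.exe needs administrative rights to expose a snapshot. `Get-ShadowCopiesForVolume 'C:'` on its own is a convenient replacement for reading `vssadmin list shadows`, because it returns the IDs and creation times as objects you can sort and filter.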

Conclusion

Of course, VSS is not a means of protection against encryption ransomware and does not replace a comprehensive approach to computer security (antivirus software, SRP/AppLocker policies, reputation filters, SmartScreen, etc.). However, in my opinion, the simplicity and availability of volume shadow copies is a great advantage of this way of recovering encrypted data, and it is likely to be useful if malware gets onto a user's computer.
