If you are having fun today with Defender ASR deleting .lnk files, then you will have seen that the MS script has a v1.1 which looks to VSS to see if it can restore shortcuts from shadow copies, so whilst here I thought I'd note down a few different ways to list the Volume Shadow Copies.
You will need admin rights for these to work:
VSSAdmin
vssadmin list shadows
WMI (From PowerShell)
Get-CimInstance -ClassName Win32_ShadowCopy
and using another method with variables:
$vss = Get-CimInstance -ClassName Win32_ShadowCopy
$vss.Count
And also using WMIC:
wmic ShadowCopy get count
Other ways
There are also other ways including:
Windows Scripting Host
WSF, VBS, JS and even HTAs, or COM objects…
or you could knock up a binary etc.
Anyway, just to see if your SOC lights up, here's some enumeration of VSS commands... the delete ones are fun as well! (You want to alert on those for sure!)
Look how Conti use it…
vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
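Pulling the listing and the alerting thread together, here is an added PowerShell example (mine, not from the original post or the MS script) that reports shadow storage per volume with readable drive letters and classifies process command lines like the Conti ones above. Function names are my own, the CIM queries need an elevated session, and the 4688 scan assumes process-creation auditing with command-line logging is enabled.

```powershell
# Added example, not from the original post. Run elevated; the 4688 scan also needs
# process-creation auditing with "include command line" enabled on the host.

function Get-ShadowStorageReport {
    # CIM equivalent of 'vssadmin list shadowstorage': protected volume, diff-area
    # volume and the ceiling. VSS reports \\?\Volume{GUID}\ IDs, so map to letters.
    $map = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object { $map[$_.DeviceID] = $_.DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowStorage | ForEach-Object {
        [pscustomobject]@{
            ForVolume = $map[$_.Volume.DeviceID]
            OnVolume  = $map[$_.DiffVolume.DeviceID]
            UsedMB    = [math]::Round($_.UsedSpace / 1MB)
            # UINT64 max is how WMI reports /maxsize=unbounded
            MaxMB     = if ($_.MaxSpace -eq [uint64]::MaxValue) { 'UNBOUNDED' } else { [math]::Round($_.MaxSpace / 1MB) }
        }
    }
}

function Test-ShadowCopyTampering {
    # Classify process command lines: delete/resize (the Conti sequence above) is
    # high severity because it purges existing copies; enumeration alone is low.
    param([string[]]$CommandLine)
    foreach ($cl in $CommandLine) {
        $sev = switch -Regex ($cl) {
            'vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)'          { 'HIGH'; break }
            'vssadmin(\.exe)?\s+list\s+shadows|Win32_ShadowCopy|wmic\s+shadowcopy' { 'LOW';  break }
            default { $null }
        }
        if ($sev) { [pscustomobject]@{ Severity = $sev; CommandLine = $cl } }
    }
}

function Get-ShadowCopyAlertsFromSecurityLog {
    # Feed the classifier with command lines from Security 4688 events (last 24h)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) }
    $cmds = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'CommandLine' |
            Select-Object -ExpandProperty '#text'
    }
    Test-ShadowCopyTampering -CommandLine $cmds
}
# Constructed sample command lines (not from a real host) to exercise the classifier
Test-ShadowCopyTampering -CommandLine @(
    'vssadmin Delete Shadows /all /quiet'
    'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB'
    'vssadmin list shadows'
    'notepad.exe C:\notes.txt'
) | Format-Table -AutoSize
```

The sample run flags the first two lines HIGH and the third LOW; call Get-ShadowCopyAlertsFromSecurityLog on a host with 4688 command-line auditing to run the same check over real process events.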
And since we are here... to enable it on a volume use:
vssadmin add shadowstorage /for=c: /on=d: /maxsize=900mb
Bear in mind you can enable C and store on D, and the max size can be varied: