Microsoft Defender for Endpoint Blog

Recovering from Attack Surface Reduction rule shortcut deletions

Scott Woodgate
Jan 14, 2023

Updated 1/23/2023 @ 1:10pm PST

On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface Reduction (ASR) rule "Block Win32 API calls from Office macro" after updating to security intelligence builds between 1.381.2134.0 and 1.381.2163.0. These detections resulted in the deletion of files that matched the incorrect detection logic primarily impacting Windows shortcut (.lnk) files.


There is no impact for customers who do not have the “Block Win32 API calls from Office macro” rule turned on in block mode or did not update to security intelligence update builds 1.381.2134.0, 1.381.2140.0, 1.381.2152 and 1.381.2163.0. 


For currently impacted customers: what do I need to do? 

Impacted customers need both the updated security intelligence build and to follow the process below to recover Start Menu and taskbar shortcuts.

The updated security intelligence build

Customers should update to build 1.381.2164.0 or later. Customers using automatic updates for Microsoft Defender Antivirus do not need to take additional action to receive the updated security intelligence build. Enterprise customers who manage updates themselves should download the latest update and deploy it across their environments. The security intelligence build does not restore deleted shortcuts; instructions on how to restore those follow immediately below. If you switched "Block Win32 API calls from Office macro" to audit mode per prior guidance, you can now safely turn block mode back on.

To recover deleted start menu and taskbar shortcuts

Microsoft has confirmed steps that customers can take to recreate Start Menu links for a significant subset of the affected applications whose shortcuts were deleted.

Version 5.0 provides improved error handling for AddShortcuts.ps1 to ensure RunOnce executes when a logged off user logs back in. MpRecoverTaskbar.exe now supports restoring each user’s Chrome and Edge pinned taskbar shortcuts found per profile. For more details click here.


1/ Download both AddShortcuts.ps1 and MpRecoverTaskBar.exe and select from the following options:

Option A/ If you are using System Center Configuration Manager, Group Policy Object Editor or third-party tools, deploy both files and run the command "powershell -ep bypass -file .\AddShortcuts.ps1 -MpTaskBarRecoverUtilDownload=false" as Administrator.

Option B/ If you are using Intune or no management tool, deploy AddShortcuts.ps1 and run the command "powershell -ep bypass -file .\AddShortcuts.ps1" as Administrator. This will automatically download MPTaskBarRecover.exe from the Microsoft Download Center onto the user's machine and run it. Detailed instructions on how to deploy the script using Microsoft Intune are here.

2/ The changes come into effect after users log out of and log back in to their accounts.

3/ MPRecoverTaskbar.exe can be run multiple times on end-user machines if necessary. If end users are still missing taskbar icons after completing this process, run it a second time from %windir%\MPRecoverTaskbar.exe in the user context.

The script requires PowerShell 5.x and does not currently support PowerShell 7.x.


Version 5.0 includes all the improvements from Version 4.0: it restores from the Volume Shadow Copy Service by default; it recovers .URL files in the user profile's Favorites and Desktop directories when those files exist in a shadow copy; it contains improvements for non-English-language machines; and it adds error handling and additional checks that help recover more shortcuts and links, including running MpRecoverTaskbar.exe as part of the same process. On top of that, Version 5.0 improves the error handling in AddShortcuts.ps1 so that RunOnce executes when a logged-off user logs back in, and enables MPRecoverTaskbar.exe to restore each user's Chrome and Edge pinned taskbar shortcuts found per profile.

To add programs to the script: edit the $program variable and add a new line with the name of the application lnk and the executable. 
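As an added illustration of the "name of the .lnk plus its executable" idea described above (this is example code, not Microsoft's AddShortcuts.ps1; the application table is a constructed sample and the executable paths are assumptions), the following PowerShell 5.x function recreates missing all-users Start Menu shortcuts and skips entries whose executable is not installed:

```powershell
# Added example, not code from the blog post or from Microsoft's AddShortcuts.ps1.
# Recreates missing Start Menu (.lnk) shortcuts for a table of applications,
# in the spirit of the script's $program list: shortcut name plus executable.
# Assumptions: the $Programs entries are constructed samples (adjust to your
# environment); run as Administrator to write into the all-users Start Menu.
function Restore-StartMenuShortcut {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Map of shortcut display name -> executable path (constructed sample)
        [hashtable]$Programs = @{
            'Microsoft Edge' = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
            'Word'           = "$env:ProgramFiles\Microsoft Office\root\Office16\WINWORD.EXE"
            'Notepad++'      = "$env:ProgramFiles\Notepad++\notepad++.exe"
        },
        # All-users Start Menu folder that the false positive emptied
        [string]$StartMenu = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($name in $Programs.Keys) {
        $exe = $Programs[$name]
        $lnk = Join-Path $StartMenu "$name.lnk"
        if (-not (Test-Path -LiteralPath $exe)) {
            # Nothing to point at: the application is not installed here
            Write-Verbose "Skipping '$name': executable not found at $exe"
            continue
        }
        if (Test-Path -LiteralPath $lnk) {
            # Already present (not deleted, or already restored by the tool)
            Write-Verbose "Shortcut already present: $lnk"
            continue
        }
        if ($PSCmdlet.ShouldProcess($lnk, "Create shortcut to $exe")) {
            $sc = $shell.CreateShortcut($lnk)
            $sc.TargetPath       = $exe
            $sc.WorkingDirectory = Split-Path -Parent $exe
            $sc.IconLocation     = "$exe,0"
            $sc.Save()
            [pscustomobject]@{ Name = $name; Shortcut = $lnk; Target = $exe }
        }
    }
}

# Preview first, then create the missing shortcuts for real
Restore-StartMenuShortcut -WhatIf -Verbose
Restore-StartMenuShortcut
```

Per-user installs (such as Microsoft 365 Click-to-Run deployed per user) place their shortcuts under each profile's AppData Start Menu rather than ProgramData, so pass a different -StartMenu for those.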


For customers that prefer manual steps over the script, running an application repair on an affected application recreates its deleted links. Users can run the Application Repair functionality for programs including Microsoft 365, Microsoft Edge, and Microsoft Visual Studio.

To repair an application, follow these instructions:

    1. Windows 10:
      1. Select Start > Settings > Apps > Apps & features
      2. Select the app you want to fix.
      3. Select Modify link under the name of the app if it is available.
      4. A new page will launch and allow you to select repair.
    2. Windows 11:
      1. Type “Installed Apps” in the search bar.
      2. Click “Installed Apps”.
      3. Select the app you want to fix.
      4. Click on “…”
      5. Select Modify or Advanced Options if it is available.
      6. A new page will launch and allow you to select repair.

Verifying environment impact

Customers can verify the impact of this issue in their environment through the following advanced hunting queries (AHQs):


This AHQ retrieves all block events from devices that have the ASR rule "Block Win32 API calls from Office macro" enabled in Block mode:

DeviceEvents
| where Timestamp >= datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| extend JSON = parse_json(AdditionalFields)
| extend isAudit = tostring(JSON.IsAudit)
| where isAudit == "false"
| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields
| sort by Timestamp asc

This AHQ retrieves all events from devices that have the ASR rule "Block Win32 API calls from Office macro" enabled in either Block or Audit mode:

DeviceEvents
| where Timestamp >= datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields
| sort by Timestamp asc

This AHQ returns the count of devices that reported events for the ASR rule "Block Win32 API calls from Office macro" and flags whether that number exceeds 10,000:

DeviceEvents
| where Timestamp >= datetime(2023-01-13)
| where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
| summarize deviceCount = dcount(DeviceId)
| extend IsMoreThanTenThousand = iif(deviceCount > 10000, true, false)

Advanced hunting queries are not available in Defender for Endpoint P1 (which is also included in E3 and A3) or in Defender for Business. To identify affected machines in those environments, run the script here on individual user machines.
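For tenants without advanced hunting, the same three questions the queries above answer (was the device on a faulty signature build, is the rule in Block mode, and did Defender record block events for it since January 13) can be checked locally. The following is an added example, not the script the post links to or any Microsoft tooling; it assumes Defender's event ID 1121 is the "ASR rule fired in Block mode" event (1122 is the audit counterpart), that the default $RuleId is the documented rule ID for "Block Win32 API calls from Office macros", and that action code 1 means Block in Get-MpPreference:

```powershell
# Added example, not from the blog post or from Microsoft's recovery tooling.
# Local triage for devices without advanced hunting: faulty build, rule mode,
# and count of 1121 (ASR block) events mentioning the rule since January 13.
# Assumptions: event ID 1121 = ASR block event; $RuleId is the documented ID
# of "Block Win32 API calls from Office macros"; ASR action 1 = Block.
function Test-AsrShortcutImpact {
    param(
        [string]$RuleId = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B',
        [datetime]$Since = (Get-Date '2023-01-13')
    )
    $badLow  = [version]'1.381.2134.0'   # first faulty build named in the post
    $badHigh = [version]'1.381.2163.0'   # last faulty build named in the post
    $fixed   = [version]'1.381.2164.0'   # first build with the corrected logic

    $sigVer = [version](Get-MpComputerStatus).AntivirusSignatureVersion

    # Look up the configured action for this rule (0 = Disabled if not configured)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $mode = 0
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) { $mode = $pref.AttackSurfaceReductionRules_Actions[$i] }
    }

    # Block events logged by Defender locally; the message text carries the rule ID
    $blocks = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121
        StartTime = $Since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$RuleId*" })

    [pscustomobject]@{
        Device           = $env:COMPUTERNAME
        SignatureVersion = $sigVer
        OnFaultyBuild    = ($sigVer -ge $badLow -and $sigVer -le $badHigh)
        HasFixedBuild    = ($sigVer -ge $fixed)
        RuleBlockMode    = ($mode -eq 1)
        BlockEventsSince = $blocks.Count
        LnkBlocked       = @($blocks | Where-Object { $_.Message -match '\.lnk' }).Count
        # Once the fixed build is installed OnFaultyBuild turns false, so the
        # logged block events are the durable indicator of past impact
        LikelyImpacted   = ($mode -eq 1 -and $blocks.Count -gt 0)
    }
}

Test-AsrShortcutImpact | Format-List
```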

FAQ 

Additional questions are addressed in the FAQ document


  • Chrispyyy
    Copper Contributor

    Unfortunately, this doesn't restore Microsoft Office shortcuts which were deployed per-user - which is most 365 C2R installations. This is the default installation behaviour for M365 deployed through Intune, so if this can be reflected in the script - this would be very helpful. 


    I understand you can't do every application, but at least get your core offering resolved. 

  • I've just run the following code to find all the .lnk files affected.

    DeviceEvents
    | where Timestamp > datetime(2023-01-13)
    | where ActionType contains "AsrOfficeMacroWin32ApiCallsBlocked"
    | where FileName contains ".lnk"
    | extend JSON = parse_json(AdditionalFields)
    | extend isAudit = tostring(JSON.IsAudit)
    | where isAudit == "false"
    | summarize by Timestamp, DeviceId, FileName, FolderPath, ActionType, AdditionalFields, isAudit
    | sort by Timestamp asc


    This isn't just impacting the Start Menu (C:\ProgramData\Microsoft\Windows\Start Menu\Programs). What about recovering all of the User's pinned taskbar links (C:\Users\<username>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar) and their Quick Access links (C:\Users\<username>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch)?!


    I suspect that these links have been lost indefinitely and us administrators are going to have to recover the Start Menu, and the users are going to have to repin every Task bar and Quick Launch shortcut manually.


    Who on earth released that update without checking the impact! There are thousands of administrators across the globe now having to repair their environments which is causing a major impact on productivity.

    I've always been an avid user of your various cloud solutions, but this error is appalling, Microsoft!

  • Niiiiis
    Brass Contributor

    What about advanced custom shortcuts like Autocad and other business line applications? 

    And Microsoft: You need to fix this. Not us.

  • Yves te Poel
    Brass Contributor

    Timestamp is not correct, change it to: >= datetime(2023-01-13)

    For convenience you may add the DeviceName to the summarize line.

    | summarize by Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, AdditionalFields