Blog Post

Microsoft Defender for Endpoint Blog
4 MIN READ

Recovering from Attack Surface Reduction rule shortcut deletions

Scott Woodgate's avatar
Scott Woodgate
Icon for Microsoft rankMicrosoft
Jan 14, 2023
Updated 1/23/2023 @ 1:10pm PST   On January 13th, Windows Security and Microsoft Defender for Endpoint customers may have experienced a series of false positive detections for the Attack Surface ...
Updated Jan 23, 2023
Version 28.0
Matt Rouse's avatar
Matt Rouse
Copper Contributor
Jan 14, 2023

I believe I've found a general purpose command line solution that can be deployed to leverage any existing shadow copies and put shortcuts back on the Start Menu. Shadow copies are predictably named which is helpful. I believe they only persist for a couple of weeks so the contents should be recent enough to be useful as well. 

 

Consider the following script which will mount the last five shadow copies, one-by-one, attempt to copy the contents of the Start Menu folder back to the live location, and then dismount the shadow copy. If the shadow copies don't exist, the command will fail but no damage will be done and nothing will be overwritten. Note this script does require admin privileges.

 

mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
rmdir c:\shadowrestore

mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\
robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
rmdir c:\shadowrestore

mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
rmdir c:\shadowrestore

mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\
robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
rmdir c:\shadowrestore

mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\
robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
rmdir c:\shadowrestore

 

Thoughts or comments? This seems to work well in my test environment. Note that you can list shadow copies for a volume with the following command:

 

vssadmin list shadows /for=c:

 

Hope this helps someone.