vssadmin.exe (Volume Shadow Copy) disabling procedure questions


13 replies to this topic

#1 Robert1123 (Members, 62 posts)

Posted 31 March 2016 - 03:35 PM

It has been discussed that many of the ransomware programs use the vssadmin.exe program that wipes clean all volume shadow copies (restoration copies) to make recovery of your system impossible.

 

Discussions don't recommend disabling the shadow copy program (Recovery), just the vssadmin.exe which erases all recovery copies.

 

The main article that details this is here:

 

http://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/

 

My question is that when I follow the instructions in the above article, and run the utility, it only allows me to alter one of the eight vssadmin.exe (and vssadmin.exe mui) files.

 

Specifically, the utility allowed me to get permission and change the name on the 64 bit version (so if hit by ransomware it will not find that file). But what about these vssadmin files? Do I need to do something about them?

 

This is a screen shot of the remaining search results for "vssadmin.exe" AFTER the 64 bit program was renamed in the above referenced link.

 

[Screenshot: search results for "vssadmin.exe"]

 


#2 vilhavekktesla (Members, 918 posts)

Posted 05 April 2016 - 05:09 PM

Hi, I'm not sure where those two amd64 and x86 folders are.

system32 and SysWOW64 are important system folders for Windows. I would definitely disable, rename or in any other way disable those if possible.

When you have decided to disable vssadmin: if you do similar stuff to notepad.exe you won't be able to run notepad,

so you could experiment by renaming notepad and see when notepad commands do not happen.

Windows does protect some files, especially important dll-files and some exe-files (Application Extension and Applications).

 

The MUI files or Windows Multilingual User Interface are simply files needed for Windows to display messages etc. in different languages.

Those are not programs / applications. Read more here: https://msdn.microsoft.com/en-us/goglobal/bb978454.aspx

The last line, I have no idea, about the whereabouts.

 

In general I disable all files with similar names in different locations, if I want to disable something.

In cmd you might try to run a command, after it is renamed, just to see if another version is running (in cmd set, or simply the command path).

Here you will see details about how your Windows is set up.

 

 

In cmd with admin rights (elevated rights), you can run this command.

c:

cd \

dir c:\vssadmin.exe /s /a /b

or as you have done

dir c:\vssadmin.* /s /a /b

 

Then you can find the exact locations.

dir /? gives you help and is similar to help dir. Pretty much all MS commands support /?

 

If you want to save the lines in a report you could do this

dir c:\vssadmin.exe /s /a /b >> c:\myreport.txt

You might have to save at a different location, depending on policy settings on your Windows, e.g.

c:\users\yourusername\Desktop Assuming you run Windows 7


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0.1b or newer (if needed)

The master key is released so there is no need to pay to get the key.

About 200 550 different ransomwares exist so think safe backups at all time.


#3 quietman7, Bleepin' Janitor (Global Moderator, 51,895 posts, Virginia, USA)

Posted 05 April 2016 - 07:50 PM

Why Everyone Should disable VSSAdmin.exe Now!

Comment by Grinler, site owner of Bleeping Computer.

VSSadmin is an administrative tool to manipulate shadow copies. Renaming it does not affect system restore or disable shadow volume copies... renaming vssadmin has no effect unless you routinely use the tool. All it does is make it so that a ransomware is unable to use it to remove shadow volume copies. Since a ransomware will not be able to use this tool, you now have an extra method of possibly recovering files in the event that you do become infected with ransomware.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 vilhavekktesla (Members, 918 posts)

Posted 10 April 2016 - 04:06 AM

At quietman7, is it possible you use your MS influence and tell MS about this thing with vssadmin, so they can make updates / patches to their way of doing things.

In my opinion, if running vssadmin causes more trouble than good things it should be disabled by default for all users not needing it.

Then for servers, if vssadmin is essential, it could be left on. There could also be an extra security layer included in vssadmin when certain parameters are used.

I for my sake do not rely on or use shadow copy (it just takes space), so I enter the system in control panel and turn it off by default and enable it if I think that is the best.

For servers however I'm glad previous versions exist (if they do). Many companies turn shadow copy off, both to save space but also to gain control, and there might be other solutions implemented, like sync to backup servers etc.

Do you think it is possible to persuade MS to use shadow copies, system restore, vssadmin and other programs and services in a different manner?

I don't think my arguments with them will be enough, they seldom are, until worst case happens.

 

Regards


Edited by vilhavekktesla, 10 April 2016 - 04:08 AM.



#5 Crazy Cat (Members, 808 posts, Lunatic Asylum)

Posted 10 April 2016 - 07:01 PM

Why Everyone Should disable VSSAdmin.exe Now!


If you don't want to disable VSSAdmin.exe then use How To Password Protect Any Windows Program. http://www.makeuseof.com/tag/how-to-password-protect-any-windows-program/

In my opinion, if running vssadmin cause more trouble than good things it should be disabled by default for all users not needing it.

Then for servers, if vssadmin is essential, it could be left on. There could also be an extra security layer included in vssadmin when certain parameters are used.


To disable VSSAdmin.exe by default:

http://computerstepbystep.com/volume_shadow_copy_service.html
http://computerstepbystep.com/microsoft_software_shadow_copy_provider_service.html

Also a user-defined Access Protection Rule for "vssadmin.exe Delete Shadows /All /Quiet" can be created.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.



#6 vilhavekktesla (Members, 918 posts)

Posted 11 April 2016 - 01:50 PM

 

Why Everyone Should disable VSSAdmin.exe Now!


If you don't want to disable VSSAdmin.exe then use How To Password Protect Any Windows Program. http://www.makeuseof.com/tag/how-to-password-protect-any-windows-program/

In my opinion, if running vssadmin cause more trouble than good things it should be disabled by default for all users not needing it.

Then for servers, if vssadmin is essential, it could be left on. There could also be an extra security layer included in vssadmin when certain parameters are used.
 


To disable VSSAdmin.exe by default:

http://computerstepbystep.com/volume_shadow_copy_service.html
http://computerstepbystep.com/microsoft_software_shadow_copy_provider_service.html

Also a user-defined Access Protection Rule for "vssadmin.exe Delete Shadows /All /Quiet" can be created.

 

Nice one, I remember Protect Exe from paehl a long time ago.

I understand you can protect files the way mentioned. My angle was more this:

When someone comes to BC for help it is because vssadmin was not disabled, so previous copies do not work...

All data is therefore lost when the user is a victim of ransomware. If the user followed the computerstepbystep instructions, it is also likely the user had a backup before the incident, so Albert had a point: maybe not one user will repeat, but the user in general will definitely repeat the mistakes.

I think it is still back to square one, Windows is not designed secure enough, because either they require UAC on all, or nothing...

vssadmin should require UAC by default, and the user would have to confirm that this is not necessary.

Anyway, this is just one small piece in the puzzle, and thanks for the links, nice reading.

 

Regards




#7 quietman7, Bleepin' Janitor (Global Moderator, 51,895 posts, Virginia, USA)

Posted 11 April 2016 - 03:57 PM

Security is a constant effort to stay one step ahead of the bad guys but Microsoft always seems to be playing catch up instead.

#8 Grinler, Lawrence Abrams (Admin, 43,659 posts, USA)

Posted 12 April 2016 - 08:37 AM

To answer the original OP's questions, you only care about the vssadmin.exe located in C:\Windows\system32. The others are not in the execution path and will not be executed.
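An added PowerShell check (not from the thread or the linked article) that makes the point above testable on your own machine: it resolves vssadmin.exe through the search path the way cmd does, then lists every copy on the system drive and marks which one would actually be launched. It assumes an elevated Windows PowerShell 5.1 prompt and uses only built-in cmdlets.

```powershell
# Added example: which vssadmin.exe does Windows actually run, and where do the other copies live?
# Run from an elevated Windows PowerShell prompt (5.1 or later).

# 1. Resolve the bare name exactly as cmd or Start > Run would: first hit along %PATH%.
#    After the copy in System32 has been renamed this comes back empty, which is the
#    quickest confirmation that the rename took effect.
$resolved = (Get-Command -Name 'vssadmin.exe' -CommandType Application -ErrorAction SilentlyContinue |
             Select-Object -First 1).Source
if ($resolved) { "Resolved via PATH: $resolved" } else { "vssadmin.exe is not reachable via PATH" }

# 2. Enumerate every copy on the system drive (same idea as 'dir c:\vssadmin.exe /s /a /b')
#    and annotate each one: is its folder on PATH, is it the one that resolves, is it signed?
$pathDirs = $env:Path -split ';' | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

Get-ChildItem -Path "$env:SystemDrive\" -Filter 'vssadmin.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            InPath   = $pathDirs -contains $_.DirectoryName.TrimEnd('\')     # reachable by bare name?
            Resolves = [bool]($resolved -and ($_.FullName -ieq $resolved))   # the copy cmd would launch
            Signer   = $sig.Status                                            # Valid / NotSigned / HashMismatch
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize
```

Copies under SysWOW64 and WinSxS show InPath = False, which is why only the System32 file matters for the rename described above; an unexpected extra copy in a folder that is on PATH is worth a closer look.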



#9 munozbasols (Members, 9 posts)

Posted 12 April 2016 - 04:30 PM

To answer the original ops questions, you only care about the vssadmin.exe located in C:\Windows\system32. The others are not in the execution path and will not be executed.

But if you delete vssadmin, are the copies still running for backup? Or will this completely stop?



#10 Grinler, Lawrence Abrams (Admin, 43,659 posts, USA)

Posted 12 April 2016 - 04:35 PM

It will stop scheduled backups. You would need to utilize the scheduled task as shown here:

http://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/

#11 Crazy Cat (Members, 808 posts, Lunatic Asylum)

Posted 13 April 2016 - 12:44 AM

Just to be clear, stopping or deleting the Service name: VSS, Display name: Volume Shadow Copy WILL stop "vssadmin.exe Delete Shadows /All /Quiet" from executing.

Description: Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.

http://computerstepbystep.com/volume_shadow_copy_service.html

You can test this for yourself:

(1) Stop Volume Shadow Copy, and reboot PC.
(2) Run Command Prompt as Administrator
(3) Run "vssadmin.exe Delete Shadows /All" without the " "

Error message,

Error: Unexpected failure: The service cannot be started, either because it is disabled or because it has no enabled device associated with it.



#12 Grinler, Lawrence Abrams (Admin, 43,659 posts, USA)

Posted 13 April 2016 - 08:37 AM

Yes, do not delete the Volume Shadow Copy service (VSS). That is a major mistake.

What you want to do is rename vssadmin.exe, but then create a scheduled task to perform the nightly (or whenever you wish) system restore points.

If you do not create a scheduled task, then the nightly restore points will NOT work.
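One way to set up the scheduled task described above, as an added example rather than the article's or the thread's own steps: the task calls Checkpoint-Computer, which creates a restore point through the VSS service itself and therefore keeps working after vssadmin.exe has been renamed. The task name, the 02:00 time and the description are arbitrary choices; it assumes an elevated Windows PowerShell 5.1 prompt (Checkpoint-Computer is not available in PowerShell 7).

```powershell
# Added example: keep nightly restore points working after vssadmin.exe has been renamed.
# Run once from an elevated Windows PowerShell prompt. Task name and time are arbitrary.

# System Protection must be on for the system drive, otherwise Checkpoint-Computer fails.
Enable-ComputerRestore -Drive "$env:SystemDrive\"

# The task body: create a restore point. Checkpoint-Computer talks to the VSS *service*
# directly, so it does not need vssadmin.exe. Note that since Windows 8 Windows creates
# at most one restore point per 24 hours, so a more frequent trigger gains nothing.
$command = 'Checkpoint-Computer -Description "Nightly restore point" -RestorePointType MODIFY_SETTINGS'
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$command`""

# Nightly at 02:00, as SYSTEM with highest privileges, whether or not anyone is logged on;
# -StartWhenAvailable lets it catch up if the PC was off at 02:00.
$trigger   = New-ScheduledTaskTrigger -Daily -At 2am
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable

Register-ScheduledTask -TaskName 'Nightly Restore Point' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force `
    -Description 'Creates a system restore point via the VSS service (does not require vssadmin.exe)'

# Verify: the task is registered, and the most recent restore points are listed.
Get-ScheduledTask -TaskName 'Nightly Restore Point' | Select-Object TaskName, State
Get-ComputerRestorePoint | Select-Object -Last 3 SequenceNumber, Description, CreationTime
```

Run `Start-ScheduledTask -TaskName 'Nightly Restore Point'` once by hand and re-run Get-ComputerRestorePoint to confirm a new point appears before relying on the schedule.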

#13 AndreasBln (Members, 1 post)

Posted 30 August 2016 - 01:39 PM

There is actually a program which does this for you, Z-VSScopy. It creates a wrapper for vssadmin (and wmic) and prevents deletion of shadow copies. All other functionality is preserved.



#14 bwv848, Bleepin' Owl (BSOD Kernel Dump Expert, 3,029 posts, 92.96 million miles away from the sun)

Posted 30 September 2016 - 09:36 PM

I didn't want to create a new topic on this, but if you do an sfc /scannow, will vssadmin.exe return to its original state? I just disabled vssadmin.exe.

 

Thanks! :)


If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)
