Solved

Hi, I need a script that can disable the system restore, take ownership and delete the folder. I have some part of the script.

Posted on 2008-06-23
Last Modified: 2008-06-25
Hi,

Create a script to
-disable the system restore function
-use command cacls to take ownership of the folder
-delete the folder

Below is the script to disable the system restore. Can the other 2 options be added?
Script below is from Farhan.

Regards
Sharath
:: BATCH SCRIPT START
@ECHO OFF
SETLOCAL EnableDelayedExpansion
SET InputFile=Machines.txt
SET OutputFile=SRSDisableStatus.txt

IF NOT EXIST "%InputFile%" ECHO "%InputFile%" file does not exist. &GOTO :EndScript
FOR %%R IN ("%InputFile%") DO IF %%~zR EQU 0 ECHO "%InputFile%" file is empty. &GOTO :EndScript
IF EXIST "%OutputFile%" DEL /F /Q "%OutputFile%"

FOR /F %%c IN ('TYPE "%InputFile%"') DO (
	ECHO Processing: %%c
	PING -n 1 -w 1000 %%c|Find /I "TTL" >NUL
	IF NOT ERRORLEVEL 1 (
		SC \\%%c STOP "srservice" >>%OutputFile%
		SC \\%%c config "srservice" start= disabled >>%OutputFile%
	)ELSE (ECHO Unable to connect %%c: system may be offline.))

ECHO. &ECHO Script complete. Check "%OutputFile%" file.
:EndScript
ENDLOCAL
EXIT /B 0
:: BATCH SCRIPT END

Question by:bsharath

15 Comments

Expert Comment

by:purplepomegranite
The batch file looks like it just turns off and then disables the System Restore service... WMI can be used to actually disable the monitoring within the System Restore config, which would be a better way of doing it. In the above example, if the service were started again the System Restore settings would be reinitiated. If they are disabled using WMI, then there is no need to disable the service - if it is started again it will simply stop immediately as it is not configured to do anything.

Additionally, when this is done using WMI, the folder is automatically deleted.  No need for either of your other requirements - they are already met.

The attached is an example.  Test it out and let me know if it is what you are after.
Set obj = GetObject("winmgmts:{impersonationLevel=impersonate}!root/default:SystemRestore")
If (obj.Disable("")) = 0 Then
    wscript.Echo "System Restore successfully disabled"
Else
    wscript.Echo "Failed to disable System Restore"
End If

Expert Comment

by:purplepomegranite
I can adapt the code to work with remote computers if that is what you need... also, it looks like the batch file processes a list of machines from a file?  I can also amend in this regard if required.

Author Comment

by:bsharath
How should I run this file?
vbs or bat?

Expert Comment

by:purplepomegranite
This file is a .vbs

Author Comment

by:bsharath
I get this

---------------------------
Windows Script Host
---------------------------
Script:      D:\Systemrestore.vbs
Line:      2
Char:      1
Error:      Access denied
Code:      80041003
Source:       SWbemObjectEx

---------------------------
OK  
---------------------------

Expert Comment

by:purplepomegranite
Are you running this as a system administrator?  I have tested this script on my own machine, it does work - but you need admin rights to adjust System Restore settings.

Expert Comment

by:purplepomegranite
The attached is a version adapted so that it can easily be used against remote computers (the strComputer variable just needs to be given the remote computer name).  Again, you'd need admin rights on the remote machine.
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default")

Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.Disable("")

Author Comment

by:bsharath
Thanks this works fine...
Can the script take the machine names from a txt file?

Author Comment

by:bsharath
But the folder System Volume Information is not deleted?

Expert Comment

by:purplepomegranite
System Volume Information is not just used by System Restore - that folder will not be deleted (and should not).  However, all previous restore points ARE deleted.  If you have a computer that has System Restore currently enabled, and also has restore points, then take a note of the free-space on the drive(s) before running the above script.  After running the script the drive(s) will have extra space to the amount that was being used by System Restore.

I'll adapt the script to read from a text file.

Author Comment

by:bsharath
Ok...

Expert Comment

by:purplepomegranite
Attached code will process list.  Just change the second line to point to your file containing the list of computers.
dim strComputerList
strComputerList="c:\computers.txt" ' Change to the file containing list of computers

dim objFSO, objF

set objFSO=CreateObject("Scripting.FileSystemObject")
if objFSO.FileExists(strComputerList) then
	set objF=objFSO.OpenTextFile(strComputerList,1)
	while not objF.AtEndOfStream
		wscript.echo DisableSystemRestore(objF.ReadLine)
	wend
	objF.Close
	set objF=Nothing
end if
set objFSO=Nothing

function DisableSystemRestore(strComputer)
	dim objWMI, objItem, errResults
	' Start from failure: if Disable raises an error (e.g. access denied) nothing is
	' assigned, and an unassigned (Empty) variable would compare equal to 0 below.
	errResults=-1
	on error resume next
	Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default")

	Set objItem = objWMI.Get("SystemRestore")
	if Err.Number=0 then
		errResults = objItem.Disable("")
		Err.Clear ' Clear any error raised by Disable itself
	else
		errResults=-1 ' Failed to get WMI object - possibly the machine is turned off, or some other reason
		Err.Clear
	end if
	if errResults=0 then
		DisableSystemRestore="Successfully disabled system restore on " & strComputer
	else
		DisableSystemRestore="FAILED to disable system restore on " & strComputer
	end if
end function

	

Author Comment

by:bsharath
Thanks works fine...
Can I have the results to a txt file that shows success and failure like

Machine name Success
Machine name Failure

Accepted Solution

by: purplepomegranite earned 500 total points
Yes :-)
dim strComputerList, strLogFile
strComputerList="c:\computers.txt" ' Change to the file containing list of computers
strLogFile="c:\log.txt" ' Change to the location of the log file (will be wiped/created each time)

dim objFSO, objF
dim strResults
strResults=""

set objFSO=CreateObject("Scripting.FileSystemObject")
if objFSO.FileExists(strComputerList) then
	set objF=objFSO.OpenTextFile(strComputerList,1)
	while not objF.AtEndOfStream
		' One result per line in the log
		strResults=strResults & DisableSystemRestore(objF.ReadLine) & vbCrLf
	wend
	objF.Close
end if
set objF=objFSO.CreateTextFile(strLogFile,true)
objF.Write strResults
objF.Close
set objF=Nothing
set objFSO=Nothing

function DisableSystemRestore(strComputer)
	dim objWMI, objItem, errResults
	' Start from failure: if Disable raises an error (e.g. access denied) nothing is
	' assigned, and an unassigned (Empty) variable would compare equal to 0 below.
	errResults=-1
	on error resume next
	Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default")

	Set objItem = objWMI.Get("SystemRestore")
	if Err.Number=0 then
		errResults = objItem.Disable("")
		Err.Clear ' Clear any error raised by Disable itself
	else
		errResults=-1 ' Failed to get WMI object - possibly the machine is turned off, or some other reason
		Err.Clear
	end if
	if errResults=0 then
		DisableSystemRestore=strComputer & ": SUCCESS"
	else
		DisableSystemRestore=strComputer & ": FAIL"
	end if
end function
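
As noted earlier in the thread, disabling System Restore through WMI deletes all existing restore points. The following is an added example, not part of the original thread or of purplepomegranite's scripts: a VBScript that records each machine's restore points before the disable script is run, so the change can be reviewed afterwards. It reuses the c:\computers.txt list from above; the c:\restorepoints.txt output path is an assumed name.

```vbscript
Option Explicit
Const LIST_FILE = "c:\computers.txt"       ' same machine list as the scripts above
Const AUDIT_FILE = "c:\restorepoints.txt"  ' assumed output path for this example

Dim objFSO, objIn, objOut, strLine
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.FileExists(LIST_FILE) Then
    Set objIn = objFSO.OpenTextFile(LIST_FILE, 1)
    Set objOut = objFSO.CreateTextFile(AUDIT_FILE, True)
    Do Until objIn.AtEndOfStream
        strLine = Trim(objIn.ReadLine)
        ' Skip blank lines so an empty name is never passed to WMI
        If strLine <> "" Then objOut.WriteLine InventoryRestorePoints(strLine)
    Loop
    objOut.Close
    objIn.Close
Else
    WScript.Echo "List file not found: " & LIST_FILE
End If

' Returns one log line: restore point count and the newest point, or the WMI error.
Function InventoryRestorePoints(strComputer)
    Dim objWMI, colPoints, objPoint, intCount, lngNewest, strNewest
    intCount = 0
    lngNewest = -1
    strNewest = "none"
    On Error Resume Next
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default")
    If Err.Number = 0 Then Set colPoints = objWMI.ExecQuery("SELECT * FROM SystemRestore")
    If Err.Number = 0 Then
        For Each objPoint In colPoints
            intCount = intCount + 1
            ' Track the highest sequence number rather than relying on enumeration order
            If objPoint.SequenceNumber > lngNewest Then
                lngNewest = objPoint.SequenceNumber
                strNewest = "#" & lngNewest & " " & objPoint.CreationTime & " " & objPoint.Description
            End If
        Next
    End If
    If Err.Number <> 0 Then
        ' Unreachable host or access denied (e.g. 0x80041003): state is unknown, not "no restore points"
        InventoryRestorePoints = strComputer & ": UNKNOWN, error 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    Else
        InventoryRestorePoints = strComputer & ": " & intCount & " restore point(s), newest: " & strNewest
    End If
End Function
```

Run it with cscript under an account that has admin rights on the listed machines, the same requirement as the disable scripts.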

	

Author Comment

by:bsharath
Thanks a lot... :-))