Find files by owner in Windows after virus attack

We have a terminal server that was infected by a Trojan. The trojan changed ownership of several thousand files to the infected and corrupted the data.

Is there a way we can search for files in Windows that will show the FULL PATH of the files owned by a specific user?
Who is Participating?
BxozConnect With a Mentor Commented:
You can use the powershell commande Get-Acl

Get-Acl C:\Scripts\*.*
Get-ChildItem C:\Scripts -recurse | ForEach-Object {Get-Acl $_.FullName}

Open in new window

Three things come to mind:

1) Why haven't you simply restored the files from their last known good backup? Anything that has been touched by an unauthorized third-party (in your case, a trojan) cannot be trusted.

2) With some backup programs, such as BackupExec, it is possible to set a restore job where BackupExec only restores the permissions to files already located on the server, based on the permissions that it backed up in a previous job. If you don't use BackupExec, check with your vendor's documentation to see if they support this type of function.

3) Ownership is really a permission that ought not be granted to individual users, because ownership allows that owner to set whatever permissions they wish to those files or folders, irrespective of IT's intentions. I would simply go into the root folder and set Administrators group as the owner and apply that permission to all the child objects. This would be the quickest way to resolve the ownership issue.

Of course, I would only be this cavalier with user-created data... not system-created data.

Good luck.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.