Find files by owner in Windows after virus attack

We have a terminal server that was infected by a Trojan. The trojan changed ownership of several thousand files to the infected and corrupted the data.

Is there a way we can search for files in Windows that will show the FULL PATH of the files owned by a specific user?

You can use the PowerShell command Get-Acl

Get-Acl C:\Scripts\*.*
Get-ChildItem C:\Scripts -recurse | ForEach-Object {Get-Acl $_.FullName}
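
Added example, not part of the original answer: the Get-Acl calls above return every ACL, so this function filters on the owner and emits the full path of each match, which is what the question asks for. It assumes PowerShell 3.0 or later (for `-File` and `-LiteralPath`); the function name `Find-FilesByOwner` and the root and account in the usage line are assumptions to be replaced with your own values.

```powershell
# Added example: list the full path of every file under a root that is owned
# by one account. Find-FilesByOwner is a hypothetical helper name.
function Find-FilesByOwner {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$Account   # DOMAIN\user or MACHINE\user
    )

    # Resolve the account to a SID once. Comparing SIDs avoids mismatches between
    # name formats and still works if the name can no longer be resolved on a file.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $target  = (New-Object System.Security.Principal.NTAccount($Account)).Translate($sidType)

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                # -LiteralPath keeps names containing [ ] or * from being treated as wildcards
                $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
                if ($acl.GetOwner($sidType).Value -eq $target.Value) {
                    New-Object PSObject -Property @{
                        FullName      = $file.FullName
                        Owner         = $acl.Owner
                        LastWriteTime = $file.LastWriteTime
                        Length        = $file.Length
                    }
                }
            } catch {
                # Files the current token cannot read are reported instead of silently skipped
                Write-Warning "Could not read ACL for $($file.FullName): $($_.Exception.Message)"
            }
        }
}

# Usage: the values below only make the example runnable on any machine.
# Substitute the affected share and the account the files were reassigned to.
Find-FilesByOwner -Root $env:USERPROFILE -Account "$env:USERDOMAIN\$env:USERNAME" |
    Select-Object FullName, Owner, LastWriteTime, Length |
    Export-Csv -Path (Join-Path $env:TEMP 'files-by-owner.csv') -NoTypeInformation
```

Run it from an elevated session so that ACLs on other users' files can be read; the CSV gives a list to check against backups before any ownership is reset.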

Three things come to mind:

1) Why haven't you simply restored the files from their last known good backup? Anything that has been touched by an unauthorized third-party (in your case, a trojan) cannot be trusted.

2) With some backup programs, such as BackupExec, it is possible to set a restore job where BackupExec only restores the permissions to files already located on the server, based on the permissions that it backed up in a previous job. If you don't use BackupExec, check with your vendor's documentation to see if they support this type of function.

3) Ownership is really a permission that ought not be granted to individual users, because ownership allows that owner to set whatever permissions they wish to those files or folders, irrespective of IT's intentions. I would simply go into the root folder and set Administrators group as the owner and apply that permission to all the child objects. This would be the quickest way to resolve the ownership issue.

Of course, I would only be this cavalier with user-created data... not system-created data.

Good luck.
Windows Server 2008