Detecting if Volume Shadow Copies have been explicitly disabled through the registry

Ransomware is very fond of disabling Volume Shadow Copies when infecting targets, since the shadow copies are often the only local backup a victim has. Here are a few commands to remotely detect whether Volume Shadow Copies have been disabled across a set of machines.

First, we use PsExec from Microsoft Sysinternals and a local reg query command on each target. This is useful if you only have a list of IP addresses rather than hostnames for the different machines. A DisableSR value of 1 under the SystemRestore key means System Restore (and with it the shadow copies it relies on) has been explicitly turned off by policy or by an attacker:

psexec @systems.txt -u domain\ADMINISTRATOR reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR

Remember to change the domain and username you want to use for the query.

We can also use only built-in commands to query for the information. In this example we use the reg command against the remote registry of each host, providing it with a list of hostnames to query from the file dns.txt and writing each host's result to its own file:

for /F %i in (dns.txt) do @reg query "\\%i\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR >> %i.txt

This command runs with your current credentials, so the account you are logged on with needs administrative rights on every target machine (in practice a domain administrator), and the Remote Registry service must be running on the targets for the remote query to succeed. If the value is not present at all, System Restore has simply never been disabled through this key.

WannaCry

The ransomware dubbed WannaCry disables Volume Shadow Copies and the Windows recovery tooling like this (warning: running this command will delete your local backups):

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

This leaves no useful marks in the registry for us to audit, since the shadow copies are deleted directly rather than disabled by policy. I think the best way to detect this is to query machines where you know you have Volume Shadow Copies enabled and check whether they still have any shadow copies stored. To query for this information we can use wmic, another built-in command which can reach remote machines over WMI:

wmic /node:@ip.txt shadowcopy list brief

This little command runs against every IP address in the file ip.txt and lists the shadow copies present on each host; a machine that should have them but returns nothing deserves a closer look.
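The two checks above (the DisableSR registry value and the shadow-copy inventory) can be combined into one sweep. The PowerShell script below is an added example, not code from the original post: it reads a host list, reads the SystemRestore key over the Remote Registry service, counts Win32_ShadowCopy instances over DCOM (the same transport wmic uses), and flags hosts where DisableSR is 1 or no shadow copies exist. The filename hosts.txt, the output file vss-audit.csv and the "Suspicious" column are assumptions of this example.

```powershell
# Added example (not part of the original post). Assumes you run as an account
# with local administrator rights on the targets, that the Remote Registry
# service and WMI/DCOM are reachable on them, and that hosts.txt (assumed name)
# holds one hostname or IP address per line.
param(
    [string]$HostList = '.\hosts.txt'
)

# Same key the reg query commands above read.
$regPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

function Get-DisableSR {
    param([string]$Computer)
    # Remote registry read via the RemoteRegistry service. Returns $null when
    # the value is absent (the default: System Restore has not been disabled),
    # the DWORD value when present, or 'ERROR' when the host cannot be queried.
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $hive.OpenSubKey($regPath)
        if ($null -eq $key) { return $null }
        return $key.GetValue('DisableSR')
    } catch {
        Write-Warning "$Computer : registry query failed ($($_.Exception.Message))"
        return 'ERROR'
    }
}

function Get-ShadowCopyCount {
    param([string]$Computer)
    # Same data as 'wmic /node:<host> shadowcopy list brief'. A DCOM CIM session
    # is used so the script works against hosts without WinRM enabled.
    try {
        $opt     = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Computer -SessionOption $opt -ErrorAction Stop
        $copies  = Get-CimInstance -CimSession $session -ClassName Win32_ShadowCopy -ErrorAction Stop
        Remove-CimSession $session
        return @($copies).Count
    } catch {
        Write-Warning "$Computer : WMI query failed ($($_.Exception.Message))"
        return -1   # -1 marks an unreachable host, as distinct from 0 copies
    }
}

$results = foreach ($computer in (Get-Content $HostList | Where-Object { $_.Trim() })) {
    $disableSR = Get-DisableSR -Computer $computer
    $count     = Get-ShadowCopyCount -Computer $computer
    [pscustomobject]@{
        Computer     = $computer
        DisableSR    = if ($null -eq $disableSR) { 'not set' } else { $disableSR }
        ShadowCopies = $count
        # Flag explicit disabling, or a host that answered but has no copies left
        Suspicious   = ($disableSR -eq 1) -or ($count -eq 0)
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path .\vss-audit.csv
```

As the post notes, a count of zero is only meaningful on machines where you know shadow copies are normally present; a freshly built host may legitimately have none, so feed the script a list of systems with a known baseline rather than the whole estate. Hosts reported as ERROR or -1 were not reachable and need to be checked separately rather than treated as clean.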
