From c29f9b4743b5451e12d270da45072e72d1a480af Mon Sep 17 00:00:00 2001 From: Jared Atkinson Date: Wed, 8 Jul 2015 22:27:12 -0400 Subject: Cleaned up Remove-VSC and New-VSC - Changed Remove-VSC to have a single mandatory parameter (DevicePath) - Updated New-VSC to check initial state of the VSS Service and return VSS to its inital state after execution --- Exfiltration/VolumeShadowCopyTools.ps1 | 46 +++++++++------------------------- 1 file changed, 12 insertions(+), 34 deletions(-) (limited to 'Exfiltration') diff --git a/Exfiltration/VolumeShadowCopyTools.ps1 b/Exfiltration/VolumeShadowCopyTools.ps1 index 6d47c34..49fe22d 100644 --- a/Exfiltration/VolumeShadowCopyTools.ps1 +++ b/Exfiltration/VolumeShadowCopyTools.ps1 @@ -77,6 +77,9 @@ function New-VolumeShadowCopy Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.' } + # Save VSS Service initial state + $running = (Get-Service -Name VSS).Status + $class = [WMICLASS]"root\cimv2:win32_shadowcopy" $return = $class.create("$Volume", "$Context") @@ -98,6 +101,12 @@ function New-VolumeShadowCopy 13 {Write-Error "Unknown error."; break} default {break} } + + # If VSS Service was Stopped at the start, return VSS to "Stopped" state + if($running -eq "Stopped") + { + Stop-Service -Name VSS + } } function Remove-VolumeShadowCopy @@ -134,14 +143,6 @@ function Remove-VolumeShadowCopy ----------- Removes all volume shadow copy -.EXAMPLE - - Get-WmiObject Win32_ShadowCopy | Remove-VolumeShadowCopy - - Description - ----------- - Removes all volume shadow copy - .EXAMPLE Remove-VolumeShadowCopy -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4' @@ -150,13 +151,9 @@ function Remove-VolumeShadowCopy ----------- Removes the volume shadow copy at the 'DeviceObject' path \\?\GLOBALROOT\DeviceHarddiskVolumeShadowCopy4 #> + [CmdletBinding(SupportsShouldProcess = $True)] Param( - [Parameter(Mandatory = $False, ValueFromPipeline = $True)] - [ValidateNotNullOrEmpty()] - [Object] - $InputObject, - - [Parameter(Mandatory = $False)] + [Parameter(Mandatory = $True, ValueFromPipeline = $True)] [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')] [String] $DevicePath @@ -164,29 +161,10 @@ function Remove-VolumeShadowCopy PROCESS { - if($PSBoundParameters.ContainsKey("InputObject")) - { - if($InputObject.GetType().Name -eq "String") - { - (Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $InputObject}).Delete() - } - else - { - $InputObject.Delete() - } - } - elseif($PSBoundParameters.ContainsKey("DevicePath")) + if($PSCmdlet.ShouldProcess("The VolumeShadowCopy at DevicePath $DevicePath will be removed")) { (Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $DevicePath}).Delete() } - else - { - $vsc = Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy - foreach($copy in $vsc) - { - $copy.Delete() - } - } } } -- cgit v1.2.3