@ECHO OFF
SETLOCAL ENABLEDELAYEDEXPANSION
REM Elevation check: OPENFILES.EXE exits non-zero unless it is run from an
REM elevated prompt, so its exit code doubles as an "are we admin?" probe.
REM MKLINK /D on \\?\GLOBALROOT and writes under ProgramData need that anyway.
OPENFILES.EXE >NUL 2>&1
IF %ERRORLEVEL% NEQ 0 (
ECHO You need to run this script from an elevated command prompt. Exiting.
EXIT /B 1
)
REM Usage text is shown only when the FIRST argument asks for it; a --help
REM given later in the argument list is handled by the option parser instead.
IF [%1]==[/?] GOTO HELP
IF [%1]==[--help] GOTO HELP
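REM Process named parameters of the form --name=value or "--name value".
REM cmd's FOR splits %* on spaces, commas, semicolons AND '=', so
REM "--username=bob" arrives as the two tokens "--username" and "bob". Each
REM value is stored in an environment variable named after the option
REM (e.g. %--username%), which the rest of the script reads.
REM Only the documented options are accepted as names. Without this check any
REM token pair assigns an arbitrary variable - e.g. "SystemDrive X:" - and
REM every path built further down hangs off such variables.
REM Limitations inherited from the FOR tokenizer: values cannot contain spaces
REM (each word becomes its own token), tokens with wildcards (* ?) are
REM expanded against the current directory, and '!' is eaten by delayed
REM expansion. None of these are expected in a profile-folder name.
SET "prev="
FOR %%A IN (%*) DO (
IF DEFINED prev (
SET "!prev!=%%~A"
SET "prev="
) ELSE (
IF /I "%%~A"=="--username" (
SET "prev=%%~A"
) ELSE IF /I "%%~A"=="--do-restore" (
SET "prev=%%~A"
) ELSE (
ECHO Unknown option: %%~A
ECHO Run %~nx0 /? for usage. Exiting.
EXIT /B 1
)
)
)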
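REM --username=<name>: also restore .lnk files under that user's profile.
REM The value is spliced straight into filesystem paths, so it must be a bare
REM profile-folder name. Reject path separators, drive colons and "..":
REM "..\Windows" would pass the EXIST test below and redirect the Robocopy
REM destinations outside %SystemDrive%\Users. (Windows usernames cannot
REM contain \ / : anyway, so this rejects nothing legitimate.)
SET "CHECK_USER_AREA=false"
IF DEFINED --username (
SET "USERNAME_OK=true"
IF NOT "%--username:\=%"=="%--username%" SET "USERNAME_OK=false"
IF NOT "%--username:/=%"=="%--username%" SET "USERNAME_OK=false"
IF NOT "%--username::=%"=="%--username%" SET "USERNAME_OK=false"
IF NOT "%--username:..=%"=="%--username%" SET "USERNAME_OK=false"
IF "!USERNAME_OK!"=="false" (
ECHO Invalid --username "%--username%": must be a plain profile folder name. Exiting...
EXIT /B 1
)
IF NOT EXIST "%SystemDrive%\Users\%--username%" (
ECHO Specified username profile folder does not exist! Exiting...
EXIT /B 1
)
SET "CHECK_USER_AREA=true"
)
REM --do-restore=true switches Robocopy from a dry run (/L, the default) to a
REM real copy. Anything other than "true" (case-insensitive) stays a dry run.
REM DO_RESTORE is spliced into the Robocopy command line: "/L" or a lone space.
SET "DO_RESTORE=/L"
IF DEFINED --do-restore IF /I "%--do-restore%"=="true" SET "DO_RESTORE= "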
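REM Each shadow copy is reached through a directory symlink created with
REM MKLINK /D; Robocopy then copies *.lnk files that are missing from (or
REM older than) the live volume. Only HarddiskVolumeShadowCopy1..5 are tried:
REM list the IDs that actually exist with "VSSADMIN LIST SHADOWS /FOR=C:" and
REM extend the FOR list below if yours are higher.
SET "SHADOW_LINK=%SystemDrive%\shadowrestore"
REM Refuse to run if the link path already exists. Previously a MKLINK failure
REM was only echoed and the loop went on to read whatever sat at that path, so
REM a pre-planted directory or junction there (on default ACLs non-admin users
REM can create folders in the root of the system drive) would have been treated
REM as a shadow copy and its .lnk files copied into the all-users Start Menu.
IF EXIST "%SHADOW_LINK%" (
ECHO "%SHADOW_LINK%" already exists. Remove it ^(RD if it is a leftover link^) and rerun. Exiting.
EXIT /B 1
)
FOR %%G IN (1 2 3 4 5) DO (
ECHO(
ECHO Attempting to mount Shadow Copy %%G
SET "SHADOW_RESTORE_MOUNTED=true"
MKLINK /D "%SHADOW_LINK%" \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%%G\ || SET "SHADOW_RESTORE_MOUNTED=false"
IF "!SHADOW_RESTORE_MOUNTED!"=="true" (
REM Crude test for a Windows volume: its root has system-attribute entries.
REM MKLINK /D does not appear to verify its target, so this DIR is what
REM actually detects a shadow copy ID that does not exist.
SET "SHADOW_RESTORE_HAS_FILES=true"
DIR "%SHADOW_LINK%" /AS /B >NUL 2>&1 || SET "SHADOW_RESTORE_HAS_FILES=false"
IF "!SHADOW_RESTORE_HAS_FILES!"=="true" (
CALL :RESTORE_LNK "%SHADOW_LINK%\ProgramData\Microsoft\Windows\Start Menu\Programs" "%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs"
CALL :RESTORE_LNK "%SHADOW_LINK%\Users\Public\Desktop" "%SystemDrive%\Users\Public\Desktop"
IF "%CHECK_USER_AREA%"=="true" (
CALL :RESTORE_LNK "%SHADOW_LINK%\Users\%--username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs" "%SystemDrive%\Users\%--username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
CALL :RESTORE_LNK "%SHADOW_LINK%\Users\%--username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" "%SystemDrive%\Users\%--username%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
) ELSE (
ECHO Empty directory - shadow copy %%G probably does not exist!
)
REM RD on a directory symlink removes only the link, never its target.
REM A link that cannot be removed makes the next MKLINK fail, which is reported.
RD "%SHADOW_LINK%" || ECHO WARNING: could not remove "%SHADOW_LINK%" - remove it manually.
) ELSE (
ECHO Could not create directory symlink to \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%%G ^(Shadow Copy %%G^).
)
)
EXIT /B 0

:RESTORE_LNK
REM Copy *.lnk files from %1 (a folder inside the mounted shadow copy) to %2
REM (the matching folder on the live volume), recursing into subfolders (/S).
REM /XO excludes source files older than the destination copy and /XC excludes
REM "changed" ones (same timestamp, different size), so a newer live shortcut
REM is never overwritten. %DO_RESTORE% is "/L" for a dry run or empty.
ROBOCOPY %DO_RESTORE% /S /XO /XC /FP /R:1 /W:1 "%~1" "%~2" *.lnk
REM Robocopy exit codes below 8 are informational; 8 and above mean at least
REM one copy failed, which the original script silently ignored.
IF ERRORLEVEL 8 ECHO WARNING: Robocopy reported errors for "%~1" ^(exit code %ERRORLEVEL%^).
EXIT /B 0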
:HELP
REM Usage text; reached only via GOTO when the first argument is /? or --help.
ECHO(
ECHO == ASR Cockup - Restore Shortcuts From Shadow Copy script - 15/01/2023 ==
ECHO(
ECHO Usage: %~nx0 [options...]
ECHO --username=^<username^> ^(default: omit user profile^)
ECHO --do-restore=true^|false ^(default: false^)
ECHO(
ECHO Inspired by the work started at
ECHO https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/bc-p/3716248/highlight/true#M2146
EXIT /B 0
REM Notes:
REM Start menu shortcut locations:
REM %AppData%\Microsoft\Windows\Start Menu\Programs
REM %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs
REM Taskbar shortcut locations:
REM %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
REM Desktop:
REM %SystemDrive%\Users\Public\Desktop
REM To see which HarddiskVolumeShadowCopy<N> devices exist (the loop above only tries N = 1..5), run: VSSADMIN LIST SHADOWS /FOR=C: