Look at LSB init scripts for more information.
Copy to /etc/init.d:
# replace "$YOUR_SERVICE_NAME" with your service's name (wherever it's not obvious enough)
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
    # Kill all parent processes from detected vssadmin process
    $p = $EventArgs.NewEvent.TargetInstance
    while ($p) {
        # Look up the parent before the current process goes away
        $ppid = $p.ParentProcessID
        $pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
        Write-Host $p.ProcessID
        # The listing on this page ends at the line above; the lines below are an
        # assumed completion: stop the current process, then continue with its parent.
        Stop-Process -Id $p.ProcessID -Force -ErrorAction SilentlyContinue
        $p = $pp
    }
}
I hereby claim:
To claim this, I am signing this object: