Why Should You Disable VSSAdmin.exe Utility

Ransomware is a type of malicious program that uses deceptive and alarming messages to extort money from a victim. The messages are usually accompanied by harmful actions on the user's computer or mobile device - for example, by 'locking' it to prevent normal use - so that the user feels pressured into paying the money demanded.

Crypto-ransomware propagates via infected email attachments and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt the data via an online service provided by the malware's operators, for a significantly higher price in bitcoin.

When crypto-ransomware encrypts a user's files, it is essentially taking those files hostage; a ransom demand is then displayed offering the user the decryption key needed to restore the files, if a specified sum is paid. In some cases, the user only has a limited time period to make the payment.

Although crypto-ransomware itself is readily removed, the files remain encrypted in a way which researchers consider unfeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover the files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims claimed that paying the ransom did not always lead to the files being decrypted.

Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use. A number of Microsoft Windows components have been updated to make use of Shadow Copy. Backup and Restore in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1 and Windows 10 uses shadow copies of files in both file-based and sector-by-sector backup.

VSS is also used by the System Protection component, which creates and maintains periodic copies of system and user data on the same local volume and allows them to be locally accessed by System Restore. System Restore allows reverting to an entire previous set of shadow copies, called a restore point. Shadow copies are created automatically once per day, or manually when triggered by the backup utility or by installer applications which create a restore point. The "Previous Versions" feature is available in the Business, Enterprise, and Ultimate editions of Windows Vista and in all Windows 7 editions. Windows attempts to create these snapshots every day, and they allow you to restore documents to previous versions, or even to restore them if they were deleted.

Since Windows Vista, Microsoft has bundled a utility called VSSAdmin.exe with Windows that allows an administrator to manage the Shadow Volume Copies on the computer. With the rise of crypto-ransomware, this tool has become more of a problem than a benefit, and everyone should disable it. Unfortunately, the developers of crypto-ransomware are aware of Shadow Volume Copies and design their infections so that they delete ALL Shadow Volume Copies when the ransomware infects your computer. This is done to prevent you from using Shadow Volumes to recover encrypted files.

By disabling the VSSAdmin.exe utility, the shadow copies of a user's files can still be recovered when the computer gets infected by ransomware. This will not be 100% effective against all ransomware infections, but it helps against many of them.

vssadmin.exe is also used by Windows when creating scheduled system restore points. There is a workaround for this: a scheduled task can be created that uses the WMIC command to create the restore points for us. You can read my tutorial to learn how to create a scheduled task in Windows; the link is below.


Set Programs To Run At Certain Times

The WMIC command can be used to create a scheduled system restore point:


Code:

Wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "%DATE%", 100, 7
When it is done, it should look like the image below.

[Image: the completed scheduled task]

After you have finished creating the scheduled task for creating system restore points, on the General tab make sure you have it set to Run whether user is logged on or not and to Run with highest privileges.

At the Triggers tab, set it to run as often as you want.

When you have finished, you can apply the scheduled task and it should create new restore points at the times you have specified.
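The same scheduled task built from the command line instead of the Task Scheduler GUI, as an added example that is not part of the original post. It uses the WMIC command above, runs it as SYSTEM (which covers both "Run whether user is logged on or not" and "Run with highest privileges"), and uses a daily 09:00 trigger; the task name and the trigger time are assumptions chosen for the example. Run it from an elevated Windows PowerShell 5.1 prompt.

```powershell
# Added example, not code from the original post: registers the daily
# restore-point task with PowerShell instead of the Task Scheduler GUI.
# Assumptions chosen here: the task name and the 09:00 trigger time.
# Run from an elevated Windows PowerShell 5.1 prompt.
#Requires -RunAsAdministrator

$taskName = 'Daily-RestorePoint'

# The same WMIC call the post uses. %DATE% is expanded by cmd.exe at run time,
# so the call is wrapped in "cmd.exe /c" rather than launched directly.
$wmicCall = 'Wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "%DATE%", 100, 7'
$action   = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c $wmicCall"

# Daily trigger. Running as SYSTEM with RunLevel Highest covers both GUI options
# from the post: "Run whether user is logged on or not" and "Run with highest privileges".
$trigger   = New-ScheduledTaskTrigger -Daily -At '09:00'
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest

# Let it run on battery power and do not queue overlapping instances.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
                -DontStopIfGoingOnBatteries -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force `
    -Description 'Creates a System Restore point daily via WMIC CreateRestorePoint.' | Out-Null

# Verify the task, force one run, and confirm that a restore point appeared.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 20
Get-ComputerRestorePoint | Select-Object -Last 3 SequenceNumber, Description, CreationTime
```

Two things to check before relying on the task: System Protection must be turned on for the system drive, or CreateRestorePoint fails, and on Windows 8 and later Windows skips restore-point creation when another one was made within the previous 24 hours unless the SystemRestorePointCreationFrequency value (DWORD, in minutes) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0. A trigger more frequent than daily therefore needs that registry change as well.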

Rename vssadmin Utility


The batch script attached to this thread will automatically rename the vssadmin.exe utility.


  • To rename the VSSAdmin.exe utility, execute the RenVSSAdmin.bat batch script, type the letter Y and press the Enter key.

  • To restore the VSSAdmin.exe utility, execute the RenVSSAdmin.bat batch script, type the letter N and press the Enter key.
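For readers who would rather see what such a script does than run an attachment, here is a PowerShell equivalent written as an added example; it is not the RenVSSAdmin.bat from this thread. It follows the same Y/N prompt, takes ownership of the binary (which is owned by TrustedInstaller) before renaming it, and also handles the 32-bit copy under SysWOW64 on 64-bit Windows. The .disabled suffix and the function name are choices made for this example.

```powershell
# Added example, not the RenVSSAdmin.bat attached to the thread.
# Renames vssadmin.exe out of the way (Y) or puts it back (N).
# Assumptions made here: the renamed copy is called vssadmin.exe.disabled, and the
# binary sits under System32 plus SysWOW64 on 64-bit Windows. Run elevated.
#Requires -RunAsAdministrator

$targets = @("$env:SystemRoot\System32\vssadmin.exe")
if (Test-Path "$env:SystemRoot\SysWOW64\vssadmin.exe") {
    $targets += "$env:SystemRoot\SysWOW64\vssadmin.exe"
}

function Set-VssAdminState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disable', 'Restore')]
        [string]$Mode
    )
    foreach ($exe in $targets) {
        $disabled = "$exe.disabled"
        if ($Mode -eq 'Disable') { $src = $exe;      $dst = $disabled }
        else                     { $src = $disabled; $dst = $exe }

        if (-not (Test-Path $src)) { Write-Warning "$src not found, skipping"; continue }

        # The file is owned by TrustedInstaller, so take ownership and grant the
        # built-in Administrators group (SID S-1-5-32-544, language-independent)
        # full control before renaming. These are the same steps a batch file would run.
        & takeown.exe /F $src | Out-Null
        & icacls.exe $src /grant '*S-1-5-32-544:F' | Out-Null

        Rename-Item -Path $src -NewName (Split-Path $dst -Leaf) -ErrorAction Stop
        Write-Host "$src -> $dst"
    }
}

$answer = Read-Host 'Rename vssadmin.exe? (Y = disable, N = restore)'
switch ($answer.Trim().ToUpper()) {
    'Y'     { Set-VssAdminState -Mode Disable }
    'N'     { Set-VssAdminState -Mode Restore }
    default { Write-Host 'No change made.' }
}

# Check: after disabling, vssadmin.exe is no longer resolvable on the PATH.
if (Get-Command vssadmin.exe -ErrorAction SilentlyContinue) {
    Write-Host 'vssadmin.exe is available.'
} else {
    Write-Host 'vssadmin.exe is not available.'
}
```

The N path renames the file back but leaves ownership with Administrators rather than TrustedInstaller. Note that sfc /scannow and Windows servicing can put the original vssadmin.exe back, so re-check after updates, and, as the post says above, this is not a complete defence on its own.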