
Because of a ransomware attack (no big deal, all recovered from backup) I want to clean up the directories and subdirectories on the network share where the attack happened to create a lot of scrambled files. They are all owned by the user who works on the PC that was infected.

My best attempt up to now looks like this:

Get-ChildItem Z:\ -Recurse | get-acl | where {($_.Owner -eq "DOMAIN\username")} | foreach { $_.Delete()}

But it does not work because get-acl does not support $_.Delete()


This $ or $_ is not my problem, I think. I do have some other commands that are a bit alike. They run.

Like this one here:

Get-ChildItem -filter "~*.*" -path Z:\ -recurse | where {($_.LastWriteTime -lt (get-date).AddDays(-7))} | foreach { $_.Delete()}

I have been using this for days in order to delete files that were created by restoring files from backup that were untouched by the malware. I simply restored the whole share.

But I'll give it a try.

Concerning your other hint I have to explain that the user account which ran the ransomware has no self-created files on that network drive. Read permission would have been enough for that user.

Unfortunately this share has Change Access for everyone. That is from earlier days when we all did not have too much to do with ransomware. Of course I will change these access rights when the main work is done.

So please, I need advice on how to delete files owned by this special account.

Tim Penner
Anna Nuema

1 Answer


First of all, you had some typos in your code. The individual object of a list within a where-clause is addressed by $_, not $.

And you were thinking around the corner. Your approach was a little complicated. Try this instead :)

Get-ChildItem Z:\ -Recurse | where { $_.GetAccessControl().Owner -eq "DOMAIN\username"} | Remove-Item

Although personally, I don't feel like this is really the best approach, as the Owner may not always be who you think it is.

Daniel
  • Agreed, I would also, just to be safe, limit the files to a time frame unless it is a ransomware infection that randomizes that stuff. – Nick Young Jan 12 '16 at 03:15
  • What a mess. I did not read carefully. Your command line `Get-ChildItem Z:\ -Recurse | where { $_.GetAccessControl().Owner -eq "DOMAIN\username"} | Remove-Item` works absolutely perfect. Sorry. Thank you a lot. – Anna Nuema Jan 13 '16 at 14:04
  • 1
    @AnnaNuema If the answer solves your problem, please click the checkmark below the voting buttons to mark it "Accepted" – Mathias R. Jessen Jan 13 '16 at 16:23
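A more cautious version of the accepted one-liner, taking up the answer's caveat that the owner may not be who you expect and Nick Young's suggestion of a time window: it reports first, writes a manifest of what would be removed, and only deletes when asked. This is an added example, not code from the question or the answer; the share path, account name, window and manifest location are placeholders you would replace.

```powershell
# Added example (not from the original question or answer). Dry run by default:
# lists files on the share owned by the suspect account and modified inside the
# incident window, writes them to a CSV manifest, and deletes only with -Delete.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Path     = 'Z:\',                      # placeholder share path
    [string]$Owner    = 'DOMAIN\username',          # placeholder account
    [datetime]$After  = (Get-Date).AddDays(-7),     # start of incident window
    [string]$Manifest = "$env:TEMP\ransomware-cleanup.csv",
    [switch]$Delete                                 # without it: report only
)

# Get-ChildItem yields FileInfo objects (which have .Delete()); Get-Acl yields a
# security descriptor (which does not). Keep the FileInfo and look the owner up
# per file so path, owner and timestamp stay together in one record.
$candidates = Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $After } |
    ForEach-Object {
        $acl = $null
        # -LiteralPath: scrambled names often contain [ ] and other wildcard characters
        try { $acl = Get-Acl -LiteralPath $_.FullName } catch { }
        if ($acl -and $acl.Owner -eq $Owner) {
            [pscustomobject]@{
                FullName      = $_.FullName
                Owner         = $acl.Owner
                LastWriteTime = $_.LastWriteTime
                Length        = $_.Length
            }
        }
    }

# Always write the manifest first; it is the record of what was (or would be) removed.
$candidates | Export-Csv -Path $Manifest -NoTypeInformation
Write-Host ("{0} file(s) owned by {1} modified since {2}; manifest: {3}" -f `
    @($candidates).Count, $Owner, $After, $Manifest)

if (-not $Delete) {
    Write-Host 'Report only. Review the manifest, then re-run with -Delete.'
    return
}

foreach ($f in $candidates) {
    # ShouldProcess makes -WhatIf and -Confirm work for the destructive step.
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove file')) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
```

Run it once without -Delete and inspect the CSV; a file in the list whose owner is the service account or a backup operator rather than the infected user is exactly the case the answer warns about.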