Because of a ransomware attack (no big deal, all recovered from backup) I want to clean up the directories and subdirectories on the network share where the attack created a lot of scrambled files. They are all owned by the user who works on the PC that was infected.
My best attempt up to now looks like this:
Get-ChildItem Z:\ -Recurse | get-acl | where {($_.Owner -eq "DOMAIN\username")} | foreach { $_.Delete()}
But it does not work because get-acl does not support $_.Delete()
This $ or $_ is not my problem, I think. I do have some other commands that are a bit alike. They run.
Like this one here:
Get-ChildItem -filter "~*.*" -path Z:\ -recurse | where {($_.LastWriteTime -lt (get-date).AddDays(-7))} | foreach { $_.Delete()}
I have been using this for days in order to delete files that were created by restoring files from backup that were untouched by the malware. I simply restored the whole share.
But I'll give it a try.
Concerning your other hint, I have to explain that the user account which ran the ransomware has no self-created files on that network drive. Read permission would have been enough for that user.
Unfortunately this share has Change access for everyone. That is from earlier days, when none of us had much to do with ransomware. Of course I will change these access rights when the main work is done.
So please, I need advice on how to delete files owned by this particular account.
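One way to do the cleanup that keeps the file object in the pipeline (Get-Acl only returns a FileSecurity object, which has an Owner but no Delete method), as an added example that is not part of the original post; the share path Z:\, the account DOMAIN\username and the log path are placeholders, and nothing is removed unless -Commit is given:

```powershell
# Added example: delete files under a share whose NTFS owner is a given account.
# Assumptions (placeholders): share mapped as Z:\, owner DOMAIN\username, log in %TEMP%.
param(
    [string]$Root   = 'Z:\',
    [string]$Owner  = 'DOMAIN\username',
    [string]$Log    = "$env:TEMP\owner-cleanup.log",
    [switch]$Commit   # without -Commit the script only reports what it would delete
)

# -File skips directories, -Force includes hidden/system files, -LiteralPath avoids
# wildcard expansion on scrambled names that may contain [ ] or other special characters.
$targets = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $file = $_                                   # keep the FileInfo; $_ changes inside catch
        try {
            # Read the owner from the ACL but let the FileInfo itself flow down the pipeline
            (Get-Acl -LiteralPath $file.FullName).Owner -eq $Owner
        } catch {
            Write-Warning "ACL unreadable, skipping: $($file.FullName)"
            $false
        }
    }

foreach ($file in $targets) {
    if ($Commit) {
        Remove-Item -LiteralPath $file.FullName -Force
        "DELETED`t$($file.FullName)" | Add-Content -LiteralPath $Log
    } else {
        "WOULD DELETE`t$($file.FullName)" | Add-Content -LiteralPath $Log
    }
}

# Summary line so the dry run can be reviewed in the log before re-running with -Commit
"$(@($targets).Count) file(s) owned by $Owner under $Root (details in $Log)"
```

Run it once without -Commit and inspect the log; the same owner filter can be combined with the LastWriteTime check from the earlier command if the restored files and the scrambled ones differ by date.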