Kaseya Community

XP System Restore Disable/Reenable

  • Hello. The AV console shows a virus in the System Restore file. Has anyone created a script that will disable the System Restore then re-enable it in order to eliminate the virus contained within? Thanks, Mark

    Legacy Forum Name: XP System Restore Disable/Reenable,
    Legacy Posted By Username: DeltaESC
  • DisableSystemRestore.vbs.txt
    Attached are 2 vbs scripts that we use to enable and disable System Restore. Works on both XP and Vista.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: eddy@dgs.com.au
  • enablesystemresotre.vbs.txt
    Attachment refers to previous post.

    Legacy Forum Name: ,
    Legacy Posted By Username: eddy@dgs.com.au
  • Do you run the scripts manually, or do you have it where you can run it from Kaseya? If you have it running from Kaseya, do you execute it as a user or as system? Basically, with or without the user logged in?

    This is what I had to do to get it to work for me, but I still have a problem.

    I had to make a batch file called disablebatch.cmd, located at \\mikeyx\patchstaging$\austinsscripts\disablebatch.cmd. Inside the .cmd file is:

    @echo off
    echo Disabling System Restore
    rem Launch the .wsh settings file, which points at the VBS below
    start wscript.exe "\\mikeyx\patchstaging$\AustinsScripts\DisableSystemRestore.wsh"
    exit

    I then had to make a WSH settings file named DisableSystemRestore.wsh, located at \\mikeyx\patchstaging$\austinsscripts\DisableSystemRestore.wsh. Inside the .wsh file is:

    [ScriptFile]
    Path="\\mikeyx\patchstaging$\AustinsScripts\DisableSystemRestore.vbs"
    [Options]
    Timeout=5
    DisplayLogo=1
    BatchMode=0

    I then had to make a VBS script named DisableSystemRestore.vbs, located at \\mikeyx\patchstaging$\austinsscripts\DisableSystemRestore.vbs. Inside the .vbs file is:

    ' Disable System Restore on each listed drive through the WMI SystemRestore
    ' class. Disabling a drive also purges its restore points. A drive that does
    ' not exist just returns a non-zero code, which is ignored here.
    Option Explicit
    Dim Drives, Drive, obj

    Drives = Array("C:\", "D:\", "E:\", "F:\")

    Set obj = GetObject("winmgmts:{impersonationLevel=impersonate}!root/default:SystemRestore")

    For Each Drive In Drives
        ' Disable returns 0 on success, otherwise a Win32 error code
        If obj.Disable(Drive) = 0 Then
            'wscript.Echo "Success: " & Drive
        Else
            'wscript.Echo "Failed: " & Drive
        End If
    Next

    I then uploaded the files and distributed them to the server in Kaseya.

    I made a script in Kaseya called "disable system restore". This is how I set it up:

    IF True - always returns True, executing THEN branch.
    THEN step 1: execute file disablebatch.cmd located at \\mikeyx\patchstaging$\AustinsScripts\disablebatch.cmd, executed as user, and wait for completion.

    If I run this script on my computer on the mikeyx domain with Windows XP, it works.
    If I run this script on my home computer, not on the mikeyx domain, with Windows XP, it fails.

    I've also made 3 more files to enable System Restore, which have the same problem:

    If I run the script on my computer on the mikeyx domain with Windows XP, it works.
    If I run the script on my home computer, not on the mikeyx domain, with Windows XP, it fails.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Austin
  • I upload all my vbs to the Kaseya server. I have the agent download the vbs script to the agent temp directory and run the vbs script from that location.

    IF True
    THEN
    Get Variable
    Parameter 1 : 10
    Parameter 2 :
    Parameter 3 : temp
    OS Type : 0
    Write File
    Parameter 1 : #temp#\enable_system_restore.vbs
    Parameter 2 : VSASharedFiles\DesktopManagement\enable_system_restore.vbs
    OS Type : 0
    Execute Shell Command
    Parameter 1 : cscript "#temp#\enable_system_restore.vbs"
    Parameter 2 : 1
    OS Type : 0
    Delete File
    Parameter 1 : #temp#\enable_system_restore.vbs
    OS Type : 0
    ELSE

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: cnwicsurrett
  • Sweet, thanks. Works perfectly now. Plus I don't have to use any other files to call the vbs script. Kinda new to scripting, but wanted to do a few things to make life easier.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: Austin
  • Here is an easier method using Kaseya scripting only.

    To disable...

    Script Name: Disable - Windows - System Restore
    Script Description: This script will disable Windows System Restore.

    IF Check Registry Value
    Parameter 1 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
    Exists :
    THEN
    Execute Shell Command
    Parameter 1 : net stop srservice
    Parameter 2 : 1
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
    Parameter 2 : 1
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Start
    Parameter 2 : 4
    Parameter 3 : REG_DWORD
    OS Type : 0
    ELSE



    To enable...

    Script Name: Enable - Windows - System Restore
    Script Description: This script will Enable Windows System Restore.

    IF Check Registry Value
    Parameter 1 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
    Exists :
    THEN
    Set Registry Value
    Parameter 1 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
    Parameter 2 : 0
    Parameter 3 : REG_DWORD
    OS Type : 0
    Set Registry Value
    Parameter 1 : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Start
    Parameter 2 : 2
    Parameter 3 : REG_DWORD
    OS Type : 0
    Execute Shell Command
    Parameter 1 : net start srservice
    Parameter 2 : 1
    OS Type : 0
    ELSE



    Hope this helps.
    Cheers.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: XeviouS
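An added example, not from any poster in this thread: a PowerShell script that does what Austin's VBS and XeviouS's Kaseya steps do, but enumerates every fixed drive instead of hard-coding C: to F:, checks each WMI return code, and confirms the restore points are actually gone before turning System Restore back on. It assumes an elevated PowerShell 2.0 or later session on a machine that still has the root\default SystemRestore WMI class (XP/Vista/7); the function names are mine.

```powershell
# Added example, not from the thread. Disables System Restore on every fixed
# drive through the same root\default:SystemRestore class the VBS uses,
# verifies the restore points were purged, then re-enables it. Run elevated.

function Get-SystemRestoreState {
    # Snapshot of the values the Kaseya-only script toggles plus the live
    # service status and the number of restore points WMI still reports.
    $srKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\srservice'
    New-Object PSObject -Property @{
        DisableSR     = (Get-ItemProperty $srKey  -ErrorAction SilentlyContinue).DisableSR
        ServiceStart  = (Get-ItemProperty $svcKey -ErrorAction SilentlyContinue).Start
        ServiceStatus = (Get-Service srservice -ErrorAction SilentlyContinue).Status
        RestorePoints = @(Get-WmiObject -Namespace root\default -Class SystemRestore `
                             -ErrorAction SilentlyContinue).Count
    }
}

function Set-SystemRestoreOnFixedDrives {
    # $Action is 'Disable' or 'Enable'. Returns a hashtable of drive -> WMI
    # return code (0 = success) so the caller can decide what to do on failure.
    param([Parameter(Mandatory=$true)][ValidateSet('Disable','Enable')][string]$Action)
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    $results = @{}
    # DriveType 3 = local fixed disk; skips CD-ROM, removable and network drives.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        $drive = $_.DeviceID + '\'                    # the class wants "C:\", not "C:"
        if ($Action -eq 'Disable') { $rc = $sr.Disable($drive).ReturnValue }
        else                       { $rc = $sr.Enable($drive, $true).ReturnValue }
        $results[$drive] = $rc
    }
    $results
}

Write-Host 'Before:'; Get-SystemRestoreState | Format-List

$off = Set-SystemRestoreOnFixedDrives -Action Disable
$failed = @($off.Keys | Where-Object { $off[$_] -ne 0 })
if ($failed.Count) { throw "Disable failed on: $($failed -join ', ')" }

# Disabling a drive purges its restore points, which is what removes the infected
# copy the AV console flagged. Do not re-enable until WMI confirms none are left.
$left = (Get-SystemRestoreState).RestorePoints
if ($left -ne 0) { throw "$left restore point(s) still present; leaving System Restore off" }

$on = Set-SystemRestoreOnFixedDrives -Action Enable
$on.GetEnumerator() | ForEach-Object { "Enable $($_.Key): return code $($_.Value)" }

Write-Host 'After:'; Get-SystemRestoreState | Format-List
```

Deployed through Kaseya the same way cnwicsurrett describes (write the file to #temp#, run it with powershell.exe -ExecutionPolicy Bypass -File, delete it), the thrown errors surface in the script log, so a machine where the purge did not complete is visible instead of silently re-enabled.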