[German]Friday January 13, 2023 Windows users worldwide were affected by a buggy Defender signature update that deleted desktop shortcuts and more via an ASR rule. In a follow-up, I shed some light on why even home Windows 10/11 users could have been affected. And there's still an approach to restoring the deleted shortcuts from volume shadow copies.
Advertising
ASRmageddon: What happened?
OnFriday morning, users and administrators noticed that shortcuts on the desktop, taskbar and Start menu were suddenly deleted on Windows machines worldwide. Other users noticed that Office applications suddenly wouldn't launch. I had addressed the issue in time within my blog post Microsoft Defender update/ASR deletes desktop shortcuts, taskbar broken, Office apps don't start anymore and provided some hints about the root cause.
The signature update build 1.381.2140.0 (referred to by Microsoft as the Security Intelligence Update) was incorrect. On affected devices, the incorrect signature caused shortcuts to be detected as malicious and deleted when the ASR rule "Block Win32 API calls from Office macro" was enabled. The acronym ASR stands for Attack Surface Reduction, a functionality in Windows to protect devices from certain attacks. Later, the whole thing was confirmed by Microsoft in a statement (see Windows deleted shortcuts; Microsoft explains Windows Defender ASR issue Jan. 13, 2023). The following Windows 10/11 clients were affected:
- Windows 11 21H2 and 22H2;
- Windows 10 20H2 till 22H2
- Windows 10 Enterprise LTSC 2019
- Windows 10 Enterprise LTSC 2016
- Windows 10 Enterprise 2015 LTSB
as long, as ASR was enabled. Microsoft said that the incident only took effect with Windows Defender for Endpoint (Plan 1 and higher). But there were also reports from users who only had Windows 10/11 in use.
Defender UI users also affected
I had individual reports from users who reported being affected by the deleted shortcuts on their home computers as well. Ad-hoc, this seemed unlikely, since Microsoft Defender for Endpoint (Plan 1 and higher) is not in use there. I explained it to myself in such a way that the affected persons had perhaps activated ASR on their standalone systems under Windows 10 or Windows 11 using group policies or the Powershell.
Now German blog reader Wolf J. confirmed in this comment not only that home users were affected. Regarding my assumption "possibly, if ASR was enabled on Windows 10/11 via PowerShell or Group Policy" he also writes why it hit some home users. Here is his translated explanation:
Advertising
In fact, our investigation revealed that home users who had deployed Defender UI were affected.
The bug was reported quite early by a user in the Windows 10 forum.
Defender UI is a free tool that promises a better user interface for Microsoft Defender (see the following screenshot from the developers' website). And with this tool, people have brought the issue onto their systems.
Wolf J. has followed the question, why it has hit private users with ASRmageddon. In his comment it writes then:
At first, we couldn't narrow down the problem either, until other users told us that Defender UI was in use.
Then I installed the software on a test computer and saw that the ASR rules were activated without any changes. Even the "warn" setting is enough to observe the now familiar effects.
Per Powershell with the command:
Get-MpPreference | select AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actionsyou can inspect that. And with the following comment, you can delete the ASR use.
Remove-MpPreference -AttackSurfaceReductionRules_IdsResetting via Defender UI to "factory settings" also deleted the set ASR rules.
At this point, my thanks to the blog reader for sharing his findings with us. The episode again shows the risk you expose yourself to when using such tools if you don't understand exactly what is being done.
Retrieve .lnk shortcuts
I had already pointed to scripts that can restore the deleted shortcuts in the blog posts Microsoft Defender update/ASR deletes desktop shortcuts, taskbar broken, Office apps don't start anymore and Windows deleted shortcuts; Microsoft explains Windows Defender ASR issue Jan. 13, 2023. However, German blog reader Phillipp Schweizer notes in this comment that the Microsoft script solution does not work on a localized Windows:
MS's solution is really lousy – if you roll out the script via Intune it doesn't run properly (32/64Bit issue), plus the permissions in it are hard coded and not usable on a German Windows.
What is also missing – had the user pinned the apps from the start menu to the taskbar remains a white box – we could not solve this via script yet.
On Twitter, however, I came across two sites that deal with the restoration of the deleted .lnk files, which I do not want to withhold from the readership.
If the volume shadow copy service is running, the deleted .lnk files should still be found in the volume shadow copies. Tero Alhonen points out a solution in the above tweet that Matt Rouse posted as a comment on the Techcommunity post.
I believe I've found a general purpose command line solution that can be deployed to leverage any existing shadow copies and put shortcuts back on the Start Menu. Shadow copies are predictably named which is helpful. I believe they only persist for a couple of weeks so the contents should be recent enough to be useful as well.
Consider the following script which will mount the last five shadow copies, one-by-one, attempt to copy the contents of the Start Menu folder back to the live location, and then dismount the shadow copy. If the shadow copies don't exist, the command will fail but no damage will be done and nothing will be overwritten. Note this script does require admin privileges.
mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" rmdir c:\shadowrestore mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\ robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" rmdir c:\shadowrestore mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\ robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" rmdir c:\shadowrestore mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\ robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" rmdir c:\shadowrestore mklink /d c:\shadowrestore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\ robocopy /e /r:1 /w:1 "c:\shadowrestore\ProgramData\Microsoft\Windows\Start Menu\Programs" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" rmdir c:\shadowrestoreThoughts or comments? This seems to work well in my test environment. Note that you can list shadow copies for a volume with the following command:
vssadmin list shadows /for=c:
Hope this helps someone.
In addition, Microsoft MVP Nicklas Ahlberg has published a script for restoring the deleted shortcut files, which he points out in the following tweet.
Perhaps one of the above solutions will help those affected.
Similar articles:
Microsoft Defender update/ASR deletes desktop shortcuts, taskbar broken, Office apps don't start anymore
Windows deleted shortcuts; Microsoft explains Windows Defender ASR issue Jan. 13, 2023
