Microsoft released advanced hunting queries (AHQs) and a PowerShell script to find and recover some of the Windows application shortcuts deleted Friday morning by a buggy Microsoft Defender ASR rule.
Early morning on January 13th, Microsoft released a new Microsoft Defender signature update that included a change to the Attack Surface Reduction (ASR) rule known as “Block Win32 API calls from Office macro” in Configuration Manager and “Win32 imports from Office macro code” in Intune.
This rule detects and blocks malware from using VBA macros to call Win32 APIs.
However, a bug in the updated rules caused Microsoft Defender to exhibit false positives, deleting application shortcuts from the desktop, the Start menu, and the Windows Taskbar.
This faulty rule caused widespread disruption in corporate environments, with users unable to quickly launch their applications and Windows administrators scrambling to restore shortcuts.
Microsoft later reverted the change in the new signature update 1.381.2164.0 but warned admins that it could take a few hours for the latest signatures to propagate to all environments.
Script released to recreate deleted shortcuts
On Saturday morning, Microsoft released advanced hunting queries to find affected shortcuts and a PowerShell script to recreate shortcuts for some of the more commonly deleted applications.
“Microsoft has confirmed steps that customers can take to recreate start menu links for a significant sub-set of the affected applications that were deleted,” Microsoft explained in a new support document.
“These have been consolidated into the PowerShell script below to help enterprise administrators take recovery actions in their environment.”
To determine the impact of this bug in your organization, Microsoft Defender hunting queries can be used to retrieve events from Friday associated with the faulty rule.
If impacted, you can use this PowerShell script shared on GitHub, which will scan the HKLMSOFTWAREMicrosoftWindowsCurrentVersionApp Paths registry key to check if thirty-three different programs are installed on a computer.
If a program is installed, the script will check if a corresponding shortcut exists in the Start Menu and, if not, recreate it.
The list of applications whose shortcuts will be recreated are:
Adobe Acrobat | Adobe Photoshop 2023 |
Adobe Illustrator 2023 | Adobe Creative Cloud |
Firefox Private Browsing | Firefox |
Google Chrome | Microsoft Edge |
Notepad++ | Parallels Client |
Remote Desktop | TeamViewer |
Royal TS6 | Elgato StreamDeck |
Visual Studio 2022 | Visual Studio Code |
Camtasia Studio | Camtasia Recorder |
Jabra Direct | 7-Zip File Manager |
Access | Excel |
OneDrive | OneNote |
Outlook | PowerPoint |
Project | Publisher |
Visio | Word |
PowerShell 7 (x64) | SQL Server Management Studio |
Azure Data Studio |
Organizations missing shortcuts for programs not listed above can modify the PowerShell script’s $programs
array to include other applications.
Microsoft has also shared steps to deploy this script using Intune to devices in a Windows domain.
For those who wish to recreate the shortcuts manually, Microsoft shared the following steps to repair the installation of a program.
It should be noted that this process will take much longer, as in most cases, it will reinstall the entire program. Furthermore, not all applications offer a repair function.
Repair an application in Windows 10:
-
Select Start > Settings > Apps > Apps & features
-
Select the app you want to fix.
-
Select Modify link under the name of the app if it is available.
-
A new page will launch and allow you to select repair.
Repair an application in Windows 11:
-
Type “Installed Apps” in the search bar.
-
Click “Installed Apps”.
-
Select the app you want to fix.
-
Click on “…”
-
Select Modify or Advanced Options if it is available.
-
A new page will launch and allow you to select repair.
Not a good enough solution
While the released PowerShell script will help recreate shortcuts for some applications, Windows admins report that it does not work well enough.
The script only focuses on thirty-three programs, so it will not recreate the shortcuts for many other applications commonly installed on a computer.
However, even targeted applications like Microsoft Office are not having their shortcuts recreated in some cases.
“Unfortunately, this doesn’t restore Microsoft Office shortcuts which were deployed per-user – which is most 365 C2R installations. This is the default installation behaviour for M365 deployed through Intune, so if this can be reflected in the script – this would be very helpful,” a Windows admin commented about the script.
Windows admins also commented that the script only recreates shortcuts in the Start Menu but fails to recreate those deleted from the Windows Taskbar Quick Launch toolbar or the Windows desktop.
As one admin noted, it may be possible to recover the Start Menu, Quick Launch bar, and Desktop shortcuts by retrieving them from Shadow Volume Copies.
Users can use tools like Shadow Explorer or ShadowCopyView to check if the shortcuts were saved in previous snapshots and simply copy them back to the system drive.
For those with many devices, using PowerShell to check for and recover the files from Shadow Volume Copies may also be possible.
Overall, this bug has created an enormous mess for Windows administrators and IT support, who will likely have to perform the tedious task of manually recreating some of the missing shortcuts.
Source: www.bleepingcomputer.com