Windows 7: Access rights/group policy to prevent shadow copies from being deleted by user

Tags: vss, windows 7

Is there a way to prevent shadow copies from being deleted by non-admin users? The only thing I have found so far are group policies which hide the tab in Windows Explorer from the user (so that he can't see the copies and therefore can't restore/view/delete(?) them in Explorer). Is this enough? Or can the user still do this via script or on the command line?

The reason I ask: Currently there's a lot of ransomware around, and a shadow copy seems to be a reasonable way to prevent data loss. But current ransomware also deletes shadow copies. So my idea: if the user doesn't have the rights to delete shadow copies, the ransomware will not be able to delete them either. As this tip is missing in articles dealing with ransomware prevention, is this perhaps a bad idea altogether, or simply not possible?

The question applies to Windows 7 Home Premium and Windows 7 Professional.

To make it clear: I have backups, firewall etc. so please consider this when answering/commenting.

Best Answer

Ransomware (at the time of this post) calls WinExec and launches "vssadmin.exe Delete Shadows /All /Quiet".

It also downgrades UAC before running this using the RtlQueryElevationFlags so that the UAC prompts don't occur.

Your question was: Is there a way to prevent shadow copies from being deleted by non-admin users?

You can go this route: Why Everyone should disable vssadmin but be forewarned that in a corporate environment that wouldn't likely happen or get approved. But if you are a small shop or know the risks you can go that route.

To be honest though, like Joe alluded to, this isn't the way to prevent anything from really infecting you. You should look more into Applocker or the CryptoPrevent software if you want to help prevent Ransomware from coming in. However, nothing has been proven as foolproof and 100% effective...so having good backups is your best layer in a layered approach here.
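Since the answer above names the exact command line the ransomware launches ("vssadmin.exe Delete Shadows /All /Quiet"), one thing a defender can do regardless of whether vssadmin is disabled is alert on that process creation. The script below is an added example, not part of the original question or answer, and not anyone's product. It runs over a few constructed process-creation records (the one-line `key=value` layout is an assumption made for the example; real 4688 or Sysmon events would need their own parser) and flags any `vssadmin ... delete shadows` invocation, in any letter case and with any scope option, so it also catches variants such as `/For=C: /Oldest` and not only the `/All /Quiet` form quoted in the answer. It also records whether `/Quiet` was used, since a human administrator typing the command normally wants the confirmation prompt.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of process-creation records (Event ID 4688 / Sysmon 1 style),
# flattened to one line each for this example. These are not real logs.
SAMPLE_LOG = """\
2016-03-01T10:02:11Z host=WS01 user=CORP\\jdoe pid=4120 parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"
2016-03-01T10:02:15Z host=WS01 user=CORP\\jdoe pid=4180 parent=invoice.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2016-03-01T10:03:02Z host=WS01 user=CORP\\backup pid=4202 parent=cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe list shadows"
2016-03-01T10:04:40Z host=WS02 user=CORP\\jdoe pid=5010 parent=svchost.exe image=C:\\Windows\\System32\\vssadmin.exe cmd="VSSADMIN DELETE SHADOWS /For=C: /Oldest"
"""

# Hypothetical record layout used by SAMPLE_LOG above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) '
    r'parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    pid: int
    parent: str   # parent process: an office document or unknown binary here is the interesting case
    cmd: str
    quiet: bool   # /Quiet suppresses the confirmation prompt, which is typical of automation


def is_shadow_deletion(cmd: str) -> bool:
    """True if the command line runs vssadmin's 'delete shadows' verb, any case, any scope options."""
    tokens = cmd.lower().split()
    if not tokens:
        return False
    # Accept a bare name or a full path to the executable.
    exe = tokens[0].rsplit("\\", 1)[-1]
    if exe not in ("vssadmin", "vssadmin.exe"):
        return False
    # 'delete' immediately followed by 'shadows'; 'list shadows' or 'delete shadowstorage' do not match.
    return any(a == "delete" and b == "shadows" for a, b in zip(tokens, tokens[1:]))


def detect_shadow_deletion(log_text: str) -> List[Alert]:
    """Parse the sample records and return one Alert per shadow-copy deletion command."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        cmd = m["cmd"]
        if not is_shadow_deletion(cmd):
            continue
        alerts.append(Alert(
            ts=m["ts"], host=m["host"], user=m["user"], pid=int(m["pid"]),
            parent=m["parent"], cmd=cmd,
            quiet="/quiet" in cmd.lower().split(),
        ))
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_deletion(SAMPLE_LOG):
        flag = "QUIET" if a.quiet else "interactive"
        print(f"{a.ts} {a.host} {a.user} pid={a.pid} parent={a.parent} [{flag}] {a.cmd}")
```

Two design points worth noting. Matching on the parsed verb rather than on the literal string from the answer means a different option order or capitalisation still triggers. And the alert carries the parent process and the `/Quiet` flag because, as the answer says, the ransomware first lowers UAC and then runs vssadmin; by the time the command runs the process already has the rights it needs, so a user-level ACL on vssadmin.exe is not a complete control and a detection that fires on the deletion itself is a useful second layer next to the backups the answer recommends.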