I am trying to write a PS script that would do the following:
Creates a persistent, client accessible, shadow copy of the volume
Parses the existing snapshots and deletes those having the same date, but different timestamp, older than yesterday, keeping only the latest of that date.
Deletes snapshots older than a month
The script will run as a scheduled task every hour since power on.
This is an effort to circumscribe the damage of a cryptoplocker attack.
I found some code to accomplish part of it (the first and the third), but i don’t know how to accomplish the second one. Follows the code I found googling:
I am confused by your request. Do you need to keep the latest shadow copy for each day then, at a later date, delete latest copies that are a month old? So far, what I have below will group copies, select the groups older than yesterday, and select the latest copy of each group.
# Group shadowcopies by date
$groups = (Get-WmiObject -Class win32_shadowcopy) | ForEach-Object {
$datetime = $_.convertToDateTime($_.installdate)
[pscustomobject]@{
pscomputername = $_.pscomputername
deviceobject = $_.deviceobject
id = $_.id
providerid = $_.providerid
installdate = $_.installdate
datetime = $datetime
date = $datetime.date
ClientAccessible = $_.ClientAccessible
}} | Group-Object -Property date
# Select shadow copy groups older than yesterday
$groups | Where-Object {$_.group.date -lt (Get-Date).AddDays(-1)}
# Select latest copy for each date
$groups | ForEach-Object {$_.group | Select-Object -Last 1}
Thank you both very much. in a few days i’ll test the final script and let know. @random: Yes the idea is to keep all the snapshots of the last two days and the last snapshot of the day not more than a month. So in 24/7 system when the script starts it will take ≈ 24 snapshots a day for a total of ≈ 48 snapshots in two days. After that, on the third day of execution, it will delete all the snapshots that are more than 2 days older but the latest of that day. This way after 31 days of execution i’ll have 28 latest of the day snapshots plus ≈ 48 hourly snapshots of the last two days.
@random commandline
I tried the script. I have to find a manner to select not the last of the day but all the others but the last to delete them. I tried the -SkipLast 1 but it is not supported in PSH 4. I tried also the sort-object reverse and keep -Skip 1 but it keeps sorting from the farest to the latest.
@Yuan Li
I tried also your script, but it deletes all snapshots but the last of today also. I’ll try to find a manner to make it work.
@both of you
Thank you very much. At least i’m in the right way.