Cleaned up Remove-VSC and New-VSC

jaredcatkinson · jaredcatkinson · commit c29f9b4743b5 · 2015-07-08T22:27:12.000-04:00
- Changed Remove-VSC to have a single mandatory parameter (DevicePath)
- Updated New-VSC to check initial state of the VSS Service and return
VSS to its inital state after execution
diff --git a/Exfiltration/VolumeShadowCopyTools.ps1 b/Exfiltration/VolumeShadowCopyTools.ps1
@@ -77,6 +77,9 @@ function New-VolumeShadowCopy
         Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
     }
 
+    # Save VSS Service initial state
+    $running = (Get-Service -Name VSS).Status
+
     $class = [WMICLASS]"root\cimv2:win32_shadowcopy"
 
     $return = $class.create("$Volume", "$Context")
@@ -98,6 +101,12 @@ function New-VolumeShadowCopy
         13 {Write-Error "Unknown error."; break}
         default {break}
     }
+
+    # If VSS Service was Stopped at the start, return VSS to "Stopped" state
+    if($running -eq "Stopped")
+    {
+        Stop-Service -Name VSS
+    }
 }
 
 function Remove-VolumeShadowCopy
@@ -134,14 +143,6 @@ function Remove-VolumeShadowCopy
     -----------
     Removes all volume shadow copy
 
-.EXAMPLE
-
-    Get-WmiObject Win32_ShadowCopy | Remove-VolumeShadowCopy
-
-    Description
-    -----------
-    Removes all volume shadow copy
-
 .EXAMPLE
 
     Remove-VolumeShadowCopy -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
@@ -150,43 +151,20 @@ function Remove-VolumeShadowCopy
     -----------
     Removes the volume shadow copy at the 'DeviceObject' path \\?\GLOBALROOT\DeviceHarddiskVolumeShadowCopy4
 #>
+    [CmdletBinding(SupportsShouldProcess = $True)]
     Param(
-        [Parameter(Mandatory = $False, ValueFromPipeline = $True)]
-        [ValidateNotNullOrEmpty()]
-        [Object]
-        $InputObject,
-
-        [Parameter(Mandatory = $False)]
+        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
         [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
         [String]
         $DevicePath
     )
 
     PROCESS
     {
-        if($PSBoundParameters.ContainsKey("InputObject"))
-        {
-            if($InputObject.GetType().Name -eq "String")
-            {
-                (Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $InputObject}).Delete()
-            }
-            else
-            {
-                $InputObject.Delete() 
-            }
-        }
-        elseif($PSBoundParameters.ContainsKey("DevicePath"))
+        if($PSCmdlet.ShouldProcess("The VolumeShadowCopy at DevicePath $DevicePath will be removed"))
         {
             (Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $DevicePath}).Delete()
         }
-        else
-        {
-            $vsc = Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy
-            foreach($copy in $vsc)
-            {
-                $copy.Delete()
-            }
-        }
     }
 }
 
