2008 R2 file server shared folders are displaying hex names

Question

I have a very strange issue. on one of my 2008R2 file servers that has been around for years

yesterday about half of the folders in one of the shares started showing hex values instead of the folder names. the subfolders still show their correct names.

example ,, share/ {14270683-1693-1584-1493-948150471693}\finance PO

this is affecting about 1000 folders on a 7tb share drive All other folders in that share are listed by their names.

windows 2008R2 fiber connected SAN, Symantec AV, SCCM client installed.

Do you also noticed the original folder name has been converted to a .lnk? We've noticed that recently, I informed our security guy, and he said he didn't see anything about it. But in our situation, the .lnk files point to the HEX value, so I wrote a script that renamed all the HEX names to their original name. — shinjijai, Jul 07 '16 at 12:41
A virus/malware hit a user that used to rename a bunch of folder ? — yagmoth555, Jul 07 '16 at 12:47
shinjijai I did notice a bunch of shortcuts that were created but they all point to the c drives recycle bin. Can you share the script to rename the folders back ? I do not know the commands for that one .. I ran a virus scan and Malwarebytes scan both came up empty. Thanks — briand212, Jul 07 '16 at 13:36

score 0 · Answer 1 · answered Jul 07 '16 at 14:02

0

This is not the answer, but I couldn't fit it in the comments... you need to change the to the location of where those hidden folder with {} are.

What this script does is find all the {} (which are hidden, or should be), and then it takes the .lnk and look at where it points to (recycle bin, explorer.exe).

This is in PowerShell:

$path = "<PATH TO FILES>" 
$hiddenDir = Get-ChildItem -Path $path -Directory -Attributes H 
$links = Get-ChildItem -Path $path -Filter *.lnk   

$sh = New-Object -COM WScript.Shell 
foreach($link in $links){ 
        $tarLink = $sh.CreateShortcut($link.FullName) | Select-Object FullName, Arguments 
        $tarLink -match 'explorer "{(\d*\-)*\d*}' | Out-Null 
        $foundString = $Matches[0].toString().Replace('explorer "',"") 
        $originalName = $link.FullName.ToString().Replace(".lnk","") 
        if($hiddenDir -match $foundString){ 
                Rename-Item "<PATH TO FILE>\$foundString" $originalName 
        }       
}

answered Jul 07 '16 at 14:02

shinjijai

416
1
7
16

Thank you for the script... unfortunately I keep getting a Get-ChildItem : A parameter cannot be found that matches parameter name 'Directory'. – briand212 Jul 07 '16 at 15:27
Make sure you have PowerShell 3 or higher. – shinjijai Jul 07 '16 at 15:38
Thank you for helping with this...I am still see the parameter error .. This is the steps I have taken,, switched over to a win 2012 server, used enter-pssission to the file server and changed directories to the affected drive. below is what I put in for the file path .. .I most likely am missing something simple. .but I cant find it Line 1, $path = "U:\Jdrive" Line 12 Rename-Item "U:\Jdrive \$foundString" $originalName – briand212 Jul 07 '16 at 18:38
Do you have the script loaded in PowerShell ISE? If so, in the console, can you type: test-path "U:\Jdrive" and make sure that comes back True. – shinjijai Jul 07 '16 at 19:15
PS U:\> test-path "U:\Jdrive" True – briand212 Jul 07 '16 at 19:18
What's the error you're getting? It could be related how those .lnk files point to the {} folder. You might have to use a different regex that I'm using ('explorer "{(\d*\-)*\d*}' ) to parse the {} folder name from the lnk. – shinjijai Jul 08 '16 at 11:57
I got one issue fixed.. I did not realize the file server was on an old version of powershell .. I updated powershell I think your right on the .lnk files.. here is the output Rename-Item : Cannot rename because item at 'u:\jdrive \{46017815-4353-3424-4232-232313121212}' does not exist. At line:12 char:17 + Rename-Item "u:\jdrive \$foundString" $originalName + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Rename-Item], – briand212 Jul 13 '16 at 19:54
the link file properties look like this C:\Windows\system32\cmd.exe /C ""$RECYCLE.BIN.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\{15933803-6982-7703-5911-769255704368}.cmd" && explorer "{41561389-5843-1558-4470-350925891578}" – briand212 Jul 13 '16 at 19:54
I'm guessing it's because there's a space in "'u:\jdrive \{46017815-4353-3424-4232-232313121212}" remove the space and it should work.. ie: 'u:\jdrive\{46017815-4353-3424-4232-232313121212} – shinjijai Jul 14 '16 at 12:09

2008 R2 file server shared folders are displaying hex names

1 Answers1