prestoncooper / RansomwareDetectionService

This program detects all present and future ransomware in Windows file shares or local drives for Windows file servers. I created this Windows service to aid system administrators, not average users.

Test Shutdown Services Failed. #1

Closed ghost closed 7 years ago

ghost commented 7 years ago

Hello,

Having installed and configured the service and confirmed that the service is monitoring as it should, I attempted to force a services shutdown by choosing one of the source check files in the shared folder, right-clicking the file and, in Properties, going to the Advanced option and enabling the option Encrypt File. Following this I checked the NTFS permissions and they were the same as previously (which was what I expected). On the next check the services did not shut down, as the Ransomware Check service failed to read the encrypted file; the following error was reported in the log:

```
Access is denied : D:\Liquiform\Shared\CheckAgainstSourceFiles\source4.txt: Delimon.Win32.IO inside main for each
   at Delimon.Win32.IO.Helpers.GetLastErrorAndThrowIfFailed(String extra)
   at Delimon.Win32.IO.Helpers.CreateFile(String path, FileAccess access, FileShare share, FileMode mode, UInt32 dwFlagsAndAttributes)
   at Delimon.Win32.IO.FileInfo.OpenRead()
   at RansomwareDetection.DetectionLib.CompareFolder.Compare_Files(String fileName1, String fileName2)
   at RansomwareDetection.DetectionLib.CompareFolder.Execute(Boolean& blShuttingDown)
```

I checked the services and none of them had shut down, but manually running the commands in the StopAllWindowsFileServerAfterRansomwareActivityDetected script was successful. The content of the script file is as follows:

```
sc \\DC1 stop DFSR
timeout 5
sc \\DC1 stop Dfs
timeout 5
sc \\DC1 stop LanmanServer
```

I left the settings for the working directory and command script as is.

prestoncooper commented 7 years ago

It is an example script; you have to modify it as needed.

```
SC \\SERVERNAME stop DFSR
```

SC is the command program to stop a Windows service on any server in the same domain. You pass the computer name preceded with two backslashes as the first argument, followed by the command to stop or start the service, followed by the name of the service that you want to stop or start.

prestoncooper commented 7 years ago

SC stop: https://technet.microsoft.com/en-us/library/cc742107(v=ws.11).aspx

Alternatively you can use "net stop SERVICENAME" for services if they are on the same server where the ransomware detection service is installed.
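As an added example (not the project's sample script and not prestoncooper's own code), here is a batch version of the shutdown script discussed in this thread that goes one step further than the original: after issuing each `sc \\SERVER stop SERVICE`, it waits and then queries the service so the log shows whether the stop actually took effect. The server name `DC1` and the three service names are taken from the script quoted above; the `find "STOPPED"` check assumes English-language `sc query` output, and the five-second wait is an assumption carried over from the original `timeout 5`.

```bat
@echo off
REM Added example, not part of the RansomwareDetectionService project.
REM Stops the file-sharing services on a remote server and verifies each stop.
REM DC1 and the service list are placeholders from the thread; adjust as needed.
set SERVER=\\DC1
set RESULT=0

for %%S in (DFSR Dfs LanmanServer) do (
    echo Stopping %%S on %SERVER% ...
    REM sc.exe takes the computer name (two leading backslashes) as its first argument.
    sc %SERVER% stop %%S >nul 2>&1
    REM Give the service time to leave STOP_PENDING before checking its state.
    timeout /t 5 /nobreak >nul
    REM "STOPPED" only appears for state 1; STOP_PENDING and RUNNING do not match it.
    sc %SERVER% query %%S | find "STOPPED" >nul
    if errorlevel 1 (
        echo WARNING: %%S on %SERVER% is not stopped
        set RESULT=1
    ) else (
        echo %%S on %SERVER% is stopped
    )
)

REM Non-zero exit code lets the calling service log that the shutdown was incomplete.
exit /b %RESULT%
```

The order matters: LanmanServer is stopped last because `sc stop` refuses (error 1051) to stop a service while other running services depend on it, which is why the original script stops DFSR and Dfs first. Running the script by hand with an account that has service-control rights on the target server, as the reporter did, is the quickest way to confirm the rights and service names are correct before relying on the detection service to invoke it.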