@dapacruz
Last active July 23, 2018 17:13
Recover Virtual Machine
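# This file is a step-by-step incident-response runbook meant to be executed a
# selection at a time from an editor/console. The leading 'break' exits immediately if
# someone runs the whole file by accident.
break
$vmhost = '*'   # not referenced anywhere below; kept only for interactive use
$vcenter = 'vcenter.domain.local'
$vcenter_user = 'administrator@vsphere.local'
# Guest (in-VM) administrator credential. Prompted for at run time so it is never
# written to disk; it is later passed to Invoke-VMScript.
$guest_creds = Get-Credential 'administrator'
# vCenter password is read from a file written once with:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File vc_password.txt
# Without -Key, ConvertFrom-SecureString protects the string with DPAPI on Windows
# PowerShell, so the file can only be decrypted by the same user on the same machine.
# Do NOT add a -Key that lives in this script (that makes the file readable by anyone who
# has the script), and do not assume the file is encrypted on non-Windows PowerShell,
# where DPAPI is not available.
# The path is relative to the current working directory: run from the folder holding it.
$vc_password_file = 'vc_password.txt'
if (-not (Test-Path -LiteralPath $vc_password_file)) {
    throw "vCenter password file '$vc_password_file' not found in $PWD"
}
$vcenter_password = Get-Content $vc_password_file | ConvertTo-SecureString
# Connect only when there is no session to *this* vCenter yet. Testing merely that
# $global:DefaultVIServers is non-empty would skip the connect while a session to a
# different vCenter is open, and every later Get-VM would then run against the wrong server.
if (-not ($global:DefaultVIServers | where {$_.Name -eq $vcenter})) {
    $creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $vcenter_user, $vcenter_password
    # -ErrorAction Stop: a failed connect must abort here instead of letting the
    # destructive steps below run with no session.
    Connect-VIServer $vcenter -Credential $creds -ErrorAction Stop
}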
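# Target the infected VM by name. Get-VM accepts wildcards, so pin down exactly one
# object before doing anything destructive with it.
$infected_vm = 'vm_name'
$infected_vm = @(Get-VM $infected_vm -ErrorAction Stop)
if ($infected_vm.Count -ne 1) {
    throw "Expected exactly one VM matching the name, found $($infected_vm.Count)"
}
$infected_vm = $infected_vm[0]
$recovered_vm = $infected_vm.Name   # the recovered clone will be registered under this name
# Power off infected VM. Stop-VM is a hard power-off (no guest shutdown), which is the
# right call for containment but discards volatile state. If memory forensics may be
# needed, take a snapshot with memory (New-Snapshot -Memory) or Suspend-VM before this.
if ($infected_vm.PowerState -ne 'PoweredOff') {
    Stop-VM -VM $infected_vm -Confirm:$false
    # PowerCLI objects are point-in-time copies: the cached PowerState never changes, so
    # the original wait loop could spin forever if the stop were slow. Re-query by Id.
    while ((Get-VM -Id $infected_vm.Id).PowerState -ne 'PoweredOff') { Start-Sleep 2 }
}
Get-VM -Id $infected_vm.Id | select PowerState
# Rename infected VM so the clone can take over the original name and so nobody powers
# the infected one back on by mistake. Re-fetch by Id, which survives the rename.
Set-VM -VM $infected_vm -Name "$($infected_vm.Name)-INFECTED" -Confirm:$false | Out-Null
$infected_vm = Get-VM -Id $infected_vm.Id
$infected_vm | select Name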
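# Bring snapshot clone online
# Manually Register VM: register the clone (restored from a pre-infection snapshot) in
# vCenter under the original VM name. This is done in the vSphere client, not here;
# the script only picks the registered object up afterwards.
$recovered_name = $recovered_vm
$recovered_vm = @(Get-VM $recovered_name -ErrorAction Stop)
if ($recovered_vm.Count -ne 1) {
    throw "Expected exactly one registered VM named '$recovered_name', found $($recovered_vm.Count)"
}
$recovered_vm = $recovered_vm[0]
# NIC and MAC changes below are rejected on a running VM, so fail early with a clear message.
if ($recovered_vm.PowerState -ne 'PoweredOff') {
    throw "Recovered VM '$recovered_name' must be powered off before its adapters are changed"
}
# Enable recovered VM console copy/paste. These two settings relax the vSphere hardening
# baseline (clipboard isolation on); they are a convenience for the manual scan through
# the console and should be set back to $true once the VM is returned to service.
New-AdvancedSetting -Entity $recovered_vm -Name "isolation.tools.paste.disable" -Value $false -Confirm:$false -Force
New-AdvancedSetting -Entity $recovered_vm -Name "isolation.tools.copy.disable" -Value $false -Confirm:$false -Force
# Disconnect recovered VM's network adapters so it boots fully isolated. ConnectionState
# renders as a comma-separated list that includes 'StartConnected' for adapters that
# connect at power-on; $connected_nics is reused later to reconnect exactly those.
$connected_nics = Get-NetworkAdapter -VM $recovered_vm | where {$_.ConnectionState -match 'StartConnected'}
$connected_nics | Set-NetworkAdapter -StartConnected:$false -Confirm:$false
# Restore original MAC addresses on recovered VM network adapters, matched by adapter
# name (e.g. "Network adapter 1"). This is only safe because the -INFECTED VM is powered
# off and stays off: two running VMs sharing a MAC on one network will collide.
Get-NetworkAdapter -VM $infected_vm | select Name, MacAddress | foreach {
    Get-NetworkAdapter -VM $recovered_vm -Name $_.Name | Set-NetworkAdapter -MacAddress $_.MacAddress -Confirm:$false
}
# Power on recovered VM while still isolated; networking is restored only after the
# IOC check and the manual scan.
Start-VM $recovered_vm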
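# Check for known indicators of this infection inside the recovered guest, run through
# VMware Tools as the guest administrator. This is an IOC check, not proof the VM is
# clean: it only looks for the artefacts seen on the infected VM (ransomware *.locked
# files on every drive, the 'mssystemwatch' scheduled task, the msnet drop folder under
# a user's Temp) and removes the scheduled task if present. The manual AV scan that
# follows is still required before the VM is reconnected.
$cmds = @'
Get-PSDrive -PSProvider FileSystem | foreach {gci -Path $_.Root -Recurse -Filter *.locked -EA SilentlyContinue}
Get-ScheduledTask -TaskName mssystemwatch -EA SilentlyContinue | Unregister-ScheduledTask -Confirm:$false
Resolve-Path C:\Users\*\AppData\Local\Temp\msnet
'@
# Keep the result object rather than only -OutVariable so ScriptOutput can be inspected.
# Any listed file or resolved msnet path means an indicator was found; Resolve-Path
# reporting that the path cannot be found is the expected clean outcome.
$results = Invoke-VMScript -VM $recovered_vm -GuestCredential $guest_creds -ScriptText $cmds
$results.ScriptOutput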
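# Scan with Webroot: manual step. Open the console and run the AV scan while the VM is
# still isolated. Do not continue past this line until the scan comes back clean.
Open-VMConsoleWindow $recovered_vm
# Connect recovered VM's network adapters (only those that were StartConnected before
# isolation). This is the point at which the recovered VM is exposed to the network again.
$connected_nics | Set-NetworkAdapter -Connected:$true -StartConnected:$true -Confirm:$false
# Test networking from inside the guest. The target is an external site, so a pass also
# proves the VM has internet egress; point this at an internal host if egress should stay
# blocked until the VM is fully cleared.
$cmds = @'
Test-Connection www.boeing.com
Invoke-WebRequest http://www.boeing.com
'@
$results = Invoke-VMScript -VM $recovered_vm -GuestCredential $guest_creds -ScriptText $cmds
$results.ScriptOutput
# Reboot recovered VM. Restart-VMGuest asks the guest OS to restart cleanly through
# VMware Tools (which Invoke-VMScript has just shown to be working); Restart-VM is a hard
# reset and is not needed once the guest is healthy. Confirmation prompt is left in place.
Restart-VMGuest -VM $recovered_vm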
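# Notify Tony and Nick. Uses local Outlook COM automation, so Outlook needs to be open
# and the mail is sent from the current user's profile. Fill in $to / $cc before running.
$to = ''   # for multiple email, use semi-colon ; to separate
$cc = ''
# Outlook's Send() fails on an item with no recipient; catch the unfilled placeholder first.
if ([string]::IsNullOrWhiteSpace($to)) {
    throw 'No recipient set: fill in $to before sending the notification'
}
$outlook = New-Object -ComObject Outlook.Application
$email = $null
try {
    $email = $outlook.CreateItem(0)   # 0 = olMailItem
    $email.To = $to
    $email.CC = $cc
    $email.Subject = "$($recovered_vm.Name) is ready for testing"
    $email.Body = "Please let us know if it is good to go and we will patch."
    $email.Importance = 1   # 1 = olImportanceNormal; 2 = olImportanceHigh
    $email.Send()
}
finally {
    # Remove-Variable alone does not release COM references; release them explicitly so
    # Outlook is not left with dangling automation clients.
    if ($email) { [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($email) }
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($outlook)
    Remove-Variable outlook
}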