Skip to content

Microsoft released advanced hunting queries (AHQs) and a PowerShell script to find and recover some Windows application shortcuts that were deleted Friday morning using the Microsoft Defender ASR rule.

In the early morning hours of January 13, Microsoft released a new Microsoft Defender signature update that included a change to the Attack Surface Reduction (ASR) rule known as “Block Win32 API calls from an Office macro” in Configuration Manager and “Win32 imports from Office macro code”. In Intune.

This rule detects and blocks malware using VBA macros to call Win32 APIs.

However, a bug in the updated rules caused Microsoft Defender to show false positives by deleting app shortcuts from the desktop, Start menu, and Windows Taskbar.

This flawed rule became widespread in corporate environments when users were unable to launch their applications quickly and Windows administrators tried to restore shortcuts.

Microsoft later reverted the change to a new signature update, 1.381.2164.0, but warned administrators that it may take several hours to distribute the latest signatures to all environments.

Script released to recreate deleted shortcuts

On Saturday morning, Microsoft released advanced hunting queries to find the affected shortcuts and a PowerShell script to recreate shortcuts for some of the more frequently deleted apps.

“Microsoft has confirmed steps customers can take to recreate Start Menu links for a significant subset of affected apps that have been deleted,” Microsoft’s new support document explains.

“These have been compiled into the PowerShell script below to help enterprise administrators perform recovery operations in their environment.”

To determine the impact of this bug on your organization, Microsoft Defender hunting queries can be used to retrieve the Friday events associated with the bug rule.

If affected, you can use this PowerShell script shared on GitHub that will scan the HKLMSOFTWAREMicrosoftWindowsCurrentVersionApp Paths registry key to check if thirty-three different programs are installed on the computer.

If any program is installed, the script will check if there is a corresponding shortcut in the Start menu, and if not, it will recreate it.

The list of apps whose shortcuts will be recreated are:

Adobe Acrobat: Adobe Photoshop 2023
Adobe Illustrator 2023 Adobe Creative Cloud
Firefox Private Browsing Firefox:
Google Chrome Microsoft Edge
Notepad ++ Parallels client
Remote desktop TeamViewer
Royal TS6 Elgato StreamDeck
Visual Studio 2022 Visual Studio Code
Camtasia studio Camtasia recorder
Jabra Direct: 7-Zip file manager
Access: Excel:
OneDrive: OneNote:
Outlook: PowerPoint:
Project Publisher:
Visio: Speech
PowerShell 7 (x64) SQL Server Management Studio
Azure Data Studio

Organizations that lack the shortcuts for the above programs can modify the PowerShell scripts $programs array to include other applications.

Microsoft also shared the steps to deploy this script to Windows domain devices using Intune.

For those who want to recreate the shortcuts manually, Microsoft has shared the following steps to repair the program installation.

It should be noted that this process will take much longer, because in most cases it will reinstall the entire program. Furthermore, not all apps offer a repair feature.

Restore application in Windows 10.

  1. Choose: Start >: Settings >: Applications: >: Applications and features

  2. Select the app you want to fix.

  3. Under the app name, select Edit link if available.

  4. A new page will open allowing you to select the repair.

Restore application in Windows 11.

  1. Type “Installed apps” in the search bar.

  2. Click on Installed Apps.

  3. Select the app you want to fix.

  4. Click “…”

  5. Select Modify or Advanced options if available.

  6. A new page will open allowing you to select the repair.

Not a good enough solution

While the released PowerShell script will help recreate shortcuts for some apps, Windows administrators report that it doesn’t work well enough.

The script only focuses on thirty-three programs, so it won’t recreate shortcuts for many other applications commonly installed on the computer.

However, even targeted applications such as Microsoft Office do not recreate their shortcuts in some cases.

“Unfortunately, this does not restore the Microsoft Office shortcuts that were installed per user, which is one of the 365 C2R installations. This is the default setup behavior for M365 deployed via Intune, so if it can be reflected in a script, this will be. very useful,” commented a Windows admin about the script.

Windows administrators have also commented that the script only recreates shortcuts in the Start menu, but fails to recreate those deleted from the Windows Taskbar Quick Launch toolbar or from the Windows desktop.

As one admin pointed out, it may be possible to restore the Start Menu, Quick Launch Bar, and Desktop shortcuts by retrieving them from Shadow Volume Copies.

Users can use tools like Shadow Explorer or ShadowCopyView to check if shortcuts have been saved in previous snapshots and simply copy them back to the system drive.

For those with multiple devices, using PowerShell to verify and restore files from shadow volume copies may also be possible.

All in all, this bug has created a huge mess for Windows administrators and IT support, who most likely have to do the tedious task of manually recreating the missing shortcuts.


Leave a Reply

Your email address will not be published. Required fields are marked *