O365Undo

O365Undo is a script you can use to roll back actions performed under your user's account in Office 365: most likely actions the user wasn't aware of, because they were actually carried out by CryptoLocker or other ransomware. These nasty viruses can wreak havoc on your mapped or synced SharePoint Online or OneDrive for Business libraries by encrypting files or obfuscating file names.

O365Undo requires that you have enabled the Unified Audit Log in Office 365.

If you have done so, O365Undo can reverse the following actions your user took in OneDrive, SharePoint or an Office 365 Group, back to a given date (you cannot go back further than the moment you enabled the Unified Audit Log):

  • FileCopy
  • FileRenamed
  • FileMoved
  • FileModified

How to use

  1. Install the SharePoint Client Components
  2. Identify the login of the user you wish to target, e.g.: jos.haarbos@lieben.nu
  3. Identify the moment in time you want to go back to (your local time, in MM-DD-YYYY HH:MM:SS format)
  4. Do not let the user modify anything for 15-30 minutes (Unified Audit Log sync time)
  5. Run the script: .\O365Undo.ps1 -affectedUserLogin jos.haarbos@lieben.nu -infectionDateTime "05-13-2016 00:00:00" -login "jos.haarbos@lieben.nu" -password "Welcome123"
  6. View the screen and/or the log in %Appdata% for the results
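As an added example (not the O365Undo script itself, nor any code from it), this is how the audit query behind steps 2 to 5 can be run and turned into an undo plan. It assumes an Exchange Online PowerShell session that exposes Search-UnifiedAuditLog; the cmdlet parameters are real, the user login and date are constructed sample values, and Join-SiteUrl is a helper written for this example.

```powershell
# Added example, not the O365Undo script: list the audit events O365Undo reverses
# for one user since the infection time, in the order they must be undone.
# Assumes an Exchange Online session (Search-UnifiedAuditLog available).
param(
    [string]$affectedUserLogin = 'jos.haarbos@lieben.nu',   # constructed sample value
    [string]$infectionDateTime = '05-13-2016 00:00:00'      # MM-DD-YYYY HH:MM:SS, local time
)
$start = [datetime]::ParseExact($infectionDateTime, 'MM-dd-yyyy HH:mm:ss', $null)
# The audit log records these operations as FileCopied/FileRenamed/FileMoved/FileModified
$operations = 'FileCopied', 'FileRenamed', 'FileMoved', 'FileModified'

# Page through the Unified Audit Log: ReturnLargeSet reuses the session until a
# call returns no more records (one call returns at most 5000).
$sessionId = "O365Undo-$([guid]::NewGuid())"
$records = @()
do {
    $batch = @(Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
        -UserIds $affectedUserLogin -Operations $operations `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet)
    $records += $batch
} while ($batch.Count -gt 0)

# Ingestion lags 15-30 minutes (step 4): a very recent record suggests the log
# is still catching up and the plan below may be incomplete.
$newest = ($records | Measure-Object -Property CreationDate -Maximum).Maximum
if ($newest -and $newest -gt (Get-Date).AddMinutes(-30)) {
    Write-Warning "Latest record is from $newest; the audit log may still be syncing."
}

# Build the full URL by string joining, not Join-Path: Join-Path treats 'https:'
# as a PowerShell drive name and fails with 'Cannot find drive'.
function Join-SiteUrl([string]$siteUrl, [string]$relativeUrl, [string]$name) {
    return (($siteUrl.TrimEnd('/'), $relativeUrl.Trim('/'), $name) -join '/')
}

# Undo newest first, so a file renamed or moved twice is walked back step by step.
$plan = foreach ($r in ($records | Sort-Object CreationDate -Descending)) {
    $d = $r.AuditData | ConvertFrom-Json
    $undo = if ($d.Operation -eq 'FileModified') { 'RestorePreviousVersion' }
            else { 'ReverseRenameMoveOrCopy' }
    [pscustomobject]@{
        When      = $r.CreationDate
        Operation = $d.Operation
        Source    = Join-SiteUrl $d.SiteUrl $d.SourceRelativeUrl $d.SourceFileName
        Target    = if ($d.DestinationFileName) {
                        Join-SiteUrl $d.SiteUrl $d.DestinationRelativeUrl $d.DestinationFileName
                    } else { $d.ObjectId }   # FileModified: the version to roll back
        Undo      = $undo
    }
}
$plan | Format-Table -AutoSize
```

The plan is only listed here; performing the actual rename, move or version restore against SharePoint is what the O365Undo script itself does.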

What it won’t (yet) do:

  1. restore deleted files from the recycle bin
  2. check files back in when checked out
  3. delete new files
  4. rename / move folders

Disclaimer

Use at your own risk, this is not a commercial product and I offer no guarantees whatsoever.

Download

O365Undo_V0.5.ps1 (right click, save as)


19 Comments on "O365Undo"

Rikard Strand
Guest
Found this script today and wanted to give it a try (really smart use of the Audit log). 🙂 However, when testing this on an Office 365 group (i.e. a user with changes on Office 365 groups) I got a lot of errors and tried to debug myself but didn't manage to get it working. From the original script I get errors on both the reverse_RenameOrCopy and restore_PreviousVersion functions. Error: reverse_RenameOrCopy Join-Path : Cannot find drive. A drive with the name 'siteszzz-testhttps' does not exist. At C:\temp\O365Undo_v0.3.ps1:156 char:24 It seems like it's trying to build a "wrong" URL somehow (notice siteszzz-testhttps)…
Ruth de Groot
Guest
I noticed the same behaviour as Rikard even in version 0.4, the URL gets messed up. It looks like the format of the URL provided by the audit log changed recently?
Join-Path : Cannot find drive. A drive with the name 'personaltest2_imap_company_behttps' does not exist.
At C:\temp\O365Undo\O365Undo_v0.4.ps1:167 char:28
+ … $fileUrl = Join-Path -Path $fileUrl -ChildPath $newName
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (personaltest2_imap_company_behttps:String) [Join-Path], DriveNotFoundException
+ FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.JoinPathCommand
I tested the script on a OneDrive of a user where I renamed some files for testing.
Damien
Guest

Hi,
I get the following message:
C:\temp\O365Undo.ps1 : A parameter cannot be found that matches parameter name 'affectedUserLogin'. At line:1 char:16
+ .\O365Undo.ps1 -affectedUserLogin xxxxxx@xxxxx.com -infectionDateTi …
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [O365Undo.ps1], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,O365Undo.ps1

Any idea to solve the issue?
Thanks

Marius Fjeld
Guest

Fantastic! Thank you!

Michael
Guest

I get the error: There was a problem with the Unified Audit Log, The term ‘Search-UnifiedAuditLog’ is not recognized as the name of a cmdlet

How do I get around this?

Trond Skille
Guest

Hi Jos,
Been trying to use this script today, but it fails:
First line:
Failed to connect to https://tenant.sharepoint.com/, Exception calling "ExecuteQuery" with "0" argument(s): "For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method."
Second line (and ongoing):
Rename or Copy of filename.xlsx.ulentl to filename.xlsx failed, Cannot bind argument to parameter ‘Path’ because it is null.

Do you have any clue? Using a licensed Global Administrator.

Best regards, Trond S.


Alexp011
Guest

Hello Jos, I want to know if you have a solution for undoing a SharePoint site by audit like that? Thank you
