From fbbdd008ac4545183a588526b7fbb72ee21b8821 Mon Sep 17 00:00:00 2001
From: Brian Thacker
Date: Thu, 9 Sep 2021 13:05:16 -0500
Subject: [PATCH] Add test Windows - Disable the SR scheduled task (#1622)

Use schtasks.exe to disable the System Restore (SR) scheduled task

Co-authored-by: Carrie Roberts
---
 atomics/T1490/T1490.yaml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index 3c0facd0..0f60cf90 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -101,4 +101,16 @@ atomic_tests:
 command: |
 wbadmin delete systemstatebackup -keepVersions:0
 name: command_prompt
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
+- name: Windows - Disable the SR scheduled task
+ description: |
+ Use schtasks.exe to disable the System Restore (SR) scheduled task
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
+ cleanup_command: |
+ schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable
+ name: powershell
+ elevation_required: true
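Review bot: The `cleanup_command` runs `/enable` unconditionally and the new test declares no prerequisite, so on a host where the SR task was already disabled by baseline, or is absent (which may be the case on systems without System Restore), the run either fails without a clear reason or leaves the task enabled when it was not before. A `dependencies` entry that checks the task exists and is not already disabled would let the test skip cleanly there and keep cleanup a true restore. Separately, the command is a plain `schtasks.exe` call but uses `name: powershell`, while the neighbouring test uses `name: command_prompt`; the executor determines the parent process defenders see in telemetry, so the description should say which one is intended. The description could also name what to look for after a run, such as Security event 4701 (a scheduled task was disabled) where object-access auditing is enabled.

```yaml
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      The SR scheduled task must exist and must not already be disabled, so that cleanup restores the original state
    prereq_command: |
      $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\SystemRestore\' -TaskName 'SR' -ErrorAction SilentlyContinue
      if ($task -and $task.State -ne 'Disabled') { exit 0 } else { exit 1 }
    get_prereq_command: |
      Write-Host "The SR scheduled task is missing or already disabled; skip this test on this host"
  # … unchanged: executor block (command, cleanup_command, name, elevation_required) …
```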