Download - VSC Presentation
VOLUME SHADOW COPIES
HISTORY OF VSC’S
VSCs (Volume Shadow Copies) introduced in XP Originally ‘System Restore Points’
Created automatically on driver installor
Created on demand
System restore points don’t backup all files SAM (wouldn’t want to revert to an old password) User data
VSC DATA
In Win7 shell extension to restore previous version Registry keys impacting VSC and VSS (Volume Shadow
Service) HKLM\System\CurrentControlSet\Services\VSS HKLM\System\CurrentControlSet\Control\BackupRestore
Sub keys/values determine which files/folders/keys not to backup or restore
FilesNotToBackup FilesNotToSnapshot KeysNotToRestore
VIEWING THE CONTENTS OF VSC’S
On a live system – C:/>vssadmin list shadows /for=c: (as admin) To access, make a symbolic link to the shadow volume
C:\> mklink /d c:\vsc \\?\GLOBALROOT\Device\HArddiskVolumeShadowCopy20\ You can get VSC identifier from, the vssadmin command and the trailing ‘\’ is required
Navigate to C:\vsc to explore the Shadow Volume When done rm C:\vsc
ShadowExplore.com has a GUI tool as well Old volumes are purged based on FIFO logic (max of 64/Volume)