VSC Presentation

Page 1: VSC Presentation

VOLUME SHADOW COPIES

Page 2: VSC Presentation

HISTORY OF VSCs

VSCs (Volume Shadow Copies) introduced in XP
Originally ‘System Restore Points’
  Created automatically on driver install, or
  Created on demand
System restore points don’t back up all files:
  SAM (wouldn’t want to revert to an old password)
  User data

Page 3: VSC Presentation

VSC DATA

In Win7, shell extension to restore previous version
Registry keys impacting VSC and VSS (Volume Shadow Service):
  HKLM\System\CurrentControlSet\Services\VSS
  HKLM\System\CurrentControlSet\Control\BackupRestore
Subkeys/values determine which files/folders/keys not to back up or restore:
  FilesNotToBackup
  FilesNotToSnapshot
  KeysNotToRestore

Page 4: VSC Presentation

VIEWING THE CONTENTS OF VSCs

On a live system (as admin):
  C:\> vssadmin list shadows /for=c:
To access, make a symbolic link to the shadow volume:
  C:\> mklink /d c:\vsc \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\
You can get the VSC identifier from the vssadmin command; the trailing ‘\’ is required
Navigate to C:\vsc to explore the shadow volume
When done, remove the link:
  C:\> rmdir C:\vsc
ShadowExplore.com has a GUI tool as well
Old volumes are purged based on FIFO logic (max of 64/volume)
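
The listing and linking steps above, scripted as an added example (not part of the original presentation): this Python sketch parses vssadmin list shadows output and builds one mklink command per shadow copy, keeping the required trailing backslash. The sample output is constructed, and the per-copy link names (C:\vsc19, C:\vsc20) are an assumption so that several copies can be linked side by side.

```python
import re

# Constructed sample of "vssadmin list shadows /for=c:" output; GUIDs and dates are made up.
SAMPLE = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 10/12/2011 9:14:31 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{99999999-0000-1111-2222-333333333333}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy19

Contents of shadow copy set ID: {66666666-7777-8888-9999-000000000000}
   Contained 1 shadow copies at creation time: 10/19/2011 2:03:10 PM
      Shadow Copy ID: {ffffffff-0000-1111-2222-333333333333}
         Original Volume: (C:)\\?\Volume{99999999-0000-1111-2222-333333333333}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy20
"""

CREATED = re.compile(r"creation time:\s*(.+)$")
SHADOW_ID = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
DEVICE = re.compile(r"Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(\d+))")

def parse_shadows(text):
    """Return one dict per shadow copy: id, creation time, device path, number."""
    shadows, created, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := CREATED.search(line):
            created = m.group(1)          # applies to the copies listed under this set
        elif m := SHADOW_ID.search(line):
            current = {"id": m.group(1), "created": created}
        elif (m := DEVICE.search(line)) and current:
            current["device"] = m.group(1)
            current["number"] = int(m.group(2))
            shadows.append(current)
            current = None
    return shadows

def mklink_command(shadow, link_root=r"C:\vsc"):
    """Build the mklink command; link_root is a hypothetical naming choice."""
    # vssadmin prints the device without a trailing backslash, but mklink needs one.
    target = shadow["device"].rstrip("\\") + "\\"
    return f'mklink /d {link_root}{shadow["number"]} {target}'

if __name__ == "__main__":
    for s in parse_shadows(SAMPLE):
        print(s["created"], "->", mklink_command(s))
```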