shadow copy vss
The Volume Shadow Copy Service (VSS) takes read-only, point-in-time snapshots of entire volumes, either on a schedule (System Restore, Windows Backup), before software installs and updates, or on demand. In the case of VSS, a volume is a formatted partition, usually referred to by its drive letter, typically C:.
These snapshots serve as backup points, much like the System Restore points of Windows XP; from Vista onwards System Restore is itself built on top of VSS. Unlike a file-level versioning system, VSS cannot snapshot an individual file: it only deals in whole volumes. To save space a shadow copy is not a full copy of the file system but a copy-on-write differencing area (kept under System Volume Information) holding the blocks that have changed since the snapshot was taken. A snapshot of a quiet volume therefore costs almost nothing, while one on a busy volume grows until it is pruned or the storage limit shown by vssadmin list shadowstorage is reached.
Standard users cannot manage shadow copies; everything below needs an elevated prompt. Administrators have vssadmin, which lists shadow copies and their storage (vssadmin list shadows, vssadmin list shadowstorage) and can delete or resize them. Note that vssadmin create shadow only exists on Windows Server editions; on client editions (Windows 7/8/10) a snapshot is created through WMI instead, with wmic shadowcopy call create Volume=C:\ or the Win32_ShadowCopy class from PowerShell. vssadmin does not itself recover data: files are read back by addressing the shadow copy's device path, as shown below.
It is possible to list and recover individual files from a shadow copy with the three steps below, run from an elevated cmd.exe:

1. List the existing shadow copies and note the "Shadow Copy Volume" device path of the one you want (the number at the end of HarddiskVolumeShadowCopyN increases with each snapshot; the creation time tells you which snapshot predates the event you are recovering from):
vssadmin list shadows

2. Put that device path in a variable for convenience:
set VSHADOW_DEVICE=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

3. Walk the snapshot recursively to locate the file you need (the trailing backslash after the device path is required; in a batch file write %%i instead of %i):
for /R %VSHADOW_DEVICE%\ %i in (*) do @echo %i

Be aware that the output of step 3 is verbose: it prints every file on the volume, so pipe it through findstr to narrow it down.
It's also possible to copy specific files straight out of the shadow copy onto the live file system: the source path is simply the device path followed by the file's path relative to the volume root. An example of what that command looks like is given below:
copy %VSHADOW_DEVICE%\Users\Administrator\Desktop\file.txt c:\Users\Administrator
The same copy works for files that are locked on the live volume (the registry hives under Windows\System32\config, for instance), because nothing holds the files in the snapshot open. That is why this technique turns up in post-exploitation tooling as well as in recovery, and why a copy from a shadow copy is worth alerting on.
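The same three steps (list, pick a snapshot, read a file out of it) from PowerShell, as an added example that is not part of the original page. It uses the Win32_ShadowCopy WMI class, which is also how a snapshot is created on client editions where vssadmin create shadow is not available, and exposes the snapshot through a directory symbolic link because PowerShell's file system provider cannot open \\?\GLOBALROOT paths directly. The volume C:, the file path Users\Administrator\Desktop\file.txt and the destination are carried over from the commands above; the C:\vss mount point and the -CreateIfMissing switch are choices made for this example. Run it from an elevated prompt.

```powershell
<#
Added example, not code from the original page. Enumerates shadow copies of a
volume, optionally creates one, links the chosen snapshot into the namespace
and copies a single file out of it. Assumptions (not stated on the page):
volume C:, file Users\Administrator\Desktop\file.txt, mount point C:\vss.
#>
[CmdletBinding()]
param(
    [string]$Volume       = 'C:\',
    [string]$RelativePath = 'Users\Administrator\Desktop\file.txt',
    [string]$Destination  = 'C:\Users\Administrator',
    [string]$MountPoint   = 'C:\vss',
    [switch]$CreateIfMissing
)
$ErrorActionPreference = 'Stop'

# Win32_ShadowCopy.VolumeName is the volume GUID path (\\?\Volume{...}\),
# not the drive letter, so resolve the letter to that path first.
$vol = Get-CimInstance -ClassName Win32_Volume | Where-Object Name -eq $Volume
if (-not $vol) { throw "Volume $Volume not found" }

# Step 1: list existing shadow copies of this volume, newest first
# (the PowerShell equivalent of "vssadmin list shadows").
$snaps = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object VolumeName -eq $vol.DeviceID |
    Sort-Object InstallDate -Descending
$snaps | Format-Table ID, InstallDate, DeviceObject -AutoSize | Out-Host

# Step 2: take the newest snapshot, or create one when asked to.
# Win32_ShadowCopy.Create works on client editions too.
$snap = $snaps | Select-Object -First 1
if (-not $snap) {
    if (-not $CreateIfMissing) { throw "No shadow copy of $Volume; rerun with -CreateIfMissing" }
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with code $($r.ReturnValue)" }
    $snap = Get-CimInstance -ClassName Win32_ShadowCopy -Filter "ID = '$($r.ShadowID)'"
}
Write-Host "Using $($snap.DeviceObject) taken $($snap.InstallDate)"

# Step 3: PowerShell cannot open \\?\GLOBALROOT paths, so expose the snapshot
# as a directory symbolic link. The trailing backslash on the target is mandatory.
if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists" }
cmd.exe /c mklink /d $MountPoint "$($snap.DeviceObject)\" | Out-Null
try {
    # Same idea as the "for /R" walk above, narrowed to the one file we want.
    $src = Join-Path $MountPoint $RelativePath
    if (-not (Test-Path -LiteralPath $src)) { throw "$RelativePath is not present in this snapshot" }
    Copy-Item -LiteralPath $src -Destination $Destination
    # Hash the recovered copy so the result can be recorded or compared.
    Get-FileHash -LiteralPath (Join-Path $Destination (Split-Path $RelativePath -Leaf))
}
finally {
    # rmdir on a link removes only the link; the snapshot itself is untouched.
    cmd.exe /c rmdir $MountPoint | Out-Null
}
```

Saved as Get-ShadowFile.ps1, a call such as .\Get-ShadowFile.ps1 -RelativePath 'Windows\Logs\CBS\CBS.log' -Destination C:\Temp pulls a log out of the most recent snapshot; to browse the whole snapshot instead of a single file, keep the link in place and point Get-ChildItem -Recurse at C:\vss, removing the link with rmdir when done.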
VSS is useful for recovering files encrypted by ransomware, logs and other files an attacker has deleted, or simply files removed by accident, provided a snapshot predating the event still exists. That proviso matters: because shadow copies undo its work, most ransomware deletes them before encrypting (typically with vssadmin delete shadows /all /quiet or the equivalent wmic call), so that command line is a standard detection signature, and a shadow copy on the same disk should be treated as a convenience, not as a backup. See the MSDN article on the Volume Shadow Copy Service and the vssadmin usage guide for more information on the subject.