Skip to content

Instantly share code, notes, and snippets.

@duncansmart

duncansmart/Volume Shadow Copy Service scripting.md

Created November 25, 2024 15:19
Show Gist options
  • Save duncansmart/03fb0b5742e54561e5fe45fa986b7ed9 to your computer and use it in GitHub Desktop.
Save duncansmart/03fb0b5742e54561e5fe45fa986b7ed9 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Volume Shadow Copy Service scripting.md

Viewing VSS shadows

NOTE: all the commands require admin elevation.

To view VSS shadows:

vssadmin list shadows

Output is like:

Contents of shadow copy set ID: {c10ed3d9-41b4-40de-a579-0e4ccebcc803}
    Contained 1 shadow copies at creation time: 14/11/2024 11:39:18 PM
        Shadow Copy ID: {d01d99f4-2333-4102-83d4-e9aedac9457b}
        Original Volume: (C:)\\?\Volume{e0333f87-8c8b-49c5-b399-aa1cba800fad}\
        Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
        Originating Machine: your-machine-name
        Service Machine: your-machine-name
        Provider: 'Microsoft Software Shadow Copy provider 1.0'
        Type: ClientAccessible
        Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Contents of shadow copy set ID: {94d57607-1ea4-448b-89b2-acc2ec81f2ce}
    Contained 1 shadow copies at creation time: 16/11/2024 1:31:06 AM
        Shadow Copy ID: {1590bfcb-4f61-4d10-90f0-832250bf29e7}
        Original Volume: (C:)\\?\Volume{e0333f87-8c8b-49c5-b399-aa1cba800fad}\
        Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        Originating Machine: your-machine-name
        Service Machine: your-machine-name
        Provider: 'Microsoft Software Shadow Copy provider 1.0'
        Type: ClientAccessible
        Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Mounting VSS shadows

To mount the shadow copy use mklink, e.g.

mklink /d C:\HarddiskVolumeShadowCopy3 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\

IMPORTANT: ensure the VSS shadow path ends with a \

Powershell tips

Powershell doesn't have a native equivalent to mklink, so either just use the one cmd provides like so:

$targetDir = 'C:\HarddiskVolumeShadowCopy3'
$vssDir = '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\'

cmd /c mklink /d $targetDir ($vssDir.TrimEnd('\') + '\')

... or you can P/Invoke CreateSymbolicLink like so:

Add-Type -Namespace 'win32' -Name 'kernel32' -MemberDefinition '[DllImport("kernel32.dll", SetLastError = true)] public static extern int CreateSymbolicLink(string lpSymlinkFileName, string lpTargetFileName, int dwFlags);'

$targetDir = 'C:\HarddiskVolumeShadowCopy3\'
$vssDir = '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\'

$result = [win32.kernel32]::CreateSymbolicLink($targetDir, $vssDir.TrimEnd('\') + '\', 1)
if ($result -eq 0) {
    $err = [System.ComponentModel.Win32Exception]::new()
    throw "CreateSymbolicLink Win32 Error $($err.NativeErrorCode): $($err.Message)"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment