Why shadow copies do not save you from most ransomware. Recovering files from Windows shadow copies

Shadow Copy is a new feature introduced in Windows XP and Windows Server 2003 that makes it possible to archive open files.

When should you archive open files? Suppose, for example, that one of your workstations still runs an old accounting program. It has no archiving mechanism of its own and can store data only on the local computer. The administrator, that is, you, will have to take care of archiving its database.

To archive these files over the network, the accountant's computer must be turned on, but the program must not be running, otherwise the files stay open. Unfortunately, this program is written as a dedicated workstation application: it starts when the computer is turned on and exits only when the computer is shut down, and all you can do is curse its author.

The way out of this situation is to install Windows XP Professional on the accountant's workstation (we assume that the accounting program runs under this operating system). After that you can archive all of the program's working files regardless of whether it is running.

Shadow Copies and Shared Folders

Using this feature, you can return to a previous version of a file in a shared folder on the server. The following fact is much more important. In previous versions of Windows (including Windows 2000), deleting a file from a shared folder over the network meant it was lost irretrievably; it did not even go to the Recycle Bin. In Windows Server 2003, after deleting a file you can restore its previous version, which may be identical to the one you just deleted.

By default, Shadow Copies of Shared Folders is disabled. It is enabled on the server per partition, for the partition on which the shared folders physically reside. This must be a partition with the NTFS file system.

1. Log on to the SERVER as an administrator. Open the properties window of drive C:.

2. Go to the Shadow Copies tab. You will see that this feature is disabled.

3. Click the Settings button and edit the properties of the current partition. You can specify how often the partition is copied (twice a day by default) and how much disk space is allocated for copies. It is recommended to leave the default values. Close the dialog box by clicking OK.

4. Click the Enable button and, in the next dialog box, confirm your decision by clicking Yes.

Immediately after this, creation of the first shadow copy of the partition begins. The date and time of this copy appear at the bottom of the window.

Note.

Shadow copies need not be stored on the same physical disk as the partition. If several physical disks are installed, you can noticeably improve disk subsystem performance by directing the copies to another disk. The only condition is that that disk must be formatted with the NTFS file system.

Setting up shadow copying on a workstation

Client computers running Windows XP Professional cannot use the shadow copy feature right away. First you need to install client software on them. The TWCLI32.MSI installation file is located on the server (Windows Server 2003) in the %SYSTEMROOT%\system32\clients\twclient\x86 folder.

1. Log on to COMPUTER as an administrator.

2. Start Explorer and enter the following path in the address bar (SERVER is the name of your server):

\\SERVER\c$\windows\system32\clients\twclient\x86\twcli32.msi

The Previous Versions Client will be installed.

Clients for Windows 2000 Server with SP3 or later, Windows 2000 Professional and Windows 98 can be downloaded from the Microsoft website at http://www.microsoft.com/windowsserver2003/downloads/shadowcopyclient.mspx.

There is no such client for Windows NT 4.0. For systems older than Windows XP, the client program must be installed both on the client computer and on the server running Windows Server 2003.

Using shadow copies

To take advantage of shadow copying:

1. Log on to COMPUTER as an ordinary user.

2. Open your department's folder in the shared document storage.

3. Display the properties of any file (preferably a text file). Go to the Previous Versions tab. Since no previous version has been created since the client was installed, the list is empty.

4. Open the file, edit it and save it under the same name.

5. Repeat step 3. Now the Previous Versions tab shows the previous version of the file with the date it was created.

6. You can view it by clicking the View button. The copy of the document is read-only and cannot be renamed or saved. To restore a previous version under a different name, first copy it to another location by clicking the Copy button.

If you mistakenly deleted a file from a shared folder and want to restore it, proceed as follows:

1. On the client computer, display the properties of the folder where the document was located and go to the Previous Versions tab.

2. Click the View button and view the contents of the previous version of the document. If it is what you need, create a new document and copy the contents into it via the clipboard.

If you mistakenly edited and saved a document, you can restore the correct version by clicking the Restore button on the Previous Versions tab.

Thus, the shadow copy feature helps users quickly recover their documents located in shared folders in the following cases:

* in case of unintentional deletion of files;

* in case of unintentional change in the contents of files (using the Save command instead of Save As);

* if files are damaged.

Please note that the entire partition is copied, and not just folders that have network access at the time of copying. This means that if, after creating a copy, you grant access to a new folder, previous versions of its files will be available to users from the moment you open access.

Important: this article assumes that standard backup is configured on a computer running Windows 7.

Recovering files from Windows shadow copies

Have you ever discovered that a file you needed has been deleted? That some time has passed and the file has disappeared somewhere? Of course, there can be many reasons for this. But usually, at such moments, the first thing that worries us is not the reason but another question: "How do I restore it now?" If you are a regular reader of the site, you probably have backup programs installed and configured that will allow you to recover the missing file.

But what if you have no such programs, or it is too late to restore, because the program synchronized the copy with the original and erased the file there too? What then? Of course, you can still use programs that recover deleted files, but that is usually a rather lengthy procedure that should be used only when no other options are left. So where should you start?

If you have set up standard Windows backup through the Backup and Restore interface, or you have created restore points, you still have the opportunity to restore a deleted file relatively quickly. The point is that Windows 7 creates so-called "shadow copies" of files that are accessible through the "Previous Versions" interface. These shadow copies store not just one copy of a file but several of its previous versions. This is what makes the following two methods possible.

Recovering a deleted file from a shadow copy of the parent directory in Windows

  1. Follow the procedure described in the previous article to open the list of previous versions for the folder that contained the deleted file.
  2. Select a previous version of the directory from a moment when you are sure the file was still in it. Otherwise you will have to go through the versions until you find the first one that contains it.
  3. You can click the "Copy" button to save an entire copy of the folder and restore the deleted file from it. When you click the button, a dialog box appears in which you specify where to save the copy. Be aware that this operation can take time if the directory occupies a lot of space.
  4. You can also click the "Restore" button so that all files in the folder are rolled back to the selected version. Keep in mind that this may change other files as well.
  5. If neither of the previous options suits you, click the "Open" button and the full list of files in the selected copy opens. You can drag or copy the deleted file wherever you need it.
  6. After you restore the file using one of these methods, close the dialog box.

Recovering a deleted file from a shadow copy by its name in Windows

  1. Create an empty file with the same name and extension as the deleted file and place it in the original directory. The file contents do not matter.
  2. Right-click the empty file.
  3. In the context menu, select "Properties".
  4. Go to the "Previous Versions" tab.
  5. If you are lucky, the full list of backup copies of the deleted file appears. Whether it does depends on the circumstances.
  6. Select the copy you want (probably the most recent one) and click the "Restore" button.
  7. Close the dialog box.

Either of these methods can be used. The only thing you must understand is that the restored file will not necessarily be the latest version, since copies are not made constantly but only at certain points in time.

    If you accidentally deleted a file or folder past the Recycle Bin, don't panic. Data recovery programs aren't going anywhere, so try the system tools first. In Windows, you can restore previous versions of files and folders even if the GUI does not offer this option.

    In Windows 8, there is one less tab in the properties of drives, folders and files. Please note that previous versions have disappeared.

    This is only observed in the client operating system, i.e. in Windows Server 2012 the tab remains. In Windows 10, the tab is back, but... you need to read the article :)

    Article updated in the context of Windows 10.


    Previous versions on Windows 10

    The article was written during the days of Windows 8, and in Windows 10 the “Previous Versions” tab returned to the folder properties. However, the material is relevant for Windows 10 because it demonstrates how to recover files directly from shadow copies.

    In Windows 10, the tab says that previous versions are formed from file history and shadow copies. First, you need to consider that in Windows 10, system protection is disabled by default, so with standard settings, previous versions are only available from file history, if it is enabled, of course.

    Moreover, my experiment on Windows 10 version 1511 (and later 1709) showed that the tab only shows versions from the file history, even if system protection is enabled!

    In this picture:

    1. Properties of the screenshots folder in the OS. The latest version is dated February 27. This is probably the date of the last copy to file history, which is not working for me right now (the drive is physically disconnected).
    2. The latest shadow copy, dated May 11 (it appeared when a restore point was created before installing WU updates); I create a symbolic link to it in step 3.
    3. Contents of the shadow copy. It can be seen that it contains files created shortly before the May 11 shadow copy appeared. However, they are absent in item 1.

    Thus, you have the best chance of restoring previous versions if file history is enabled. Then the versions are available on a tab in the folder properties or in the file history interface. Otherwise, system protection must be enabled, and if necessary, you will have to get to shadow copies using the methods described later in the article.

    How previous versions work, and why the tab was removed in Windows 8

    This situation in the properties of files and folders is only a consequence of the fact that the file recovery option is no longer present in the Windows 8 system protection settings.

    I’ll say right away that the absence of an entry point in the graphical interface does not mean the absence of technology in the system. Previous versions of files are still available! Therefore, everything said below is fully applicable to Windows 8, and the description of the technology also applies to Windows 7.

    Why was the file protection option and the previous versions tab removed? I don't have a definitive answer, but I have some educated guesses that I'll share with you while also explaining how previous versions work.

    On many systems this tab was always empty

    This has sent thousands of people to community forums and Microsoft support with a burning question. But you have already guessed what their problem was, haven't you? These people had system protection completely disabled!

    People did not understand the principle of storing and displaying previous versions

    Indeed, why are there several versions for some folders and none for others? The reason is that versions of the files in these folders can only exist from the oldest restore point onward.

    Admittedly, looking at the tab, it is not at all obvious that saving versions of personal documents and media files is tied to the creation of restore points (although this is described in Windows help, albeit not without flaws).

    It is common to think of points as a means of rolling back system parameters, especially since personal files are not restored (with the exception of these types of files).

    Meanwhile, recovery points and previous versions of files (not related to file history) are stored in one place - volume shadow copies.

    System Restore simply takes a snapshot of the volume at the right time and stores it in a shadow copy. It is the space allocated for shadow copies that you control in the system protection settings.

    Now it becomes clear why the number of versions of files and folders can vary. The state of the file is recorded at the time the recovery point was created. If it changed between points, its version is saved in the shadow copy. If the file remained unchanged during the period covered by the restore points, it will not have previous versions at all.

    Windows 8 introduces file history

    Once the technology is used, the benefits can be derived from it. In Windows 7, this was not clear to most people, so in Windows 8 they introduced a more visual data backup system - file history.

    It doesn't rely on shadow copies, and you can control the number of file versions by specifying the backup frequency. It all depends on your needs and the space on the target disk.

    The access tab for “obscure” previous versions in Windows 8 was simply removed, along with the accompanying option in the system protection settings. As for IT specialists, they should be well acquainted with the concept of shadow copies - after all, server operating systems have a tab of the same name in the volume properties to manage them. Therefore, in Windows Server 2012, the “Previous Versions” tab is in its usual place.

    In Windows 8+, restore points are created using a special algorithm, and along with them, previous versions of your files and folders are saved. Next I will tell you how to open them.

    How to open previous versions of files and folders from shadow copies

    Below are two methods that will work if you have system protection enabled. The first one is suitable for all supported Windows and will be useful if you don't have file history enabled. The second method makes sense only in Windows 8/8.1, taking into account the note about Windows 10 at the beginning of the article.

    Method 1 - Symbolic link to shadow copies (Windows 7 and later)

    Regular blog readers have already seen this trick in the article about the function of updating a PC without deleting files (Refresh Your PC). It also uses shadow copies to intermediately save the disk when you create your rollback image.

    Back then I needed this trick to understand the technology, but now you may need it to solve a very specific problem. In a command prompt running as administrator, run:

    vssadmin list shadows

    You will see a list of shadow copies on all volumes. Each is labelled with a drive letter, so it is easy to find your way around. In addition, each shadow copy corresponds by date to one of the restore points (to list them, run rstrui in the console).

    Select the desired date and copy the shadow copy volume path. Now use it in the second command (don't forget to add a backslash at the end):

    mklink /d %SystemDrive%\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\

    You now have a symbolic link named shadow in the root of the system drive, leading to the shadow copy! Following the link, you will see the familiar structure of files and folders; these are their previous versions.
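The same two steps in script form, as an added example that is not part of the original article: it enumerates the shadow copies that vssadmin lists, resolves each one to a drive letter and to the restore point created at the same time, and then creates the directory symbolic link with mklink exactly as above. It assumes Windows PowerShell 5.1 run as administrator; the function names Get-ShadowCopyInfo and Mount-ShadowCopy are this example's own.

```powershell
# Added example, not the article's own code. Run from an elevated Windows PowerShell 5.1.
# Assumed names: Get-ShadowCopyInfo and Mount-ShadowCopy belong to this example only.

function Get-ShadowCopyInfo {
    # Map volume GUID paths (\\?\Volume{...}\) to drive letters such as "C:"
    $letters = @{}
    Get-CimInstance Win32_Volume | Where-Object DriveLetter | ForEach-Object {
        $letters[$_.DeviceID] = $_.DriveLetter
    }
    # Restore points live in the same shadow copies, so match them by creation time
    $points = Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Time        = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description = $_.Description
        }
    }
    Get-CimInstance Win32_ShadowCopy | Sort-Object InstallDate | ForEach-Object {
        $when  = $_.InstallDate
        $match = $points | Where-Object { [math]::Abs(($_.Time - $when).TotalMinutes) -lt 5 } |
                 Select-Object -First 1
        $desc  = if ($match) { $match.Description } else { '(no restore point within 5 min)' }
        [pscustomobject]@{
            Created      = $when
            Drive        = $letters[$_.VolumeName]
            DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            RestorePoint = $desc
        }
    }
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [string]$LinkPath = "$env:SystemDrive\shadow"
    )
    if (Test-Path -LiteralPath $LinkPath) {
        throw "$LinkPath already exists; remove it with 'rmdir $LinkPath' first"
    }
    # mklink /d needs the trailing backslash on the device path, as the article notes
    & cmd.exe /c "mklink /d `"$LinkPath`" `"$DeviceObject\`"" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
    Get-Item -LiteralPath $LinkPath
}

# Usage: show every copy, then link the newest copy of the system drive
$copies = Get-ShadowCopyInfo
$copies | Format-Table Created, Drive, RestorePoint, DeviceObject -AutoSize
$latest = $copies | Where-Object Drive -eq $env:SystemDrive | Select-Object -Last 1
if ($latest) {
    Mount-ShadowCopy -DeviceObject $latest.DeviceObject
    # Previous versions are now browsable read-only under the link;
    # remove the link afterwards with: cmd /c rmdir %SystemDrive%\shadow
}
```

If Get-ShadowCopyInfo returns nothing, system protection is disabled for every volume (the default on Windows 10), and there is nothing to recover from by this route.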

    Method 2 - Login to a shared drive over the network (Windows 8 and 8.1)

    Added 01/15/2013. In the comments, reader Alexey shared a simpler way to access shadow copies than the one originally described in the article. At first the method worked, but later Microsoft closed the loophole with some update. Eventually, however, reader Nick suggested a workaround.

    First you need to share the disk, and then access it "over the network". In the "This PC" window, open "Network" and then your own PC, or, using an administrator account, paste the network path into the Explorer address bar or into the "Run" window:

    \\%computername%\C$

    where C is the letter of the desired drive. In network folders, the "Previous Versions" tab is present.

    Since I've resorted to retrieving data from shadow copies several times, I'm a little sorry for the loss in the GUI. After all, the “Previous Versions” tab was convenient because it immediately allowed you to get to the necessary files.

    However, I didn’t use this opportunity so often that entering two commands into the console gave me terrible inconvenience. After all, the main thing is the presence of previous versions of the files, and I can get to them! Now you can too ;)

    Have you ever had the opportunity to restore previous versions of files from shadow copies? Tell us in the comments why the need arose and whether you managed to restore everything.

    I still think that most readers have never used this feature on home systems, and therefore its disappearance from the GUI will not upset them too much. In the next post, we'll talk about why various Windows features are disappearing or undergoing changes, and what you can do to help change the situation.

    We have to admit: mistakes are inevitable, especially when it comes to computers, networks, technology and the people who use them. Every user sometimes deletes, changes or otherwise damages important documents. In such a situation, the ability to return everything to the way it was is highly valued. The volume shadow copy mechanism implemented in Windows Vista allows you to solve the problem in a few mouse clicks, provided, of course, that it is enabled and configured correctly. Setting up and using this feature is not difficult at all; you just need to know where to look for it.

    Setting up shadow copying

    To be able to use shadow copying, you first need to enable it. Please note that it requires additional system resources, so consider how important the ability to recover files is to you. In most cases, the advantages outweigh the disadvantages, but in some situations the need to allocate additional resources for shadow copying is unacceptable.

    Shadow copy settings are contained in the system properties. Open the System tool in Control Panel (Figure A) or enter the keyword "system" in the Start menu search bar.

    Figure A. System Properties in Vista.

    On the left side of the System window, click the System Protection link (Figure B). Oddly enough, I couldn't find a keyword that would bring up the System Protection window directly from the Start menu search bar. Apparently, we cannot do without an intermediate stage.


    Figure B. System Protection link.

    In the System Properties dialog box, open the System Protection tab (Figure C) and select the check boxes for the drives for which you want to enable shadow copying. After this, you can immediately create a restore point by clicking the “Create” button. Otherwise, it will be created upon shutdown and next startup.

    In this window you can also run a system restore from a previous point, if one exists. After completing the settings, click "OK".


    Figure C. System Protection tab

    Using Shadow Copy

    By setting up shadow copies, you can be sure that important files can be recovered if necessary. As an example, I created a Word 2007 file named "ShadowTest.docx" and saved it in the Documents folder for my profile.


    Figure D. My documents.

    Figure E shows the contents of the file: just one line of text.


    Figure E. Text of the "ShadowTest.docx" file.

    After saving the document and closing Word, I right-clicked on the file to bring up the properties window and opened the Previous Versions tab. As can be seen from Fig. F, a shadow copy of this document has not yet been created. Under normal conditions, it will appear after shutdown and next startup.

    Please note that shadow copying does not eliminate the need for standard file backup, but only complements it. Restoring files from a shadow copy still results in the loss of certain data and is time consuming. It should be used only in extreme cases.


    Figure F. File properties.

    As an example, I created a restore point to get a shadow copy of the test file (Figure G).


    Figure G: New restore point.

    Now from the “Previous Versions” tab in the file properties window (Fig. G), you can open a document, copy or restore its previous version. In this case, the current file will be replaced by a shadow copy, which Windows specifically warns about (Fig. H).