Ability to create a schedule for Shadow Copies in Windows 7

Shadow Copy is a new feature introduced in Windows XP and Windows Server 2003 that makes it possible to archive open files.

When should you archive open files? For example, suppose that one of your workplaces still has an old accounting program running. It does not have its own archiving mechanism and can only store data on the local computer. The administrator, that is, you, will have to think about archiving its database.

While archiving these files over the network, the accountant's computer must be turned on, but the program must not be running so that the files do not remain open. But this program is written as an automated workstation, starts when the computer is turned on and ends when it is turned off, and you can only curse its author.

The way out of this situation is to install Windows XP Professional on the accountant's workstation (we assume that the program will work under this operating system). After this, you will be able to archive all working files of this program regardless of whether the program has been closed or not.

Shadow Copies and Shared Folders

Using this feature, you can return to a previous version of a file in a shared folder on the server. The following fact is much more important: in previous versions of Windows (including Windows 2000), deleting a file from a shared folder over the network resulted in its irretrievable loss; it did not even remain in the Recycle Bin. In Windows Server 2003, after deleting a file, you can restore its previous version, which may be identical to the current one.

By default, shadow copying of shared folders is disabled. It is enabled on the server for the partition on which the shared folders are physically located. This must be a partition with the NTFS file system.

1. Log on to the SERVER as an administrator. Open the C: drive properties window.

2. Go to the Shadow Copy tab. You will see that this feature is disabled.

3. Click the Options button and edit the properties of the current partition. You can specify how often the partition will be copied (twice a day by default) and how much disk space is allocated for copies. It is recommended to leave the default values. Close the dialog box by clicking OK.

4. Click the Allow button and in the next dialog box, confirm your decision by clicking Yes.

Immediately after this, the creation of the first copy of the partition will begin. Information about this action in the form of date and time appears at the bottom of the window.

Note.

It is not necessary to copy the partition to the same physical disk. If you have multiple physical disks installed, you can significantly improve disk subsystem performance by pointing the copy to another disk. The only condition is that this disk must be formatted in the NTFS file system.

Organization of shadow copying on a workstation

Client computers running Windows XP Professional cannot use the shadow copy feature right away. First you need to install client software on them. The TWCLI32.MSI installation file is located on the server (Windows Server 2003) in the %SYSTEMROOT%\system32\clients\twclient\x86 folder.

1. Log on to COMPUTER as an administrator.

2. Start Explorer and enter the following path in the address bar, where SERVER is the name of the server: \\SERVER\c$\windows\system32\clients\twclient\x86\twcli32.msi

The Previous Versions Client will be installed.

Clients for the operating systems Windows 2000 Server with SP3 or later, Windows 2000 Professional and Windows 98 can be downloaded from the Microsoft website at http://www.microsoft.com/windowsserver203/downloads/shadowcopyclient.mspx.

There is no such client for Windows NT 4.0 operating systems. For systems lower than Windows XP, the client program must be installed on both the client computer and the server running Windows Server 2003.

Applying shadow copying

To take advantage of shadow copying:

1. Log on to COMPUTER as an ordinary user.

2. Open your department's folder in the shared document storage.

3. Display the properties of any file (preferably text). Go to the Previous Version tab. Since the Shadow Copy Client was installed, no previous version has been created, so the list is empty.

4. Open the file, edit it and save it under the same name.

5. Repeat step 3. Now on the Previous Version tab you will see the previous version of the file with the date it was created.

6. You can view it by clicking the Display button. The document copy is read-only and cannot be renamed or saved. To restore a previous version under a different name, you must first copy it to another location by clicking the Copy button.

If you mistakenly deleted a file from a shared folder and want to restore it, proceed as follows:

1. From the client computer, display the properties of the folder where the document was located and go to the Previous Version tab.

2. Click the Display button and view the contents of the previous version of the document. If you are happy with it, create a new document and copy the contents into it via the clipboard.

If you mistakenly edited and saved a document, you can restore the correct version by clicking the Restore button on the Previous Version tab.

Thus, the shadow copy feature helps users quickly recover their documents located in shared folders in the following cases:

* in case of unintentional deletion of files;

* in case of unintentional change in the contents of files (using the Save command instead of Save As);

* if files are damaged.

Please note that the entire partition is copied, and not just folders that have network access at the time of copying. This means that if, after creating a copy, you grant access to a new folder, previous versions of its files will be available to users from the moment you open access.

The previous article talked about the backup capabilities of Windows 7 - creating file archives and disk images. This article is devoted to restoring files from an archive and system from a disk image, as well as restoring previous versions of files.

Recovering files from an archive

In Windows 7, you can restore files from an archive using the Control Panel item.

In the main window of the Control Panel item, there are three file recovery options:

  • Recover my files - allows you to select individual files and folders for recovery.
  • Recover files of all users - also allows you to select individual files and folders, but for all computer users.
  • Select another backup to restore files - allows you to restore files of all users, as well as select an archive located on a network drive.

Below we discuss the recovery of “my” files. The first window of the File Recovery Wizard is full of options, so let's go in order.

Selecting the archive date. By default, the most recent archive is used, which the system reports in the window. You can choose an earlier date - for example, if you need an older copy of the file.

The interface seems to be designed for very frequent archiving - by default, archives for the last week are displayed (in my opinion, it makes more sense to immediately display archives for the month), but you can select older ones, of course.

Search files. This is a very convenient tool that allows you to instantly find the files you need in the archive.

Please note that the window uses an explorer interface, i.e. in the search results you can select the desired columns of file properties and sort by them (however, there is no grouping).

Adding files and folders. Along with the search, it is possible to add individual files and folders - each action has its own button.

List of recoverable files. The names of added folders and individual files are displayed.

Removing files and folders from the list. Files and folders are deleted only from the list of recoverable ones, but not from the archive.

Proceed to selecting the destination for the recovered files. You can recover files:

  • to the original location. In this case, if a file with the same name exists, the system will display a standard dialog asking you to overwrite the file, save both copies in a folder, or refuse copying.
  • to the location you specified. In this case, it is possible to restore files while maintaining the folder structure, starting from the archive root (highlighted in the figure).

Having decided on the final location of the files to be restored, click the button Restore.

Restoring previous versions of files and folders

Imagine that while working with a document, you deleted part of it, saved the file and closed the application. And then you suddenly remembered that you had deleted something very important. Or imagine that you deleted a file bypassing the Recycle Bin, and a month later you really needed it. In both cases, you have a good chance of restoring previous versions of files, which Windows 7 can save in two ways:

  • file archives created using Windows Backup
  • shadow copies created by System Protection using Volume Shadow Copy Service

Restoring previous versions is accessed from the file or folder properties, on the Previous versions tab.

Restoring previous versions of files from archives

If the file is included in the archive using Windows backup tools, in its properties on the tab Previous versions Archiving.

If, when restoring a file, the system detects that a file with the same name already exists, you will be prompted to overwrite the existing file, save it with a different name, or refuse recovery.

Of course, the same file can be restored from the control panel, but doing this from the file properties may be more convenient and faster.

Recovering previous versions of files and folders from shadow copies

To be able to restore files and folders from shadow copies, system protection must be working; it is turned on for each disk separately. It may not be obvious, but the system protection settings control the operation of the Volume Shadow Copy service and the amount of disk space it uses. This service provides storage for system restore points and for shadow copies of files and folders.

Shadow copies are not stored indefinitely. They are allocated a certain percentage of disk space, and when the specified limit is reached, old copies are replaced with new ones. Since it talks about system protection and recovery, here I will only consider restoring previous versions.

From shadow copies you can restore previous versions:

  • separate files
  • file folders

Restoring an individual file from a shadow copy is almost the same as restoring a file from an archive. On the Previous versions tab of the file properties you will see a list of versions, and the location will be shown as Restore point.

Unlike a file saved in an archive, in this case you will have options to open and copy the file to a folder of your choice.

In addition to individual files, you can restore folders from shadow copies. The list of versions can be seen on the Previous versions tab of the folder properties.

You can open the folder, copy it to another location, or restore it to the old location. When restoring, as in the case of files from archives, the system will warn you if there is a file with the same name in the folder.

Recovering deleted files from shadow copies

If you need to restore a previous copy of an existing file, just go to the Previous versions tab in the file properties. What should you do if the file has been deleted? You have two ways:

  • folder recovery
  • file search

From the shadow copy, you can restore the folder where the file was located, as described above. If you don't remember the exact location of a file, but have a rough idea of where it was in the folder tree, you can restore the parent folder.

However, before you restore the folder, you can try to find the deleted file using Windows Search. Let's look at the sequence of actions using an example. I deleted the file support_center01.png, and now I need it. I know which folder it was in, and I look for the file in it (and if I didn’t know the exact location, I would look in the nearest parent one).

Shadow copies are not indexed, and the deleted file is immediately excluded from the index, so the search does not find it. Therefore, you need to search in non-indexed places by clicking Computer. Searching for non-indexed files takes longer, but your patience will be rewarded.

In the shadow copies I found not only the PNG file I needed, but also a long-deleted BMP file with the same name, which I had forgotten about.

Why shadow copies may be missing

After reading about previous versions of files, you might want to check if they are being created on your system. If you didn't find any previous versions, it could mean that:

  • system protection is disabled, i.e. there are no restore points where previous versions of system files are stored
  • Little disk space is allocated to protect the system, so there is not enough space for shadow copies of user files
  • the file or folder contents have not changed - in this case, shadow copies are not created

To summarize the story about file recovery, I want to emphasize that Windows technologies are interconnected. You'll have the best chance of recovering your files if you use Windows Backup along with System Protection. You can increase these chances by creating backup system images, the restoration of which will be discussed below.

Restoring the system from a previously created image

During the installation of Windows 7, a service partition is automatically created on your hard drive containing the Windows RE (Recovery Environment). Using this section you can:

  • boot into recovery environment from hard drive
  • create a system repair disk and boot from it

By booting into the recovery environment, you can restore the system from a pre-created image.

Attention! For a detailed description of creating a system repair disc, the recovery environment, and options for booting into it, see the article Using the Windows RE Recovery Environment in Windows 7. Below we discuss only booting into Windows RE from a hard drive.

Booting to Recovery Environment from Hard Drive

To enter the Additional download options menu, press F8 after turning on the computer, but before the operating system loads.

Select the first menu item - Troubleshooting your computer and press Enter. The Windows Recovery Environment will launch, where the first thing you will be asked to do is select your keyboard layout.

Select the language in which your administrative account password is set, as you will be asked to enter it in the next step.

After entering your password, you will see a menu with recovery options, one of which is Restoring a system image.

Restoring a system image from Windows RE

Windows RE provides various system recovery tools.

You can also choose a different recovery image. After selecting an image, click the Further button to begin the recovery process.

You can format disks and create partitions, and you have the option to exclude disks from the formatting operation (the disk containing the archive image is automatically excluded). Also, you can simply restore the image to an existing system partition. Two more options are hidden behind the Additionally button.

Having decided on the recovery options, click the Further button, and then, in the last window of the wizard, click the Ready button. Windows 7 will warn you that all data will be deleted from the partition and begin the recovery process.

If you don't have a Windows 7 installation disc, be sure to create a system repair disc. This disk will allow you to restore a system backup image even if the Windows RE service partition on your hard drive is damaged.

If you accidentally deleted a file or folder past the Recycle Bin, don't panic. Data recovery programs are here to stay, so try the system tools first. In Windows, you can restore previous versions of files and folders, even if the GUI does not have this option.

In Windows 8, there is one less tab in the properties of drives, folders and files. Please note that previous versions have disappeared.

This is only observed in the client operating system, i.e. in Windows Server 2012 the tab remains. In Windows 10, the tab is back, but... you need to read the article :)

Article updated in the context of Windows 10.

Previous versions on Windows 10

The article was written during the days of Windows 8, and in Windows 10 the “Previous Versions” tab returned to the folder properties. However, the material is relevant for Windows 10 because it demonstrates how to recover files directly from shadow copies.

In Windows 10, the tab says that previous versions are formed from file history and shadow copies. First, you need to consider that in Windows 10, system protection is disabled by default, so with standard settings, previous versions are only available from file history, if it is enabled, of course.

Moreover, my experiment on Windows 10 version 1511 (and later 1709) showed that the tab only shows versions from the file history, even if system protection is enabled!

In this picture:

  1. Properties of the screenshots folder in the OS. Latest version dated February 27. This is probably the date of the last copy to the file history, which is not working for me right now (the drive is physically disconnected)
  2. The latest shadow copy dated May 11 (appeared when creating a restore point before installing WU updates), I create a symbolic link to step 3
  3. Contents of the shadow copy. It can be seen that it contains files created shortly before the appearance of the shadow copy of May 11th. However, they are absent in paragraph 1

Thus, you have the best chance of restoring previous versions if file history is enabled. Then the versions are available on a tab in the folder properties or in the file history interface. Otherwise, system protection must be enabled, and if necessary, you will have to get to shadow copies using the methods described later in the article.

How previous versions work, and why the tab was removed in Windows 8

This picture in the properties of files and folders is only a consequence of the fact that there is no longer a file recovery option in the Windows 8 system protection settings.

I’ll say right away that the absence of an entry point in the graphical interface does not mean the absence of technology in the system. Previous versions of files are still available! Therefore, everything said below is fully applicable to Windows 8, and the description of the technology also applies to Windows 7.

Why was the file protection option and the previous versions tab removed? I don't have a definitive answer, but I have some educated guesses that I'll share with you while also explaining how previous versions work.

On many systems this tab was always empty

This led thousands of perplexed people to bring a burning question to community forums and Microsoft support. But you already guessed what their problem was, didn’t you? These people had their system protection completely disabled!

People did not understand the principle of storing and displaying previous versions

Indeed, why are there several versions for some folders, and none for others? The fact is that different editions of the files in these folders could only be created no earlier than the oldest recovery point.

Agree, when looking at the tab, it is not entirely obvious that saving versions of personal documents and media files is tied to the creation of recovery points (although this is described in Windows help, albeit not without flaws).

It is common to think of points as a means of rolling back system parameters, especially since personal files are not restored (with the exception of these types of files).

Meanwhile, recovery points and previous versions of files (not related to file history) are stored in one place - volume shadow copies.

System Restore simply takes a snapshot of the volume at the right time and stores it in a shadow copy. It is the space allocated for shadow copies that you control in the system protection settings.

Now it becomes clear why the number of versions of files and folders can vary. The state of the file is recorded at the time the recovery point was created. If it changed between points, its version is saved in the shadow copy. If the file remained unchanged during the period covered by the restore points, it will not have previous versions at all.

Windows 8 introduces file history

Once the technology is used, the benefits can be derived from it. In Windows 7, this was not clear to most people, so in Windows 8 they introduced a more visual data backup system - file history.

It doesn't rely on shadow copies, and you can control the number of file versions by specifying the backup frequency. It all depends on your needs and the space on the target disk.

The access tab to “obscure” previous versions in Windows 8 was simply removed, along with the accompanying option in the system protection settings. As for IT specialists, they should be well acquainted with the concept of shadow copies - after all, server operating systems have a tab of the same name in the volume properties to manage them. Therefore, in Windows Server 2012, the “Previous Versions” tab is in its usual place.

In Windows 8+, restore points are created using a special algorithm, and along with them, previous versions of your files and folders are saved. Next I will tell you how to open them.

How to open previous versions of files and folders from shadow copies

Below are two methods that will work if you have system protection enabled. The first one is suitable for all supported Windows and will be useful if you don't have file history enabled. The second method makes sense only in Windows 8/8.1, taking into account the note about Windows 10 at the beginning of the article.

Method 1 - Symbolic link to shadow copies (Windows 7 and later)

Regular blog readers have already seen this trick in the article about the function of updating a PC without deleting files (Refresh Your PC). It also uses shadow copies to intermediately save the disk when you create your rollback image.

Back then I needed this trick to understand the technology, but now you may need it to solve a very specific problem. In a command prompt running as administrator, run:

Vssadmin list shadows

You will see a list of shadow copies on all volumes. Each of them is marked with a drive letter, so it will be easy for you to navigate. In addition, each shadow copy corresponds by date to one of the recovery points (to list them, run rstrui in the console).

Select the desired date and copy the shadow copy volume ID. Now use it in the second command (don't forget to add a backslash at the end):

Mklink /d %SystemDrive%\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\

You now have a symbolic link named shadow in the root of the system drive, leading to the shadow copy! By following the link, you will see a familiar structure of files and folders: these are their previous versions.
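The two commands above can be tied together by parsing the vssadmin output. The following Python sketch is an added example, not part of the original article: it parses a constructed sample of `vssadmin list shadows` output, picks the newest shadow copy of a drive on or before a given date, and builds the matching mklink command with its trailing backslash. The sample text, its en-US date format, the year and all function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows` output (not captured from a real
# machine). The en-US date format, the year and the GUIDs are assumptions.
SAMPLE = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-aaaa-4bbb-8ccc-000000000001}
   Contained 1 shadow copies at creation time: 2/27/2016 9:03:11 PM
      Shadow Copy ID: {22222222-aaaa-4bbb-8ccc-000000000001}
         Original Volume: (C:)\\?\Volume{33333333-aaaa-4bbb-8ccc-00000000000c}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Type: ClientAccessibleWriters

Contents of shadow copy set ID: {11111111-aaaa-4bbb-8ccc-000000000002}
   Contained 1 shadow copies at creation time: 5/11/2016 10:15:32 AM
      Shadow Copy ID: {22222222-aaaa-4bbb-8ccc-000000000002}
         Original Volume: (C:)\\?\Volume{33333333-aaaa-4bbb-8ccc-00000000000c}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Type: ClientAccessibleWriters

Contents of shadow copy set ID: {11111111-aaaa-4bbb-8ccc-000000000003}
   Contained 1 shadow copies at creation time: 5/12/2016 8:00:05 AM
      Shadow Copy ID: {22222222-aaaa-4bbb-8ccc-000000000003}
         Original Volume: (D:)\\?\Volume{33333333-aaaa-4bbb-8ccc-00000000000d}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Type: ClientAccessibleWriters
"""

SET_RE = re.compile(r"creation time:\s*(?P<ts>.+?)\s*$")
FIELD_RE = re.compile(
    r"^\s*(?P<key>Shadow Copy ID|Original Volume|Shadow Copy Volume):\s*(?P<val>.+?)\s*$")


def parse_shadows(text):
    """Turn the listing into dicts with id, created, drive and device keys."""
    shadows, created, current = [], None, None
    for line in text.splitlines():
        m = SET_RE.search(line)
        if m:
            # One set can hold several shadow copies; they share this timestamp.
            created = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key == "Shadow Copy ID":
            current = {"id": val, "created": created, "drive": "", "device": ""}
            shadows.append(current)
        elif current is not None and key == "Original Volume":
            # "(C:)\\?\Volume{...}\" -> "C:"; volumes without a letter stay "".
            current["drive"] = val[1:3] if val.startswith("(") else ""
        elif current is not None:
            current["device"] = val
    return shadows


def pick(shadows, drive, on_or_before):
    """Newest shadow copy of `drive` created on or before the given datetime."""
    matches = [s for s in shadows
               if s["drive"].upper() == drive.upper() and s["created"] <= on_or_before]
    return max(matches, key=lambda s: s["created"], default=None)


def mklink_command(shadow, link=r"%SystemDrive%\shadow"):
    """Build the mklink command; the target must end with a backslash."""
    target = shadow["device"].rstrip("\\") + "\\"
    return f"mklink /d {link} {target}"


if __name__ == "__main__":
    chosen = pick(parse_shadows(SAMPLE), "C:", datetime(2016, 5, 31))
    print(mklink_command(chosen))
```

On a system with a different display language or date format, the timestamp pattern and the field labels have to be adjusted to match the local vssadmin output.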

Method 2 - Login to a shared drive over the network (Windows 8 and 8.1)

Added 01/15/2013. In the comments, reader Alexey shared a simpler way to access shadow copies compared to what was originally described in the article. At first the method worked, but later Microsoft closed the loophole with some update. However, reader Nick eventually suggested a workaround.

First you need to make the disk shared, and then access it “over the network”. In the This PC window, open Network and log into your PC, or as an administrator, paste the network path into the address bar of Explorer or into the Run window:

\\%computername%\C$

where C is the letter of the desired drive. In network folders, the “Previous Versions” tab is present:

Since I've resorted to retrieving data from shadow copies several times, I'm a little sorry for the loss in the GUI. After all, the “Previous Versions” tab was convenient because it immediately allowed you to get to the necessary files.

However, I didn’t use this opportunity so often that entering two commands into the console gave me terrible inconvenience. After all, the main thing is the presence of previous versions of the files, and I can get to them! Now you can too ;)

Have you ever had the opportunity to restore previous versions of files from shadow copies? Tell us in the comments why the need arose and whether you managed to restore everything.

I still think that most readers have never used this feature on home systems, and therefore its disappearance from the GUI will not upset them too much. In the next post, we'll talk about why various Windows features are disappearing or undergoing changes, and what you can do to help change the situation.

Volume Shadow Copy Service (VSS) stores recovery points and supports file backup and recovery using a snapshot mechanism called shadow copies. VSS creates static copies of open files and applications that are otherwise too volatile to be backed up.

It sounds convincing, but VSS takes up a lot of disk space. To get started, use the "vssadmin" command to see how much space the current volume shadow copies are using with the "vssadmin list shadowstorage" command. (For more information, click the "Start" button, type cmd in the search bar, and then type vssadmin /? for help.)

In the screenshot below, recovery points for drives C: and D: are activated; there are also shadow copies on these same disks. Let's see how much disk space is wasted on shadow copies of these drives: 22.079 GB on drive D: (total volume: 149 GB; volume occupied by shadow copies = 15.5%) and 64.448 GB on drive C: (total volume: 465 GB; volume occupied by shadow copies = 14.9%).

At one point, we found only 230 GB of free space on the 465 GB C: drive, even though we knew for sure that it contained only 120 GB of files. The search for the missing 115 GB led us to the Volume Shadow Copy Service. We again used the "vssadmin list shadows" command (we did not show the result here because it is very long: it lists all the shadow copies on the disk) and found out that one of the shadow copies takes up 85 GB! Since we were recently copying a large collection of music files from an old 200GB USB drive to our new, faster SATA drive, VSS apparently created a shadow copy of those files at the same time it copied them to a user-accessible folder.

How to get rid of this unnecessary shadow copy? By default, Vista allocates 15% of disk space to shadow copies, but the operating system does not strictly limit the total size of shadow copies. If the shadow copy needs more space, Vista will be happy to provide it. Using the vssadmin command line utility, you can set a clear disk space limit for shadow copies. Here's how to do it:

Vssadmin resize shadowstorage /For=T: /On=T: /MaxSize=Num

Instead of the letter "T", substitute the name of your disk and replace "Num" with a number equal to 15% of the capacity of this disk. In the case of our C: drive, this command will look like this:

Vssadmin resize shadowstorage /For=C: /On=C: /Maxsize=69GB

Before using this trick, take a backup of your system and create a restore point immediately after rebooting your system. After running the above command, Vista automatically deletes the oldest restore points first until it reaches the limit you set.

There are not many ways to recover files encrypted by a ransomware attack without paying a ransom for them. If we're lucky, there may be some free tools to recover them, but a more realistic option is restoring your files from your backups. However, not everyone has backup copies of their files, although Windows offers a very useful feature known as Shadow Copy, which, in a nutshell, is a backup of your files. Cyber criminals have known about it for a long time, and therefore, a few months after ransomware attacks became popular, the first thing they do when they infect your computer is delete the shadow copy of your files before starting to encrypt your information.

There are a number of technologies that can be used to stop ransomware attacks: some are almost useless, such as signatures or heuristics (these are the first things malware authors check before releasing their malware), others can sometimes be more effective, but even a combination of all of these techniques does not guarantee that you will be protected from all such attacks.

More than 2 years ago, the antivirus laboratory PandaLabs adopted a simple but quite effective approach: if some process tries to delete shadow copies, then most likely (but not always, by the way) we are dealing with a malicious program, and most likely with ransomware. These days, most ransomware families remove shadow copies, because if they don't, people won't pay the ransom when they can recover their files for free. Let's look at how many infections were stopped in our laboratory thanks to this approach. It is logical to assume that this number should grow exponentially, because the number of ransomware attacks using this technique is also growing rapidly. For example, here's the number of attacks we've blocked over the past 12 months using our approach:

But in the diagram we see exactly the opposite of what we expected. How is this possible? In fact, there is a very simple explanation for this “phenomenon”: we use this approach as a “last resort” when no other security techniques could detect anything suspicious, and therefore this rule is triggered, which blocks the ransomware attack. We also use this approach for internal purposes, as a result of which we can analyze in more detail those attacks that were blocked at the “last line”, and then improve all previous security levels. We also use this approach to evaluate how well or poorly we are stopping ransomware: in other words, the lower the values, the better our core technologies perform. So, as you can see, the efficiency of our work is increasing.
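The rule described above, as an added example (not PandaLabs code): Python that triages process-creation events and flags vssadmin invocations that delete shadow copies, or that shrink shadow storage so far that existing copies are evicted. The event fields, the sample events, the size thresholds and the user-writable path list are constructed assumptions, and only vssadmin, the tool discussed on this page, is covered.

```python
import re

# vssadmin by bare name or full path, optionally quoted, anywhere in the command
# line (so "cmd.exe /c vssadmin ..." is covered as well).
VSSADMIN = r'(?:^|[\s"\\/])vssadmin(?:\.exe)?"?\s+'
DELETE_RE = re.compile(VSSADMIN + r'delete\s+shadows\b(?P<args>.*)', re.I)
RESIZE_RE = re.compile(VSSADMIN + r'resize\s+shadowstorage\b(?P<args>.*)', re.I)
MAXSIZE_RE = re.compile(r'/maxsize=(?P<num>\d+(?:\.\d+)?)\s*(?P<unit>%|[KMGTPE]?B)?', re.I)

UNITS = {"": 1, "B": 1, "KB": 2**10, "MB": 2**20, "GB": 2**30,
         "TB": 2**40, "PB": 2**50, "EB": 2**60}
SMALL_CAP_BYTES = 2**30    # assumption: a cap under 1 GB exists to evict copies
SMALL_CAP_PERCENT = 2.0    # assumption: same idea for percentage caps
# Assumption: parents started from these locations are not admin tooling.
USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|Downloads|ProgramData)\\', re.I)

# Constructed process-creation events (fields loosely modelled on Sysmon event 1).
EVENTS = [
    {"time": "2024-01-10T09:14:02", "cmd": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\acct\AppData\Local\Temp\invoice_viewer.exe"},
    {"time": "2024-01-10T09:20:41", "cmd": "vssadmin list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"time": "2024-01-10T09:31:17",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" resize shadowstorage /For=C: /On=C: /MaxSize=401MB',
     "parent": r"C:\Windows\System32\cmd.exe"},
    # The administrator's command from the disk-space section: a sane cap, no alert.
    {"time": "2024-01-10T10:02:55",
     "cmd": "vssadmin resize shadowstorage /For=C: /On=C: /Maxsize=69GB",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"time": "2024-01-10T11:45:09", "cmd": "cmd.exe /c vssadmin delete shadows /for=C: /oldest",
     "parent": r"C:\Windows\System32\cmd.exe"},
]


def classify(cmdline):
    """Return (action, detail) when the command destroys shadow copies, else None."""
    m = DELETE_RE.search(cmdline)
    if m:
        args = m.group("args").lower()
        return ("delete", [f for f in ("/all", "/quiet", "/oldest") if f in args])
    m = RESIZE_RE.search(cmdline)
    if m:
        size = MAXSIZE_RE.search(m.group("args"))
        if not size:
            return None  # no numeric cap (for example UNBOUNDED): nothing is evicted
        num, unit = float(size.group("num")), (size.group("unit") or "").upper()
        if unit == "%":
            small = num < SMALL_CAP_PERCENT
        else:
            small = num * UNITS[unit] < SMALL_CAP_BYTES
        return ("shrink", [size.group(0)]) if small else None
    return None


def triage(event):
    """Build an alert for one event, or return None when it is not relevant."""
    hit = classify(event["cmd"])
    if hit is None:
        return None
    action, detail = hit
    bulk = action == "shrink" or "/all" in detail or "/quiet" in detail
    severity = "high" if bulk else "medium"
    # Deletion is "not always" malicious, so the launch context decides the top
    # tier: an admin console differs from a binary running out of a user profile.
    if USER_WRITABLE.search(event["parent"]):
        severity = "critical"
    return {"time": event["time"], "severity": severity, "action": action,
            "detail": detail, "parent": event["parent"]}


def detect(events):
    """Run triage over a batch of events and keep only the alerts."""
    return [alert for alert in map(triage, events) if alert]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["time"], alert["severity"], alert["action"], alert["detail"])
```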
