Shadow copy. Windows Server

There are not many ways to recover files encrypted by ransomware without paying the ransom. If we're lucky, a free decryption tool may exist, but the realistic option is restoring the files from backups. Not everyone keeps backups, though Windows offers a very useful feature known as Shadow Copy: in a nutshell, a point-in-time snapshot of a volume from which previous versions of files can be restored. Cyber criminals have known about it for a long time, and within a few months of ransomware attacks becoming widespread, the first thing they do on an infected computer is delete the shadow copies, and only then start encrypting your data.

There are a number of technologies that can be used to stop ransomware attacks: some are almost useless, such as signatures or heuristics (these are the first things malware authors test their samples against before releasing them); others can be more effective at times, but even a combination of all of these techniques does not guarantee protection from every such attack.

More than two years ago, the PandaLabs antivirus laboratory adopted a simple but quite effective approach: if a process tries to delete shadow copies, then most likely (though not always) we are dealing with malware, and most likely with ransomware. These days most ransomware families delete shadow copies, because if they didn't, people could recover their files for free and would not pay the ransom. Let's look at how many infections this approach stopped in our laboratory. It would be logical to expect the number to grow sharply, since the number of ransomware attacks using this technique is also growing rapidly. Here is the number of attacks we have blocked with this approach over the past 12 months:

But the chart shows the exact opposite of what we expected. How is that possible? There is a very simple explanation for this "phenomenon": we use this approach as a last resort, when none of the other protection layers has detected anything suspicious; only then does this rule fire and block the ransomware. We also use it internally: attacks blocked at this last line are analysed in more detail, and the findings are fed back into all the earlier layers. Finally, it serves as a yardstick for how well we stop ransomware overall: the lower the number, the better the core technologies are doing. So, as you can see, our effectiveness is improving.
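The following is an added example, not code from the PandaLabs article: a detection rule in the spirit of the approach described above. It flags process command lines that delete or evict volume shadow copies, first over a few constructed sample lines and then over real Security event 4688 records (which carry the command line only when "Include command line in process creation events" is enabled in audit policy, and the parent process name only on Windows versions that record it). The allow-listed backup agent path is an assumption used to illustrate the "most likely, but not always" caveat.

```powershell
# Added example (not from the PandaLabs article): flag shadow-copy deletion command lines.
# Run in an elevated Windows PowerShell prompt for the live-event part.

$ShadowDeletePatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',                          # the classic
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',                    # shrinking the quota evicts old copies
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*(\.Delete\(|Remove-WmiObject|Remove-CimInstance)',
    'diskshadow(\.exe)?.*delete\s+shadows'
)

# Processes that legitimately manage shadow copies on this host (assumed example path).
# This allow-list is how the "not always malicious" cases are handled.
$AllowedParents = @('C:\Program Files\BackupAgent\agent.exe')

function Test-ShadowCopyDeletion {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$ParentProcess = ''
    )
    if ($AllowedParents -contains $ParentProcess) { return $false }
    foreach ($pattern in $ShadowDeletePatterns) {
        if ($CommandLine -match $pattern) { return $true }   # -match is case-insensitive by default
    }
    return $false
}

# Constructed sample command lines (not real telemetry)
$samples = @(
    @{ Cmd = 'vssadmin.exe Delete Shadows /All /Quiet';                      Parent = 'C:\Users\bob\AppData\Local\Temp\invoice.exe' },
    @{ Cmd = 'cmd.exe /c wmic shadowcopy delete';                           Parent = 'C:\Windows\System32\cmd.exe' },
    @{ Cmd = 'vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB'; Parent = 'C:\Windows\System32\cmd.exe' },
    @{ Cmd = 'vssadmin delete shadows /for=C: /oldest';                     Parent = 'C:\Program Files\BackupAgent\agent.exe' },
    @{ Cmd = 'vssadmin list shadows';                                       Parent = 'C:\Windows\System32\cmd.exe' }
)
foreach ($s in $samples) {
    $hit = Test-ShadowCopyDeletion -CommandLine $s.Cmd -ParentProcess $s.Parent
    '{0,-6} {1}' -f $(if ($hit) { 'ALERT' } else { 'ok' }), $s.Cmd
}
# The first three samples are flagged, the fourth is allow-listed, the fifth is harmless.

# The same rule over recent process-creation events on this host.
function Find-ShadowCopyDeletionEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data   = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd    = ($data | Where-Object Name -eq 'CommandLine').'#text'
            $parent = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
            if ($cmd -and (Test-ShadowCopyDeletion -CommandLine $cmd -ParentProcess $parent)) {
                [pscustomobject]@{ Time = $_.TimeCreated; Parent = $parent; CommandLine = $cmd }
            }
        }
}

Find-ShadowCopyDeletionEvents | Format-Table -AutoSize
```

The same function can be fed from Sysmon Event ID 1 (CommandLine and ParentImage fields) if that is what your telemetry provides. Because the rule keys on the command line, a ransomware sample that deletes shadow copies through the COM/WMI interfaces directly, without spawning a tool, will not be caught by it; that is why the article treats this as a last line rather than the only one.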


The previous article covered the backup features of Windows 7: creating file backups and system images. This article is devoted to restoring files from a backup and the system from an image, as well as restoring previous versions of files.

Recovering files from a backup

In Windows 7, you can restore files from a backup using the Backup and Restore item in Control Panel.

The main window of Backup and Restore offers three file recovery options:

  • Restore my files: lets you select individual files and folders to restore.
  • Restore all users' files: also lets you select individual files and folders, but for all users of the computer.
  • Select another backup to restore files from: lets you restore the files of all users and pick a backup stored on a network location.

Below we walk through restoring "my" files. The first window of the Restore Files wizard is crowded with options, so let's take them in order.

Selecting the backup date. By default the most recent backup is used, and the window tells you its date. You can choose an earlier date, for example if you need an older copy of a file.

The interface seems designed for very frequent backups: by default it shows backups from the last week (in my opinion it would make more sense to show the last month right away), but you can of course select older ones.

Search. This is a very convenient tool that lets you instantly find the files you need in the backup.

Note that the window uses the Explorer interface, i.e. in the search results you can choose which file property columns to show and sort by them (grouping, however, is not available).

Adding files and folders. Alongside search, you can add individual files and folders; each action has its own button.

List of files to restore. Shows the names of the folders and individual files you have added.

Removing files and folders from the list. Items are removed only from the list of files to restore, not from the backup.

Next, choose where the restored files are placed. You can restore files:

  • to their original location. If a file with the same name already exists, the system shows the standard dialog offering to replace the file, keep both copies, or skip it.
  • to a location you specify. In this case you can restore files while preserving their folder structure, starting from the backup root (highlighted in the figure).

Having chosen where the restored files go, click Restore.

Restoring previous versions of files and folders

Imagine that while working on a document you deleted part of it, saved the file and closed the application, and only then remembered that you had deleted something very important. Or imagine you deleted a file bypassing the Recycle Bin and a month later really needed it. In both cases you have a good chance of restoring a previous version of the file, which Windows 7 can keep in two ways:

  • file backups created with Windows Backup
  • shadow copies created by System Protection using the Volume Shadow Copy Service

Previous versions are restored from the Previous Versions tab in the properties of the file or folder.

Restoring previous versions of files from backups

If the file is included in a backup made with Windows Backup, the Previous Versions tab of its properties lists its versions with the location shown as Backup.

If, when restoring a file, the system finds that a file with the same name already exists, you will be prompted to replace the existing file, save the restored one under a different name, or cancel.

Of course, the same file can be restored from Control Panel, but doing it from the file's properties can be more convenient and faster.

Recovering previous versions of files and folders from shadow copies

To restore files and folders from shadow copies, System Protection must be on; it is enabled per drive. It may not be obvious, but the System Protection settings control the operation of, and the disk space available to, the Volume Shadow Copy Service, which provides the storage both for system restore points and for shadow copies of files and folders.

Shadow copies are not stored indefinitely. They are allotted a certain percentage of disk space, and when that limit is reached the oldest copies are discarded to make room for new ones. Since System Protection and System Restore are a separate topic, here I will only consider restoring previous versions.

From shadow copies you can restore previous versions of:

  • individual files
  • folders

Restoring an individual file from a shadow copy is almost the same as restoring it from a backup. The Previous Versions tab of the file's properties shows the list of versions, with the location given as Restore point.

Unlike a file saved in a backup, here you also have the options to open the version and to copy it to a folder of your choice.

Besides individual files, you can restore folders from shadow copies. The list of versions is on the Previous Versions tab of the folder's properties.

You can open the folder, copy it to another location, or restore it in place. When restoring, as with files from backups, the system warns you if the folder already contains a file with the same name.

Recovering deleted files from shadow copies

If you need a previous version of an existing file, just open the Previous Versions tab in its properties. What if the file has been deleted? You have two options:

  • restore the folder
  • search for the file

You can restore the folder the file was in from a shadow copy, as described above. If you don't remember the exact location but roughly know where it was in the folder tree, restore the parent folder.

However, before restoring the folder you can try to find the deleted file with Windows Search. Let's go through an example. I deleted the file support_center01.png and now need it back. I know which folder it was in, so I search there (if I didn't know the exact location, I would search the nearest parent folder).

Shadow copies are not indexed, and a deleted file is removed from the index immediately, so an ordinary search won't find it. You therefore need to search non-indexed locations by running the search from Computer. Searching non-indexed locations takes longer, but your patience will be rewarded.

In the shadow copies I found not only the PNG file I needed, but also a long-deleted BMP file of the same name that I had forgotten about.

Why shadow copies may be missing

After reading about previous versions of files, you may want to check whether they are being created on your system. If you found no previous versions, it could mean that:

  • System Protection is disabled, so there are no restore points, which is where previous versions are kept
  • too little disk space is allotted to System Protection, so there is no room for shadow copies of user files
  • the contents of the file or folder have not changed; in that case no previous version exists
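As an added example (not part of the original article), here is a PowerShell check that distinguishes the three causes above using the System Protection and VSS state exposed through WMI. It must run in an elevated Windows PowerShell 5.1 prompt, because Get-ComputerRestorePoint is not available in PowerShell 7; the document path in the usage line is an assumed example.

```powershell
# Added example (not from the article): why might the Previous Versions tab be empty?
# Elevated Windows PowerShell 5.1.

function Get-ShadowCopyStatus {
    param([string]$DriveLetter = $env:SystemDrive)   # e.g. 'C:'

    $volume = Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $DriveLetter
    if (-not $volume) { throw "Volume $DriveLetter not found" }

    # Cause 1: System Protection creates a shadow storage association for the volume;
    # if there is none, protection is off for this drive.
    $storage = Get-CimInstance Win32_ShadowStorage |
        Where-Object { $_.Volume.DeviceID -eq $volume.DeviceID }

    # Existing shadow copies of this volume, oldest first
    $shadows = @(Get-CimInstance Win32_ShadowCopy |
        Where-Object VolumeName -eq $volume.DeviceID |
        Sort-Object InstallDate)

    $points = @()
    if (Get-Command Get-ComputerRestorePoint -ErrorAction SilentlyContinue) {
        $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    }

    [pscustomobject]@{
        Drive             = $DriveLetter
        ProtectionEnabled = [bool]$storage
        MaxSpaceGB        = if ($storage) { [math]::Round($storage.MaxSpace  / 1GB, 2) } else { 0 }
        UsedSpaceGB       = if ($storage) { [math]::Round($storage.UsedSpace / 1GB, 2) } else { 0 }
        ShadowCopyCount   = $shadows.Count
        OldestShadowCopy  = if ($shadows.Count) { $shadows[0].InstallDate }  else { $null }
        NewestShadowCopy  = if ($shadows.Count) { $shadows[-1].InstallDate } else { $null }
        RestorePointCount = $points.Count
    }
}

function Test-PreviousVersionExpected {
    # Explains, for one file, which of the three causes applies (if any).
    param([Parameter(Mandatory)][string]$Path)
    $file   = Get-Item -LiteralPath $Path
    $status = Get-ShadowCopyStatus -DriveLetter $file.PSDrive.Root.TrimEnd('\')

    if (-not $status.ProtectionEnabled) {
        return 'System Protection is off for this drive (cause 1)'
    }
    if ($status.ShadowCopyCount -eq 0) {
        return "Protection is on but no shadow copies exist; quota is $($status.MaxSpaceGB) GB (cause 2 if too small)"
    }
    # Cause 3: a file last written before the oldest shadow copy has the same content in
    # every copy, so the tab has nothing older to show.
    if ($file.LastWriteTime -lt $status.OldestShadowCopy) {
        return "File unchanged since the oldest shadow copy of $($status.OldestShadowCopy) (cause 3)"
    }
    return "Previous versions expected: $($status.ShadowCopyCount) shadow copies since $($status.OldestShadowCopy)"
}

Get-ShadowCopyStatus -DriveLetter 'C:'
Test-PreviousVersionExpected -Path "$HOME\Documents\report.docx"   # assumed example path
```

For cause 1 the fix is Enable-ComputerRestore -Drive 'C:\' (or the System Protection dialog); for cause 2 the quota can be raised with vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%. Note that a quota that is too small does not just stop new copies: VSS evicts the oldest copies to fit, so OldestShadowCopy creeping towards today is the symptom to watch.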

To wrap up the file recovery story, I want to stress that Windows technologies are interconnected. You have the best chance of recovering your files if you use Windows Backup together with System Protection. You can improve those chances further by creating system images, whose restoration is discussed below.

Restoring the system from a previously created image

During Windows 7 installation, a service partition containing the Windows Recovery Environment (Windows RE) is created automatically on your hard drive. Using this partition you can:

  • boot into the recovery environment from the hard drive
  • create a system repair disc and boot from it

After booting into the recovery environment, you can restore the system from a previously created image.

Note: for a detailed description of creating a system repair disc, of the recovery environment, and of the ways to boot into it, see the article Using the Windows RE Recovery Environment in Windows 7. Below we discuss only booting into Windows RE from the hard drive.

Booting into the recovery environment from the hard drive

To open the Advanced Boot Options menu, press F8 after turning on the computer but before the operating system starts loading.

Select the first item, Repair Your Computer, and press Enter. Windows RE starts and first asks you to choose a keyboard layout.

Choose the layout for the language in which your administrator account's password is typed, since you will be asked for it in the next step.

After entering the password, you will see the System Recovery Options menu, one of which is System Image Recovery.

Restoring a system image from Windows RE

Windows RE offers several system recovery tools.

By default the wizard selects the most recent system image; you can also choose a different one. After selecting an image, click Next to begin the recovery.

You can format disks and create partitions, with the option to exclude disks from formatting (the disk holding the backup image is excluded automatically). Alternatively, you can simply restore the image onto the existing system partition. The Advanced button hides two more options.

Having chosen the recovery options, click Next, and then Finish in the last window of the wizard. Windows 7 warns you that all data on the partition will be erased and starts the recovery.

If you don't have a Windows 7 installation disc, be sure to create a system repair disc. It lets you restore a system image even if the Windows RE service partition on your hard drive is damaged.

If you accidentally deleted a file or folder bypassing the Recycle Bin, don't panic. Data recovery programs aren't going anywhere, so try the built-in tools first. Windows can restore previous versions of files and folders even when the GUI no longer offers the option.

In Windows 8, the properties of drives, folders and files have one tab fewer: notice that Previous Versions has disappeared.

This is only the case in the client operating system; in Windows Server 2012 the tab remains. In Windows 10 the tab is back, but... you need to read the article :)

Article updated in the context of Windows 10.


Previous versions on Windows 10

This article was written in the days of Windows 8, and in Windows 10 the Previous Versions tab returned to folder properties. The material is still relevant for Windows 10, though, because it shows how to recover files directly from shadow copies.

In Windows 10 the tab says that previous versions come from File History and shadow copies. Bear in mind, first, that System Protection is disabled by default in Windows 10, so with default settings previous versions are available only from File History, if it is enabled, of course.

Moreover, my experiment on Windows 10 version 1511 (and later 1709) showed that the tab lists only File History versions, even when System Protection is enabled!

In this picture:

  1. Properties of the screenshots folder on the OS drive. The latest version is dated February 27. This is presumably the date of the last File History backup, which isn't working for me right now (the drive is physically disconnected)
  2. The latest shadow copy is dated May 11 (it appeared when a restore point was created before installing Windows Update updates); I create a symbolic link to it in step 3
  3. Contents of the shadow copy. It contains files created shortly before the May 11 shadow copy appeared, yet they are absent in item 1

So you have the best chance of restoring previous versions if File History is enabled: the versions are then available on the tab in folder properties or in the File History interface. Otherwise System Protection must be enabled, and if needed you will have to get at the shadow copies using the methods described later in the article.

How previous versions work, and why the tab was removed in Windows 8

This change in file and folder properties is merely a consequence of the file recovery option being gone from the System Protection settings in Windows 8.

Let me say right away that the absence of an entry point in the GUI does not mean the technology is gone from the system. Previous versions of files are still available! So everything below applies fully to Windows 8, and the description of the technology also applies to Windows 7.

Why were the file protection option and the Previous Versions tab removed? I don't have a definitive answer, but I have some educated guesses that I'll share while explaining how previous versions work.

On many systems this tab was always empty

This left thousands of people puzzling community forums and Microsoft support with a burning question. But you've already guessed what their problem was, haven't you? Their System Protection was turned off completely!

People did not understand the principle of storing and displaying previous versions

Indeed, why are there several versions for some folders and none for others? The point is that versions of the files in those folders can only date back as far as the oldest restore point, and only exist for files that changed after it was created.

Admittedly, looking at the tab it is not at all obvious that saving versions of personal documents and media files is tied to the creation of restore points (although Windows Help does describe this, not without flaws).

Restore points are commonly thought of as a way to roll back system settings, especially since personal files are not restored (with the exception of certain file types).

Meanwhile, restore points and previous versions of files (those not coming from File History) are stored in the same place: volume shadow copies.

System Restore simply takes a snapshot of the volume at the right moment and keeps it in a shadow copy. The space allotted to shadow copies is what you control in the System Protection settings.

Now it is clear why the number of versions of files and folders varies. A file's state is captured when a restore point is created. If the file changed between points, that version is kept in the shadow copy. If it stayed unchanged over the period covered by the restore points, it has no previous versions at all.

Windows 8 introduces file history

When a technology is in use, it should deliver visible benefits. In Windows 7 that wasn't clear to most people, so Windows 8 introduced a more visible backup system: File History.

It doesn't rely on shadow copies, and you control the number of file versions by setting the backup frequency. It all depends on your needs and the space on the target disk.

The tab giving access to the "obscure" previous versions was simply removed from Windows 8, along with the accompanying option in the System Protection settings. As for IT professionals, they should be well acquainted with shadow copies: server operating systems have a tab of the same name in volume properties for managing them. That is why in Windows Server 2012 the Previous Versions tab is in its usual place.

In Windows 8+, restore points are created according to a special algorithm, and previous versions of your files and folders are saved along with them. Next I'll show how to open them.

How to open previous versions of files and folders from shadow copies

Below are two methods that work if System Protection is enabled. The first works in all supported Windows versions and is useful when File History is not enabled. The second makes sense only in Windows 8/8.1, given the note about Windows 10 at the beginning of the article.

Method 1 - Symbolic link to shadow copies (Windows 7 and later)

Regular blog readers have already seen this trick in the article about refreshing a PC without deleting files (Refresh Your PC). That feature also uses shadow copies to hold an intermediate state of the disk while your rollback image is created.

Back then I needed this trick to understand the technology; now you may need it to solve a very specific problem. In a command prompt running as administrator, run:

vssadmin list shadows

You will see a list of shadow copies on all volumes. Each is labelled with a drive letter, so it is easy to find your way around. Each shadow copy also corresponds by date to one of the restore points (to list them, run rstrui from the console).

Choose the desired date and copy the shadow copy volume name (the \\?\GLOBALROOT\Device\... path). Now use it in the second command (don't forget the trailing backslash):

mklink /d %SystemDrive%\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\

You now have a symbolic link named shadow in the root of the system drive leading to the shadow copy! Following the link, you see the familiar file and folder structure; these are the previous versions.
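The two commands above, wrapped into a PowerShell helper, as an added example that is not part of the original article. It enumerates shadow copies through WMI instead of parsing vssadmin output, picks the newest copy of a drive created on or before a date (so you can match it to a restore point, or to the May 11 copy from the Windows 10 experiment above), creates the link, and removes it again. The link path and the document path in the usage lines are assumptions. Run in an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the article): list, link and unlink shadow copies.

function Get-ShadowCopyList {
    # Equivalent of "vssadmin list shadows", with the drive letter resolved for each copy
    $volumes = Get-CimInstance Win32_Volume | Where-Object DriveLetter
    Get-CimInstance Win32_ShadowCopy | ForEach-Object {
        $sc  = $_
        $vol = $volumes | Where-Object DeviceID -eq $sc.VolumeName
        [pscustomobject]@{
            Created      = $sc.InstallDate            # matches the restore point's date
            Drive        = if ($vol) { $vol.DriveLetter } else { $sc.VolumeName }
            DeviceObject = $sc.DeviceObject           # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            Id           = $sc.ID
        }
    } | Sort-Object Created
}

function Mount-ShadowCopyLink {
    param(
        [Parameter(Mandatory)][string]$Drive,               # e.g. 'C:'
        [datetime]$NotAfter = (Get-Date),                   # newest copy created on or before this
        [string]$LinkPath = "$env:SystemDrive\shadow"       # assumed link location
    )
    $sc = Get-ShadowCopyList |
        Where-Object { $_.Drive -eq $Drive -and $_.Created -le $NotAfter } |
        Select-Object -Last 1
    if (-not $sc) { throw "No shadow copy of $Drive created on or before $NotAfter" }
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists" }

    # cmd.exe's mklink is used, as in the article, because New-Item -ItemType SymbolicLink
    # in Windows PowerShell 5.1 tries to resolve the target and may reject the GLOBALROOT path.
    # The trailing backslash on the target is required.
    cmd /c mklink /d "$LinkPath" "$($sc.DeviceObject)\" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
    $sc
}

function Dismount-ShadowCopyLink {
    param([string]$LinkPath = "$env:SystemDrive\shadow")
    # rmdir removes only the link; Remove-Item on a directory link can prompt to recurse
    # into the target, which is not what you want.
    cmd /c rmdir "$LinkPath"
}

# Usage
Get-ShadowCopyList | Format-Table -AutoSize
$copy = Mount-ShadowCopyLink -Drive 'C:' -NotAfter (Get-Date).AddDays(-7)
"Linked shadow copy of $($copy.Drive) from $($copy.Created)"
Get-ChildItem "$env:SystemDrive\shadow\Users\$env:USERNAME\Documents"
Copy-Item "$env:SystemDrive\shadow\Users\$env:USERNAME\Documents\report.docx" "$HOME\Desktop\report.old.docx"
Dismount-ShadowCopyLink
```

Shadow copies are read-only, so nothing you do through the link can damage the snapshot, but the link itself is visible to every user on the machine; remove it when you are done. This route works on Windows 10 regardless of what the Previous Versions tab chooses to show.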

Method 2 - Login to a shared drive over the network (Windows 8 and 8.1)

Added 01/15/2013. In the comments, reader Alexey shared a simpler way of accessing shadow copies than the one originally described in the article. The method worked at first, but later Microsoft closed the loophole with an update. Eventually, however, reader Nick suggested a workaround.

First share the drive, then access it "over the network". In the This PC window, open Network and go to your own PC, or, as administrator, paste the network path into the Explorer address bar or the Run dialog:

\\%computername%\C$

where C is the letter of the drive you want. In network folders the Previous Versions tab is present:

Since I've retrieved data from shadow copies several times, I'm a little sorry about the loss in the GUI. After all, the Previous Versions tab was convenient because it took you straight to the files you needed.

Still, I didn't use it so often that typing two commands into the console is a great inconvenience. The main thing is that the previous versions exist, and I can get to them! Now you can too ;)

Have you ever had occasion to restore previous versions of files from shadow copies? Tell us in the comments why you needed it and whether you managed to restore everything.

I still think most readers have never used this feature on their home systems, so its disappearance from the GUI won't upset them much. In the next post we'll discuss why various Windows features disappear or change, and what you can do to help change that.