Shadow copies
Shadow copies
I'm guessing the answer is no to this but is there a way for Everything to find files in shadow copy...along roughly the same lines as Nirsoft's shadow copy view and shadow explorer?
Also, and I apologise for nagging, is there a timeline on the possibility of being able to select the path column. So sorry to keep wittering on about this :0)
Also, and I apologise for nagging, is there a timeline on the possibility of being able to select the path column. So sorry to keep wittering on about this :0)
Re: Shadow copies
Isn't a search for going to do it?
Enable 'Match Path' if you want to see the files within.
(That will give you the "raw" files, not prettified & explorable as in ShadowCopyView.)
System Volume Information
Enable 'Match Path' if you want to see the files within.
(That will give you the "raw" files, not prettified & explorable as in ShadowCopyView.)
Re: Shadow copies
No, that doesn't seem to work. I'm looking for a good way to search for specific files and then I can use Nirsoft to restore them.
Re: Shadow copies
I use the output of
vssadmin list shadows /for=C:\
to browse the "Shadow copy volume" in Total Commander with
cd \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
vssadmin list shadows /for=C:\
to browse the "Shadow copy volume" in Total Commander with
cd \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Re: Shadow copies
Its also possible to mount the shadow copy into the file system on C:
I do this with the following batch
The batch asks for the Id number (the last digit in "Shadow Copy Volume:"
which is derived from the vssadmin list shadows /for=C:\
The the shadow copy files can be browsed and used under the path
c:\shadowcopy
Unfortunately Everything doesn't index this path even when I do a forced rebuild after the mount.
Even Folder indexing of C:\shadowcopy doesn't produce any result after a Rescan.
I do this with the following batch
Code: Select all
@echo off
set /P id=Enter id:
mklink /D C:\Shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%id%\
which is derived from the vssadmin list shadows /for=C:\
The the shadow copy files can be browsed and used under the path
c:\shadowcopy
Unfortunately Everything doesn't index this path even when I do a forced rebuild after the mount.
Even Folder indexing of C:\shadowcopy doesn't produce any result after a Rescan.
Re: Shadow copies
It's no problem browsing the shadow as this can be done very easily with Nirsoft or shadow explorer, which are both good, easy to use and have a UI
My problem is searching for a specific file as the search facility in either programme is not very good.
If for instance I was searching for a file called config.ini I would like to know the exact location and then I can fire up Nirsoft or shadow explorer and extract it.
My problem is searching for a specific file as the search facility in either programme is not very good.
If for instance I was searching for a file called config.ini I would like to know the exact location and then I can fire up Nirsoft or shadow explorer and extract it.
Re: Shadow copies
I found a way now to get the shadow copy indexed by Everythingharryray2 wrote: ↑Thu Jul 15, 2021 3:53 pm It's no problem browsing the shadow as this can be done very easily with Nirsoft or shadow explorer, which are both good, easy to use and have a UI
My problem is searching for a specific file as the search facility in either programme is not very good.
If for instance I was searching for a file called config.ini I would like to know the exact location and then I can fire up Nirsoft or shadow explorer and extract it.
Use my method described above to mount a shadow copy into c:\shadowcopy
and make a Folder index but with the option "Add Custom..."
This works perfect for me.
- Attachments
-
- Screenshot - 15.07.2021 , 17_58_24.png (28.84 KiB) Viewed 33844 times
Re: Shadow copies
To add a shadow copy to your Everything index:
- In Everything 1.5, from the Tools menu, click Options.
- Click the NTFS tab on the left.
- Right click the NTFS volumes list and click Add....
- Change the GUID to: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Change the Path to: C:
(Use the mount location if you have mounted this shadow copy) - Leave Root blank.
- Click OK.
- From a Powershell running as an admin, run the following command:
Get-CimInstance -ClassName Win32_ShadowCopy
Last edited by void on Fri Jul 16, 2021 8:17 am, edited 2 times in total.
Reason: added: From a Powershell running as an admin, run the following command:
Reason: added: From a Powershell running as an admin, run the following command:
Re: Shadow copies
Thanks, That's really concise. I'll give it a try.
Re: Shadow copies
A small addition
you must run Powershell as admin to get the list.
Also this procedure doesn't work for me (tried it with and without a mount).
Even after a Force rebuild the content of the shadow copy is not indexed.
My version with mount and Folder index Add custom works fine.
Last edited by horst.epp on Fri Jul 16, 2021 8:31 am, edited 2 times in total.
Re: Shadow copies
Updated my post, thanks!
Re: Shadow copies
Void: I tried this but I couldn't get it to work...
Re: Shadow copies
There's a permission issue when indexing \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 as a standard user.
Currently the Everything Service does not support \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 volumes.
I will add this functionality to the next alpha update.
Currently the Everything Service does not support \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 volumes.
I will add this functionality to the next alpha update.
Re: Shadow copies
Great, thanks...I'll try it again then.
Re: Shadow copies
Everything 1.5.0.1270a fixes an issue with the Everything Service accessing shadow copies.
To add a shadow copy to your Everything index:
To add a shadow copy to your Everything index:
- In Everything 1.5, from the Tools menu, click Options.
- Click the NTFS tab on the left.
- Right click the NTFS volumes list and click Add....
- Change the GUID to: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Change the Path to: C:
(Use the mount location if you have mounted this shadow copy) - Leave Root blank.
- Click OK.
Re: Shadow copies
I have several restore points, in Nirsoft shadowview they are:
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
etc.
Do they all have to be entered individually?
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
etc.
Do they all have to be entered individually?
Re: Shadow copies
OK. I've just tried it and it seems to work well...
If I have more than one entry, is it possible to tell from the listing which entry is the shadow copy?
I will only need this now and then to track down an old file...rather than remove and add the entries in options each time is there a way (aside from putting on the exclude list) of disabling it until I need it?
I've disabled the 'include in database' option...this seems to work.
It's easier than putting in the paths each time. The only downside is, is that it takes a while to index the properties when I enable the database.
If I have more than one entry, is it possible to tell from the listing which entry is the shadow copy?
I will only need this now and then to track down an old file...rather than remove and add the entries in options each time is there a way (aside from putting on the exclude list) of disabling it until I need it?
I've disabled the 'include in database' option...this seems to work.
It's easier than putting in the paths each time. The only downside is, is that it takes a while to index the properties when I enable the database.
Last edited by harryray2 on Wed Jul 28, 2021 12:58 pm, edited 1 time in total.
Re: Shadow copies
Thats the reason why I mount the shadow copies and make a folder index.harryray2 wrote: ↑Wed Jul 28, 2021 12:12 pm OK. I've just tried it and it seems to work well...
If I have more than one entry, is it possible to tell from the listing which entry is the shadow copy?
I will only need this now and then to track down an old file...rather than remove and add the entries in options each time is there a way (aside from putting on the exclude list) of disabling it until I need it?
This way the mount point is part of the found files path and tells me what version it is.
Re: Shadow copies
I think I can tell which is which with the Everything properties tab...wondering if there's an easier way, such as a column possibly?
Re: Shadow copies
I suspect the answer is no but if I load several restore points and do a search, is there anyway of telling which points contain the file(s) I'm looking for?
If i try the 'open path' it just goes to the main C drive.
Hope that makes sense...
If i try the 'open path' it just goes to the main C drive.
Hope that makes sense...
Re: Shadow copies
Please try mounting each shadow copy as:
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyx
For example:
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyx
For example:
- In Everything, from Tools menu, click Options.
- Click the NTFS tab on the left.
- Click Add....
- Set the GUID to:
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 - Set the Path to:
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 - Click OK.
Re: Shadow copies
Thanks, that works nicely...
I've managed, by opening the folders, sidebar, to get a directory tree for \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 but there are no files visible
Is it possible to do a search just within the shadow drive?
I did a search for pagefile.sys, I got two results, one for shadow copy and one for C drive which is great, but if I want to limit the search to the shadow drive I don't get a result.
I've tried all the usual search parameters.
I also tried via the context menu from within Everything but the usual 'search Everything' doesn't appear.
While trying the context menu on the shadow folder I noticed the delete command...I don't want to try it as I'm worried it could screw up the shadow copy...Any idea of whether delete would work on individual files and folders?
I've managed, by opening the folders, sidebar, to get a directory tree for \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 but there are no files visible
Is it possible to do a search just within the shadow drive?
I did a search for pagefile.sys, I got two results, one for shadow copy and one for C drive which is great, but if I want to limit the search to the shadow drive I don't get a result.
I've tried all the usual search parameters.
I also tried via the context menu from within Everything but the usual 'search Everything' doesn't appear.
While trying the context menu on the shadow folder I noticed the delete command...I don't want to try it as I'm worried it could screw up the shadow copy...Any idea of whether delete would work on individual files and folders?
Re: Shadow copies
Aside from the context menu issue, I think I now have this sussed. It works better than I expected.
Regarding system volume information....I assume that any shadow files that aren't in one of my system restore points are written to a system volume information file.
As far as I can tell the files are the ones with such wonderful names as
'C:\System Volume Information\{9eb7063e-f589-11eb-3743-1cc1de5842d2}{3808876b-c176-4e48-b7ae-04046e6cc752}'
Is it possible to index these files?
So, in a nutshell, I'm trying to index shadow files that haven't yet ben written as a system restore point.
Regarding system volume information....I assume that any shadow files that aren't in one of my system restore points are written to a system volume information file.
As far as I can tell the files are the ones with such wonderful names as
'C:\System Volume Information\{9eb7063e-f589-11eb-3743-1cc1de5842d2}{3808876b-c176-4e48-b7ae-04046e6cc752}'
Is it possible to index these files?
So, in a nutshell, I'm trying to index shadow files that haven't yet ben written as a system restore point.
Re: Shadow copies
I can't work this one out at all...any ideas please?
Re: Shadow copies
The context menu will not work on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\... files.
The Windows shell doesn't understand this path.
Indexes of your shadow copies and your normal NTFS volume will include \System Volume Information.
Please make sure your are not excluding the folder under Tools -> Options -> Exclude.
The Windows shell doesn't understand this path.
Indexes of your shadow copies and your normal NTFS volume will include \System Volume Information.
Please make sure your are not excluding the folder under Tools -> Options -> Exclude.
Re: Shadow copies
OK, thanks...out of interest, on the add NTFS volume dialogue box there is select, which list my two hard drives. Is there a difference between adding this or just putting in C: or D:
Re: Shadow copies
Everything expects a volume GUID in the following format:
\\?\Volume{00000000-0000-0000-000000000000}
The select dialog allows you to select a volume GUID from an existing volume by drive letter.
Everything also supports the following format for volume GUIDs:
\\.\C:
\\?\Volume{00000000-0000-0000-000000000000}
The select dialog allows you to select a volume GUID from an existing volume by drive letter.
Everything also supports the following format for volume GUIDs:
\\.\C:
Re: Shadow copies
Thanks, apologies if I've asked this before but I noticed that there is a delete option on the shadow copies.
Will deleting a file screw up an existing system restore point?
Will deleting a file screw up an existing system restore point?