Shadow copies

If you are experiencing problems with "Everything", post here for assistance.
Post Reply
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Shadow copies

Post by harryray2 »

I'm guessing the answer is no to this but is there a way for Everything to find files in shadow copy...along roughly the same lines as Nirsoft's shadow copy view and shadow explorer?

Also, and I apologise for nagging, is there a timeline on the possibility of being able to select the path column. So sorry to keep wittering on about this :0)
therube
Posts: 4979
Joined: Thu Sep 03, 2009 6:48 pm

Re: Shadow copies

Post by therube »

Isn't a search for
System Volume Information
going to do it?
Enable 'Match Path' if you want to see the files within.

(That will give you the "raw" files, not prettified & explorable as in ShadowCopyView.)
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

No, that doesn't seem to work. I'm looking for a good way to search for specific files and then I can use Nirsoft to restore them.
horst.epp
Posts: 1447
Joined: Fri Apr 04, 2014 3:24 pm

Re: Shadow copies

Post by horst.epp »

I use the output of
vssadmin list shadows /for=C:\
Screenshot - 15.07.2021 , 17_30_56.png
Screenshot - 15.07.2021 , 17_30_56.png (23.97 KiB) Viewed 33853 times

to browse the "Shadow copy volume" in Total Commander with
cd \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
horst.epp
Posts: 1447
Joined: Fri Apr 04, 2014 3:24 pm

Re: Shadow copies

Post by horst.epp »

Its also possible to mount the shadow copy into the file system on C:
I do this with the following batch

Code: Select all

@echo off
set /P id=Enter id:
mklink /D C:\Shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%id%\
The batch asks for the Id number (the last digit in "Shadow Copy Volume:"
which is derived from the vssadmin list shadows /for=C:\
The the shadow copy files can be browsed and used under the path
c:\shadowcopy
Unfortunately Everything doesn't index this path even when I do a forced rebuild after the mount.
Even Folder indexing of C:\shadowcopy doesn't produce any result after a Rescan.
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

It's no problem browsing the shadow as this can be done very easily with Nirsoft or shadow explorer, which are both good, easy to use and have a UI

My problem is searching for a specific file as the search facility in either programme is not very good.

If for instance I was searching for a file called config.ini I would like to know the exact location and then I can fire up Nirsoft or shadow explorer and extract it.
horst.epp
Posts: 1447
Joined: Fri Apr 04, 2014 3:24 pm

Re: Shadow copies

Post by horst.epp »

harryray2 wrote: Thu Jul 15, 2021 3:53 pm It's no problem browsing the shadow as this can be done very easily with Nirsoft or shadow explorer, which are both good, easy to use and have a UI

My problem is searching for a specific file as the search facility in either programme is not very good.

If for instance I was searching for a file called config.ini I would like to know the exact location and then I can fire up Nirsoft or shadow explorer and extract it.
I found a way now to get the shadow copy indexed by Everything :D
Use my method described above to mount a shadow copy into c:\shadowcopy
and make a Folder index but with the option "Add Custom..."
This works perfect for me.
Attachments
Screenshot - 15.07.2021 , 17_58_24.png
Screenshot - 15.07.2021 , 17_58_24.png (28.84 KiB) Viewed 33840 times
void
Developer
Posts: 16753
Joined: Fri Oct 16, 2009 11:31 pm

Re: Shadow copies

Post by void »

To add a shadow copy to your Everything index:
  • In Everything 1.5, from the Tools menu, click Options.
  • Click the NTFS tab on the left.
  • Right click the NTFS volumes list and click Add....
  • Change the GUID to: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  • Change the Path to: C:
    (Use the mount location if you have mounted this shadow copy)
  • Leave Root blank.
  • Click OK.
To list shadow copies:
  • From a Powershell running as an admin, run the following command:
    Get-CimInstance -ClassName Win32_ShadowCopy
Last edited by void on Fri Jul 16, 2021 8:17 am, edited 2 times in total.
Reason: added: From a Powershell running as an admin, run the following command:
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

Thanks, That's really concise. I'll give it a try.
horst.epp
Posts: 1447
Joined: Fri Apr 04, 2014 3:24 pm

Re: Shadow copies

Post by horst.epp »

void wrote: Fri Jul 16, 2021 1:19 am To list shadow copies:
  • In Powershell, run the following command:
    Get-CimInstance -ClassName Win32_ShadowCopy
A small addition
you must run Powershell as admin to get the list.

Also this procedure doesn't work for me (tried it with and without a mount).
Even after a Force rebuild the content of the shadow copy is not indexed.
My version with mount and Folder index Add custom works fine.
Last edited by horst.epp on Fri Jul 16, 2021 8:31 am, edited 2 times in total.
void
Developer
Posts: 16753
Joined: Fri Oct 16, 2009 11:31 pm

Re: Shadow copies

Post by void »

Updated my post, thanks!
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

Void: I tried this but I couldn't get it to work...
horst.epp
Posts: 1447
Joined: Fri Apr 04, 2014 3:24 pm

Re: Shadow copies

Post by horst.epp »

harryray2 wrote: Fri Jul 16, 2021 7:26 pm Void: I tried this but I couldn't get it to work...
As I also said above.
Take my method with folder indexing and you have your shadow copy indexed.
void
Developer
Posts: 16753
Joined: Fri Oct 16, 2009 11:31 pm

Re: Shadow copies

Post by void »

There's a permission issue when indexing \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 as a standard user.
Currently the Everything Service does not support \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 volumes.

I will add this functionality to the next alpha update.
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

Great, thanks...I'll try it again then.
void
Developer
Posts: 16753
Joined: Fri Oct 16, 2009 11:31 pm

Re: Shadow copies

Post by void »

Everything 1.5.0.1270a fixes an issue with the Everything Service accessing shadow copies.

To add a shadow copy to your Everything index:
  • In Everything 1.5, from the Tools menu, click Options.
  • Click the NTFS tab on the left.
  • Right click the NTFS volumes list and click Add....
  • Change the GUID to: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  • Change the Path to: C:
    (Use the mount location if you have mounted this shadow copy)
  • Leave Root blank.
  • Click OK.
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

I have several restore points, in Nirsoft shadowview they are:

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
etc.

Do they all have to be entered individually?
void
Developer
Posts: 16753
Joined: Fri Oct 16, 2009 11:31 pm

Re: Shadow copies

Post by void »

Yes.
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

OK. I've just tried it and it seems to work well...

If I have more than one entry, is it possible to tell from the listing which entry is the shadow copy?

I will only need this now and then to track down an old file...rather than remove and add the entries in options each time is there a way (aside from putting on the exclude list) of disabling it until I need it?

I've disabled the 'include in database' option...this seems to work.
It's easier than putting in the paths each time. The only downside is, is that it takes a while to index the properties when I enable the database.
Last edited by harryray2 on Wed Jul 28, 2021 12:58 pm, edited 1 time in total.
horst.epp
Posts: 1447
Joined: Fri Apr 04, 2014 3:24 pm

Re: Shadow copies

Post by horst.epp »

harryray2 wrote: Wed Jul 28, 2021 12:12 pm OK. I've just tried it and it seems to work well...

If I have more than one entry, is it possible to tell from the listing which entry is the shadow copy?

I will only need this now and then to track down an old file...rather than remove and add the entries in options each time is there a way (aside from putting on the exclude list) of disabling it until I need it?
Thats the reason why I mount the shadow copies and make a folder index.
This way the mount point is part of the found files path and tells me what version it is.
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

I think I can tell which is which with the Everything properties tab...wondering if there's an easier way, such as a column possibly?
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

I suspect the answer is no but if I load several restore points and do a search, is there anyway of telling which points contain the file(s) I'm looking for?
If i try the 'open path' it just goes to the main C drive.

Hope that makes sense...
void
Developer
Posts: 16753
Joined: Fri Oct 16, 2009 11:31 pm

Re: Shadow copies

Post by void »

Please try mounting each shadow copy as:
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyx

For example:
  • In Everything, from Tools menu, click Options.
  • Click the NTFS tab on the left.
  • Click Add....
  • Set the GUID to:
    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  • Set the Path to:
    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  • Click OK.
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

Thanks, that works nicely...

I've managed, by opening the folders, sidebar, to get a directory tree for \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 but there are no files visible

Is it possible to do a search just within the shadow drive?
I did a search for pagefile.sys, I got two results, one for shadow copy and one for C drive which is great, but if I want to limit the search to the shadow drive I don't get a result.
I've tried all the usual search parameters.

I also tried via the context menu from within Everything but the usual 'search Everything' doesn't appear.

While trying the context menu on the shadow folder I noticed the delete command...I don't want to try it as I'm worried it could screw up the shadow copy...Any idea of whether delete would work on individual files and folders?
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

Aside from the context menu issue, I think I now have this sussed. It works better than I expected.

Regarding system volume information....I assume that any shadow files that aren't in one of my system restore points are written to a system volume information file.
As far as I can tell the files are the ones with such wonderful names as
'C:\System Volume Information\{9eb7063e-f589-11eb-3743-1cc1de5842d2}{3808876b-c176-4e48-b7ae-04046e6cc752}'

Is it possible to index these files?

So, in a nutshell, I'm trying to index shadow files that haven't yet ben written as a system restore point.
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

I can't work this one out at all...any ideas please?
void
Developer
Posts: 16753
Joined: Fri Oct 16, 2009 11:31 pm

Re: Shadow copies

Post by void »

The context menu will not work on \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\... files.

The Windows shell doesn't understand this path.



Indexes of your shadow copies and your normal NTFS volume will include \System Volume Information.
Please make sure your are not excluding the folder under Tools -> Options -> Exclude.
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

OK, thanks...out of interest, on the add NTFS volume dialogue box there is select, which list my two hard drives. Is there a difference between adding this or just putting in C: or D:
void
Developer
Posts: 16753
Joined: Fri Oct 16, 2009 11:31 pm

Re: Shadow copies

Post by void »

Everything expects a volume GUID in the following format:

\\?\Volume{00000000-0000-0000-000000000000}

The select dialog allows you to select a volume GUID from an existing volume by drive letter.



Everything also supports the following format for volume GUIDs:

\\.\C:
harryray2
Posts: 1104
Joined: Sat Oct 15, 2016 9:56 am

Re: Shadow copies

Post by harryray2 »

Thanks, apologies if I've asked this before but I noticed that there is a delete option on the shadow copies.

Will deleting a file screw up an existing system restore point?
Post Reply