Solved

volume shadow copy had disappeared

Posted on 2014-02-15
4
248 Views
Last Modified: 2014-10-24
I was using a shadow copy to restore files that had been encrypted by a virus.  Halfway through that process, Windows (apparently) decide I no longer needed that file.  My question is, where is it?  The other shadow copies are all too new; I need one (the one) that existed before the virus hit.
0
Comment
Question by:mspink
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 500 total points
ID: 39861051
It's probably gone - removed because you had allocated only so much space to shadow copies and the copy schedule needed that space.  Especially if you see other copies, I would expect that's the case - you'll have to go to your backups (the ones you use in the event your hard drive(s) fail).
0
 

Author Comment

by:mspink
ID: 39861054
I can appreciate that it is "probably gone", but how does one know that for sure.  For whatever reason, these files are missing from the backup sets, so  I think this could be my only shot at recovery.  Where would it be if not gone?
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 39861087
Shadow copy does NOT store actual files.  It stores changed blocks.  Since it sounds like you were hit with CryptoLocker, all files have had all their blocks changed.  So ShadowCopy probably lost everything (or nearly everything) prior.  I say probably because maybe I'm missing something but my understanding of the technology and the description of the situation says to me 99.9% certain the previous copies are gone.  If you had disabled the scheduled tasks that create the copies you could have recovered... but now, I think you're out of luck.
0
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39861089
vssadmin list shadows

also you can use vshadow for all vss related options.

First of all you need the date of infection then list out all the shadow copies.

Check if you have before infection date shadow copy.

probably gone: It can be happen when you have low disk space for the new shadow and new shadow creation schedule is comes. In this case it will overwite oldest one. you will not get that one again as it is deleted by the system.

For more information and command line option read below link:
http://krypted.com/windows-server/shadow-copy-from-the-command-line/
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip is around source server preparation. No migration is an easy migration, there is a…
Know what services you can and cannot, should and should not combine on your server.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question