Solved

volume shadow copy had disappeared

Posted on 2014-02-15
4
234 Views
Last Modified: 2014-10-24
I was using a shadow copy to restore files that had been encrypted by a virus.  Halfway through that process, Windows (apparently) decide I no longer needed that file.  My question is, where is it?  The other shadow copies are all too new; I need one (the one) that existed before the virus hit.
0
Comment
Question by:mspink
  • 2
4 Comments
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 500 total points
ID: 39861051
It's probably gone - removed because you had allocated only so much space to shadow copies and the copy schedule needed that space.  Especially if you see other copies, I would expect that's the case - you'll have to go to your backups (the ones you use in the event your hard drive(s) fail).
0
 

Author Comment

by:mspink
ID: 39861054
I can appreciate that it is "probably gone", but how does one know that for sure.  For whatever reason, these files are missing from the backup sets, so  I think this could be my only shot at recovery.  Where would it be if not gone?
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 39861087
Shadow copy does NOT store actual files.  It stores changed blocks.  Since it sounds like you were hit with CryptoLocker, all files have had all their blocks changed.  So ShadowCopy probably lost everything (or nearly everything) prior.  I say probably because maybe I'm missing something but my understanding of the technology and the description of the situation says to me 99.9% certain the previous copies are gone.  If you had disabled the scheduled tasks that create the copies you could have recovered... but now, I think you're out of luck.
0
 
LVL 11

Expert Comment

by:Pradeep Dubey
ID: 39861089
vssadmin list shadows

also you can use vshadow for all vss related options.

First of all you need the date of infection then list out all the shadow copies.

Check if you have before infection date shadow copy.

probably gone: It can be happen when you have low disk space for the new shadow and new shadow creation schedule is comes. In this case it will overwite oldest one. you will not get that one again as it is deleted by the system.

For more information and command line option read below link:
http://krypted.com/windows-server/shadow-copy-from-the-command-line/
0

Featured Post

Free book by J.Peter Bruzzese, Microsoft MVP

Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

Join & Write a Comment

Suggested Solutions

My previous article  (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html)detailed one possible method to get SCCM 2007 installed an…
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found listed in my profile here: http:…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now