Accessing locked files with the volume shadow copy service

Started by Vortex, January 11, 2010, 08:06:16 PM


Vortex

Here is my new tool vscopy.exe, the volume shadow copy creator for Windows XP.

The volume shadow copy feature is a service to make a consistent backup of a volume. Accessing the volume shadow copy, you can copy files locked by the operating system and even back up a complete volume. The volume shadow copy ( VSC ) has an attribute of read-only and just one VSC instance per volume can be created. Windows XP cannot create persistent shadow copies surviving reboots.

The tool takes three command line parameters :

vscopy <volume_letter> <assigned_letter> <file_to_execute>

The volume_letter represents the volume from which you wish to create the volume shadow copy.

The assigned_letter parameter is the letter assigned to the volume shadow copy. The symbolic name of a volume shadow copy is like the following :

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Assigning a letter to this path makes access to the volume shadow copy easier.

The file_to_execute parameter can be any batch, .vbs or exe file handling the volume shadow copy. For example, a batch file named backup.bat could access the VSC to copy locked files.

Example usage:

vscopy.exe C: M: test.bat

C: is the volume selected to shadow copy.
M: is the letter assigned to the volume shadow copy.
Test.bat is a batch file to read the content of the VSC.

A typical output of the tool :

Quote
Volume shadow copy path = \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Snapshot release status = 0x0

Notice that the release status displaying a value of 0x0 indicates that the resources used by the VSC service are released successfully.

Test.bat can be coded to view the content of the VSC fixed to be "persistent" for a while :

@echo Assign a second letter to the VSC to view it via Windows Explorer

subst R: M:\

explorer R:

@echo Wait while the user reads data from the VSC

Pause

subst /D R:


Notice that this version works only on Windows XP as the methods exposed by the IVssBackupComponents interface are different across different versions of Windows.

As I mentioned above, a typical usage of the volume shadow copy service is to access locked files. Another example, copying the current user hive of the registry, copy_ntuser_dat.bat :

@echo Copy ntuser.dat to the current directory

xcopy "M:\%homepath%\ntuser.dat" . /H /Y

@echo Remove the hidden attribute

attrib -h ntuser.dat


Another interesting usage of the tool is the complete backup of the system volume with ntbackup. I noticed that ntbackup does not read all the files in the system directory and restoring the .bkf file in a preinstallation environment like BartPE creates an unbootable volume because of missing files.
The script below can be used to back up the system volume. You can use a BartPE disc to restore the operating system :

Backup_volume.bat

C:\WINDOWS\system32\ntbackup.exe backup "@D:\vscopy\Backup_job.bks" /n "Backup.bkf Date: 11.01.2010 , 10:10" /d "11.01.2010 - 10:42" /v:no /r:no /rs:no /hc:off /m normal /j "Backup_job" /l:s /Snap:Off /f "Z:\Backup.bkf"


Backup_job.bks ( UNICODE file )

M:\
M:\RECYCLER\ /Exclude
M:\System Volume Information\ /Exclude


The only trick in the script is to avoid running ntbackup in volume shadow copy mode as ntbackup is instructed to read the "M volume" containing the
shadow copy. You need to modify the source directory D:\vscopy to run the tool and the destination directory Z:\ to reflect the correct paths in your system.

vscopy.exe C: M: Backup_volume.bat

Project built with Solar Assembler version 0.33.04

http://vortex.masmcode.com/files/vscopy10b1.zip
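
A defender's view of the usage described in this post, as an added example that is not part of the original post or of vscopy: a small Python scanner over process command lines that tracks which drive letters point at a shadow copy (through the `vscopy <volume_letter> <assigned_letter>` form and `subst` aliases) and flags reads through those letters or through the `HarddiskVolumeShadowCopy` device path. The log lines, the `scan` function and the `ntuser.dat` watch list are assumptions made for illustration; a mapping is assumed to last until a `subst /D` or the end of the log.

```python
import re

# Constructed command lines in time order (not real logs); user and paths are made up.
SAMPLE_LOG = r"""
vscopy.exe C: M: test.bat
subst R: M:\
explorer R:
xcopy "M:\Documents and Settings\alice\ntuser.dat" . /H /Y
xcopy "C:\Documents and Settings\alice\notes.txt" D:\out
cmd /c dir \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS
subst /D R:
cmd /c type R:\boot.ini
""".strip().splitlines()

VSCOPY = re.compile(r"\bvscopy(?:\.exe)?\s+([a-z]):\s+([a-z]):", re.I)
SUBST_DEL = re.compile(r"\bsubst\s+/d\s+([a-z]):", re.I)
SUBST_ADD = re.compile(r"\bsubst\s+([a-z]):\s+([a-z]):", re.I)
DEVICE = re.compile(r"\\Device\\HarddiskVolumeShadowCopy\d+", re.I)
DRIVE = re.compile(r"(?<![a-z])([a-z]):", re.I)
WATCHED = ("ntuser.dat",)  # assumption: files that raise the alert priority

def scan(lines, watched=WATCHED):
    """Return (line_no, kind, detail) findings for shadow copy mapping and access."""
    shadow, findings = {}, []  # shadow: drive letter -> snapshotted volume letter
    for no, cmd in enumerate(lines, 1):
        if m := VSCOPY.search(cmd):
            src, letter = m.group(1).upper(), m.group(2).upper()
            shadow[letter] = src
            findings.append((no, "snapshot-mapped", f"{src}: -> {letter}:"))
            continue
        if m := SUBST_DEL.search(cmd):
            shadow.pop(m.group(1).upper(), None)  # alias removed, stop tracking it
            continue
        if m := SUBST_ADD.search(cmd):
            alias, target = m.group(1).upper(), m.group(2).upper()
            if target in shadow:  # an alias of a shadow letter is a shadow letter too
                shadow[alias] = shadow[target]
                findings.append((no, "alias", f"{alias}: -> {target}:"))
            continue
        hot = any(w in cmd.lower() for w in watched)
        if DEVICE.search(cmd):
            findings.append((no, "device-path", cmd))
        for letter in sorted({d.upper() for d in DRIVE.findall(cmd)} & set(shadow)):
            kind = "watched-file-from-shadow" if hot else "shadow-read"
            findings.append((no, kind, f"{letter}: {cmd}"))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Without the `vscopy` line in view, only the explicit device path is flagged, which is why the mapping step itself is worth logging.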

BogdanOntanu

Hi Vortex,

Thanks for creating another small and simple interesting sample .... and thanks for using Sol_Asm  :U
Ambition is a lame excuse for the ones not brave enough to be lazy.
http://www.oby.ro




bozo

very useful tool, Vortex  :)

just to let you know, it didn't work for me on windows 7 64-bit.
maybe it's a windows 7 issue or maybe it's problem with 32-bit/64-bit code..not sure really.
i was running cmd.exe as administrator but the error i got back was:

Volume shadow could not be created - InitializeForBackup error = 0x80042302

in the application event logs were 2 entries

Quote
Volume Shadow Copy Service error: A critical component required by the Volume Shadow Copy service is not registered. This might happened if an error occurred during Windows setup or during installation of a Shadow Copy provider. The error returned from CoCreateInstance on class with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and Name IVssCoordinatorEx2 is [0x80040154, Class not registered
].

Operation:
   Instantiating VSS server

Quote
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80040154, Class not registered
.

Operation:
   Instantiating VSS server

GregL

Kernel_Gaddafi,

Quote from: Vortex
Notice that this version works only on Windows XP

later

Quote from: Vortex
Here is V1.0 supporting both Windows XP and Server 2003.


bozo


GregL

Quote from: Kernel_Gaddafi
Yes, I can read Greg Lyon.

Then why are you wondering why it isn't working on Windows 7 64-bit?


bozo

some 32-bit programs can run on 64-bit windows without any problem at all, as you probably know.
i assumed my post might be useful information for Vortex if he ever wanted functionality on 64-bit o/s.

32-bit version of hobocopy for win2k3 will also run on 32-bit vista and win7.

I wasn't attempting to belittle the usefulness of the program because IT IS definitely very useful..just not on 64-bit operating systems.

GregL



Vortex

Hi Kernel_Gaddafi,

The methods of the interface IVssBackupComponents are not the same on every version of Windows. I have to modify the source code to work on Windows 7. Thanks for your kind words. I hope I will be able to release a new version for Windows 7.

hutch--

It probably makes sense to do an OS version detect and have different code for different OS versions. So far almost everything has run on Win7 64 bit but I have yet to do any serious testing on it yet.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

bozo

just thought i'd mention Win32_ShadowCopy for anyone interested.

there's a method to create shadow copy of drive for local or remote machine so long as the class is supported..
i tried using VBScript running on Windows 7 Ultimate x64 and it worked fine..
against win2k8 32-bit remotely, it worked fine..but not XP 32-bit locally or remotely.

probably some patch or software is missing on my xp 32-bit because vscopy and hobocopy didn't work either.
anyway, the vbscript was this.



' Connect to WMI on the remote machine (host and credentials are the sample values from this post)
Set loc = CreateObject("WbemScripting.SWbemLocator")
Set svc = loc.ConnectServer("192.168.1.2", "root\cimv2", "corp\administrator", "password")

' Create a shadow copy of C:\ ; strShadowID receives the ID of the new shadow copy
Set shadow = svc.Get("Win32_ShadowCopy")
errResult  = shadow.Create("C:\", "ClientAccessible", strShadowID)

If errResult <> 0 Then
    WScript.Echo "Error:" & errResult
Else
    WScript.Echo "Created Shadow successfully"
    ' Look the new shadow copy up by ID to read its device path
    Set colItems = svc.ExecQuery("Select * From Win32_ShadowCopy Where ID = '" & strShadowID & "'")

    For Each objItem In colItems
      Set objFSO = CreateObject("Scripting.FileSystemObject")
      WScript.Echo "Path to files is " & objItem.DeviceObject
      ' Delete the shadow copy again once its path has been displayed
      objItem.Delete_
    Next
End If


although the above is for a remote machine..some examples which i worked off show local access here

btw, i didn't copy files from the remote machine, don't know how you could do it.
CopyFile / CopyFolder from FileSystemObject don't seem to like UNC paths such as \\?\GLOBALROOT

maybe someone will figure out how to solve this,  but i'm guessing it would be better to write app in HLL which uses CopyFile() and then execute remotely using something like psexec.