What are Shadow Volume Copies?
Since Windows XP Service Pack 2 and Windows Server 2003, Microsoft has integrated a technology into its operating systems called the Volume Shadow Copy Service, or VSS. This service allows Windows to automatically or manually back up, or take snapshots of, the current state of the files on a specific volume (drive letter). An essential part of this process is that files can be backed up even while they are open. This provides a mechanism that backup programs and Windows itself can use to keep a reliable history of your computer’s files.
When backups are created, they are stored in a particular container called Shadow Volume Copy. These Shadow Volume Copies can then be used by backup software, utilities, or Windows to recover files that have been deleted or changed somehow. When a backup is created using the Volume Shadow Copy Service, files are backed up using a versioning method to back up changes in a file rather than the entire file. This allows multiple versions of the same file to be available without using a large amount of disk space.
As you can see, this technology is beneficial as it allows us to recover deleted or changed files if needed. I have found many applications for this feature, such as restoring old saved games, recovering files encrypted with ransomware, or recovering files that I deleted by accident.
In this tutorial, I have outlined two methods that you can use to recover files from Shadow Volume Copies. The first method uses the built-in Windows feature called Previous Versions. The second method uses the ShadowExplorer tool, which allows you to browse and restore files and folders from the different shadow copies on the computer.
How do I recover files using Windows Previous Versions?
Windows has a feature called Previous Versions that allows you to restore earlier versions of a file from a Shadow Volume Copy snapshot. The method described below only recovers individual files from Shadow Volume Copies. If you want to restore an entire folder, please read the folder section below instead.
To restore individual files, open the folder containing the files you want to recover, as shown below.
Now right-click on the file you want to restore, as shown below.
In the context menu that appears, click the Properties option. This opens the properties for the file. When the Properties window opens, click on the Previous Versions tab. You will now see a screen listing all previous versions of the file saved in the shadow copies. Note that each version has the date and time at which it was backed up.
To restore a previous version of the file, you can click the Copy or Restore button. The Copy button restores the file to a location you specify, while the Restore button overwrites the existing file on your hard drive with the previous version. I suggest you create a folder on your hard drive and use the Copy button to restore the previous version to that folder, so you can make sure it is the file you want before overwriting anything.
To do this, click the Copy button, and Windows will prompt you for the folder to restore the file to.
Browse to the folder, or create a new one, where you want the earlier version saved. When you are ready, click the Copy button.
Windows will restore the previous version of the file from Shadow Volume Copies and save it in the specified folder. You can now close the properties window and access your file if needed.
If you want to learn how to restore an entire folder, you can read the next section.
How do I Restore folders using Windows Previous Versions?
Restoring an entire folder using Previous Versions is almost the same as restoring a file. However, the steps are a bit different, so I felt a separate section would be helpful.
To restore a folder, open the folder containing the file you want to recover, as shown below.
Now right-click on a space within the folder to open the context menu for the folder as shown below.
In the context menu that appears, click the Properties option. This opens the properties for the folder. When the Properties window opens, click on the Previous Versions tab. You will now see a screen listing all previous versions of the folder saved in the shadow copies. Note that each version has the date and time at which it was backed up.
To restore a previous version of the folder, you can click the Copy or Restore button. The Copy button restores the folder to a location you specify, while the Restore button overwrites the existing folder on your hard drive, and every file in it, with the previous version. I suggest you create a folder on your hard drive and use the Copy button to restore the earlier version to that folder, so you don’t mistakenly overwrite files.
To do this, click the Copy button, and Windows will prompt you for the location to restore the folder to.
Browse to the folder, or create a new one, where you want the earlier version of the folder saved. When you are ready, click the Copy button.
Windows will restore the entire previous version of the folder from Shadow Volume Copies to the specified location. Now you can close the Properties window and open your recovery folder to check that it has the files you need.
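The same file and folder recovery shown in the two Previous Versions procedures above can be scripted, which helps when you need to pull many paths out of one snapshot or when the dialog is not convenient. The following PowerShell script is an added example and is not part of the original article. It assumes an elevated PowerShell prompt, a hypothetical file path `Users\alice\Documents\report.docx` and a constructed destination `C:\Recovered`. It exposes the snapshot through a directory symbolic link because `Copy-Item` does not accept the `\\?\GLOBALROOT` device path that VSS reports for a shadow copy.

```powershell
# Added example (not from the original article): restore a file or folder from a
# Volume Shadow Copy with PowerShell instead of the Previous Versions dialog.
# Run from an elevated prompt. The default paths are constructed placeholders.

param(
    [string]$DriveLetter  = 'C:',
    [string]$RelativePath = 'Users\alice\Documents\report.docx',  # path inside the volume, no drive letter
    [string]$Destination  = 'C:\Recovered',
    [string]$MountPoint   = 'C:\ShadowMount'
)

# 1. Find the volume and list its shadow copies, oldest first.
#    Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the \\?\Volume{GUID}\ form.
$volume = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $volume) { throw "No volume with drive letter $DriveLetter" }

$copies = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID } |
    Sort-Object InstallDate)

if ($copies.Count -eq 0) { throw "No shadow copies exist for $DriveLetter" }

# Same information the Previous Versions tab shows: one row per snapshot with its date.
$copies | Format-Table -AutoSize InstallDate, ID, DeviceObject

# 2. Pick the most recent snapshot (change the index to choose an older one).
$snapshot = $copies[-1]
Write-Host "Using snapshot from $($snapshot.InstallDate): $($snapshot.DeviceObject)"

# 3. Expose the snapshot as a folder. DeviceObject looks like
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and cannot be used by
#    Copy-Item directly, so create a directory symbolic link to it.
#    The trailing backslash on the link target is required.
if (Test-Path -LiteralPath $MountPoint) {
    throw "$MountPoint already exists; remove it or choose another mount point"
}
cmd.exe /c mklink /d $MountPoint "$($snapshot.DeviceObject)\" | Out-Null

try {
    $source = Join-Path $MountPoint $RelativePath
    if (-not (Test-Path -LiteralPath $source)) {
        throw "$RelativePath does not exist in this snapshot"
    }

    # 4. Copy (never move) out of the snapshot. Like the Copy button in the
    #    article, this leaves the current file on disk untouched; use -Recurse
    #    so a folder path restores with all of its contents.
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -LiteralPath $source -Destination $Destination -Recurse -Force
    Write-Host "Restored $RelativePath to $Destination"
}
finally {
    # 5. Remove the link, not the snapshot: rmdir on a directory symbolic link
    #    deletes only the link itself.
    cmd.exe /c rmdir $MountPoint | Out-Null
}
```

The snapshot is read-only, so the script can only copy out of it; nothing it does changes the shadow copy or the live volume other than creating and removing the link directory.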
Use ShadowExplorer to Recover Files and Folders from Shadow Volume Copies
To restore files and folders from Shadow Volume Copies, you can also use a program called ShadowExplorer. I prefer this method over Previous Versions, as I feel it is easier to find and restore the versions of files you need from its interface. When downloading the program, you can use either the full installer or the portable version.
ShadowExplorer can be downloaded from this link: Shadow Explorer Download Link.
Once you download and start ShadowExplorer, you will be shown a screen that lists all drives and the dates that a shadow copy was created. Select the drive (blue arrow) you want to recover files or folders from and the date (red arrow) you wish to recover. This is shown in the image below.
Then navigate to the folder or file you want to recover. When ready, right-click on the folder or file and choose Export, as shown below.
When you click Export, ShadowExplorer will display a prompt asking you to restore the files, as shown below.
Navigate to, or create, the folder you want your files recovered to, and then click the OK button. ShadowExplorer will now restore the files to that location.
Why is the ransomware trying to delete Shadow Volume Copies?
A common trick used by ransomware is to remove the Shadow Volume Copies while it encrypts the victim’s computer. Since, as you have now seen, it is easy to recover files from Shadow Volume Copies, the ransomware deletes them so that the victim cannot do so.
When ransomware tries to delete shadow volume copies, it will usually use the command:
C:\Windows\Sysnative\vssadmin.exe Delete Shadows /All /Quiet
When this command is executed, Windows displays a UAC prompt asking whether the victim wants the command to run with administrator privileges. If the user allows the command to continue, vssadmin.exe deletes the shadow volume copies of all of the computer’s drives. In some cases, ransomware uses PowerShell or WMIC commands to remove the SVCs instead.
No matter how these copies are deleted, the ransomware will remove the SVCs so that you cannot recover files encrypted by the ransomware.
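From the defender’s side, the deletion itself is the detectable moment: the vssadmin, WMIC and PowerShell command lines the article describes appear in process-creation logs right before or during encryption. The following PowerShell is an added example and is not part of the original article. It matches shadow-copy deletion patterns against constructed sample process records (the user names, parent processes and command lines are made up for the example), and includes a function that applies the same check to real Security event 4688 records, which only carry a command line when the “Include command line in process creation events” policy is enabled.

```powershell
# Added example (not from the original article): flag process command lines that
# delete Volume Shadow Copies, the ransomware behaviour described above.

# Case-insensitive regexes over the full command line, covering the three
# methods the article names: vssadmin, WMIC and PowerShell/WMI.
$ShadowDeletionPatterns = @(
    @{ Name = 'vssadmin delete shadows';           Regex = 'vssadmin(\.exe)?\s+delete\s+shadows' },
    @{ Name = 'wmic shadowcopy delete';            Regex = 'wmic(\.exe)?\s+shadowcopy\s+delete' },
    @{ Name = 'PowerShell Win32_ShadowCopy delete'; Regex = 'win32_shadowcopy.*\.delete\(' }
)

function Test-ShadowCopyDeletion {
    # Returns the name of the first matching pattern, or $null when the command
    # line is benign (e.g. "vssadmin list shadows" does not match).
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $ShadowDeletionPatterns) {
        if ($CommandLine -match $p.Regex) { return $p.Name }
    }
    return $null
}

# Constructed sample records; the fields mirror Security event 4688.
$samples = @(
    [pscustomobject]@{ Time = '2024-01-15 09:12:03'; User = 'CORP\alice';     Parent = 'C:\Users\alice\Downloads\invoice.exe'; CommandLine = 'C:\Windows\Sysnative\vssadmin.exe Delete Shadows /All /Quiet' }
    [pscustomobject]@{ Time = '2024-01-15 09:12:04'; User = 'CORP\alice';     Parent = 'C:\Users\alice\Downloads\invoice.exe'; CommandLine = 'wmic.exe shadowcopy delete' }
    [pscustomobject]@{ Time = '2024-01-15 09:12:05'; User = 'CORP\alice';     Parent = 'C:\Users\alice\Downloads\invoice.exe'; CommandLine = 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"' }
    [pscustomobject]@{ Time = '2024-01-15 10:00:00'; User = 'CORP\backupsvc'; Parent = 'C:\Windows\System32\services.exe';     CommandLine = 'vssadmin.exe list shadows' }
    [pscustomobject]@{ Time = '2024-01-15 10:05:00'; User = 'CORP\bob';       Parent = 'C:\Windows\explorer.exe';             CommandLine = '"C:\Program Files\ShadowExplorer\ShadowExplorer.exe"' }
)

# Run the check over the samples. Expect three hits from invoice.exe and none for
# the backup service listing snapshots or the user opening ShadowExplorer.
$hits = foreach ($r in $samples) {
    $matched = Test-ShadowCopyDeletion -CommandLine $r.CommandLine
    if ($matched) {
        [pscustomobject]@{ Time = $r.Time; User = $r.User; Parent = $r.Parent; Matched = $matched; CommandLine = $r.CommandLine }
    }
}
$hits | Format-Table -AutoSize

function Get-ShadowCopyDeletionEvents {
    # Applies the same check to real process-creation events (Security 4688).
    # The CommandLine field is empty unless command-line auditing is enabled,
    # in which case nothing will match; run from an elevated prompt.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            $matched = if ($cmd) { Test-ShadowCopyDeletion -CommandLine $cmd } else { $null }
            if ($matched) {
                [pscustomobject]@{ Time = $_.TimeCreated; Matched = $matched; CommandLine = $cmd }
            }
        }
}
```

The parent process is worth keeping in the output: vssadmin run by a backup agent or an administrator’s console is routine, while the same command spawned from a file in a user’s Downloads folder, as in the constructed samples, is the pattern that merits an immediate response.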