{"id":1180,"date":"2019-08-05T18:21:56","date_gmt":"2019-08-05T16:21:56","guid":{"rendered":"http:\/\/itsimple.info\/?p=1180"},"modified":"2019-08-08T23:20:10","modified_gmt":"2019-08-08T21:20:10","slug":"how-to-protect-volume-shadow-copy-from-deletion","status":"publish","type":"post","link":"https:\/\/itsimple.info\/?p=1180","title":{"rendered":"How To Protect Volume Shadow Copy From Deletion"},"content":{"rendered":"

 <\/p>\n

Volume Shadow Copy is a great and value add on to windows and can save data lost very fast and efficient . In the last years when virus\u00a0 and ransom virus appears the first think they do is to delete all of you shadow copies preventing you from fast restoring you lost files or encrypted files. Forcing you to pay or to use the backups you made to you file and data.<\/p>\n

Volume shadow copy are created by the file system with the help of “Providers” accessing this feature with API option is a mean to create\/delete Shadow Copies to a volume. Basically any one can write a code to manipulate the creation or deletion of Shadows with a code to connect to this API and manipulate this Shadows. more information from Microsoft\u00a0 here <\/a><\/p>\n

A full explanation on how Volume Shadow Copy work can be found here :<\/a><\/p>\n

\"\"<\/a><\/p>\n

The Volume Shadow Copy is managed by the service VSS, So if we disable this service the API will not function. now most of the virus script just run this before corrpting the data (if the are lazy writing there own scripts to the API):<\/p>\n

vssadmin.exe Delete Shadows \/All \/Quiet<\/pre>\n
Or<\/p>\n
WMIC.exe shadowcopy delete \/nointeractive<\/pre>\n
But\u00a0 what if the service will be down and disabled ?<\/p>\n
\"\"<\/a><\/p>\n
The API will be blocked for changes and our shadows will Survive\u00a0 !<\/p>\n
Here is a simple script to start and create Volume Shadow Copy For a partition &\u00a0 stop and disable the service for protection (in the example Drive C: and Drive D: ) .<\/p>\n
sc config VSS start= Demand \r\nnet start VSS\r\n\r\nWMIC shadowcopy call create Volume=C:\\\r\nWMIC shadowcopy call create Volume=D:\\\r\n\r\nnet stop VSS\r\nsc config VSS start= disabled<\/pre>\n
Then you can save as BAT file and scheduler this\u00a0 script to run as many times you want to create shadows for protection, Needless to say that when the VSS service is not running you will not be able to access the “Configure Shadow Copies…”<\/p>\n
Please take under consideration that is another program need to use shadow copy service it will fail unless you will execute service start …<\/p>\n
Shadow Copy is no backup !!! please make proper backups to your data<\/strong><\/h2>\n
 <\/p>\n
\n
Good Luck<\/h3>\n","protected":false},"excerpt":{"rendered":"
  Volume Shadow Copy is a great and value add on to windows and can save data lost very fast and efficient . In the last years when virus\u00a0 and ransom virus appears the first think they do is to delete all of you shadow copies preventing you from fast restoring you lost files or […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,4,12,14,15],"tags":[],"class_list":["post-1180","post","type-post","status-publish","format-standard","hentry","category-operating-systems","category-tech","category-tutorials","category-windows","category-windows-server"],"_links":{"self":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/1180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1180"}],"version-history":[{"count":0,"href":"https:\/\/itsimple.info\/index.php?rest_route=\/wp\/v2\/posts\/1180\/revisions"}],"wp:attachment":[{"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itsimple.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}