Recovery Options for vssadmin “No items found” error

Hi i'm doing a forensics analysis on a drive containing a Windows 10 System. I have a situation where I need to compare a list of applications that were removed by analyzing the system state before and after the applications were deleted. System Restore does not show any restore points for me to recover from to compare the differences.

I made a image of the disk and examined the file system. The "system volume information" folder exists with various snap shots:

Code:

 K:\System Volume Information\
    {3808876b-c176-4e48-b7ae-04046e6cc752}    65,536    12/14/2015 12:08    12/14/2015 12:08    12/14/2015 12:08
    {7a074314-a711-11e5-8d73-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    469,762,048    12/27/2015 01:58    12/28/2015 14:27    12/27/2015 01:58
    {c84c39a0-a42b-11e5-85ed-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    4,447,035,392    12/18/2015 12:33    12/27/2015 01:59    12/18/2015 12:33
    {d90c1d4c-a0c9-11e5-85ed-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    382,533,632    12/14/2015 12:08    12/18/2015 12:33    12/14/2015 12:08
    IndexerVolumeGuid    76    10/31/2015 14:18    10/31/2015 14:18    10/31/2015 14:18
    MountPointManagerRemoteDatabase    0    1/9/2013 17:03    1/9/2013 17:03    1/9/2013 17:03
    Syscache.hve    19,398,656    1/9/2013 17:04    10/31/2015 13:29    10/31/2015 13:29
    Syscache.hve.LOG1    262,144    1/9/2013 17:04    10/31/2015 13:28    1/9/2013 17:04
    Syscache.hve.LOG2    0    1/9/2013 17:04    1/9/2013 17:04    1/9/2013 17:04
    tracking.log    20,480    1/9/2013 17:04    6/4/2013 02:28    1/9/2013 17:04
    WPSettings.dat    12    12/14/2015 09:49    12/14/2015 09:49    12/14/2015 09:49
    K:\System Volume Information\Chkdsk\
    Chkdsk20141031191126.log    5,120    10/31/2014 11:11    10/31/2014 11:11    10/31/2014 11:11
    Chkdsk20150330154511.log    5,120    3/30/2015 07:45    3/30/2015 07:45    3/30/2015 07:45
    Chkdsk20150604212154.log    29,696    6/4/2015 13:21    6/4/2015 13:21    6/4/2015 13:21
    K:\System Volume Information\Chkdsk\
    K:\System Volume Information\SPP\
    K:\System Volume Information\SPP\OnlineMetadataCache\
    {0f020207-6730-4eeb-9d6c-8e36789dbc7f}_OnDiskSnapshotProp    15,696    12/18/2015 12:33    12/18/2015 12:33    12/18/2015 12:33
    {1dedc651-f0f0-48bc-8cfe-75efd86f9e7c}_OnDiskSnapshotProp    15,696    12/14/2015 12:08    12/14/2015 12:08    12/14/2015 12:08
    {c840a18f-5f36-497b-b321-390438aed0db}_OnDiskSnapshotProp    15,736    12/27/2015 01:58    12/27/2015 01:58    12/27/2015 01:58
    K:\System Volume Information\SPP\OnlineMetadataCache\
    K:\System Volume Information\SPP\SppCbsHiveStore\
    K:\System Volume Information\SPP\SppCbsHiveStore\
    K:\System Volume Information\SPP\SppGroupCache\
    {0F020207-6730-4EEB-9D6C-8E36789DBC7F}_DriverPackageInfo    87,512    12/18/2015 12:43    12/18/2015 12:43    12/18/2015 12:43
    {0F020207-6730-4EEB-9D6C-8E36789DBC7F}_WindowsUpdateInfo    304    12/18/2015 12:43    12/18/2015 12:43    12/18/2015 12:43
    {1DEDC651-F0F0-48BC-8CFE-75EFD86F9E7C}_DriverPackageInfo    87,512    12/15/2015 19:28    12/15/2015 19:28    12/15/2015 19:28
    {1DEDC651-F0F0-48BC-8CFE-75EFD86F9E7C}_WindowsUpdateInfo    176    12/15/2015 19:29    12/15/2015 19:29    12/15/2015 19:29
    {C840A18F-5F36-497B-B321-390438AED0DB}_DriverPackageInfo    87,512    12/27/2015 01:59    12/27/2015 01:59    12/27/2015 01:59
    {C840A18F-5F36-497B-B321-390438AED0DB}_WindowsUpdateInfo    408    12/27/2015 01:59    12/27/2015 01:59    12/27/2015 01:59
    K:\System Volume Information\SPP\SppGroupCache\
    K:\System Volume Information\SPP\
    K:\System Volume Information\SystemRestore\
    K:\System Volume Information\SystemRestore\FRStaging\
    K:\System Volume Information\SystemRestore\FRStaging\
    K:\System Volume Information\SystemRestore\
    K:\System Volume Information\Windows Backup\
    K:\System Volume Information\Windows Backup\Catalogs\
    GlobalCatalogLock.dat    0    7/16/2015 09:36    7/16/2015 09:36    7/16/2015 09:36
    K:\System Volume Information\Windows Backup\Catalogs\
    K:\System Volume Information\Windows Backup\
    K:\System Volume Information

after I mounted the VHD vssadmin gives me an error when I try to list the shadows:

Code:

    C:\Windows\system32>vssadmin list shadows /for=k:\
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2005 Microsoft Corp.

    No items found that satisfy the query.

My question is, is there a way to recover the system state from the snap shot when the vss doesn't recognize it?

I did extensive research online and nobody so far as I can tell even talks about recovering a snap shot that vss does not recognize so please dont vote this down because it was unclear or not properly researched. Thank you.

simrick said:

Hi.
Not well-versed in this sort of thing, but have you tried this program?
ShadowExplorer.com - About
Not sure if it will help or not.

Thanks yes I have tried ShadowExplorer, and system restore explorer the both use vss to access snapshots. its not a problem with VSS i dont think its a problem with a corrupted snapshot or related file that prevents vss from reading the snapshot.

Alright, thanks for the reply.