1.    14 Jun 2017 #1
    Join Date : Jun 2017
    Posts : 2
    Windows 10

    Possible to open "Restore Point" files from "System Volume Information"?


    Hello!
    I have a customer with a Vista computer (I know, spare the flaming). It was infected with crypt0l0cker, and after restoring it to a previous restore point it seems like the SAM hives or something broke down on it, since I can't create new users and some services aren't working as they should, including VSS (so I can't do a new system restore).

    So I can't use the "System Restore" app, but the files/snapshots are still present under "System Volume Information". Is there a way to open these files on another computer, to browse them and save some of the files in them?

    EDIT: I found a good solution, please see my reply further down. (This will work on other systems than Vista.)


    //BR
    Patrik
    Last edited by PatrikL; 14 Jun 2017 at 14:42.
  2.    14 Jun 2017 #2
    Join Date : Jan 2015
    UK, Midlands
    Posts : 11,025
    Win 10 Pro (1703)

    Your problem statement isn't entirely clear - it does seem as though you can boot.

    You may be able to fix VSS with a utility from Macrium Reflect
    How to troubleshoot Microsoft Volume Shadow copy Service errors (VSS)

    If you can't boot, then you might consider trying to restore your registry backup, which is possible.

    & see
    Vista Forums

    Good luck
  3.    14 Jun 2017 #3
    Join Date : Jun 2017
    Posts : 2
    Windows 10
    Thread Starter

    Ok! Found a solution!

    I read that the shadow copies have links to \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy

    So I created a symlink on the machine with the following command:

    ex: mklink /D C:\shadow_volume_1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

    which mounts the first shadow copy to a folder in C: named shadow_volume_1, and there I could explore all the files. So I found the shadow copy that was closest to before the files were encrypted and then copied the files to an external drive.

    I also found out that there are some tools for this, e.g.
    libvshadow, VSC toolset, etc.

    Info can be found here:

    Mount shadow volumes on disk images - ForensicsWiki

    Windows Shadow Volumes - ForensicsWiki
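
The manual step from post #3, generalised into a script; this is an added example, not part of the original thread. It lists every shadow copy with its creation time, picks the newest one taken before the encryption started, and links it into a folder for read-only browsing. It assumes an elevated Windows PowerShell 2.0+ prompt and a working WMI `Win32_ShadowCopy` class; `$EncryptedAt` and `$LinkRoot` are constructed placeholder values.

```powershell
# Added example. Run from an elevated Windows PowerShell prompt.
param(
    # Constructed value: when the first encrypted files appeared.
    [datetime]$EncryptedAt = '2017-06-12 09:00',
    # Hypothetical folder that will hold the link (assumed to contain no spaces).
    [string]$LinkRoot = 'C:\shadow_volumes'
)

# Win32_ShadowCopy exposes each snapshot's device path and creation time.
$shadows = Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object {
    New-Object PSObject -Property @{
        Created = $_.ConvertToDateTime($_.InstallDate)   # DMTF string -> DateTime
        Device  = $_.DeviceObject    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        Id      = $_.ID
    }
} | Sort-Object Created

if (-not $shadows) { throw 'No shadow copies were returned by WMI.' }

# Show everything that is available before choosing one.
$shadows | Format-Table Created, Device -AutoSize

# Newest snapshot that predates the encryption.
$pick = $shadows | Where-Object { $_.Created -lt $EncryptedAt } |
        Select-Object -Last 1
if (-not $pick) { throw "No shadow copy predates $EncryptedAt." }

if (-not (Test-Path $LinkRoot)) {
    New-Item -ItemType Directory -Path $LinkRoot | Out-Null
}
$link = Join-Path $LinkRoot $pick.Created.ToString('yyyyMMdd_HHmmss')

# Keep the trailing backslash on the target, as in the mklink command above.
$target = $pick.Device + '\'

# mklink is a cmd.exe builtin, so it has to be run through cmd /c.
cmd /c mklink /D $link $target
if ($LASTEXITCODE -ne 0) { throw 'mklink failed (is the prompt elevated?).' }

Write-Host "Snapshot from $($pick.Created) is browsable at $link"
```

When the files have been copied out, remove the link with `cmd /c rmdir` on the link path; that deletes only the link, not the snapshot.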
  4.    14 Jun 2017 #4
    Join Date : Jan 2015
    UK, Midlands
    Posts : 11,025
    Win 10 Pro (1703)

    Sounds like you'll have a very happy customer! Well done. (Encourage them to start using disk imaging)