Windows 10: Possible to open "Restore Point" files from "system volume information" Solved

  1.    14 Jun 2017 #1

    Possible to open "Restore Point" files from "system volume information"

    I've a customer with a Vista computer (I know, spare the flaming :)). It was infected with crypt0l0cker, and after restoring it to a previous restore point it seems like the SAM hives or something broke down on it, since I can't create new users and some services aren't working as they should, including VSS (so I can't do a new system restore).

    So I can't use "system restore" app but the files/snapshots are still present under "system volume information", is there a way to open these files on another computer, to browse them and save some of the files in it?

    EDIT: I found a good solution, please see my reply further down. (This will work on systems other than Vista.)

    Last edited by PatrikL; 14 Jun 2017 at 14:42.

  2.    14 Jun 2017 #2

    Your problem statement isn't entirely clear - it does seem as though you can boot.

    You may be able to fix VSS with a utility from Macrium Reflect
    How to troubleshoot Microsoft Volume Shadow copy Service errors (VSS)

    If you can't boot, then you might consider trying to restore your registry backup, which is possible.

    & see
    Vista Forums

    Good luck

  3.    14 Jun 2017 #3

    Ok! Found a solution!

    I read that the shadow copies have links to \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy

    So I created a symlink on the machine with the following command:

    ex: mklink /D C:\shadow_volume_1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

    which mounts the first shadow copy to a folder in C: named shadow_volume_1, and there I could explore all the files. So I found which shadow copy was closest to before the files were encrypted and then copied them to an external drive.

    I also found out that there are some tools for this, e.g.
    libvshadow, VSC toolset, etc.

    Info can be found here:

    Mount shadow volumes on disk images - ForensicsWiki

    Windows Shadow Volumes - ForensicsWiki
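Added example, not part of the original posts: a Python sketch that reads saved `vssadmin list shadows` output, picks the newest shadow copy created before the encryption time, and builds the `mklink` command from post #3 for it. The sample output and incident time are constructed, and the US-English date format and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed, abbreviated `vssadmin list shadows` output (US-English dates assumed).
SAMPLE = r"""
   Contained 1 shadow copies at creation time: 6/10/2017 3:00:12 AM
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
   Contained 1 shadow copies at creation time: 6/12/2017 11:30:45 PM
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
   Contained 1 shadow copies at creation time: 6/13/2017 8:15:00 PM
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""

TIME_RE = re.compile(r"creation time:\s*(.+?)\s*$")
DEV_RE = re.compile(
    r"Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(\d+))\s*$")

def parse_shadows(text, fmt="%m/%d/%Y %I:%M:%S %p"):
    """Return [(created, index, device_path)] sorted oldest first."""
    shadows, created = [], None
    for line in text.splitlines():
        m = TIME_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1), fmt)
            continue
        m = DEV_RE.search(line)
        if m and created is not None:
            shadows.append((created, int(m.group(2)), m.group(1)))
    return sorted(shadows)

def last_before(shadows, incident):
    """Newest shadow copy created strictly before the incident, or None."""
    older = [s for s in shadows if s[0] < incident]
    return older[-1] if older else None

def mklink_command(shadow, link_root="C:\\"):
    """Build the command from the post; the target keeps its trailing backslash."""
    _, index, device = shadow
    return f"mklink /D {link_root}shadow_volume_{index} {device}\\"

if __name__ == "__main__":
    incident = datetime(2017, 6, 13, 9, 0)  # constructed: when encryption was noticed
    pick = last_before(parse_shadows(SAMPLE), incident)
    print(mklink_command(pick) if pick else "no shadow copy predates the incident")
```

Run the printed command from an elevated command prompt; `rmdir` on the link afterwards removes only the link, not the shadow copy.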

  4.    14 Jun 2017 #4

    Sounds like you'll have a very happy customer! Well done. (Encourage them to start using disk imaging)

