Possible to open "Restore Point" files from "system volume information


  1. Posts : 2
    Windows 10
       #1

    Possible to open "Restore Point" files from "system volume information


    Hello!
    I've a customer with a vista computer (i know, spare the flame:ing :)) it was infected with crypt0l0cker and after restoring it to a previous restore point it seems like the SAM hives or something broke down on it since i cant create new users and some services isnt working as it should included VSS (so I cant do a new system restore).

    So I can't use "system restore" app but the files/snapshots are still present under "system volume information", is there a way to open these files on another computer, to browse them and save some of the files in it?

    EDIT: I found a good solution please se my reply further down. (this will work on other systems then Vista)


    //BR
    Patrik
    Last edited by PatrikL; 14 Jun 2017 at 14:42.
      My Computer

  2. dalchina's Avatar
    Posts : 30,412
    Win 10 Pro (1903)
       #2

    Your problem statement isn't entirely clear- it does seem as though you can boot..

    You may be able to fix VSS with a utility from Macrium Reflect
    How to troubleshoot Microsoft Volume Shadow copy Service errors (VSS)

    If you can't boot, then you might consider trying to restore your registry backup- which is possible.

    & see
    Vista Forums

    Good luck
      My Computers


  3. Posts : 2
    Windows 10
    Thread Starter
       #3

    Ok! Found a solution!

    I read that the shadow copies have links to \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy

    So I created a symlink on the machine with the following command:

    ex: mklink /D C:\shadow_volume_1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

    which mounts the first shadowcopy to a folder in C: named shadow_volume_1 and there I could explore all the files. So I found which shadowcopy which was closest to before the files were encrypted and then copied them to a external drive.

    I also found out that there are some tools for this ex.
    libvshadow, VSC toolset, etc.

    Info can be found here:

    Mount shadow volumes on disk images - ForensicsWiki

    Windows Shadow Volumes - ForensicsWiki
      My Computer

  4. dalchina's Avatar
    Posts : 30,412
    Win 10 Pro (1903)
       #4

    Sounds like you'll have a very happy customer! Well done. (Encourage them to start using disk imaging)
      My Computers


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 15:29.
Find Us




Windows 10 Forums