1.    08 Jan 2016 #1
    Join Date : Nov 2015
    Posts : 14
    Windows 10 X64

    Recovery Options for vssadmin “No items found” error


    Hi, I'm doing a forensics analysis on a drive containing a Windows 10 system. I have a situation where I need to compare a list of applications that were removed by analyzing the system state before and after the applications were deleted. System Restore does not show any restore points for me to recover from to compare the differences.

    I made an image of the disk and examined the file system. The "System Volume Information" folder exists with various snapshots:

    Code:
     K:\System Volume Information\
        {3808876b-c176-4e48-b7ae-04046e6cc752}    65,536    12/14/2015 12:08    12/14/2015 12:08    12/14/2015 12:08
        {7a074314-a711-11e5-8d73-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    469,762,048    12/27/2015 01:58    12/28/2015 14:27    12/27/2015 01:58
        {c84c39a0-a42b-11e5-85ed-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    4,447,035,392    12/18/2015 12:33    12/27/2015 01:59    12/18/2015 12:33
        {d90c1d4c-a0c9-11e5-85ed-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    382,533,632    12/14/2015 12:08    12/18/2015 12:33    12/14/2015 12:08
        IndexerVolumeGuid    76    10/31/2015 14:18    10/31/2015 14:18    10/31/2015 14:18
        MountPointManagerRemoteDatabase    0    1/9/2013 17:03    1/9/2013 17:03    1/9/2013 17:03
        Syscache.hve    19,398,656    1/9/2013 17:04    10/31/2015 13:29    10/31/2015 13:29
        Syscache.hve.LOG1    262,144    1/9/2013 17:04    10/31/2015 13:28    1/9/2013 17:04
        Syscache.hve.LOG2    0    1/9/2013 17:04    1/9/2013 17:04    1/9/2013 17:04
        tracking.log    20,480    1/9/2013 17:04    6/4/2013 02:28    1/9/2013 17:04
        WPSettings.dat    12    12/14/2015 09:49    12/14/2015 09:49    12/14/2015 09:49
        K:\System Volume Information\Chkdsk\
        Chkdsk20141031191126.log    5,120    10/31/2014 11:11    10/31/2014 11:11    10/31/2014 11:11
        Chkdsk20150330154511.log    5,120    3/30/2015 07:45    3/30/2015 07:45    3/30/2015 07:45
        Chkdsk20150604212154.log    29,696    6/4/2015 13:21    6/4/2015 13:21    6/4/2015 13:21
        K:\System Volume Information\Chkdsk\
        K:\System Volume Information\SPP\
        K:\System Volume Information\SPP\OnlineMetadataCache\
        {0f020207-6730-4eeb-9d6c-8e36789dbc7f}_OnDiskSnapshotProp    15,696    12/18/2015 12:33    12/18/2015 12:33    12/18/2015 12:33
        {1dedc651-f0f0-48bc-8cfe-75efd86f9e7c}_OnDiskSnapshotProp    15,696    12/14/2015 12:08    12/14/2015 12:08    12/14/2015 12:08
        {c840a18f-5f36-497b-b321-390438aed0db}_OnDiskSnapshotProp    15,736    12/27/2015 01:58    12/27/2015 01:58    12/27/2015 01:58
        K:\System Volume Information\SPP\OnlineMetadataCache\
        K:\System Volume Information\SPP\SppCbsHiveStore\
        K:\System Volume Information\SPP\SppCbsHiveStore\
        K:\System Volume Information\SPP\SppGroupCache\
        {0F020207-6730-4EEB-9D6C-8E36789DBC7F}_DriverPackageInfo    87,512    12/18/2015 12:43    12/18/2015 12:43    12/18/2015 12:43
        {0F020207-6730-4EEB-9D6C-8E36789DBC7F}_WindowsUpdateInfo    304    12/18/2015 12:43    12/18/2015 12:43    12/18/2015 12:43
        {1DEDC651-F0F0-48BC-8CFE-75EFD86F9E7C}_DriverPackageInfo    87,512    12/15/2015 19:28    12/15/2015 19:28    12/15/2015 19:28
        {1DEDC651-F0F0-48BC-8CFE-75EFD86F9E7C}_WindowsUpdateInfo    176    12/15/2015 19:29    12/15/2015 19:29    12/15/2015 19:29
        {C840A18F-5F36-497B-B321-390438AED0DB}_DriverPackageInfo    87,512    12/27/2015 01:59    12/27/2015 01:59    12/27/2015 01:59
        {C840A18F-5F36-497B-B321-390438AED0DB}_WindowsUpdateInfo    408    12/27/2015 01:59    12/27/2015 01:59    12/27/2015 01:59
        K:\System Volume Information\SPP\SppGroupCache\
        K:\System Volume Information\SPP\
        K:\System Volume Information\SystemRestore\
        K:\System Volume Information\SystemRestore\FRStaging\
        K:\System Volume Information\SystemRestore\FRStaging\
        K:\System Volume Information\SystemRestore\
        K:\System Volume Information\Windows Backup\
        K:\System Volume Information\Windows Backup\Catalogs\
        GlobalCatalogLock.dat    0    7/16/2015 09:36    7/16/2015 09:36    7/16/2015 09:36
        K:\System Volume Information\Windows Backup\Catalogs\
        K:\System Volume Information\Windows Backup\
        K:\System Volume Information
    After I mounted the VHD, vssadmin gives me an error when I try to list the shadows:
    Code:
        C:\Windows\system32>vssadmin list shadows /for=k:\
        vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
        (C) Copyright 2001-2005 Microsoft Corp.
    
        No items found that satisfy the query.
    My question is, is there a way to recover the system state from the snapshot when VSS doesn't recognize it?

    I did extensive research online, and nobody, so far as I can tell, even talks about recovering a snapshot that VSS does not recognize, so please don't vote this down because it was unclear or not properly researched. Thank you.
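As an added example (not part of the original post or thread), the listing above can be triaged offline: files named `{GUID}{3808876b-c176-4e48-b7ae-04046e6cc752}` are VSS snapshot store files, and the file named with that identifier alone is the VSS catalog. The Python below parses rows copied from the listing and pairs each store with the SPP `_OnDiskSnapshotProp` file that shares its first timestamp column; that pairing is a heuristic assumed here, and the function names are hypothetical.

```python
import re
from datetime import datetime

# GUID that marks VSS catalog and store files in "System Volume Information".
VSS_ID = "3808876b-c176-4e48-b7ae-04046e6cc752"
GUID = r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}"
ROW = re.compile(r"^\s*(\S.*?)\s{2,}([\d,]+)\s{2,}(\d+/\d+/\d{4} \d+:\d+)")
# Rows copied from the listing in the post: name, size, first timestamp column.
LISTING = """\
{3808876b-c176-4e48-b7ae-04046e6cc752}    65,536    12/14/2015 12:08
{7a074314-a711-11e5-8d73-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    469,762,048    12/27/2015 01:58
{c84c39a0-a42b-11e5-85ed-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    4,447,035,392    12/18/2015 12:33
{d90c1d4c-a0c9-11e5-85ed-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    382,533,632    12/14/2015 12:08
{0f020207-6730-4eeb-9d6c-8e36789dbc7f}_OnDiskSnapshotProp    15,696    12/18/2015 12:33
{1dedc651-f0f0-48bc-8cfe-75efd86f9e7c}_OnDiskSnapshotProp    15,696    12/14/2015 12:08
{c840a18f-5f36-497b-b321-390438aed0db}_OnDiskSnapshotProp    15,736    12/27/2015 01:58
"""

def parse(listing):
    """Return (name, size_bytes, first_timestamp) for every file row."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            name, size, stamp = m.groups()
            rows.append((name, int(size.replace(",", "")),
                         datetime.strptime(stamp, "%m/%d/%Y %H:%M")))
    return rows

def classify(name):
    """Label a file as VSS catalog, VSS store, SPP snapshot property, or other."""
    pair = re.fullmatch(GUID + GUID, name)
    if name.lower() == "{%s}" % VSS_ID:
        return "catalog"
    if pair and pair.group(2).lower() == VSS_ID:
        return "store"
    return "spp_prop" if name.endswith("_OnDiskSnapshotProp") else "other"

def triage(listing):
    """Pair each store with the SPP property file sharing its timestamp (heuristic)."""
    rows = parse(listing)
    props = {ts: n for n, _, ts in rows if classify(n) == "spp_prop"}
    return {
        "catalog": [n for n, _, _ in rows if classify(n) == "catalog"],
        "stores": [(re.match(GUID, n).group(1), size, props.get(ts))
                   for n, size, ts in rows if classify(n) == "store"],
    }
if __name__ == "__main__":
    print(triage(LISTING))
```

A catalog plus three stores with matching SPP property files indicates the snapshot data is still present in the image even though `vssadmin list shadows` reports nothing for the mounted volume.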
  2.    08 Jan 2016 #2
    Join Date : Apr 2015
    Posts : 12,952
    W10Prox64

    Hi.
    Not well-versed in this sort of thing, but have you tried this program?
    ShadowExplorer.com - About
    Not sure if it will help or not.
  3.    08 Jan 2016 #3
    Join Date : Nov 2015
    Posts : 14
    Windows 10 X64
    Thread Starter

    Quote, originally posted by simrick:
    Hi.
    Not well-versed in this sort of thing, but have you tried this program?
    ShadowExplorer.com - About
    Not sure if it will help or not.
    Thanks, yes, I have tried ShadowExplorer and System Restore Explorer; they both use VSS to access snapshots. It's not a problem with VSS, I don't think; it's a problem with a corrupted snapshot or related file that prevents VSS from reading the snapshot.
  4.    08 Jan 2016 #4
    Join Date : Apr 2015
    Posts : 12,952
    W10Prox64

    Quote, originally posted by trinsic:
    Thanks, yes, I have tried ShadowExplorer and System Restore Explorer; they both use VSS to access snapshots. It's not a problem with VSS, I don't think; it's a problem with a corrupted snapshot or related file that prevents VSS from reading the snapshot.
    Afraid that's all I can offer. Hopefully someone else will chime in with some ideas. Sorry.
  5.    13 Jan 2016 #5
    Join Date : Nov 2015
    Posts : 14
    Windows 10 X64
    Thread Starter

    Alright, thanks for the reply.
  6.    13 Jan 2016 #6
    Join Date : Apr 2015
    Posts : 12,952
    W10Prox64

    Quote, originally posted by trinsic:
    Alright, thanks for the reply.
    Does this help at all?

    Digital Forensics Today Blog: Examining Volume Shadow Copies The Easy Way!


    OSFMount - Mount CD and Disk images in Windows, ISO, DD