Windows 10: Recovery Options for vssadmin “No items found” error

  1.    08 Jan 2016 #1

    Recovery Options for vssadmin “No items found” error


    Hi i'm doing a forensics analysis on a drive containing a Windows 10 System. I have a situation where I need to compare a list of applications that were removed by analyzing the system state before and after the applications were deleted. System Restore does not show any restore points for me to recover from to compare the differences.

    I made a image of the disk and examined the file system. The "system volume information" folder exists with various snap shots:

    Code:
     K:\System Volume Information\
        {3808876b-c176-4e48-b7ae-04046e6cc752}    65,536    12/14/2015 12:08    12/14/2015 12:08    12/14/2015 12:08
        {7a074314-a711-11e5-8d73-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    469,762,048    12/27/2015 01:58    12/28/2015 14:27    12/27/2015 01:58
        {c84c39a0-a42b-11e5-85ed-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    4,447,035,392    12/18/2015 12:33    12/27/2015 01:59    12/18/2015 12:33
        {d90c1d4c-a0c9-11e5-85ed-00256488153c}{3808876b-c176-4e48-b7ae-04046e6cc752}    382,533,632    12/14/2015 12:08    12/18/2015 12:33    12/14/2015 12:08
        IndexerVolumeGuid    76    10/31/2015 14:18    10/31/2015 14:18    10/31/2015 14:18
        MountPointManagerRemoteDatabase    0    1/9/2013 17:03    1/9/2013 17:03    1/9/2013 17:03
        Syscache.hve    19,398,656    1/9/2013 17:04    10/31/2015 13:29    10/31/2015 13:29
        Syscache.hve.LOG1    262,144    1/9/2013 17:04    10/31/2015 13:28    1/9/2013 17:04
        Syscache.hve.LOG2    0    1/9/2013 17:04    1/9/2013 17:04    1/9/2013 17:04
        tracking.log    20,480    1/9/2013 17:04    6/4/2013 02:28    1/9/2013 17:04
        WPSettings.dat    12    12/14/2015 09:49    12/14/2015 09:49    12/14/2015 09:49
        K:\System Volume Information\Chkdsk\
        Chkdsk20141031191126.log    5,120    10/31/2014 11:11    10/31/2014 11:11    10/31/2014 11:11
        Chkdsk20150330154511.log    5,120    3/30/2015 07:45    3/30/2015 07:45    3/30/2015 07:45
        Chkdsk20150604212154.log    29,696    6/4/2015 13:21    6/4/2015 13:21    6/4/2015 13:21
        K:\System Volume Information\Chkdsk\
        K:\System Volume Information\SPP\
        K:\System Volume Information\SPP\OnlineMetadataCache\
        {0f020207-6730-4eeb-9d6c-8e36789dbc7f}_OnDiskSnapshotProp    15,696    12/18/2015 12:33    12/18/2015 12:33    12/18/2015 12:33
        {1dedc651-f0f0-48bc-8cfe-75efd86f9e7c}_OnDiskSnapshotProp    15,696    12/14/2015 12:08    12/14/2015 12:08    12/14/2015 12:08
        {c840a18f-5f36-497b-b321-390438aed0db}_OnDiskSnapshotProp    15,736    12/27/2015 01:58    12/27/2015 01:58    12/27/2015 01:58
        K:\System Volume Information\SPP\OnlineMetadataCache\
        K:\System Volume Information\SPP\SppCbsHiveStore\
        K:\System Volume Information\SPP\SppCbsHiveStore\
        K:\System Volume Information\SPP\SppGroupCache\
        {0F020207-6730-4EEB-9D6C-8E36789DBC7F}_DriverPackageInfo    87,512    12/18/2015 12:43    12/18/2015 12:43    12/18/2015 12:43
        {0F020207-6730-4EEB-9D6C-8E36789DBC7F}_WindowsUpdateInfo    304    12/18/2015 12:43    12/18/2015 12:43    12/18/2015 12:43
        {1DEDC651-F0F0-48BC-8CFE-75EFD86F9E7C}_DriverPackageInfo    87,512    12/15/2015 19:28    12/15/2015 19:28    12/15/2015 19:28
        {1DEDC651-F0F0-48BC-8CFE-75EFD86F9E7C}_WindowsUpdateInfo    176    12/15/2015 19:29    12/15/2015 19:29    12/15/2015 19:29
        {C840A18F-5F36-497B-B321-390438AED0DB}_DriverPackageInfo    87,512    12/27/2015 01:59    12/27/2015 01:59    12/27/2015 01:59
        {C840A18F-5F36-497B-B321-390438AED0DB}_WindowsUpdateInfo    408    12/27/2015 01:59    12/27/2015 01:59    12/27/2015 01:59
        K:\System Volume Information\SPP\SppGroupCache\
        K:\System Volume Information\SPP\
        K:\System Volume Information\SystemRestore\
        K:\System Volume Information\SystemRestore\FRStaging\
        K:\System Volume Information\SystemRestore\FRStaging\
        K:\System Volume Information\SystemRestore\
        K:\System Volume Information\Windows Backup\
        K:\System Volume Information\Windows Backup\Catalogs\
        GlobalCatalogLock.dat    0    7/16/2015 09:36    7/16/2015 09:36    7/16/2015 09:36
        K:\System Volume Information\Windows Backup\Catalogs\
        K:\System Volume Information\Windows Backup\
        K:\System Volume Information
    after I mounted the VHD vssadmin gives me an error when I try to list the shadows:
    Code:
        C:\Windows\system32>vssadmin list shadows /for=k:\
        vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
        (C) Copyright 2001-2005 Microsoft Corp.
    
        No items found that satisfy the query.
    My question is, is there a way to recover the system state from the snap shot when the vss doesn't recognize it?

    I did extensive research online and nobody so far as I can tell even talks about recovering a snap shot that vss does not recognize so please dont vote this down because it was unclear or not properly researched. Thank you.
      My ComputerSystem Spec


  2. Posts : 11,234
    W10Prox64
       08 Jan 2016 #2

    Hi.
    Not well-versed in this sort of thing, but have you tried this program?
    ShadowExplorer.com - About
    Not sure if it will help or not.
      My ComputerSystem Spec

  3.    08 Jan 2016 #3

    simrick said: View Post
    Hi.
    Not well-versed in this sort of thing, but have you tried this program?
    ShadowExplorer.com - About
    Not sure if it will help or not.
    Thanks yes I have tried ShadowExplorer, and system restore explorer the both use vss to access snapshots. its not a problem with VSS i dont think its a problem with a corrupted snapshot or related file that prevents vss from reading the snapshot.
      My ComputerSystem Spec


  4. Posts : 11,234
    W10Prox64
       08 Jan 2016 #4

    trinsic said: View Post
    Thanks yes I have tried ShadowExplorer, and system restore explorer the both use vss to access snapshots. its not a problem with VSS i dont think its a problem with a corrupted snapshot or related file that prevents vss from reading the snapshot.
    Afraid that's all I can offer. Hopefully someone else will chime in with some ideas. Sorry.
      My ComputerSystem Spec

  5.    13 Jan 2016 #5

    Alright, thanks for the reply.
      My ComputerSystem Spec


  6. Posts : 11,234
    W10Prox64
       13 Jan 2016 #6
      My ComputerSystem Spec


 

Related Threads
Solved Recovery options gone ? in General Support
What I'm expecting: 55384 What I get: 55383 Hello! I just discover that my recovery options have disappeared, leaving me with the only option to Turn Off my PC instead of the usual "Reset your PC or see advanced options". I enclove two...
Setting up Recovery options in General Support
Hi everyone. I was wondering what would be the best way to set up a clean install windows 10 machine to allow for methods of repairing it in the case of being unable to login. I have had windows 7 computer not being able to boot in to windows due to...
I am trying to check for updates or even change my windows update settings in Windows 10. However, anytime I attempt to navigate to the windows update area it says, Page not found, refresh the page. The error code is 0x00000005, in case you need...
Hi there Seems I've got a hideous error here -- Mounting a DVD (bog standard - not Blu ray) as an ISO file Windows explorer shows file size as a whopping 95 GB !!!!!!!! Handbrake then won't encode to mkv / mp4 file for my media streamer. ...
when attempting to install win 10 from a usb drive is there a difference between restarting the pc with usb as first in boot order in bios vs in win8.1 control panel recovery options advanced options using it to restart and boot from usb devive....
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 19:18.
Find Us