How to open a system shadow copy file. People did not understand the principle of storing and displaying previous versions

The previous article covered the Windows 7 backup features: creating file archives and disk images. This article is devoted to restoring files from an archive and the system from a disk image, as well as restoring previous versions of files.


Recovering files from an archive

In Windows 7, you can restore files from an archive using the Control Panel item.

In the main window of the Control Panel item, there are three file recovery options:

  • Recover my files - allows you to select individual files and folders for recovery.
  • Recover files of all users - also allows you to select individual files and folders, but for all computer users.
  • Choose another backup copy to recover files - allows you to restore files of all users, as well as select an archive located on a network drive.

Below we discuss the recovery of “my” files. The first window of the File Recovery Wizard is full of options, so let's go in order.

Selecting the archive date. The default is the latest archive, which the system reports in the window. You can choose an earlier date - for example, if you need an older copy of a file.

The interface seems to be designed for very frequent archiving - by default, archives for the last week are displayed (in my opinion, it makes more sense to immediately display archives for the month), but you can select older ones, of course.

Search files. This is a very convenient tool that lets you instantly find the files you need in the archive.

Please note that the window uses an Explorer interface, i.e. in the search results you can select the file property columns you need and sort by them (however, there is no grouping).

Adding files and folders. Along with searching, it is possible to add individual files and folders - each action has its own button.

List of recoverable files. The names of the added folders and individual files.

Removing files and folders from the list. Files and folders are deleted only from the list of recoverable ones, but not from the archive.

Proceed to selecting the destination for the restored files. You can recover files:

  • to the original location. In this case, if a file with the same name exists, the system will display a standard dialog asking you to overwrite the file, save both copies in a folder, or refuse copying.
  • to the location you specified. In this case, it is possible to restore files while maintaining the folder structure, starting from the archive root (highlighted in the figure).

Having decided on the final location of the files to be restored, click the Restore button.

Restoring previous versions of files and folders

Imagine that while working with a document, you deleted part of it, saved the file and closed the application. And then you suddenly remembered that you had deleted something very important. Or imagine that you deleted a file bypassing the Recycle Bin, and a month later you really needed it. In both cases, you have a good chance of restoring previous versions of files, which Windows 7 can keep in two ways:

  • file archives created using Windows Backup
  • shadow copies created by the System Protection feature using the Volume Shadow Copy Service

Previous versions are restored from the Previous versions tab in the file or folder properties.

Restoring previous versions of files from archives

If the file was included in an archive created with the Windows backup tools, the Previous versions tab in its properties shows the location as Archiving.

If, when restoring a file, the system detects that a file with the same name already exists, you will be prompted to overwrite the existing file, save it with a different name, or refuse recovery.

Of course, the same file can be restored from the control panel, but doing this from the file properties may be more convenient and faster.

Recovering previous versions of files and folders from shadow copies

To be able to recover files and folders from shadow copies, system protection must be running; it is turned on for each disk separately. It may not be too obvious, but the system protection settings control the operation of the Volume Shadow Copy service and the amount of disk space it gets. This service provides storage for system restore points and shadow copies of files and folders.

Shadow copies are not stored indefinitely. They are allocated a certain percentage of disk space, and when the specified limit is reached, old copies are replaced with new ones. Since it talks about system protection and recovery, here I will only consider restoring previous versions.

From shadow copies you can restore previous versions:

  • individual files
  • folders

Restoring an individual file from a shadow copy is almost the same as restoring a file from an archive. On the Previous versions tab of the file properties you will see a list of versions, with the location shown as Restore point.

Unlike a file saved in an archive, in this case you will have options to open and copy the file to a folder of your choice.

In addition to individual files, you can restore folders from shadow copies. The list of versions can be seen in the folder properties on the Previous versions tab.

You can open the folder, copy it to another location, or restore it to the old location. When restoring, as in the case of files from archives, the system will warn you if there is a file with the same name in the folder.

Recovering deleted files from shadow copies

If you need to restore a previous copy of an existing file, just go to the Previous versions tab of the file properties. What to do if the file is deleted? You have two ways:

  • folder recovery
  • file search

From the shadow copy, you can restore the folder where the file was located, as described above. If you don't remember the exact location of a file, but have a rough idea of where it was in the folder tree, you can restore the parent folder.

However, before restoring the folder, you can try to find the deleted file using Windows search. Let's look at the sequence of actions using an example. I deleted the file support_center01.png, and now I need it. I know which folder it was in, and I look for the file in it (and if I didn’t know the exact location, I would look in the nearest parent one).

Shadow copies are not indexed, and the deleted file is immediately excluded from the index, so the search does not find it. Therefore, you need to search in non-indexed places by clicking Computer. Searching for non-indexed files takes longer, but your patience will be rewarded.

In the shadow copies I found not only the PNG file I needed, but also a long-deleted BMP file with the same name, which I had forgotten about.

Why shadow copies may be missing

After reading about previous versions of files, you might want to check if they are being created on your system. If you didn't find any previous versions, it could mean that:

  • system protection is disabled, i.e. there are no restore points where previous versions of system files are stored
  • too little disk space has been allocated to system protection, so there is not enough room for shadow copies of user files
  • the file or folder contents have not changed - in this case, shadow copies are not created

To summarize the story about file recovery, I want to emphasize that the Windows technologies are connected to each other. You'll have the best chance of recovering your files if you use Windows Backup along with System Protection. You can increase these chances by creating backup system images, the restoration of which will be discussed below.

Restoring the system from a previously created image

During Windows 7 installation, a service partition containing the Windows Recovery Environment (Windows RE) is automatically created on the hard disk. Using this partition you can:

  • boot into recovery environment from hard drive
  • create a system repair disk and boot from it

By booting into the recovery environment, you can restore the system from a pre-created image.

Attention! For a detailed description of creating a system repair disc, the recovery environment, and options for booting into it, see the article Using the Windows RE Recovery Environment in Windows 7. Below we discuss only booting into Windows RE from a hard drive.

Booting to Recovery Environment from Hard Drive

To open the Advanced Boot Options menu, press F8 after turning on the computer, but before the operating system loads.

Select the first menu item - Troubleshooting your computer and press Enter. The Windows Recovery Environment will launch, where the first thing you will be asked to do is select your keyboard layout.

Select the language in which the password of your administrative account is set, since you will need to enter it in the next step.

After entering your password, you will see a menu with recovery options, one of which is Restoring a system image.

Restoring a system image from Windows RE

Various system recovery tools are available in the Windows RE environment.

You can also choose a different recovery image. After selecting an image, click the Next button to begin the recovery process.

You can format disks and create partitions, and you have the option to exclude disks from the formatting operation (the disk containing the archive image is automatically excluded). You can also simply restore the image to the existing system partition. Two more options are hidden behind the Advanced button.

Once you have decided on your recovery options, click Next, and then, in the last window of the wizard, click the Finish button. Windows 7 will warn you that all data will be deleted from the partition and begin the recovery process.

If you don't have a Windows 7 installation disc, be sure to create a system repair disc. It will allow you to restore a backup system image even if the Windows RE service partition on the hard disk is damaged.

There are not many ways to recover files encrypted by a ransomware attack without paying a ransom for them. If we are lucky, there may be some free tools to restore them, but a more realistic option is restoring your files from your backup copies. However, not everyone has backup copies of their files, although Windows offers a very useful function known as Shadow Copy, which, in a nutshell, is a backup of your files. Cybercriminals have known about it for a long time, and therefore, a few months after ransomware attacks became popular, the first thing they do when they infect your computer is delete the shadow copies of your files before starting to encrypt your information.

There are a number of technologies that can be used to stop ransomware attacks: some are almost useless, such as signatures or heuristics (these are the first things malware authors check before releasing their malware), others can sometimes be more effective, but even a combination of all of these techniques does not guarantee that you will be protected from all such attacks.

More than 2 years ago, the PandaLabs antivirus laboratory took a simple but quite effective approach: if some process is trying to delete shadow copies, then most likely (but not always, by the way) we are dealing with malware, and most likely with ransomware. These days, most ransomware families remove shadow copies, because if they don't, people won't pay the ransom when they can recover their files for free. Let's look at how many infections were stopped in our laboratory thanks to this approach. It is logical to assume that this number should grow exponentially, because the number of ransomware attacks using this technique is also growing rapidly. For example, here's the number of attacks we've blocked over the past 12 months using our approach:

But in the diagram we see exactly the opposite of what we expected. How is this possible? In fact, there is a very simple explanation for this “phenomenon”: we use this approach as a “last resort”, when no other security technique has been able to detect anything suspicious, and only then does this rule fire and block the ransomware attack. We also use this approach for internal purposes: it lets us analyze in more detail the attacks that were blocked at the “last line”, and then improve all the preceding security layers. We also use it to evaluate how well or poorly we are stopping ransomware: in other words, the lower the values, the better our core technologies perform. So, as you can see, the efficiency of our work is increasing.
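The rule described above, as an added example (not PandaLabs' code): it classifies process-creation events whose command line asks `vssadmin` or `wmic` to delete shadow copies, and reflects the "but not always" caveat with an allowlist. The event fields, the sample records and the allowlisted backup agent path are constructed assumptions.

```python
import re
from ntpath import basename

# Tool -> argument tokens that must all be present for a "delete shadow copies" request.
RULES = {
    "vssadmin.exe": ("delete", "shadows"),
    "wmic.exe": ("shadowcopy", "delete"),
}

# Hypothetical allowlist (assumption): parents that legitimately prune snapshots.
ALLOWED_PARENTS = {r"c:\program files\examplebackup\agent.exe"}

# Constructed process-creation records, not captured telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 5532, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
     "parent": r"C:\Users\Public\invoice.exe"},
    {"pid": 6011, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c wmic shadowcopy delete",
     "parent": r"C:\Users\Public\invoice.exe"},
    {"pid": 7340, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /for=D: /oldest",
     "parent": r"C:\Program Files\ExampleBackup\agent.exe"},
]


def tokens(cmdline):
    """Lower-case, drop quotes, split on whitespace and switch punctuation."""
    cleaned = cmdline.lower().replace('"', "")
    return [t for t in re.split(r"[\s/=,]+", cleaned) if t]


def classify(event):
    """Return 'block', 'allowed' or 'ignore' for one process-creation event."""
    toks = tokens(event["cmdline"])
    # Names seen either as the process image or inside the command line,
    # so "cmd.exe /c wmic ..." is covered as well.
    names = {basename(t) for t in toks} | {basename(event["image"]).lower()}
    for tool, required in RULES.items():
        if names & {tool, tool[:-4]} and all(r in toks for r in required):
            if event["parent"].lower() in ALLOWED_PARENTS:
                return "allowed"
            return "block"
    return "ignore"


def detect(events):
    """List (pid, verdict) for every event that touched shadow-copy deletion."""
    verdicts = ((e["pid"], classify(e)) for e in events)
    return [(pid, v) for pid, v in verdicts if v != "ignore"]


if __name__ == "__main__":
    for pid, verdict in detect(SAMPLE_EVENTS):
        print(pid, verdict)
```

Listing shadow copies is ignored, so the rule stays quiet during ordinary recovery work such as the procedures on this page.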


Hello, friends! So I have once again got to pencil and paper. More precisely, to a laptop and a virtual machine. Today I want to talk about such an absolutely interesting and useful phenomenon as previous versions of files, or Windows shadow copies.

Let's demonstrate in practice how to work with shadow copies.

How to recover deleted files from Windows shadow copies

Here we have a Windows desktop. There are two folders on it, screen and zip, which we will delete and restore. The third folder is ShadowExplorer - the program I will use to work with shadow copies. I am attaching the program; take it and use it! So, since previous versions of files (shadow copies) use restore points, we will need to create at least one point. To do this, go to the system properties, to the “System Protection” tab. It is important for us that the protection settings are in the “Enabled” mode. In the settings you can also set the disk space reserved for these restore points as a percentage, and create a restore point immediately (the “Create” button).

Click “Create” and enter a name for the restore point:

The process of creating a restore point (hereafter CT) takes some time.

Of course, you can resort to data recovery programs, especially since the object was deleted very recently and there is a possibility of restoring it. But what if this is not the case? What if data recovery programs don't give the desired results?

Data from “shadow copies”. Let's launch the ShadowExplorer program. We will see drop-down lists in the main window: the first selects the disk on which shadow copies are created, the second the creation date of the system snapshot.

Since we have a single system snapshot and a single logical partition, the data we need opens right away. In the directory tree, expand the desired directory and see that our now deleted directories are still there! Right-click the desired directory and click “Export”.
And now the object has been restored! Of course, it's not a universal method, but nevertheless quite viable and useful.

Where are Windows Shadow Copies stored?

Windows shadow copies are stored in the “System Volume Information” folder, in files with names of the form (GUID)(GUID2), where (GUID) is the copy identifier and (GUID2) is the section identifier.

Working with shadow copies using ShadowCopyView

Nirsoft has an excellent tool that allows you to work with shadow copies quite conveniently. The name of this program is ShadowCopyView. I am also attaching it to the article; if you wish, you can download the current version from the developer's website - it's free.

The main window displays shadow copies (at the top), and their contents below. There is also a context menu item, “Copy Selected Files To…”, which allows you to extract content from the shadow copy.

Working with shadow copies from the command line

But what to do if you don’t have any tools at hand? No problem, you can mount the shadow copy volume using the command line and open the shadow copy as a directory in Explorer.

First of all, we need to get a list of shadow copies:

All shadow copies will be displayed in a similar form. Here we are interested in the creation date and the “Shadow copy volume” field. Let's copy this line and create a symbolic link to this directory:

> mklink /D C:\old \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

Attention! The slash at the end is required; I took the screenshot without the slash and was unable to enter the directory. The mklink command creates a link C:\old to the directory (key /D) of the backup.
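An added example, not from the original article: it parses a listing in the layout printed by `vssadmin list shadows` (English field labels assumed) and builds the `mklink` command for every snapshot of one drive, always with the required trailing backslash. The sample listing, its GUIDs and dates, and the `C:\old<N>` link names are constructed.

```python
import re

# Constructed sample in the layout of `vssadmin list shadows` (values are made up).
SAMPLE_OUTPUT = r"""
Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 10/12/2015 09:14:02
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 10/15/2015 21:03:11
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (D:)\\?\Volume{44444444-4444-4444-4444-444444444444}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Contents of shadow copy set ID: {55555555-5555-5555-5555-555555555555}
   Contained 1 shadow copies at creation time: 10/19/2015 18:30:45
      Shadow Copy ID: {cccccccc-cccc-cccc-cccc-cccccccccccc}
         Original Volume: (C:)\\?\Volume{22222222-2222-2222-2222-222222222222}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""

CREATED = re.compile(r"creation time:\s*(.+?)\s*$")
ORIGINAL = re.compile(r"Original Volume:\s*\((\w:)\)")
DEVICE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_shadows(text):
    """Return one dict per shadow copy: creation time, source drive, device path."""
    shadows, created, drive = [], None, None
    for line in text.splitlines():
        if m := CREATED.search(line):
            created = m.group(1)          # locale-dependent, kept as plain text
        elif m := ORIGINAL.search(line):
            drive = m.group(1).upper()
        elif m := DEVICE.search(line):
            shadows.append({"created": created, "drive": drive,
                            "device": m.group(1)})
    return shadows


def mklink_command(device, link):
    """Build the mklink line; the target must end in exactly one backslash."""
    target = device.rstrip("\\") + "\\"
    return f"mklink /D {link} {target}"


def commands_for_drive(text, drive, link_prefix=r"C:\old"):
    """(creation time, mklink command) for each shadow copy of the given drive."""
    result = []
    for shadow in parse_shadows(text):
        if shadow["drive"] != drive.upper():
            continue
        # Reuse the snapshot number so every link name is unique.
        number = re.search(r"(\d+)\\?$", shadow["device"]).group(1)
        result.append((shadow["created"],
                       mklink_command(shadow["device"], link_prefix + number)))
    return result


if __name__ == "__main__":
    for created, command in commands_for_drive(SAMPLE_OUTPUT, "C:"):
        print(created, "->", command)
```

The generated lines are meant to be reviewed and then run from an elevated command prompt; the link directory itself must not already exist.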

Let's see what it looks like in Explorer:

But this does not mean at all that twice as much information is now recorded on the disk. This space is marked as free, but it will not be overwritten until the free space set aside when the backup service was configured is exhausted. Remember, we indicated there what percentage of the disk to allocate for backups. Only after all the remaining space is exhausted will the shadow copies of the changed files be overwritten.


Important: This article is intended for the case when standard backup is configured on the computer in Windows 7.

Recovering files from Windows shadow copies

Have you ever discovered that a file you needed has been deleted? That some time has passed and the file has disappeared somewhere? Of course, there can be many reasons for this. But usually, at such moments, the first thing that worries us is not the reason but another question: “How to restore it now?” If you are a regular reader of the site, then you probably have backup programs installed and configured that will allow you to restore the missing file.

But what to do if you don’t have such programs, or it’s too late to restore, since the program synchronized the copy with the original and erased this file? What then? Of course, you still have the option of using programs for recovering deleted files, but this is usually a rather lengthy procedure, which should be resorted to only when there are no other options left. So where should you start?

If you have standard Windows backup configured through the "Backup and Restore" interface (see link), or you created restore points, then you still have the opportunity to restore a deleted file relatively quickly. The fact is that Windows 7 creates so-called “shadow copies” of files that are accessible from the “previous versions” interface. These shadow copies store not just one copy of a file, but several previous versions of it. It is this fact that allows you to use the following two methods.

Recovering a deleted file from a shadow copy of the parent directory in Windows

  1. Follow the procedure described in the previous article (at this link) to open a list of previous versions for the folder that contained the deleted file
  2. Select a previous version of the directory in which you are sure the file was present at that moment. Otherwise you will have to go through the versions until you find the first one that has it
  3. You can click the "Copy" button to save an entire copy of the folder and restore the deleted file from it. If you click the button, a dialog box will appear in which you need to specify a location to save to. But you must understand that such an operation may take time if the directory takes up a lot of space
  4. You can also click the "Restore" button so that all files in the folder are rolled back to the selected version. But keep in mind that this may change other files
  5. If neither of the previous options suits you, you can click the “Open” button, and the entire list of files of the selected backup will open. You can drag or copy the deleted file wherever you need it
  6. After you restore the file using one of the methods, close the dialog box

Recovering a deleted file from a shadow copy by its name in Windows

  1. Create an empty file with the same name and extension as the deleted file and place it in the original directory. The file contents don't matter
  2. Right-click the empty file
  3. In the context menu, select "Properties"
  4. Go to the "Previous Versions" tab
  5. If you're lucky, the entire list of backup copies of the deleted file will appear in front of you. In this case, it all depends on the circumstances
  6. Select the backup you want (probably the most recent one) and click the "Restore" button
  7. Close the dialog box

Both of these methods can be used. The only thing you must understand is that the recovered file will not necessarily be the very latest version, since backups do not occur constantly, but at certain points in time.


Technical Tips

  • We have to admit: mistakes are inevitable, especially when it comes to computers, networks, technology and the people who use them. All users sometimes delete, change or otherwise damage important documents. In such a situation, the opportunity to return everything to the way it was is highly valued. The volume shadow copy mechanism implemented in , allows you to solve the problem in a few clicks of the mouse - if, of course, it is enabled and configured correctly. Setting up and using this feature is not difficult at all - you just need to know where to look for it.

    Setting up shadow copying

    To be able to use shadow copying, you first need to enable it. Please note that it requires additional system resources, so consider how important it is for you to recover files. In most cases, the advantages outweigh the disadvantages, but in some situations the need to allocate additional resources for shadow copying is unacceptable.

    Shadow copy settings are contained in the system properties. Open the System tool in Control Panel (Fig. A) or enter the keyword “system” (without quotes) in the search bar of the Start menu.

    Figure A. System Properties in Vista.

    On the left side of the System window, click the System Protection link (Figure B). Oddly enough, I couldn't find a keyword that would bring up the System Protection window directly from the Start menu search bar. Apparently, we cannot do without an intermediate stage.

    Figure B. System Protection link.

    In the System Properties dialog box, open the System Protection tab (Figure C) and select the check boxes for the drives for which you want to enable shadow copying. After this, you can immediately create a restore point by clicking the “Create” button. Otherwise, it will be created upon shutdown and next startup.

    In this window you can also run System Restore from a previous point, if one exists. After completing the settings, click "OK".

    Figure C. System Protection tab

    Using Shadow Copy

    After setting up shadow copying, you can be sure that important files can be restored if necessary. For example, I created a Word 2007 file named "ShadowTest.docx" and saved it in the Documents folder of my profile.

    Figure D. My documents.

    Fig. E shows the contents of the file - just one line of text.

    Figure E. Text of the "ShadowTest.docx" file.

    After saving the document and closing Word, I right-clicked on the file to bring up the properties window and opened the Previous Versions tab. As can be seen from Fig. F, a shadow copy of this document has not yet been created. Under normal conditions, it will appear after shutdown and next startup.

    Please note that shadow copying does not eliminate the need for standard file backup, but only complements it. Restoring files from a shadow copy still results in the loss of certain data and is time consuming. It should be used only in extreme cases.

    Figure F. File properties.

    As an example, I created a restore point to get a shadow copy of the test file (Figure G).

    Figure G. New restore point.

    Now from the “Previous Versions” tab in the file properties window (Fig. G), you can open a document, copy or restore its previous version. In this case, the current file will be replaced by a shadow copy, which Windows specifically warns about (Fig. H).

