Wednesday, September 26, 2012

Latest ShadowCopy Research - Part 2


The latest Volume Shadow Copy code samples from Microsoft

So I just posted Part 1 discussing diskshadow. Now I'm excited to discuss some new code samples from Microsoft. We all hate the upgrade cycle. Microsoft is going to drag us down the update cycle kicking and screaming, but perhaps there are some good reasons for us to look at upgrading in the near future.


While searching in vain for examples of VSC API code for exposing shadows that actually work, I found MSDN code samples for VSCs. The code samples are in C++ and only work in Windows 8 (unfortunately). The code is a rare glimmer of hope... Too bad they aren't in C# or VB.NET. I'm not much of a C++ guy.

A few examples below have me really excited. Keep reading and you'll see why. The examples speak for themselves so I won't regurgitate here. I can't wait to play around with these more once I have a better Win 8 environment.

I compiled and tested the code on my Windows 7 box (in VS 2012) and the samples really do only run on Windows 8. The code checks the OS version. I tried removing the check and recompiled, but then got COM+ exceptions, so it's clear the COM in Windows 8 has changed. The code samples have mostly the same features as diskshadow, but of course you get to see how they invoke the COM, which could be useful. Hopefully some C# or VB samples are released soon.

That's all for now. If you find more, send me a link. I am starting to think about ShadowKit v2 and I'm in the research phase right now. If I end up having to go Windows 8 + .NET 4.5 to get what I want, then that is where I'll go.

Enjoy!


Some exciting Windows 8 examples:

VShadow Tool Examples
http://msdn.microsoft.com/en-us/library/windows/desktop/Bb530726

Volume Shadow Copy Service hardware provider sample
http://code.msdn.microsoft.com/VSS-Sample-Provider-3096be2a


Latest ShadowCopy Research - Part 1


It's been a while since I posted anything new regarding shadow copies. Microsoft never fails to drive me to despondent frustration because of poorly documented APIs, broken examples and circular links. Putting that aside, I have a few new discoveries that I really wanted to get down in writing before they went poof due to work priorities. I broke the posts up into two parts to keep it simple.


So diskshadow looks very promising. According to this TechNet article it is in Windows Server 2008 and now in Windows 8. The article was published in April; however, it looks like diskshadow was introduced with Windows Server 2008, so it's not new (it's new to me though). I was not able to find it in my Win8 Enterprise RTM virtual machine (what's up with that?) but verified it exists on Server 2008. It's possible it ships with a different Win 8 package than RTM.

diskshadow
Write up #1
Write up #2

Why you should care...

According to the link, diskshadow will allow you to expose a shadow as a drive letter*. Diskshadow also supports some basic scripting, which should get you all giddy with excitement. For recovering shadows, this app could make a lot of Digital Forensics and Incident Response people's days a little easier.

*Let me say that I have not had a chance to do testing yet. It's possible Microsoft stiffed us and only made diskshadow work with Win8 shadow copies. I'm looking forward to finding out if I can mount a VHD from Win7 in Windows 8 and expose the shadows as drive letters using diskshadow.
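As an added example (not from the original post), here is how the scripting side of diskshadow can be driven from PowerShell for a forensic review: list the existing shadow copies, expose one as a read-only drive letter, read from it, then unexpose it. It assumes an elevated session on Windows Server 2008 or later with diskshadow.exe, that X: is a free drive letter, and that the ID lines diskshadow prints for LIST SHADOWS ALL look like "Shadow copy ID = {GUID}"; all function names are my own.

```powershell
# Added example, not the post's own code. Drives diskshadow.exe /s with
# generated scripts. Assumes: elevated session, X: unused, PowerShell 4+
# (Get-FileHash), and "Shadow copy ID = {GUID}" lines in LIST SHADOWS output.

function Invoke-DiskShadow {
    # Write the given diskshadow commands to a temporary script, run it
    # with /s, and return the tool's text output for parsing.
    param([string[]]$Commands)
    $script = Join-Path $env:TEMP ('dsh-{0}.txt' -f [guid]::NewGuid())
    try {
        Set-Content -Path $script -Value $Commands -Encoding ASCII
        & diskshadow.exe /s $script 2>&1
    }
    finally {
        Remove-Item -Path $script -ErrorAction SilentlyContinue
    }
}

function Get-ShadowCopyId {
    # Return the IDs of all shadow copies on the machine, in listed order.
    $out = Invoke-DiskShadow -Commands @('LIST SHADOWS ALL')
    $out | Select-String -Pattern 'Shadow copy ID\s*[=:]\s*(\{[0-9A-Fa-f-]+\})' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

function Mount-ShadowCopy {
    # Expose one shadow copy at a drive letter; VSS shadows are read-only.
    param(
        [Parameter(Mandatory=$true)][string]$ShadowId,  # {GUID} from above
        [string]$DriveLetter = 'X:'                     # assumed to be free
    )
    Invoke-DiskShadow -Commands @(('EXPOSE {0} {1}' -f $ShadowId, $DriveLetter))
}

function Dismount-ShadowCopy {
    # Remove the drive letter again once the review is finished.
    param([string]$DriveLetter = 'X:')
    Invoke-DiskShadow -Commands @(('UNEXPOSE {0}' -f $DriveLetter))
}

# Usage: expose the first shadow found, hash a file from it, then clean up.
$ids = @(Get-ShadowCopyId)
if ($ids.Count -gt 0) {
    Mount-ShadowCopy -ShadowId $ids[0] -DriveLetter 'X:' | Out-Null
    Get-FileHash -Path 'X:\Windows\System32\drivers\etc\hosts' -Algorithm SHA256
    Dismount-ShadowCopy -DriveLetter 'X:' | Out-Null
}
```

The hash of the copy can be compared against the same file on the live volume to spot a change that landed after the snapshot was taken.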