@Spartan-196
Created February 11, 2019 17:25
ShadowCopyUserProfile

Write-up for doing this remotely through a PSSession; it can be adapted to run locally on a PC as well.

Enter remote session: enter-pssession [computer]

Create a system restore point (this also creates a new shadow copy of the system volume): cmd /C 'Wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "%DATE%", 100, 1'

Note that on Windows 8 and later the call is silently skipped if another restore point was created within the last 24 hours, so confirm in the next step that a new shadow copy actually appeared.

List shadow copies: vssadmin list shadows

Sample output:

   Contained 1 shadow copies at creation time: 8/23/2018 5:10:53 PM
      Shadow Copy ID: {shadow copy uid}
         Original Volume: (C:)\\?\Volume{volume uid}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy28
         Originating Machine: computer.domain.com
         Service Machine: computer.domain.com
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Make a symbolic link to the shadow copy volume shown above (the trailing backslash on the device path is required or the link will not resolve): cmd /c mklink /d [directory name] \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy28\

Sample output: symbolic link created for C:\Backup <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy28\*

Change into that directory or a subdirectory of it: cd C:\Backup\Users\[userid]\

Map a network drive: net use z: "\\[Network\Location\UNC\Path]" /user:[Domain]\[userid] [password]

Passing * in place of the password makes net use prompt for it interactively, so it does not end up in the command history or session transcript.

net use is used here to avoid the double-hop authentication problem with PowerShell remoting: the credentials of the remote session cannot be forwarded from the target PC to a third machine, so the share is mapped with explicit credentials instead.

Robocopy Data from the shadow copy to the network drive: robocopy . Z:\[FolderName] /e /z /sl /log:Z:\[FolderName]\copylog.log /ETA /tee /XJD /XD AppData

Command syntax explained:
robocopy – utility used
. – source directory; here the current directory, but it can be a specific path such as C:\Backup\Users\[userid]\
Z:\[FolderName] – target directory; a new or existing folder name
/e – copies subdirectories (including empty directories) in addition to files
/z – restartable mode
/sl – copies symbolic links instead of their targets (here this only affects links to files; directory links are handled by /XJD)
/log:[file] – writes the status output to a log file; at least the log file name is required
/ETA – shows the estimated time of arrival of copied files
/tee – writes output to the console as well as the log file
/XJD – excludes junction points and symbolic links for directories (skips profile junctions such as "My Music", which is a junction pointing to "Music"; Music itself is still copied because it is a real folder)
/XD – excludes directories matching the given names/paths (AppData here)

Leave the linked directory: cd \

Remove symbolic link: cmd /c rmdir [directory name]

rmlink is not a command, so symbolic links to directories must be removed with rmdir (without /s, so only the link is removed). Using the del command here would delete the directory and all of its contents; del can only be used to remove symbolic links to files. Alternatively, you can delete the link through Windows Explorer without affecting the target files.

Exit remote session: exit-pssession
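The whole procedure above wrapped in one PowerShell function that runs every step in a single remote session. This is an added example, not part of the gist; the function name, its parameters and the C:\Backup link path are assumed, and it goes one step beyond the write-up by selecting the newest shadow copy of C: from Win32_ShadowCopy instead of reading it off the vssadmin output by hand.

```powershell
# Added example (not from the gist). Assumed names: Copy-ShadowProfile, its parameters, C:\Backup.
function Copy-ShadowProfile {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,      # target PC
        [Parameter(Mandatory)] [string]$UserId,            # profile folder under C:\Users
        [Parameter(Mandatory)] [string]$SharePath,         # e.g. \\fileserver\backups
        [Parameter(Mandatory)] [pscredential]$Credential,  # account allowed to write to the share
        [string]$LinkPath = 'C:\Backup'                    # where the snapshot is exposed
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($UserId, $SharePath, $Cred, $LinkPath)
        # 1. Create a restore point; this also creates a new shadow copy of the system volume.
        cmd /C 'Wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "%DATE%", 100, 1' | Out-Null
        # 2. Pick the newest shadow copy of C: (the same data 'vssadmin list shadows' prints).
        #    Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID are both \\?\Volume{guid}\ strings.
        $cVol = (Get-CimInstance Win32_Volume -Filter "DriveLetter='C:'").DeviceID
        $shadow = Get-CimInstance Win32_ShadowCopy | Where-Object VolumeName -eq $cVol |
                  Sort-Object InstallDate | Select-Object -Last 1
        if (-not $shadow) { throw 'No shadow copy of C: found' }
        # 3. Expose the snapshot as a directory; the trailing backslash on the device path is required.
        cmd /c mklink /d $LinkPath "$($shadow.DeviceObject)\" | Out-Null
        try {
            # 4. Map the share with explicit credentials to sidestep the double-hop problem.
            $plain = $Cred.GetNetworkCredential().Password
            net use Z: $SharePath /user:$($Cred.UserName) $plain | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "net use failed ($LASTEXITCODE)" }
            # 5. Copy the profile out of the snapshot with the same switches as the write-up.
            $dest = "Z:\$UserId"
            New-Item -ItemType Directory -Path $dest -Force | Out-Null   # log file lives in $dest
            robocopy "$LinkPath\Users\$UserId" $dest /e /z /sl /log:"$dest\copylog.log" /ETA /tee /XJD /XD AppData
            # robocopy exit codes 0-7 are success (possibly with skipped files); 8 and above mean errors
            if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors ($LASTEXITCODE)" }
        } finally {
            # 6. Clean up: drop the mapping and remove only the link (rmdir without /s leaves the snapshot intact).
            net use Z: /delete /y | Out-Null
            cmd /c rmdir $LinkPath | Out-Null
        }
    } -ArgumentList $UserId, $SharePath, $Credential, $LinkPath
}

# Usage (assumed computer, user and share names):
# Copy-ShadowProfile -ComputerName PC01 -UserId jdoe -SharePath \\fileserver\backups -Credential (Get-Credential)
```

The finally block runs even if robocopy fails, so the drive mapping and the link to the snapshot are never left behind on the target PC.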
