Memorise

Unable to access or take ownership of file users shadow copy files

I was trying to access the shadow copies of one of these folders after the user had been deleted. I tried to take ownership of the shadow copy folder so we could restore some data that was in it, but every time I tried to take ownership of the folder I got a "Media is Write Protected" message, and everything we tried that involved taking over the shadow copy failed.

Download dosdev from http://vscsc.sourceforge.net/ if you don't have it, mount the shadow copy as the V: drive, use robocopy to copy the files to a different location on the current volume, and then take ownership of the copied files.

C:\resources\dosdev\dosdev\x86>vssadmin list shadows

Contents of shadow copy set ID: {85e1a1e5-e6dd-4479-ab11-769930317777}
Contained 1 shadow copies at creation time: 1/28/2014 7:00:06 AM
Shadow Copy ID: {c152023d-6a53-46a5-ae90-eac06d7b1f0d}
Original Volume: (S:)\\?\Volume{1d09abf5-50bb-4619-ae1a-582285e37e1f}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy260
Originating Machine: MACSRVR.mac.macltd.com
Service Machine: MACSRVR.mac.macltd.com
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessible
Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Contents of shadow copy set ID: {b1ceef12-fa9a-4aae-961a-1212df929c27}
Contained 1 shadow copies at creation time: 1/28/2014 12:01:05 PM
Shadow Copy ID: {eb169c0f-373d-4431-9ea3-e97d22f8fe7d}
Original Volume: (S:)\\?\Volume{1d09abf5-50bb-4619-ae1a-582285e37e1f}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy263
Originating Machine: MACSRVR.mac.mactd.com
Service Machine: MACSRVR.mac.macltd.com
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessible
Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

C:\resources\dosdev\dosdev\x86>

C:\resources\dosdev\dosdev\x86>dosdev v: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy260

v:: The operation completed successfully.

C:\resources\dosdev\dosdev\x86>dir v:
Volume in drive V is Studio1
Volume Serial Number is 18FA-38CD
Directory of V:\

V:\Studio 1\JOBS\STUDIO\SKYIT\Skyit Rainforest\05_SRR Ede Project\CREATIVE\3D\SKETCHUP>robocopy "SKETCHUP VERSION 8" S:\new /S /E /COPYALL /ZB /NP /MT:20 /R:3 /W:30 /LOG:"c:\resources\HR.log"

Log File : c:\resources\HR.log

V:\Studio 1\JOBS\STUDIO\SKYIT\Skyit Rainforest\05_SRR Ede Project\CREATIVE\3D>robocopy "SKETCHUP" S:\new /S /E /COPYALL /ZB /NP /MT:20 /R:3 /W:30 /LOG:"c:\resources\HR.log"

Log File : c:\resources\HR.log

 

There is a bit more you can do when using robocopy to copy files from your shadow copy.

One of my clients had the Crypto Locker virus with the extension .zepto, and it encrypted all the files on the shared drive. This is what I did to recover. First I logged on to the server and searched for *.zepto on the top-level drive (in my case D:\), then copied the search results to a text file. Copying search results to a text file sounds simple, but if you haven't done it before, this is how: select the first line of the search results, scroll to the last line, hold Shift and right-click, and choose "Copy as Path" from the drop-down menu. Then open Notepad and paste.

Now you have all the paths in a text file. Using the dosdev process above, I mounted the shadow copy that I wanted to copy from, then ran the robocopy command below:

robocopy /e "V:\dfs\Data\SHARED\PROJECTS" "D:\dfs\Data\SHARED\PROJECTS" /log:c:\project.txt /tee

Use this if you get an access denied error:

robocopy /e /ZB "V:\DFS\WaysOfWorking" "D:\DFS\WaysOfWorking" /log:c:\wayofworking.txt /tee

What this does is check all files and folders and copy anything that is missing or different. I tried going to Previous Versions in Windows, browsing the copy and copying the files I needed, but for this huge amount of data (10TB) I didn't want to go folder by folder, and when it hit a long file name or path it stopped copying. Robocopy is the only way I found to be accurate.

Then I went back to my search and deleted all the files that were highlighted.

Or you can use the command prompt:
c:\>del *.zepto /a /s

c:\>del *HELP_instructions.html /a /s
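
Choosing which shadow copy to mount is the one step above that is done by eye. As an added example (not part of the original post), this Python script parses `vssadmin list shadows` output and picks the newest snapshot of a volume created before a cutoff time, then builds the `dosdev` mount command in the form used above. The function names, the sample output with placeholder IDs, the US date format and the cutoff time are all assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout `vssadmin list shadows` prints;
# the IDs are placeholders, not values from a real system.
SAMPLE = r"""
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 1/28/2014 7:00:06 AM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000a}
         Original Volume: (S:)\\?\Volume{00000000-0000-0000-0000-0000000000ff}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy260
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 1/28/2014 12:01:05 PM
      Shadow Copy ID: {00000000-0000-0000-0000-00000000000b}
         Original Volume: (S:)\\?\Volume{00000000-0000-0000-0000-0000000000ff}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy263
"""

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # assumption: US-format timestamps, as in the post

def parse_shadows(text):
    """Return one dict (created, volume, device) per shadow copy listed."""
    shadows, created, volume = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"creation time:\s*(.+)$", line):
            created = datetime.strptime(m.group(1).strip(), TIME_FMT)
        elif m := re.match(r"Original Volume:\s*\((\w:)\)", line):
            volume = m.group(1)
        elif m := re.match(r"Shadow Copy Volume:\s*(\S+)", line):
            shadows.append({"created": created, "volume": volume, "device": m.group(1)})
            volume = None  # the next copy in the set names its own volume
    return shadows

def pick_snapshot(shadows, volume, before):
    """Newest snapshot of `volume` created strictly before `before`, or None."""
    older = [s for s in shadows
             if (s["volume"] or "").lower() == volume.lower() and s["created"] < before]
    return max(older, key=lambda s: s["created"], default=None)

def dosdev_command(snapshot, letter="v:"):
    """Build the mount command in the form used in the post."""
    return f"dosdev {letter} {snapshot['device']}"

if __name__ == "__main__":
    # Hypothetical cutoff: earliest modified time seen on an encrypted file.
    cutoff = datetime(2014, 1, 28, 11, 30)
    chosen = pick_snapshot(parse_shadows(SAMPLE), "S:", cutoff)
    print(dosdev_command(chosen) if chosen else "no snapshot predates the cutoff")
```

If no snapshot predates the cutoff, `pick_snapshot` returns `None`, which is the signal that the shadow copies on that volume cannot be relied on for clean data.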

