Creating a shadow copy using the “Backup” context in a PowerShell

只谈情不闲聊 submitted on 2019-12-20 09:47:43

Question


I am in the process of writing a PowerShell script for backing up a Windows computer using rsync. To this end, I am attempting to use WMI from said script to create a non-persistent Shadow copy with writer participation (as is apparently recommended for backups).

I found out from another question (Accessing Volume Shadow Copy (VSS) Snapshots from powershell) a way to create a shadow copy in general, but the example given there uses "ClientAccessible" as the context parameter, which results in the creation of a persistent Shadow Copy, without writer participation.

While searching for a solution, I have found that I could use the following command to obtain a list of contexts, which I assume are understood by WMI:

Get-WmiObject win32_shadowcontext | Out-GridView

It does list a context named "Backup", which is conveniently what I want. I proceeded to attempt creating a non-persistent shadow copy using that context:

$shadow = (Get-WmiObject -list win32_shadowcopy).Create("C:\", "Backup")

However, this seems to fail and the content of the $shadow variable is set to

ReturnValue      : 5
ShadowID         : {00000000-0000-0000-0000-000000000000}

According to the relevant documentation (Create method of the Win32_ShadowCopy class), the return value means "Unsupported shadow copy context."

I couldn't find any relevant documentation as to why this context is unsupported or whether it is possible to use it at all. I have also tried the "FileShareBackup" and "AppRollback" contexts without success.

I assume I am either missing something obvious, or that for some reason, WMI really doesn't support anything else than "clientAccessible" when creating shadow copies, or that this is OS dependent (I am testing this on Windows 7, 64-bit).

How can I get this to work?
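As an added example that is not part of the original question or answer: a PowerShell function that issues the same Win32_ShadowCopy.Create call with a chosen context, decodes the ReturnValue into the meaning given in the Create method documentation, shows what Win32_ShadowContext says about that context, and deletes the snapshot again after a successful test. The function name New-VssSnapshot and the -Cleanup switch are my own; run it from an elevated PowerShell.

```powershell
# Added example (not from the original post). Calls Win32_ShadowCopy.Create with
# a chosen context and reports the documented meaning of the return value.
$VssReturnCodes = @{
    0  = 'Success'
    1  = 'Access denied'
    2  = 'Invalid argument'
    3  = 'Specified volume not found'
    4  = 'Specified volume not supported'
    5  = 'Unsupported shadow copy context'
    6  = 'Insufficient storage'
    7  = 'Volume is in use'
    8  = 'Maximum number of shadow copies reached'
    9  = 'Another shadow copy operation is already in progress'
    10 = 'Shadow copy provider vetoed the operation'
    11 = 'Shadow copy provider not registered'
    12 = 'Shadow copy provider failure'
    13 = 'Unknown error'
}

function New-VssSnapshot {
    # Hypothetical helper name chosen for this example; not a built-in cmdlet.
    param(
        [string]$Volume = 'C:\',
        [string]$Context = 'Backup',
        [switch]$Cleanup   # delete the snapshot again after a successful test
    )
    # Report what the requested context promises (persistence, writer involvement)
    $ctx = Get-WmiObject Win32_ShadowContext | Where-Object { $_.Name -eq $Context }
    if ($ctx) {
        "Context '$Context': Persistent=$($ctx.Persistent) NoWriters=$($ctx.NoWriters)"
    } else {
        "Context '$Context' is not listed by Win32_ShadowContext"
    }

    $result  = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, $Context)
    $meaning = $VssReturnCodes[[int]$result.ReturnValue]
    "Create returned $($result.ReturnValue) ($meaning), ShadowID $($result.ShadowID)"

    # Only remove a snapshot this call actually created (ReturnValue 0)
    if ($result.ReturnValue -eq 0 -and $Cleanup) {
        $sc = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
        if ($sc) { $sc.Delete(); "Deleted test snapshot $($result.ShadowID)" }
    }
    return $result
}

# Reproduce the question's call, then compare with the context the other answer used
New-VssSnapshot -Volume 'C:\' -Context 'Backup'
New-VssSnapshot -Volume 'C:\' -Context 'ClientAccessible' -Cleanup
```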


Answer 1:


Your $shadow has a 5 on return value. Looking at the error message, your shadow id has all zeros; you would need to add a 1 or a 2 to the end of the volume shadow copy in the registry using binary or dword.

Find the folder in the registry named volsnap in your regedit search. volsnap.sys is found in the C:\Windows\System32\drivers directory. The file size is 52,352 bytes. The volsnap file contains Microsoft's digital signature; make sure it's the correct bytes.

This confirms its authenticity. volsnap.sys appears to be a file that was compressed by an EXE-Packer. This technique is often used by trojans to keep the file size small and also hamper debugging efforts.

However, this in itself is not sufficient reason to presume malicious intent, since even well-intentioned, professional software producers take advantage of compressed files. For this reason, 2% of all experts consider this file to be a possible threat. The probability that it can cause harm is high. Please consider the additional Comments from other users.

  shadow id          default 
                        00000000-0000-0000-0000-000000000000
                        00000000-0000-0000-0000-000000000005

If it already has a 5 (which it probably doesn't), change it to 1,

or create new code:

Shadow id           $shadow 00000000-0000-0000-0000-0000000000001

Not exactly as shown. You may have to try different wording; I'm not sure if $ will work. If not, try the JS standalone version.



Source: https://stackoverflow.com/questions/17601354/creating-a-shadow-copy-using-the-backup-context-in-a-powershell
