Undeleted Shadow Copies

hhtech

New member
Hello guys,

I'm not sure I posted this in the correct section. If not I'm sorry.

My Windows is telling me that for a specific volume I have exactly one shadow copy. It can be found in the folder System Volume Information of the volume, in this form:

{dac4924d-3ca1-11e7-9be0-cc88a4ca0b0c}{3808876b-c176-4e48-b7ae-04046e6cc752}

But what I need desperately are the shadow copies from before. And I need them so desperately thet I restored them with an undelete program, from the folder System Volume Information. No clusters had been overwritten yet. I recovered the last 10 or so, just in case, you know. :mrgreen:

But I have absolutely no clue though if that was useful at all. :? I did some reading on mounting shadow copies, but it's always about mounting via \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\". I found something about mounting a .raw file in linux though.

Of course my files aren't adressable like that, since they're in the format described above in some random folder and not "in the system". And also after recovering the program said that they had only been partly recovered.

Is there any possibility somehow to still access the content of those files? Would that even get me anywhere, or is there just something in them that points to something else that maybe isn't even there anymore? I don't know anything about this!

It would be awesome if you guys could help me! :D

Many kind regards,
hhtech
 

Jared

Administrator
Staff member
I would bet anything that all you recovered is junk data. Most likely the maximum size allowed for your VSS was too small so it would delete and create new ones as soon as it was full. In all likelihood, it just overwrote the data. That's been my experience with VSS anyway.
 
Top