How to set up and use volume shadow copy in Microsoft Windows. Why shadow copies don't save you from most ransomware

Important: this article assumes the computer is configured with the standard Windows 7 backup (Backup and Restore).

Restoring Files from Windows Shadow Copies

Have you ever discovered that a file you need has been deleted? That some time has passed and the file has simply vanished? There can be many reasons for this, but at such moments the first thing on your mind is usually not the cause but a different question: "How do I get it back now?" If you are a regular reader of this site, you probably have backup programs installed and configured that will let you restore the missing file.

But what if you don't have such programs, or it is already too late, because the backup program has synchronized the copy with the original and erased the file there as well? What then? You can still turn to programs that recover deleted files, but that is usually a lengthy procedure, to be used only when no other options remain. So where should you start?

If you have set up standard Windows backup through the "Backup and Restore" interface (see the linked article), or if you have created restore points, you still have a chance to restore a deleted file relatively quickly. The reason is that Windows 7 creates so-called "shadow copies" of files, which are exposed through the "Previous Versions" interface. A shadow copy store does not hold a single copy of a file but several previous versions of it, and that is what makes the following two methods possible.

Recovering a deleted file from a shadow copy of a parent directory in Windows

  1. Follow the procedure from the previous article (see the link) to open the list of previous versions for the folder that contained the deleted file.
  2. Select a previous version of the directory taken at a time when you are sure the file was still there. Otherwise you will have to go through the versions one by one until you find one that contains it.
  3. You can click the "Copy" button to save the entire copy of the folder and restore the deleted file from it. A dialog box will ask you for a save location. Bear in mind that this can take a while if the directory is large.
  4. You can also click the "Restore" button to roll back all files in the folder to the selected version. Keep in mind that this will also change the other files in the folder.
  5. If neither of the previous options suits you, click the "Open" button to see the full list of files in the selected copy, and drag or copy the deleted file wherever you need it.
  6. After restoring the file with one of these methods, close the dialog box.

Recovering a deleted file from a shadow copy by its name in Windows

  1. Create an empty file with the same name and extension as the deleted file and place it in the original directory. The content of the file does not matter.
  2. Right-click the empty file.
  3. In the context menu, select "Properties".
  4. Click the "Previous Versions" tab.
  5. If you are lucky, you will see the full list of backup copies of the deleted file. Whether any exist depends on the circumstances.
  6. Select the desired copy (probably the latest one) and click the "Restore" button.
  7. Close the dialog.

Either method works. The only thing to understand is that the restored file will not necessarily be the latest version, since shadow copies are not taken continuously but at particular points in time.
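The same two methods can be scripted. The following PowerShell example is added here and is not part of the original article: it enumerates the shadow copies of a volume newest first, exposes each one through a temporary directory symlink, and copies the first version of the file it finds, which replaces both the "go through the versions one by one" step and the empty-file trick. It assumes Windows 7 or later, an elevated PowerShell session (creating the symlink requires it), and System Protection enabled on the volume; the file and destination paths in the usage line are placeholders.

```powershell
# Added example, not the article's own code. Requires an elevated PowerShell session.

function Get-VolumeShadowCopy {
    # Returns the shadow copies of one volume (drive letter such as 'C:'), newest first.
    param([Parameter(Mandatory)][string]$DriveLetter)

    # Win32_ShadowCopy.VolumeName uses the \\?\Volume{GUID}\ form, so map the
    # drive letter to that identifier through Win32_Volume first.
    $volume = Get-WmiObject -Class Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $volume) { throw "No volume with drive letter $DriveLetter" }

    Get-WmiObject -Class Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object { $_.ConvertToDateTime($_.InstallDate) } -Descending
}

function Restore-FileFromShadowCopy {
    # Copies $RelativePath from the newest shadow copy that still contains it.
    # Returns the timestamp of the copy used, or $null when no copy has the file.
    param(
        [Parameter(Mandatory)][string]$DriveLetter,   # e.g. 'C:'
        [Parameter(Mandatory)][string]$RelativePath,  # path below the volume root, no drive letter
        [Parameter(Mandatory)][string]$Destination    # folder that receives the recovered file
    )

    # Temporary symlink name; the shadow copy itself is never modified.
    $link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))

    foreach ($shadow in Get-VolumeShadowCopy -DriveLetter $DriveLetter) {
        $taken = $shadow.ConvertToDateTime($shadow.InstallDate)

        # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN.
        # A directory symlink to it (trailing backslash required) makes it browsable.
        cmd /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null
        try {
            $candidate = Join-Path $link $RelativePath
            if (Test-Path -LiteralPath $candidate) {
                New-Item -ItemType Directory -Path $Destination -Force | Out-Null
                Copy-Item -LiteralPath $candidate -Destination $Destination
                Write-Host "Restored $RelativePath from the shadow copy taken $taken"
                return $taken
            }
        }
        finally {
            # rmdir removes only the link, not the shadow copy contents.
            cmd /c rmdir "$link" | Out-Null
        }
    }

    Write-Warning "No shadow copy of $DriveLetter contains $RelativePath"
    return $null
}

# Usage (placeholder paths):
# Restore-FileFromShadowCopy -DriveLetter 'C:' -RelativePath 'Users\Alice\Documents\report.docx' -Destination 'C:\Restored'
```

Because the copies are walked newest first, the restored version is the most recent one that still existed at a snapshot time, which is exactly the limitation described above: a change made after the last snapshot is not recoverable this way.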

Technical Tips

There are not many ways to recover files encrypted by a ransomware attack without paying the ransom. If we are lucky, a free tool to restore them may exist, but the more realistic option is restoring your files from your backups. However, not everyone keeps a backup of their files, even though Windows offers a very useful feature known as Shadow Copy, which, in short, is a backup of your files. Cyber criminals have known about it for a long time, and so, a few months after ransomware attacks became widespread, the first thing the malware does once it infects your computer is delete the shadow copies of your files before it starts encrypting your data.

There are a number of technologies that can be applied to stop ransomware attacks: some of them are almost useless, such as signatures or heuristics (these are the first things malware authors test against before their code is "released"); others can sometimes be more effective; but even a combination of all these techniques does not guarantee that you will be protected from every such attack.

More than two years ago, PandaLabs took a simple but effective approach: if a process tries to delete shadow copies, then most likely (though not always) we are dealing with malware, and most likely with ransomware. These days most ransomware families remove shadow copies, because if they did not, people would not pay the ransom, since they could restore their files for free. Consider how many infections have been stopped in our lab with this approach. It would be logical to expect this number to grow exponentially, because the number of ransomware attacks using this technique is also growing rapidly. For example, here is the number of attacks we have blocked in the last 12 months with this approach:

But the chart shows the exact opposite of what we expected. How is this possible? There is a very simple explanation for this "phenomenon": we use this approach as a "last resort", applied only when none of the other security techniques has detected anything suspicious; it is then that this rule fires and blocks the ransomware attack. We also use it internally: the attacks blocked at this "last line of defense" are analyzed in more detail, and the findings are fed back into all the earlier protection layers. Finally, we use it to measure how well or poorly we stop ransomware: in other words, the lower the number, the better our core technologies are working. So, as you can see, our effectiveness is improving.
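The "last resort" rule described above can be approximated from audit logs rather than from an endpoint agent. The PowerShell example below is added here and is not PandaLabs' code: it flags process-creation records whose command line deletes shadow copies or shrinks the shadow copy store, over a constructed set of sample records, and includes a reader for live Security 4688 events. The 4688 field names (SubjectDomainName, SubjectUserName, NewProcessName, CommandLine) are assumptions, and the command line is only present in those events when the "Include command line in process creation events" policy is enabled.

```powershell
# Added example, not from the PandaLabs article. Sample records are constructed.

# Command lines that amount to "a process tries to delete shadow copies".
# The resize pattern is deliberately broad: see the note after the block.
$ShadowTamperPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows'
    'vssadmin(\.exe)?\s+resize\s+shadowstorage.*/maxsize='
    'wmic(\.exe)?\s+shadowcopy\s+delete'
    'Win32_ShadowCopy\b.*\bDelete\b'
)

function Test-ShadowTamperCommand {
    # Returns the first matching pattern, or $null when the command line is benign.
    param([string]$CommandLine)
    foreach ($pattern in $ShadowTamperPatterns) {
        if ($CommandLine -match $pattern) { return $pattern }
    }
    return $null
}

function Find-ShadowTamperEvents {
    # Filters records shaped like (TimeCreated, Account, NewProcessName, CommandLine)
    # down to the ones that should be escalated.
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $hit = Test-ShadowTamperCommand -CommandLine $e.CommandLine
        if ($hit) {
            [pscustomobject]@{
                TimeCreated    = $e.TimeCreated
                Account        = $e.Account
                NewProcessName = $e.NewProcessName
                CommandLine    = $e.CommandLine
                MatchedPattern = $hit
            }
        }
    }
}

function Get-ProcessCreationEvents {
    # Live source: Security 4688 events flattened to the same shape as the sample.
    # Field names are assumptions; command-line auditing must be enabled.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                Account        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                NewProcessName = $data['NewProcessName']
                CommandLine    = $data['CommandLine']
            }
        }
}

# Constructed sample: three benign records and two that should be flagged.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:00:01'; Account = 'CORP\alice'; NewProcessName = 'C:\Windows\System32\notepad.exe';  CommandLine = 'notepad.exe C:\Users\alice\notes.txt' }
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:05:12'; Account = 'CORP\alice'; NewProcessName = 'C:\Windows\System32\vssadmin.exe'; CommandLine = 'vssadmin.exe list shadowstorage' }
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:07:44'; Account = 'CORP\alice'; NewProcessName = 'C:\Windows\System32\vssadmin.exe'; CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ TimeCreated = '2024-01-15 09:07:45'; Account = 'CORP\alice'; NewProcessName = 'C:\Windows\System32\vssadmin.exe'; CommandLine = 'vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB' }
    [pscustomobject]@{ TimeCreated = '2024-01-15 10:00:00'; Account = 'NT AUTHORITY\SYSTEM'; NewProcessName = 'C:\Windows\System32\svchost.exe'; CommandLine = 'svchost.exe -k netsvcs' }
)

Find-ShadowTamperEvents -Events $SampleEvents | Format-Table -AutoSize
# Live: Find-ShadowTamperEvents -Events (Get-ProcessCreationEvents)
```

Two caveats follow directly from the article's "most likely, but not always". First, shrinking the store (the resize pattern) is a normal administrative action, as the resize command later on this page shows, so that rule is a trigger for investigation, not an automatic block. Second, a pattern on the command line only catches processes that call the standard tools; it is a last line of defense behind the earlier layers, which is exactly how the article positions it.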


It is not always necessary to install additional third-party programs in Windows 7 to recover deleted or overwritten data; Windows 7 can do this on its own. If you have accidentally deleted or overwritten files, say Microsoft Office documents or family photos, and want to restore them to their original state, do not rush to install special software for the job.

Windows 7 can recover data with the system's own means: Microsoft added a convenient and easy-to-use tool to this version of the operating system, shadow copies (the Volume Shadow Copy Service, abbreviated VSS). With the help of shadow copies you can, with just a couple of mouse clicks, bring back deleted or overwritten files stored on your computer's hard drive.

Do not confuse shadow copies with a full backup of Windows 7. This tool does not replace a full backup; it only keeps copies of files that have been modified or deleted. In Windows 7 it works on the same principle as restore points, which you probably know as the mechanism for rolling the system back to a certain point in time. The VSS function creates shadow copies of data, for example, before an OS update. This makes it a very handy Windows 7 data recovery tool, but only for files you accidentally deleted or overwrote. The Volume Shadow Copy Service can restore up to sixty-four previous versions of each deleted or modified file.

Restoring Files Using Windows 7 Shadow Copies

To start restoring files from shadow copies, follow these steps. Right-click the file, or the directory containing the data to be recovered. In the context menu that opens, select "Properties", then go to the "Previous Versions" tab. If the system has shadow copies of the file or folder, you will see them listed. Unfortunately, we could not find any shadow copies on our system, since it is practically fresh, a system installed specifically for this site.

To restore a file from the desired copy, simply double-click it, and it will be restored.

It is worth noting that the user can customize this tool. For example, you can define where on the hard disk shadow copies of files are stored. In addition, by pressing the "Win + Pause" key combination and going to the "System Protection" section, you can tell Windows 7 which disks or hard disk partitions to protect, and set for each of them the amount of disk space the OS may use for this.

I hope you are creating shadow copies of the entire disk, not on the same disk as the system, to view them?

Usually these copies are impossible to view, as are archived files, but it is clear that the space is taken up.

Shadow copy space management

Storage space for shadow copies is allocated separately on the working volumes and on the backup disk used for a full system backup. Used, allocated, and maximum shadow copy space can be checked by running the following command from an elevated command prompt:

VSSAdmin list ShadowStorage

Used space is the space currently occupied by shadow copies; allocated space is the space reserved for shadow copies (and not available to other tasks); maximum space is the upper limit beyond which the shadow copy store cannot grow.

Space is allocated to shadow copies automatically, so the user cannot set the allocated amount directly. New space is allocated in fixed chunks as the previously allocated space fills up. For this reason, the reported used space is always lower than the allocated space.

For working volumes, the maximum allowable shadow copy storage space is determined when the first shadow copy is created, usually the first time System Restore is enabled and a restore point is created during setup. The value is set to 30% of the free space or 15% of the total volume size, whichever is less. This maximum size is static: it does not change when free space grows or shrinks, or when the volume is resized.

However, the size can be adjusted manually with the VSSAdmin tool from an elevated command prompt. For example, to increase the maximum storage space on drive C: to 15 GB, run the following command:

VSSAdmin Resize ShadowStorage /For=C: /On=C: /MaxSize=15GB

This feature first appeared in Windows Server, where the shadow copies of a given volume could be stored on another volume. In Windows Vista, shadow copies are stored on the same volume, so the volume being copied (/For) and the volume holding the copies (/On) must be the same.

On the other hand, the shadow copy storage space on the drive used as the computer's full-backup destination is fixed at 30% of the whole drive. This value is controlled by the backup program and cannot be changed manually. It is used to store the incremental copies created by Complete PC Backup.

Up to 64 shadow copies can reside on a volume at one time, as long as there is enough room in the shadow copy storage area. Once the maximum size is reached, older shadow copies are deleted to make room for newer ones. Consequently, old System Restore points are deleted when the working volume's storage limit is reached, and old Complete PC Backups are deleted when the backup drive reaches its limit. In addition, storing and editing other data on the backup drive interferes with the normal "aging" of backups and causes them to be deleted sooner.
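The numbers that "VSSAdmin list ShadowStorage" prints, and the default maximum rule stated above (30% of free space or 15% of the volume, whichever is less), are easy to work with once they are parsed. The PowerShell example below is added here and is not part of the original text: it parses the English-language output of the listing command into objects, reports how close each store is to its limit (the point at which older copies start being discarded), and computes the default maximum for a volume of a given size. The listing output embedded in it is a constructed sample; on a real machine, feed it the command's actual output from an elevated prompt as shown in the usage lines.

```powershell
# Added example, not from the original article. $SampleVssOutput is constructed data
# in the format of "vssadmin list shadowstorage" (English locale).

$SampleVssOutput = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Shadow Copy Storage association
   For volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000001}\
   Shadow Copy Storage volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000001}\
   Used Shadow Copy Storage space: 17.2 GB (3%)
   Allocated Shadow Copy Storage space: 17.5 GB (3%)
   Maximum Shadow Copy Storage space: 18 GB (3%)

Shadow Copy Storage association
   For volume: (D:)\\?\Volume{00000000-0000-0000-0000-000000000002}\
   Shadow Copy Storage volume: (D:)\\?\Volume{00000000-0000-0000-0000-000000000002}\
   Used Shadow Copy Storage space: 0 bytes (0%)
   Allocated Shadow Copy Storage space: 0 bytes (0%)
   Maximum Shadow Copy Storage space: UNBOUNDED (100%)
'@ -split "`r?`n"

function ConvertTo-GB {
    # Normalizes the unit vssadmin printed to gigabytes.
    param([double]$Value, [string]$Unit)
    switch ($Unit.ToUpper()) {
        'BYTES' { return $Value / 1GB }
        'KB'    { return $Value / 1MB }
        'MB'    { return $Value / 1KB }
        'GB'    { return $Value }
        'TB'    { return $Value * 1KB }
    }
}

function ConvertFrom-VssShadowStorage {
    # Turns the listing into one object per "Shadow Copy Storage association" block.
    param([Parameter(Mandatory)][string[]]$Lines)
    $assocs  = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Shadow Copy Storage association') {
            if ($current) { $assocs += [pscustomobject]$current }
            $current = [ordered]@{ ForVolume = $null; OnVolume = $null; UsedGB = 0.0; AllocatedGB = 0.0; MaxGB = $null }
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^\s*For volume: \(([A-Z]:)\)')                 { $current.ForVolume = $Matches[1]; continue }
        if ($line -match '^\s*Shadow Copy Storage volume: \(([A-Z]:)\)') { $current.OnVolume  = $Matches[1]; continue }
        if ($line -match '^\s*(Used|Allocated|Maximum) Shadow Copy Storage space: (UNBOUNDED|([\d.]+) (bytes|KB|MB|GB|TB))') {
            # UNBOUNDED means no limit; represent it as infinity so comparisons still work.
            $gb = if ($Matches[2] -eq 'UNBOUNDED') { [double]::PositiveInfinity } else { ConvertTo-GB ([double]$Matches[3]) $Matches[4] }
            switch ($Matches[1]) {
                'Used'      { $current.UsedGB      = $gb }
                'Allocated' { $current.AllocatedGB = $gb }
                'Maximum'   { $current.MaxGB       = $gb }
            }
        }
    }
    if ($current) { $assocs += [pscustomobject]$current }
    return $assocs
}

function Get-ShadowStorageReport {
    # Adds the fill level; above 90% the next snapshot is likely to evict older copies.
    param([Parameter(Mandatory)][object[]]$Associations)
    foreach ($a in $Associations) {
        $pct = if ($a.MaxGB -eq [double]::PositiveInfinity) { 0 } else { [math]::Round(100 * $a.UsedGB / $a.MaxGB, 1) }
        [pscustomobject]@{
            ForVolume = $a.ForVolume; OnVolume = $a.OnVolume
            UsedGB = $a.UsedGB; AllocatedGB = $a.AllocatedGB; MaxGB = $a.MaxGB
            PercentOfMax = $pct; NearLimit = ($pct -ge 90)
        }
    }
}

function Get-DefaultShadowStorageMaxGB {
    # Default maximum at first snapshot: min(30% of free space, 15% of total size).
    param([Parameter(Mandatory)][double]$TotalGB, [Parameter(Mandatory)][double]$FreeGB)
    [math]::Min(0.30 * $FreeGB, 0.15 * $TotalGB)
}

# Sample run: C: is at 95.6% of its maximum and is flagged; D: is unbounded.
Get-ShadowStorageReport -Associations (ConvertFrom-VssShadowStorage -Lines $SampleVssOutput) | Format-Table -AutoSize

# A 500 GB volume with 200 GB free gets 60 GB (30% of free), since that is less than 75 GB (15% of total).
Get-DefaultShadowStorageMaxGB -TotalGB 500 -FreeGB 200

# On a real machine, from an elevated prompt:
# Get-ShadowStorageReport -Associations (ConvertFrom-VssShadowStorage -Lines (vssadmin list shadowstorage))
```

The parser keys on the English field labels, so on a localized Windows the regular expressions need the localized strings. The NearLimit flag is the practical reading of the eviction rule above: a store that is almost full still "works", but each new restore point or backup increment silently drops the oldest copy, which is worth knowing before relying on "Previous Versions" for a file that changed weeks ago.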
