What is volume shadow copy?
Volume Shadow Copy is a service that creates and maintains snapshots (“shadow copies”) of disk volumes in Windows 7 and Vista. It is the back-end of the System Restore feature, which enables you to restore your system files to a previous state in case of a system failure (e.g. after a failed driver or software installation).
Does volume shadow copy protect only my system files?
No. Volume Shadow Copy maintains snapshots of entire volumes. By default, it is turned on for your system volume (C:) and protects all the data on that volume, including all the system files, program files, user settings, documents, etc.
How is this different from what’s in Windows XP?
In Windows XP, System Restore does not use the Volume Shadow Copy service. Instead, it uses a much simpler mechanism: the moment a program attempts to overwrite a system file, Windows XP makes a copy of it and saves it in a separate folder. In Windows XP, System Restore does not affect your documents – it only protects files with certain extensions (such as DLL or EXE), the registry, and a few other things (details). It specifically excludes all files in the user profile and the My Documents folder (regardless of file extension).
When are the shadow copies created?
Volume shadow copies (restore points) are created before the installation of device drivers, system components (e.g. DirectX), Windows updates, and some applications.
In addition, Windows automatically creates restore points at hard-to-predict intervals. The first thing to understand here is that the System Restore task on Vista and 7 will only execute if your computer is idle for at least 10 minutes and is running on AC power. Since the definition of “idle” is “0% CPU usage and 0% disk input for 90% of the last 15 minutes, plus no keyboard/mouse activity” (source), it could take days for your machine to be idle, especially if you have a lot of programs running in the background.
As you see, the frequency with which automatic restore points are created is hard to estimate, but if you use your machine every day on AC power and nothing prevents it from entering an idle state, you can expect automatic restore points to be created every 1-2 days on Windows Vista and every 7-8 days on Windows 7. Of course, the actual frequency will be higher if you count in the restore points created manually by you and those created before software installations.
Here’s a more precise description: By default, the System Restore task is scheduled to run every time you start your computer and every day at midnight, as long as your computer is idle and on AC power. The task will wait for the right conditions for up to 23 hours. These rules are specified in Scheduled Tasks and can be changed by the user. If the task is executed successfully, Windows will create a restore point, but only if enough time has passed since the last restore point (automatic or not) was created. On Windows Vista the minimum interval is 24 hours; on Windows 7 it is 7 days. As far as I know, this interval cannot be changed.
What cool things can I do with Volume Shadow Copy?
- If your system malfunctions after installing a new video card driver or firewall software, you can launch System Restore and roll back to a working system state from before the installation. If you can’t get your system to boot, you can also do this from the Windows Setup DVD. This process is reversible, i.e. your current state will be automatically saved as a restore point, to which you can later go back. (Note: System Restore will not roll back your documents and settings, just the system files.)
 If you accidentally delete 10 pages of your dissertation, you can right-click the document, choose Restore previous versions, and access a previous version of it. You can open it (in read-only mode) or copy it to a new location. If you accidentally delete 10 pages of your dissertation, you can right-click the document, choose Restore previous versions, and access a previous version of it. You can open it (in read-only mode) or copy it to a new location.
- If you accidentally delete a file or folder, you can right-click the containing folder, choose Restore previous versions, and open the folder as it appeared at the time a shadow copy was made (see screenshot below). All the files and folders that you deleted will be there!
Note: While the Volume Shadow Copy service and System Restore are included in all versions of Windows Vista, the Previous versions user interface is only available in Vista Business, Enterprise and Ultimate. On other Vista versions, the previous versions of your files are still there; you just cannot access them easily. The Previous versions UI is available in all versions of Windows 7. It is not available in any version of Windows 8.
Is Volume Shadow Copy a replacement for versioning?
No. A versioning system lets you access all versions of a document; every time you save a document, a new version is created. Volume Shadow Copy only allows you to go back to the moment when a restore point was made, which could be several days ago. So if you do screw up your dissertation, you might have to roll back to a very old version.
Is Volume Shadow Copy a replacement for backups?
No, for the following reasons:
- Shadow copies are not true snapshots. When you create a restore point, you’re not making a new copy of the drive in question — you’re just telling Windows: start tracking the changes to this drive; if something changes, back up the original version so I can go back to it. Unchanged data will not be backed up. If the data on your drive gets changed (corrupted) for some low-level reason like a hardware error, VSC will not know that these changes happened and will not back up your data. (see below for a more detailed description of how VSC works)
- The shadow copies are stored on the same volume as the original data, so when that volume dies, you lose everything.
- With the default settings, there is no guarantee that shadow copies will be created regularly. In particular, Windows 7 will only create an automatic restore point if the most recent restore point is more than 7 days old. On Windows Vista, the minimum interval is 24 hours, but remember that the System Restore task will only run if your computer is on AC power and idle for at least 10 minutes, so it could take days before the conditions are right, especially if you run a lot of background processes or do not use your computer frequently.
- There is no guarantee that a suitable shadow copy will be there when you need it. Windows deletes old shadow copies without a warning as soon as it runs out of shadow storage. With a lot of disk activity, it may even run out of space for a single shadow copy. In that case, you will wind up with no shadow copies at all; and again, there will be no message to warn you about it.
How much disk space do Volume Shadow Copies take up?
By default, the maximum amount of storage available for shadow copies is 5% (on Windows 7) or 15% (on Vista), though only some of this space may be actually allocated at a given moment.
You can change the maximum amount of space available for shadow copies in Control Panel | System | System protection | Configure.
How efficient is Volume Shadow Copy?
It’s quite efficient. The 5% of disk space that it gets by default is usually enough to store several snapshots of the disk in question. How is this possible?
The first thing to understand is that volume shadow copies are not true snapshots. When a restore point is created, Volume Shadow Copy does not create a full image of the volume. If it did, it would be impossible to store several shadow copies of a volume using only 5% of that volume’s capacity.
Here’s what really happens when a restore point is created: VSC starts tracking the changes made to all the blocks on the volume. Whenever anyone writes data to a block, VSC makes a copy of that block and saves it on a hidden volume. So blocks are “backed up” only when they are about to get overwritten. The benefit of this approach is that no backup space is wasted on blocks that haven’t changed at all since the last restore point was created.
Notice that VSC operates on the block level, that is below the file system level. It sees the disk as a long series of blocks. (Still, it has some awareness of files, as you can tell it to exclude certain files and folders.)
The second important fact is that shadow copies are incremental. Suppose it’s Wednesday and your system has two shadow copies, created on Monday and Tuesday. Now, when you overwrite a block, a backup copy of the block is saved in the Tuesday shadow copy, but not in the Monday shadow copy. The Monday copy only contains the differences between Monday and Tuesday. More recent changes are only tracked in the Tuesday copy.
In other words, if we were to roll back an entire volume to Monday, we would take the volume as it is now, “undo” the changes made since Tuesday (using the blocks saved in the Tuesday shadow copy), and finally “undo” the changes made between Monday and Tuesday. So the oldest shadow copy is dependent on all the more recent shadow copies.
When I delete a 700 MB file, does VSC add 700 MB of data to the shadow copy?
No. When you delete a file, all that Windows does is remove the corresponding entry (file name, path, properties) from the Master File Table. The blocks (units of disk space) that contained the file’s contents are marked as unused, but they are not actually deleted. So all the data that was in the file is still there in the same blocks, until the blocks get overwritten (e.g. when you copy another file to the same volume).
Therefore, if you delete a 700 MB movie file, Volume Shadow Copy does not have to back up 700 MB of data. Because it operates on the block level, it does not have to back up anything, as the blocks occupied by the file are unchanged! The only thing it has to back up is the blocks occupied by the Master File Table, which has changed.
If you then start copying other files to the same disk, some of the blocks formerly occupied by the 700 MB file will get overwritten. VSC will make backups of these blocks as they get overwritten.
If VSS is constantly backing up blocks of data that get overwritten, what actually happens when a restore point is created if data is automatically being backed up anyway?
Not much — VSS simply starts backing up the data to a new place, while leaving the “old place” there (at least until it runs out of space). Now you have two places to which you can restore your system, each representing a different point in time. When you create a restore point, you’re simply telling VSS: “I want to be able to go back to this point in time”.
Note that it’s a mistake to think that VSS is backing up every change you make! It only backs up enough to enable you to go to a specific point in time. Here’s an example scenario to clear things up:
- You create a file (version #1)
- You create a restore point
- You change the file (resulting in version #2) — VSS backs up version #1
- A week later, you change the file again (resulting in version #3) — VSS doesn’t back anything up, because it already has version #1 backed up. As a result, you can no longer go back to version #2. You can only go back to version #1 — the one that existed when the restore point was created.
(Note that actually VSS doesn’t operate on files but on blocks, but the principle is the same.)
What are the security implications of Volume Shadow Copy?
Suppose you decide to protect one of your documents from prying eyes. First, you create an encrypted copy using an encryption application. Then, you “wipe” (or “secure-delete”) the original document, which consists of overwriting it several times and deleting it. (This is necessary, because if you just deleted the document without overwriting it, all the data that was in the file would physically remain on the disk until it got overwritten by other data. See question above for an explanation of how file deletion works.)
Ordinarily, this would render the original, unencrypted document irretrievable. However, if the original file was stored on a volume protected by the Volume Shadow Copy service and it was there when a restore point was created, the original file will be retrievable using Previous versions. All you need to do is right-click the containing folder, click Restore previous versions, open a snapshot, and, lo and behold, you’ll see the original file that you tried so hard to delete!
The reason wiping the file doesn’t help, of course, is that before the file’s blocks get overwritten, VSC will save them to the shadow copy. It doesn’t matter how many times you overwrite the file, the shadow copy will still be there, safely stored on a hidden volume.
Is there a way to securely delete a file on a volume protected by VSC?
No. Shadow copies are read-only, so there is no way to delete a file from all the shadow copies.
A partial solution is to delete all the shadow copies (by choosing Control Panel | System | System protection | Configure | Delete) before you wipe the file. This prevents VSC from making a copy of the file right before you overwrite it. However, it is quite possible that one of the shadow copies you just deleted already contained a copy of the file (for example, because it had recently been modified). Since deleting the shadow copies does not wipe the disk space that was occupied by them, the contents of the shadowed file will still be there on the disk.
So, if you really wanted to be secure, you would also have to wipe the blocks that used to contain the shadow copies. This would be very hard to do, as there is no direct access to that area of the disk.
Some other solutions to consider:
- You could make sure you never save any sensitive data on a volume that’s protected by VSC. Of course, you would need a separate VSC-free volume for such data.
 You could disable VSC altogether. (After disabling VSC, you may want to wipe the free space on your drive to overwrite the blocks previously occupied by VSC, which could contain shadow copies of your sensitive data.) However, if you disable VSC, you also lose System Restore functionality.  Curiously, Windows offers no option to enable VSC only for system files. If you want to protect your system, you also have to enable Previous versions (see screenshot to the right). You could disable VSC altogether. (After disabling VSC, you may want to wipe the free space on your drive to overwrite the blocks previously occupied by VSC, which could contain shadow copies of your sensitive data.) However, if you disable VSC, you also lose System Restore functionality.  Curiously, Windows offers no option to enable VSC only for system files. If you want to protect your system, you also have to enable Previous versions (see screenshot to the right).
- The most secure approach is to use an encrypted system volume. That way, no matter what temporary files, shadow copies, etc. Windows creates, it will all be encrypted.
Notice that VSC only VSC only lets you recover files that existed when a restore point was created. So if the sequence of events is as follows:
create file → create restore point → make encrypted copy → overwrite original file
the original file will be recoverable. But if the sequence is:
create restore point → create file → make encrypted copy → overwrite original file
you are safe. If you make sure to encrypt and wipe files as soon as you create them, so that no restore point gets created after they are saved on disk in unencrypted form, there will be no way to recover them with VSC. However, it is not easy to control when Windows creates a restore point; for example, it can do it at any time, just because your computer happens to be idle.
Can I prevent VSC from keeping snapshots of certain files and folders?
Yes, but you have to edit the registry to do that. Here are detailed instructions from MSDN.
What happens when VSC runs out of space?
Most of the time, most of the data on your disk stays unchanged. However, suppose you uninstall a 5 GB game and then install another 5 GB game in its place. This means that 5 GB worth of blocks got overwritten and had to be backed up by VSC.
In such “high-churn” scenarios, VSC can run out of space pretty quickly. What happens then? VSC deletes as many previous shadow copies as necessary, starting from the oldest, until it has enough space for the latest copy. In the rare event that there isn’t enough space even for the one most recent copy, all the shadow copies will be deleted. There are no partial copies.
Thanks to Adi Oltean, who was one of the engineers of Volume Shadow Copy at Microsoft, for answering my questions on the subject.
 
	
This helpful information. Thank you for posting !
So am I right in thinking I cannot completely delete a file now I’m using Win7?
What is still not clear for me is the following…
Let’s say I disable VSC functionality… Can deleted files still be there if they were copied by VSC in the past?
Am I right to say that because you can’t wipe the “VSC partition” that the remnants of data will stay there until a full disk wipe?
If so, it seems like a serious security problem to me.
If you disable VSC completely, the disk space occupied by VSC will be deallocated (it will become free space). If you then wipe the free space on your drive, the VSC data should be gone.
Thanks. This was a very helpful post.
If you’ve enough free disc space have a look at the example to uninstall a 5 GB game and install another 5 GB game. This 5 GB of data will not be exact same file sizes and file order. So only some of these new files will overwrite blocks including old game files.
But if you think it’s good often using defragmentation tools you might loose some of your VSC functionally cause you exactly work against it’s idea keeping VSC volume small. Using defragmentation you force using same data blocks for the new files.
Anyway thanks for the nice information about the VSC file wipe desaster.
Great information and great tip advising people to use full disk encryption. Thanks for the post.
sorry if I missed this above. Is what you are describing also what happens when you manually create a System Restore Point when you are about to install a new program? And, if you have System Restore Protection enabled, is creating a manual restore point still necessary? I would think it is, since an automatic restore point creation is not guaranteed.
Excellent post, btw.
There is no functional difference between automatic and manual restore points.
To answer your second question, it may be advisable to create a manual restore point occasionally. You might want to do it before installing new software if you’re worried it might screw up your system drive.
First, thanks for the nice expose on VSS. Second, I’m a fellow Pole and – strangely enough – share your curiuosity and perfectionistic tendencies (national trait, perhaps). Now to the point, I also have been reading and experimenting with VSS lately, but I still find a couple of questions unanswered. How exactly does each Shadow Copy store information about the original location of each copied block? Are blocks stored on a virtual (i.e. location within file) or logical (i.e. location on the volume) basis? What happens if the original volume gets defragmented? If you happen to have figured these things out, I’d love to hear.
Cheers!
Andrew
Hi Andrew,
Always nice to hear from a fellow Pole. Your written English is pretty good, BTW.
Let me try to answer your questions in order:
“How exactly does each Shadow Copy store information about the original location of each copied block?”
I don’t know the details, but blocks are numbered, so I imagine it should be pretty simple to store some sort of table to map the shadow blocks to actual block numbers on the original disk.
“Are blocks stored on a virtual (i.e. location within file) or logical (i.e. location on the volume) basis?”
Logical. Though the block size used by VSS is always 16 KB, which does not always match the block size used by NTFS.
“What happens if the original volume gets defragmented?”
Good question. Defragmentation moves blocks around, which could cause the Volume Shadow Copy service to detect a lot of block changes, quickly filling the shadow space with previous versions of blocks. Supposedly, the defrag utility in Vista/7 has been optimized to minimize this. How exactly? No details have been published.
One possibility that I can think of would be to write data into blocks which are considered free not only now, but also in all the shadow copies. That way, a backup copy of the free block will not have to be made before the write, as no shadow copies will need the data in that free block. But I’m basically pulling this out of thin air.
It is also worth noting that defrag in Vista/7 moves files around less than in XP. A 640 MB file that consists of ten 64 MB chunks in different places on the drive is considered defragmented in Vista. (The rationale is that it’s not worth it to defrag it into a single contiguous 640 MB chunk, as the only difference when reading the file is 9 additional seek operations, each taking a few milliseconds.)
The angle about defragmentation causing excessive VSS copy-on-write is interesting and merits its own investigation. I find it curious that VSS chooses a fixed (not configurable) block size of 16K, while NTFS defaults to only 4K for most consumer hard drives.
I was actually more interested in how a block from a shadow copy can be restored to its proper original location, when that location has been changed during the defrag operation. In other words, if there is some map of shadow copy blocks to logical cluster numbers on disk, wouldn’t the defrag utility have to update this map when it moved some clusters around?
On the other hand, if virtual block numbers were used in the map, then defragmentation wouldn’t have an impact.
As far as I’ve been able to tell, the defrag utility does not change anything in the shadow copies. It just moves things around while VSS tracks the changes and updates the shadow copies. Remember that VSS uses 16k blocks while defrag uses 4k blocks (usually). So it would only be possible to update the mapping of shadow blocks to logical blocks if defrag happened to move a whole 16k block — but not if it moved 4k, 8k or 12k.
BTW, if shadow blocks mapped to locations within files, wouldn’t there be a bit of a problem if you had two or more files in the same block?
thanks for the post, but it raises more questions than it answers. I’m here becasue I have XP that badly needs defragmenting but the “shadow volume copy service” s blocking it–I keep turning off the restore but it automatically goes back on. You say it does even work in XP–but unfortunately it is. I keep reading that other people have the same problem and can’t defrag after 3%–Is there no answer but to toss this junk and buy and new computer?
Great post! I have one lingering question about how shadow copy accesses/tracks blocks on the disk. Does it, or can it, ever reference a block that is marked free in the filesystem?
In other words, let’s say you have a security program that writes zero to all “unused” blocks according to the filesystem.
Will that break shadow copies that reference those blocks, or are shadow copies completely self-contained?
Hello, I have a problem, i have windows 7 64 bit on a new pc..
I did a reinstall( because of a boot problem),now, i have a unletter named volume of 100 mb, and my shadow copy service doesnt work, sustem restore is on, but when i try to access a restore point, it say saccess denied, also, its not using that 100 mb volume( on the same disk) for restores anymore. Its putting them on volume C.
I read some, listed my providers, for vss and all i have vss microsoft 1.0. I checked services and vss is on, set to manual, as the instructions said to do. But, this 100 mb volume isnt being used anymore, and i cant get a usable restore point. How do i ( word for word, reactivate vss, and set it up. Why isnt windows 7 doing it automatically. Its every aggravating. I cant delete this 100 mb volume, wont let me. Cant reformat it, so. please help me, and if u can, be very specific in instructions. click for click.Thanks.
“A partial solution is to delete all the shadow copies (by choosing Control Panel | System | System protection | Configure | Delete) before you wipe the file. ”
This tab is NOT on my computer. (Vista64 sp2.) Is it therefor available from the command line, and if so, what is the command?
You know, it is very misleading for you to write something like this that is not true! This assumption by you that all other computers are just like yours is a continuing problem with the apparent “technical arrogance” of “experts” like yourself. At first sight, I want to commend you for this article, but on the other hand, if one thing you write is not correct, then I cannot tell what other parts of your essay are truth, and what other parts are crap.
Wondering what happen when a shutdown occur when VSS is running?
Is VSC recoverable from HD using different computer? When I re-installed win7, I realized that I did not backup some of my important files. I recovered gigs of data including system restore files. Some of the files are corrupted. I was wondering if it is possible to open VSC files on different computer?
Just installed Win 7 SP1 Professional.
At boot VSC is set at Manual (not set as Automatic) in Services and has not Started. I have not yet used VSC to create a System Restore point.
Is this normal? Or should VSC be at Automatic at boot?
I think this is normal. The Volume Shadow Copy service is set to Manual on my machine as well. The service appears to be working.
I have a question, and I hope this thread is still being monitored. I have been assigned a task to provide a solution to have multiple previous versions of files available to users. I understand that the default config will not provide a solution (a daily task that only runs once a week? 😐 ). So I wrote a vbs that calls Systemrestore.createrestorepoint and set it to run every hour which worked great (I had previous versions of modified files every hour for a day (thats when I stopped it). I thought my task was over, but the taskmaster said that he does not want system state turned on in system protection, just files and folders. But the script fails when I run it under these settings “The service cannot be started, either because it is disabled or because it has no enabled devices associated with it”. Now from what I understand now about vss works at the block level I would be perfectly content with doing full restore points every hour. But he does not want system state changes tracked, only files and folders (grrr). Does anyone have any suggestions on how to do this? (“%windir%system32rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation” is completely useless because it only runs once a week, and the Systemrestore.createrestorepoint method only works if system state is enabled). Also, I think I can understand why this shouldn’t work without full system state (how does a block level change tracker distinguish between system state and files) but if there is no solution for systemrestore point creation with just files and folders selected (how come the manual restore point (pressing the button) works then?) can someone offer me a link to an official MS site that says that this is impossible (been researching this for a month and I came to this conclusion a month ago)?
Thanks
It really sounds like you’re looking for more of a real-time versioning/version control/change tracking system, which VSS isn’t exactly meant to do. That said, I guess if you have to kludge it…
Your current method seems to be a bit overkill – you’re creating a full system restore point when you really want to just create a volume snapshot.
Restore Previous Versions would give you the view for just the files. However, that still doesn’t address your need to have snapshots at predictable intervals.
For that, try these two links for more info:
http://technet.microsoft.com/en-us/library/cc787108%28WS.10%29.aspx
http://social.technet.microsoft.com/Forums/en-ZA/winservercore/thread/c951f442-13a6-4bd6-aa83-dcc282b24e78
Since this is just a blog comment thread, not a tech forum, you might find it helpful to ask your question at either the Windows SevenForums (www.sevenforums.com) or the Windows Secrets Lounge (lounge.windowssecrets.com). They’re both very active, helpful forums for tech questions.
One question I’d have for your boss is whether he wants access to periodic versions of work files or to every version. If it’s really the latter, then VSC isn’t going to get you there–what’s really needed is a file synchronization app that can watch specific folders and trigger a one-way sync (i.e., a backup) whenever a file in one of those folders changes. I use GoodSync for exactly that purpose on my workstation to back up local work files to an external HDD. Whether GS would work on a server or not is another matter, but it’s somewhere to start.
Otherwise, have you thought about segregating all data on a separate volume/partition? In that case, you’d be able to turn off system protection for your system volume, and turn on only files and folders on the data volume (in the System Protection tab of the System Properties control panel). Whether triggering “create a restore point” would then work is a good question, but if the problem was not having system state enabled on the system volume, then this might get around that.
That said, this seems like an awful lot of work just to get an outcome that a file sync app would do better.
Thanks for the informative article–this is a more useful explanation than what’s on Wikipedia!
I seem to understand about VSC and what it implies.
However can i switch the service off if i,
A)primary drive c: is an SSD
B) Use windows home server 2011 to make daily ,weekly backups.
surley ther is no need to run VSC if these two criteria are met.
curious.:)
One useful thing that VSC provides is the ability to snapshot files that are in use. Some backup programs use this to take a backup of ever-changing files (like databases and system files).
Not sure if the WHS 2011 backup function uses this facility or not… If you can turn it off without breaking WHS 2011 (or it nagging), then you’re probably fine.
I have tried to find out why – contrary to numerous identical statements in Microsoft help files and documentation – my Win7 machine did NOT create daily snapshots automatically. Only after searching the net for quite a while I found this excellent blog and found out that number crunching for SETI and reliable automatic shadow copies are mutually (quite) exclusive 😉
Thanks for sharing your insights about VSC.
Hello Tomasz,
I came across your blog because I wanted to delete some old shadow restore points that never seem to get deleted. Your article was very well done and it got me to look at the rest of your blog.
I normally don’t make comments on blogs but I noticed something while reading yours, so I thought I’d let you know about it. I’m just as obsessive about my Hard Drive use and I noticed that every 30 sec your site would write to the disc. Below are 2 of those writes as an example:
16:47:00 Change: C:UsersJackAppDataRoamingMozillaFirefoxProfilesfbok4wn5.Firefox 4cookies.sqlite
16:47:30 Change: C:UsersJackAppDataRoamingMozillaFirefoxProfilesfbok4wn5.Firefox 4cookies.sqlite
The security aspect of cookies or anything else about them doesn’t concern me, only the constant unnecessary HD use. Just while writing this note there were over 200 writes to that file. What are you actually accomplishing?
In spite of this I’ll revisit your blog because it was a great read.
canoetoday
Greetings:
Am I correct in assuming every time a change is about to be made to a 16 kb block, a copy of the block is made to the shadow file? If so, that means I should be able to use VSS to step back to the condition before every change. But I noted the comment above “Volume Shadow Copy only allows you to go back to the moment when a restore point was made, which could be several days ago. So if you do screw up your dissertation, you might have to roll back to a very old version.” Under what circumstance would I not be able to recover a file to the condition before a specific change?
Dziękuję bardzo
This is a very good and helpful post. Sharp and simple. Thanks.
Great article. Thanks.
Hi – I wonder if you can help me. I am trying to back up as usual and I am getting a message that says a component of the Volume Shadow Copy/System encountered a problem. I have tried going through my hard drive etc but it stil won’t let me back up. Oh I am on Windows 7. Thanks
Did you ever find a solution? I am having a problem that sounds similar.
SELECTIVE DELETION OF SYSTEM RESTORE POINTS
Looking at one of the tutorials: on Windows Seven Forums about deleting system restore points: System Protection Restore Points – Delete > http://www.sevenforums.com/tutorials/336-system-protection-restore-points-delete.html
Options 3 and 4 of the tutorial cover deleting system restore points SELECTIVELY with CCleaner or System Restore Explorer.
My questions about doing such selective deletions of restore points with these utilities are:
1. Is there any risk in deleting restore points at various arbitrary points. Are they interdependent? Will deleting some cause a risk of others not working? Tomasz, in the article above says: “The second important fact is that shadow copies are incremental”. I asked this question on the Windows 7 forum and Brink (Shawn), the tech expert on this replied: “restore points are not interdependent on other restore points. Each restore point is a full and separate restore point” – and so selective deletion is possible.
2. Does selective deletion of restore points with CCleaner etc.,actually save any disk space; or is it simply cleaning up a list so that after the deletion of unneeded ones only the restore points considered useful are presented in the list – whereas system restore disk usage and the physical restore points are left unaffected. I asked this on the same forum and the response was: Deleting the points [selectively, with CCleaner or System Restore Explorer] does recover disk space.
I am hoping someone can clarify these issues for me. Can I selectively delete restore points without affecting the use of the ones I allow to remain. Will it recover disk space used by system restore?
Thank you.
SYSTEM RESTORE vs SYSTEM IMAGE RESTORE
Would I be right to conclude that a system restore is AS clean a restore to a previous time (for system settings and critical files) AS a restore from a system image (although this is fuller).
I am aware that a system image is of ALL the C drive – whereas a system restore is only for certain file extensions and locations (Actually, on my Windows 7 x64 system all user folders, Downloads, My Documents, Pictures etc. are on a separate partition – except for App Data).
More specifically for the registry: does a system restore replace the registry to exactly as it was at the restore point – or are there overlaps, redundant entries and duplication introduced by the restore.
I am asking because I believe in Windows XP a system restore simply overlay the newer (now dated) registry with the older system restore dated one – so expanding and complicating the registry; at least this is what the developer of ERUNT said.
So given a situation where all I want to restore is an EXACT image of critical system settings and programs at a given time in the past am I making the right choice in doing a system restore – which is very fast.
Will doing multiple system restores (over time) to different periods complicate or confuse the system as time goes on?
I need to decide whether to normally and frequently rely on system restores (I test a lot of programs) without this frequent use complicating my system over time. If system restores are clean and exact restores to a previous time then I would only use my Macrium Reflect full system images when absolutely needed (say, in the case of a virus, or a disk defrag gone wrong, or other situations when system restore may not work).
I would greatly appreciate some feedback on this. Thank you.
GREAT BLOG! It might be interesting to note that VSC does not play nice with some other defragging programs. When I used defraggler by Piriform, I went from having 48% free space to 3% free space. After an abundance of research, I figured out it was from VCS. Defraggler does a great job of defragging, but VCS thinks every change needs to be copied. After I used the disk cleanup utility option to delete the VSC, I got all my free space back. Thanks for all the info.
Wow, I have been looking all over the web and your post is by far the most complete explanation that I have found.
I too am very curious how VSS relates the “dirty” blocks to filenames. I suspect that it includes a backup of the Master File table too, in which each file record contains a list of allocated clusters.
Finally there is just one point in your long post which must be wrong or at least confusing. In one place you said each restore point is a snapshot of files as they were at that particular time. In another you say that changed blocks are written to the last Restore Point file before they are overwritten. If this latter statement is correct, then a Restore Point for a particular date will contain changes since that time. Furthermore, since this will be an incremental process, all versions of a file will be saved (though maybe overwritten later) even when Restore points are far apart, and the last Restore Point will always include the latest change to your dissertation!
Any chance of a follow up article (or private email to me as I am trying to research these topics).
Thanks Paul
Could you point me to the place where I write that “each restore point is a snapshot of files as they were at that particular time” and that “changed blocks are written to the last Restore Point file before they are overwritten”? I skimmed the post, but couldn’t find those places.
Hi, Thank you for this article; yes it is the best I found on the web.
It would be valuable to have the confusing point highlighted by Paul Mullen cleared up. I quote Paul:
“Finally there is just one point in your long post which must be wrong or at least confusing. In one place you said each restore point is a snapshot of files as they were at that particular time. In another you say that changed blocks are written to the last Restore Point file before they are overwritten. If this latter statement is correct, then a Restore Point for a particular date will [only] contain changes since that time. Furthermore, since this will be an incremental process…”
A clarification will also decide whether a restore point is independent of others (a complete snapshot in itself) – or dependent on previous restore points.
With thanks, Andrew.
To answer my own question, I have now realized that the problem is that we need to distinguish the logical concept of a “Snapshot”, and the Shadow Copy file in System Volume Information which implements it.
Logically a Shadow Copy or Snapshot is everything on the disk (except free space and swap file) as it existed at that point in time. However it is not a backup – obviously there is no way you can store a duplicate copy of a 500 Gb hard drive in a 2 Gb Shadow Copy file. Instead (to simplify a little) the logical “snapshot” when first created simply points to the contents of the actual drive. Then, only when a block on the drive is written to, it copies the original version of that block to the shadow copy file (sometimes called a “diffs” file).
The Volsnap service (VSS) allows you to mount a shadow copy (almost) as if it were a real disk drive. You can create a drive letter, mount point or symbolic link. Google “Dosdev” for information. Unfortunately Windows Explorer won’t read this “pseudo-drive” but the shareware program Total Commander will. When you read a shadow copy VSS reads the block from the real drive if it hasn’t changed, or from the diffs file if it has. So what you see are the blocks on disk as they existed at the time of the “snapshot”.
Shadow copy works purely in terms of 16k physical drive blocks. It knows nothing about the file system. However those drive blocks include the NTFS file system (Master File Table etc.) and since reading the shadow copy returns the blocks in the MFT as they were at the “snapshot” time, the system will see the files and folder structure as they were at that time and each of these recreated MFT entries will point to the content of the clusters it occupied as they were at that time.
When system protection creates a new shadow copy, the diffs file is frozen and subsequent changes are written to a new diffs file. So to see the drive as it was at the time of an earlier restore point, you need to use the diffs for the snapshot you want and for all later snapshots. So a snapshot is dependent on later restore points but not on earlier ones.
Very good explanation. Thanks for the contribution. I have added some text to make it clearer that shadow copies are not true snapshots.