So you have managed to delete some files/folders. Or perhaps even the wrong profile by scripting.
- First rule of recovery: Don’t write to the hard drive from which you want to recover data. If possible, shut off the computer until you have a plan.
- Second rule of recovery: Don’t forget to take backups.
- Third rule of recovery: Backups are only as good as the last restore test.
There are a couple of ways to recover data that has been deleted but not yet overwritten, but this blog post is about one method. This method requires the System Restore to be enabled. A little list of options:
- Restore using your backup. There is no replacement for a good backup.
- Restore using this method (Shadow Copy).
- Restore using data recovery software.
- Restore using a data recovery company, for example IBAS.
So how do we restore deleted files from a workstation using the Windows Shadow Copy Service?
Let’s start a command line window with administrative privileges.
First, just verify that we do have a snapshot to take it from.
There are a few ways of finding the same info. I prefer the wmic method, but using vssadmin works too, so I’ll just list both.
wmic path Win32_ShadowCopy get DeviceObject, InstallDate
vssadmin list shadows
So if you get an empty response then you are out of luck. But let’s hope that you got some responses. Find the one that was taken before the file was deleted. Make a note of the DeviceObject/Shadow Copy Volume. Then mount it as part of the filesystem so we can access it. The backslash at the end is super important.
mklink /D \Shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
When the mount is complete, just access the files. Just don’t copy to the same volume; you don’t want Windows to remove the snapshot while you are copying the files. When you are done, just remove the symbolic link.
rmdir \Shadow
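The same procedure as a PowerShell script, an added example that is not part of the original post: it picks the newest snapshot of the file’s volume taken before the deletion time, links it the same way the mklink line above does, copies the file to another volume and then removes the link. The path, timestamp and destination in the param block are assumed placeholders; run it from an elevated prompt.

```powershell
# Added example: restore one deleted file from the newest shadow copy taken before the deletion.
param(
    [string]$DeletedPath = 'C:\Users\alice\Documents\report.docx',   # deleted file (assumed placeholder)
    [datetime]$DeletedAt = (Get-Date),                                # when it was deleted (assumed)
    [string]$DestDir     = 'E:\Recovered'                             # must be a DIFFERENT volume
)

$volume   = (Split-Path -Qualifier $DeletedPath) + '\'               # e.g. 'C:\'
$volumeId = (Get-CimInstance Win32_Volume |
             Where-Object { $_.DriveLetter -eq $volume.TrimEnd('\') }).DeviceID   # \\?\Volume{GUID}\

# Same data as 'wmic path Win32_ShadowCopy get DeviceObject, InstallDate', restricted to
# snapshots of this volume that are older than the deletion, newest first.
$shadow = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeId -and $_.InstallDate -lt $DeletedAt } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $shadow) { throw "No shadow copy of $volume older than $DeletedAt; this method cannot help." }

# Put the link on the destination volume so nothing is written to the volume being recovered.
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null
$link   = Join-Path $DestDir 'ShadowLink'
$target = $shadow.DeviceObject + '\'                                  # trailing backslash is required
$p = Start-Process -FilePath cmd.exe -ArgumentList "/c mklink /D `"$link`" `"$target`"" `
                   -Wait -NoNewWindow -PassThru
if ($p.ExitCode -ne 0) { throw "mklink failed (exit code $($p.ExitCode))" }

try {
    $relative = $DeletedPath.Substring($volume.Length)                # path below the drive root
    $source   = Join-Path $link $relative
    if (-not (Test-Path -LiteralPath $source)) {
        throw "File not present in snapshot from $($shadow.InstallDate)"
    }
    Copy-Item -LiteralPath $source -Destination $DestDir
    Write-Host "Restored $DeletedPath as of $($shadow.InstallDate) to $DestDir"
}
finally {
    # Remove only the link, never its contents (same as 'rmdir \Shadow' above).
    Start-Process -FilePath cmd.exe -ArgumentList "/c rmdir `"$link`"" -Wait -NoNewWindow | Out-Null
}
```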