vshadow.exe
- File Path:
C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\vshadow.exe
- Description: VShadow, Volume Shadow Copy Service (VSS) Sample Requestor
Hashes
| Type |
Hash |
| MD5 |
91170F962E63A7065E39564DC5428EE3 |
| SHA1 |
27AAB9E8FE9D0547794FA86B808563BA22FB4F86 |
| SHA256 |
436EFB1D6574FA0DAB562C938C074BA38FF0FF938884690CFD0293182BC395B5 |
| SHA384 |
73B1AF32FD059754E7B1F92DFFBE8D09B6B19BF9402166C421839FC3A7D8263A1F74AB3D872F0BA5516AE5244F02A4F8 |
| SHA512 |
7151D7D9CE1988DF0236B70702E7699FC035F46E853C444F8F841970244E979946351E89496C5ED87FFA26689589259D8603BE5E3086AEFC638110F497E9A99F |
| SSDEEP |
6144:cMwdaYBYgBsKv5DzqELJ2J55ULdqSPovikkvzd/+:0a8YPW1+EsVULdq9Mvp+ |
| IMP |
702A07FF266ECFBCEEAC19B4BDB17820 |
| PESHA1 |
764ECEF5AB2E6B435100868D6B503CFE60B0B23F |
| PE256 |
BE6165E991C4F791C60A28E1CEEE77522CA944AFCD2C4C6911AE7F92E7E20DAF |
Runtime Data
Usage (stdout):
VSHADOW.EXE 3.0 - Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.
ERROR: invalid parameter '--help'
Usage:
VSHADOW [optional flags] [commands]
List of optional flags:
-? - Displays the usage screen
-p - Manages persistent shadow copies
-nw - Manages no-writer shadow copies
-nar - Creates shadow copies with no auto-recovery
-tr - Creates TxF-recovered shadow copies
-ad - Creates differential HW shadow copies
-ap - Creates plex HW shadow copies
-scsf - Creates Shadow Copies for Shared Folders (Client Accessible)
-t={file.xml} - Transportable shadow set. Generates also the backup components doc.
-bc={file.xml} - Generates the backup components doc for non-transportable shadow set.
-wi={Writer Name} - Verify that a writer/component is included
-wx={Writer Name} - Exclude a writer/component from set creation or restore
-mask - BreakSnapshotSetEx flag: Mask shadow copy luns from system on break.
-rw - BreakSnapshotSetEx flag: Make shadow copy luns read-write on break.
-forcerevert - BreakSnapshotSetEx flag: Complete operation only if all disk signatures revertable.
-norevert - BreakSnapshotSetEx flag: Do not revert disk signatures.
-revertsig - Revert to the original disk's signature during resync.
-novolcheck - Ignore volume check during resync. Unselected volumes will be overwritten.
-script={file.cmd} - SETVAR script creation
-exec={command} - Custom command executed after shadow creation, import or between break and make-it-write
-wait - Wait before program termination or between shadow set break and make-it-write
-tracing - Runs VSHADOW.EXE with enhanced diagnostics
List of commands:
{volume list} - Creates a shadow set on these volumes
-ws - List writer status
-wm - List writer summary metadata
-wm2 - List writer detailed metadata
-wm3 - List writer detailed metadata in raw XML format
-q - List all shadow copies in the system
-qx={SnapSetID} - List all shadow copies in this set
-s={SnapID} - List the shadow copy with the given ID
-da - Deletes all shadow copies in the system
-do={volume} - Deletes the oldest shadow of the specified volume
-dx={SnapSetID} - Deletes all shadow copies in this set
-ds={SnapID} - Deletes this shadow copy
-i={file.xml} - Transportable shadow copy import
-b={SnapSetID} - Break the given shadow set into read-only volumes
-bw={SnapSetID} - Break the shadow set into writable volumes
-bex={SnapSetID} - Break using BreakSnapshotSetEx and flags, see options for available flags
-el={SnapID},dir - Expose the shadow copy as a mount point
-el={SnapID},drive - Expose the shadow copy as a drive letter
-er={SnapID},share - Expose the shadow copy as a network share
-er={SnapID},share,path - Expose a child directory from the shadow copy as a share
-r={file.xml} - Restore based on a previously-generated Backup Components document
-rs={file.xml} - Simulated restore based on a previously-generated Backup Components doc
-revert={SnapID} - Revert a volume to the specified shadow copy
-addresync={SnapID},drive - Resync the given shadow copy to the specified volume
-addresync={SnapID} - Resync the given shadow copy to it's original volume
-resync=bcd.xml - Perform Resync using the specified BCD
Examples:
- Non-persistent shadow copy creation on C: and E:
VSHADOW C: E:
- Non-persistent shadow copy creation on a CSV named Volume1
VSHADOW C:\ClusterStorage\Volume1
- Persistent shadow copy creation on C: (with no writers)
VSHADOW -p -nw C:
- Transportable shadow copy creation on X:
VSHADOW -t=file1.xml X:
- Transportable shadow copy import
VSHADOW -i=file1.xml
- List all shadow copies in the system:
VSHADOW -q
Please see the README.DOC file for more details.
Loaded Modules:
| Path |
| C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\vshadow.exe |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
33000002CF6D2CC57CAA65A6D80000000002CF
- Thumbprint:
1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
- Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Original Filename: vshadow.exe
- Product Name: VShadow
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: Unknown
MIT License. Copyright (c) 2020-2021 Strontic.