
Does anybody recall how Volume Shadow Copies Worked in XP?

(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

So in Vista and newer, shadow copies are made of various files like user data files and OS files all the time, for restore points and as backups.

Just to double check, I cleared all my Firefox history on Windows 10, and then went to the Previous Versions tab after right click/properties, and there it was, older versions of deleted internet history.

I'm trying to figure out what the function was in Windows XP, which was apparently different.

Some sources say they were connected with the Restore points, others say they weren't connected to the restore points at all, but were just used to snapshot open OS files when you were about to do a backup.

They also say that on XP, the shadow copies were not kept after powering off the system. Which to me (not a very smart guy) doesn't make sense. What exactly is the point of it in XP?

Could you go to a "previous version tab" on a whole plethora of files like Firefox history, like you can in the newer operating systems?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

In XP Volume Shadow Copies were - strangely enough - shadow copies of Volumes (and it's not like they changed - much - in Vista and later, the way they are used or accessed did).

Its "alternate" name was "Volume Snapshot Service".

It is a "backup" tool, rather than a "versioning" tool.

You need in XP an add-on, the "Previous Versions Client" application
http://windowsitpro.com/windows-server-2003/making-sense-volume-shadow-copy-service
to have the same kind of functionality that there is in Vista and later, but it has to be seen - cannot really recall - if it works with "local" shadow copies, you will probably need a third party tool *like*
http://www.z-dbackup.com/vss-shadow-copy-open-file-backup.html

Otherwise you need to "mount" the snapshot and copy from it the relevant file(s).

The news, besides the built-in "previous versions" were the "format" in which the Shadow Copy was stored (it is a .vhd since 7).

And, in 8/8.1, things changed again (for the worse, of course), JFYI
http://www.msfn.org/board/topic/170497-whats-it-going-to-take-to-restore-previous-versions-from-shadow-c/

jaclaz


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> Some sources say they were connected with the Restore points, others say they weren't connected to the restore points at all, but were just used to snapshot open OS files when you were about to do a backup.
>
> They also say that on XP, the shadow copies were not kept after powering off the system. Which to me (not a very smart guy) doesn't make sense. What exactly is the point of it in XP?

You just answered your question: shadow copying was a way to ensure that backups had a consistent file system. It could be used for other purposes, as it allowed plug-ins, but that 'consistent view of file system' that wouldn't change during the time processing happened was the fundamental reason for it.

From a forensic point of view it makes a lot of sense: a live image should probably be done on a snapshotted file system, right?

> Could you go to a "previous version tab" on a whole plethora of files like Firefox history, like you can in the newer operating systems?

Yes, provided that the volume was on a Windows Server 2003 server, and that you were using XP SP2 or later (or installed the relevant client software by hand).


   
(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

> > Some sources say they were connected with the Restore points, others say they weren't connected to the restore points at all, but were just used to snapshot open OS files when you were about to do a backup.
> >
> > They also say that on XP, the shadow copies were not kept after powering off the system. Which to me (not a very smart guy) doesn't make sense. What exactly is the point of it in XP?
>
> You just answered your question: shadow copying was a way to ensure that backups had a consistent file system. It could be used for other purposes, as it allowed plug-ins, but that 'consistent view of file system' that wouldn't change during the time processing happened was the fundamental reason for it.
>
> From a forensic point of view it makes a lot of sense: a live image should probably be done on a snapshotted file system, right?
>
> > Could you go to a "previous version tab" on a whole plethora of files like Firefox history, like you can in the newer operating systems?
>
> Yes, provided that the volume was on a Windows Server 2003 server, and that you were using XP SP2 or later (or installed the relevant client software by hand).

Sorry, I misunderstood what you meant about that last part. You needed to have the volume on a Windows Server 2003 AND Windows XP SP2 and later? Do you mean just having the lone XP system without anything on a server, you couldn't utilize the shadow copy service, therefore not able to restore, for example, the Firefox history from the Previous versions tab?


   
(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

> In XP Volume Shadow Copies were - strangely enough - shadow copies of Volumes (and it's not like they changed - much - in Vista and later, the way they are used or accessed did).
>
> Its "alternate" name was "Volume Snapshot Service".
>
> It is a "backup" tool, rather than a "versioning" tool.
>
> You need in XP an add-on, the "Previous Versions Client" application
> http://windowsitpro.com/windows-server-2003/making-sense-volume-shadow-copy-service
> to have the same kind of functionality that there is in Vista and later, but it has to be seen - cannot really recall - if it works with "local" shadow copies, you will probably need a third party tool *like*
> http://www.z-dbackup.com/vss-shadow-copy-open-file-backup.html
>
> Otherwise you need to "mount" the snapshot and copy from it the relevant file(s).
>
> The news, besides the built-in "previous versions" were the "format" in which the Shadow Copy was stored (it is a .vhd since 7).
>
> And, in 8/8.1, things changed again (for the worse, of course), JFYI
> http://www.msfn.org/board/topic/170497-whats-it-going-to-take-to-restore-previous-versions-from-shadow-c/
>
> jaclaz

What I don't understand is what specifically in the volume XP was making shadow copies of. Was it just OS files, was it user data or stuff like that? The entire thing? Was it just things "shared" on a server?

I have been reading about these non-stop for almost a day, and I still cannot connect the dots.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> What I don't understand is what specifically in the volume XP was making shadow copies of. Was it just OS files, was it user data or stuff like that? The entire thing? Was it just things "shared" on a server?
>
> I have been reading about these non-stop for almost a day, and I still cannot connect the dots.

Well this depends (depended) on settings, the Volume Shadow Service by default (if enabled) was used by backup/system restore to make a periodical snapshot of the "C:\" volume.

The missing dot connection maybe is that the VSS (the actual vssvc.exe) is more than anything else a "background running service" that is used by this or that "client" (actually requester), this is the "correct" definition:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb968832(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/windows/desktop/aa384625(v=vs.85).aspx

In "plain" XP the service was used by the "System Restore" feature
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/
by default a system snapshot was created every 24 hours, only a number of files/path were comprised in what is/was snapshot, and some related settings are in the registry (if you want a headache make a table of different settings and policies/directives supported in various OS versions from the following ;) )
https://msdn.microsoft.com/en-us/library/windows/desktop/bb891959(v=vs.85).aspx

The service was used also during a backup operation by the backup tool (but only to access a file in use).

But once you have a System Restore snapshot, you can mount them or use third party tools to explore them, as said "previous versions" in newer OS are more than anything else a different way/interface to access the data.

jaclaz


   
(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

> > What I don't understand is what specifically in the volume XP was making shadow copies of. Was it just OS files, was it user data or stuff like that? The entire thing? Was it just things "shared" on a server?
> >
> > I have been reading about these non-stop for almost a day, and I still cannot connect the dots.
>
> Well this depends (depended) on settings, the Volume Shadow Service by default (if enabled) was used by backup/system restore to make a periodical snapshot of the "C:\" volume.
>
> In "plain" XP the service was used by the "System Restore" feature
> http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/
> by default a system snapshot was created every 24 hours, only a number of files/path were comprised in what is/was snapshot, and some related settings are in the registry (if you want a headache make a table of different settings and policies/directives supported in various OS versions from the following ;) )
> https://msdn.microsoft.com/en-us/library/windows/desktop/bb891959(v=vs.85).aspx
>
> The service was used also during a backup operation by the backup tool (but only to access a file in use).
>
> jaclaz

Here is a quote from a blog I found, comparing VSS from XP to Vista and up

https://web.archive.org/web/20091214001030/http://blog.szynalski.com/

"How is this different from what is in Windows XP?

In Windows XP, System Restore does not use the Volume Shadow Copy service. Instead, it uses a much simpler mechanism: the moment a program attempts to overwrite a system file, Windows XP makes a copy of it and saves it in a separate folder. In Windows XP, System Restore does not affect your documents – it only protects files with certain extensions (such as DLL or EXE), the registry, and a few other things (details). It specifically excludes all files in the user profile and the My Documents folder (regardless of file extension)"

Also, the bleeping computer article you linked doesn't specifically say anything about using the VSS for the restore feature in XP, just that it creates backups of files that are used in the restore process. This is most likely why I can't connect the dots. Why would XP be creating a shadow file for something that isn't even utilized in System Restore?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

My bad :( , I checked, System Restore did not use VSS in Windows XP (it started using it in Vista) to create the snapshot, it uses it only to backup files in use.

You needed to use a third party tool or the vshadow.exe in the SDK 7.2 to create a shadow copy in XP, backup created a non-persistent one
https://blogs.msdn.microsoft.com/adioltean/2004/12/14/creating-shadow-copies-from-the-command-line/
https://blogs.msdn.microsoft.com/adioltean/2006/09/19/a-bit-of-black-magic-how-to-assign-drive-letters-to-vss-shadow-copies-on-windows-xp/
http://www.microsoft.com/en-us/download/details.aspx?id=23490
http://edgylogic.com/blog/vshadow-exe-versions/
http://sourceforge.net/projects/vscsc/

jaclaz


   
(@kurt2121)
Eminent Member
Joined: 9 years ago
Posts: 43
Topic starter  

> My bad :( , I checked, System Restore did not use VSS in Windows XP (it started using it in Vista) to create the snapshot, it uses it only to backup files in use.
>
> You needed to use a third party tool or the vshadow.exe in the SDK 7.2 to create a shadow copy in XP, backup created a non-persistent one
> https://blogs.msdn.microsoft.com/adioltean/2004/12/14/creating-shadow-copies-from-the-command-line/
> https://blogs.msdn.microsoft.com/adioltean/2006/09/19/a-bit-of-black-magic-how-to-assign-drive-letters-to-vss-shadow-copies-on-windows-xp/
> http://www.microsoft.com/en-us/download/details.aspx?id=23490
> http://edgylogic.com/blog/vshadow-exe-versions/
> http://sourceforge.net/projects/vscsc/
>
> jaclaz

No worries :)

So, jumping back to an earlier point, and now knowing that VSS wasn't used for restore points..

..let's say (I'll use the Firefox history example again) that the history file is deleted on XP, I reboot the computer, find the new history file, go to Previous Versions tab and look for the previous one. It's not going to be there, is it? Because the snapshots in XP don't survive reboots? If I checked before I rebooted, it probably would have been there though.

That's my current (but changing every second) understanding of it, is that how you see it as well?


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> Sorry, I misunderstood what you meant about that last part. You needed to have the volume on a Windows Server 2003 AND Windows XP SP2 and later? Do you mean just having the lone XP system without anything on a server, you couldn't utilize the shadow copy service, therefore not able to restore, for example, the Firefox history from the Previous versions tab?

The XP 'Shadow Copy' functionality was not so much of a shadow copy functionality as a file system snapshotting functionality. (I should probably have used the term 'snapshot' in my previous post to make that clear. By 'snapshot' I mean functionality to retain a file in a stable state – if it's deleted or updated once the snapshot has been taken, the snapshot data does not reflect that. Sometimes you see the term 'snapshot' used as a synonym to 'backup copy', but it needn't be the same.)

You snapshotted a file system, backed it up using the snapshot (or did something else with it), and then released the snapshot. There was no need to maintain a snapshot across a reboot, as the primary intended use (backup) didn't work across reboots.

Windows Server 2003 provided shadow copy/previous version as a service that used non-persistent snapshotting (or perhaps they found a way to persist them). I know that when you did connect to WS2003, you got that 'Previous versions' dialog – and I am fairly confident that you didn't get it on a standard shared Windows XP volume. (Though I'm not 100% certain that it was true for all XP releases. XP Home didn't, but XP Professional just might have had it … digging up an old test VM with XP Pro 2002 SP 2 … no, no 'Previous Version' on C or My Documents in a default installation.)

However, it would probably have been possible to install the necessary services etc. from WS2003 on XP, and get the shadow copy working locally. Technically, the operating systems are the same.

For pre-SP2 versions, the client needed to access 'Previous Versions' had to be installed manually.

I never was an XP admin, so I'm sure to miss some details.


   