Robocopy from Shadowcopies (Previous Versions)

by John C. Wray III Friday, May 6, 2016 1:46 PM

We got hit with Locky at work. It is ransomware that encrypts Office products, PowerPoint, spreadsheets, etc. The upside is we are running shadow copies and taking snapshots every four hours. We took the offending users offline and deleted the files Locky created. The file system was OK at 11:00am that day, so we used that to restore the missing files. We had 30,000-plus files infected. We initially tried to copy them out of Previous Versions. After a day it was still running with no end in sight. I cancelled that and decided to restore using robocopy. Here is the process to mount the shadow copy and run robocopy.

On the fileserver, open a command prompt. I put my stuff in a temp directory on the D drive.

You want to list all of the shadow copies available. Run this command to create a text file.

vssadmin list shadows > d:\temp\shadows.txt

We are looking for the copy at 11:00am. Open the shadows.txt file you created.


I search for the date, then look for the one with the time stamp you need.

We are looking for the Shadow Copy Volume name. This is what the symbolic link you create on the server will point to.

In an elevated command prompt, run this command. Make sure the mount point you want to use doesn't exist, or you will get an error. Also make sure there is a trailing slash on the shadow copy path, or you will see the mount point but not be able to access it.

mklink /d D:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy416\

Now you should see a folder on the D drive you can access.
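The manual search through shadows.txt and the mklink step above can be scripted. The PowerShell below is an added example, not part of the original post; it generalizes slightly by choosing the newest snapshot of a drive taken at or before a last-known-good time. The function names Get-ShadowCopy and Select-ShadowBefore are hypothetical, the vssadmin text and GUIDs are constructed, and en-US date formatting is assumed.

```powershell
# Added example. The vssadmin text below is constructed; on the fileserver use:
#   $text = vssadmin list shadows | Out-String
$text = @'
Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 5/6/2016 7:00:09 AM
         Original Volume: (D:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy415

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 5/6/2016 11:00:12 AM
         Original Volume: (D:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy416

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 5/6/2016 3:00:07 PM
         Original Volume: (D:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy417
'@

# Hypothetical helper: one object per "Shadow Copy Volume" line.
function Get-ShadowCopy {
    param([string]$VssText)
    $created = $null; $drive = $null
    foreach ($line in $VssText -split "`r?`n") {
        if ($line -match 'creation time:\s*(.+)$') {
            # Assumption: dates are in en-US format, as in the sample above
            $created = [datetime]::Parse($Matches[1].Trim(), [cultureinfo]'en-US'); $drive = $null
        } elseif ($line -match 'Original Volume:\s*\((\w:)\)') {
            $drive = $Matches[1]
        } elseif ($line -match 'Shadow Copy Volume:\s*(\S+)') {
            [pscustomobject]@{ Drive = $drive; Created = $created; Device = $Matches[1] }
        }
    }
}

# Hypothetical helper: newest snapshot of a drive taken at or before the cutoff.
function Select-ShadowBefore {
    param([object[]]$Shadows, [string]$Drive, [datetime]$NotAfter)
    $Shadows | Where-Object { $_.Drive -eq $Drive -and $_.Created -le $NotAfter } |
        Sort-Object Created | Select-Object -Last 1
}

$pick = Select-ShadowBefore -Shadows (Get-ShadowCopy $text) -Drive 'D:' -NotAfter ([datetime]'2016-05-06 11:05')
if (-not $pick) { throw 'No shadow copy at or before the cutoff' }
if (Test-Path 'D:\shadow') { throw 'D:\shadow already exists; mklink would fail' }
# Print (do not run) the command for an elevated cmd prompt, trailing backslash included
"mklink /d D:\shadow $($pick.Device.TrimEnd('\'))\"
```

With the constructed sample and an 11:05 cutoff, this selects the 11:00:12 AM snapshot and prints the same mklink line shown above.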

Next we share it out so we can access this from another server. I shared this out as shadow$.

On another server, not the fileserver, access the hidden shadow$ share.

Navigate to the path of the original data in that directory and copy the path to a text editor.

Next, navigate to the share of the path you want to restore to: not the mapped drive, but the full UNC path. You will need to open an elevated command prompt on this server and run robocopy with these switches.

robocopy /MT:16 "\\<server>\shadow$\OTC-IT\D_Drive\IT-Dept\Common" "\\<server>\IT-Dept\Common" /E /XC /XN /XO /W:0 /R:0

  • /MT:16 runs a multithreaded copy with 16 threads.
  • /E makes Robocopy recursively copy subdirectories, including empty ones.
  • /XC excludes existing files with the same timestamp, but different file sizes. Robocopy normally overwrites those.
  • /XN excludes existing files newer than the copy in the source directory. Robocopy normally overwrites those.
  • /XO excludes existing files older than the copy in the source directory. Robocopy normally overwrites those.
  • /W:0 sets the wait time between retries to 0 seconds.
  • /R:0 sets the number of retries on a failed copy to 0.

This will basically copy back only the missing files, which will be the Locky files you originally deleted.

Once that finishes, you will need to go back to the fileserver and clean up.

First unshare the shadows directory.

Open an elevated command prompt and remove the symbolic link with this command.

rmdir d:\shadow




