Windows Deleted File Recovery - Part 1.5, plus whinging :: 9/02/10 ~02:25
category: tech stuff/random
Not the full update as promised, since I've not got round to that yet, that's for another day. This is just a quick note on a tool for users of Vista or Win7 called ShadowExplorer. We had a guest lecturer in one of our classes last week who brought up this tool. To be brief, there's an in-built function in Win7 and Vista (all versions of both, apparently), called Volume Shadow Copy Service. Basically, this service is enabled by default on systems, and what it does is to periodically take snapshots of the hard drive. It takes up roughly 10% of the disk space available on the system, and it keeps the snapshots until it runs out of space; it works on a first-in-first-out basis, so it deletes the oldest to make room for the newest. There's no default tool in Windows to actually use this service, unless you're using one of the high end versions of the OS. However, ShadowExplorer is free, and an excellent little program.
I'm not 100% sure on what each snapshot actually shows. The guy who talked to us kind of implied that all they stored was the changed files from the previous snapshot, which would make sense as there are about 35/40 snapshots there, and a full image of the OS each time is going to be a spectacular waste of disk space. However, each snapshot does appear to contain the complete directory structure for the drive. I have no idea where these snapshots are actually saved, I don't have the slightest clue how the whole thing works either. The closest I can come to a guess would be that it works in the same way as mounting a logical drive, and that these snapshots are each a file held in a directory somewhere buried deep in System32. If anyone knows any more info about it, let me know! You can have a poke about in the command prompt, although it has to be run as an admin.

That's the output from running vssadmin list shadows. Clearly the location is there, but I have no idea what that actually translates to in the Windows directory hierarchy. Could be anywhere as far as I'm concerned.
A little bit of further poking about with vssadmin gives a fairly scary bit of info:

I have a 1 terabyte hard drive as my primary drive in this box. So 10%, give or take, should be ~100gb. My system has actually allocated a total of almost 140gb of available disk space to this service. Pretty terrifying waste of space, when you consider that if you don't have a high end version of Windows, there's actually very little you can do with these snapshots, at least not without third-party software. In fact, the fact that this service is so hidden away is a bit ridiculous when it's using such a formidable chunk of disk space.
Either way though, it's a bloody powerful tool, and if you want to recover old files, well, then it's absolutely perfect. I've just used it for that specific purpose. I'm not sure what precisely causes it to create a new snapshot; the oldest one on my system is from January 14th, but I have a good 7 or 8 different snapshots from January 16th. I do have several created from January 31st, which is the day I ran Memtest on my system as well as installing new graphics drivers, so I assume hardware and driver changes must trigger something. The constant stream dated January 16th are all from late at night, which coincides with the first post I made on this topic; perhaps the hardware change of inserting a USB device caused the system to create a snapshot. Can't say for sure, because I can't be bothered to test that right now (it's late), but I'd reckon that's a fair guess.
But yes. Deleted file recovery on Vista or Win7? Download ShadowExplorer.
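An added illustration, not part of the original post and not the author's own tooling: a small Python parser for saved `vssadmin list shadows` output that lists each snapshot's device path and counts snapshots per day, which makes bursts like the one on the 16th easy to see. The sample text is constructed (placeholder GUIDs, made-up times, trimmed to the three fields parsed), and the US-style timestamp format is an assumption; pass a different `time_format` for other locales.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout `vssadmin list shadows` prints, trimmed to
# the fields parsed below. GUIDs are placeholders; times are made up.
SAMPLE = r"""
   Contained 1 shadow copies at creation time: 1/14/2010 9:12:44 PM
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
   Contained 1 shadow copies at creation time: 1/16/2010 11:02:13 PM
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
   Contained 1 shadow copies at creation time: 1/16/2010 11:47:30 PM
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""

CREATED = re.compile(r"creation time:\s*(.+)$")
ORIGIN = re.compile(r"Original Volume:\s*\((\w:)\)")
# The "Shadow Copy Volume" value is a device object path, not a folder path.
DEVICE = re.compile(r"Shadow Copy Volume:\s*(\S+)")

def parse_shadows(text, time_format="%m/%d/%Y %I:%M:%S %p"):
    """Return one dict per shadow copy (created, volume, device), oldest first."""
    shadows, created, volume = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := CREATED.search(line):
            created = datetime.strptime(m.group(1), time_format)
        elif m := ORIGIN.search(line):
            volume = m.group(1)
        elif m := DEVICE.search(line):
            shadows.append({"created": created, "volume": volume, "device": m.group(1)})
    return sorted(shadows, key=lambda s: s["created"])

def per_day(shadows):
    """Count snapshots per calendar day (ISO date string -> count)."""
    return Counter(s["created"].date().isoformat() for s in shadows)

if __name__ == "__main__":
    found = parse_shadows(SAMPLE)
    for s in found:
        print(s["created"], s["volume"], s["device"])
    print(dict(per_day(found)))
```

To use it on a real system, redirect the command's output to a text file from an elevated prompt and pass the file's contents to `parse_shadows`.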
I shall end this on a note of irritable complaining. I plugged my iPod touch into my PC this evening (I don't think I bothered to mention that I got it fixed a while back now, at the start of January), and iTunes kindly informed me that there's a new software update for the iPod available, v 3.1.3. I hadn't updated iTunes to the latest version of that which came out I think last week, but ignoring that, I spent an hour (rubbish internet connection, the file is barely over 250mb) downloading the update and then about 25 minutes installing, only for it to bail out right at the last minute with an error. Thankfully I backed up my iPod before installing the update, so I still have all my email and network settings on there, but I have lost all my apps and all my music from it. What a gigantic pain in the arse. Up yours, Steve Jobs.
Lostprophets - For He's A Jolly Good Felon