Creating a shadow copy with the "Backup" context from PowerShell

I am writing a PowerShell script to back up a Windows machine with rsync. For that I am trying to use WMI from that script to create a non-persistent shadow copy with writer involvement (which is apparently what is recommended for backups).

I found a general way to create a shadow copy in another question (Accessing Volume Shadow Copy (VSS) snapshots from PowerShell), but the example given there uses "ClientAccess" as the context argument, which results in a persistent shadow copy being created without writer involvement.

While looking for a solution I found that I can get a list of contexts, which I assume WMI understands, with the following command:

Get-WmiObject win32_shadowcontext | Out-GridView

That list does indeed contain a context named "Backup", which is exactly what I want. So I went on and tried to create a non-persistent shadow copy with that context:

$shadow = (Get-WmiObject -list win32_shadowcopy).Create("C:\", "Backup")

However, this seems to fail, and the contents of the $shadow variable are set to

ReturnValue      : 5
ShadowID         : {00000000-0000-0000-0000-000000000000}

According to the relevant documentation (Create method of the Win32_ShadowCopy class), that return value means "Unsupported shadow copy context".

I cannot find any documentation on why this context is not supported, or whether it can be used at all. I have also tried the "FileShareBackup" and "AppRollback" contexts, without success.

I guess I am either missing something obvious, or for some reason WMI really supports nothing other than "clientAccess" when creating shadow copies, or it is OS-dependent (I am testing this on Windows 7, 64-bit).

How can I get this to work?

Viewed 5658 times

Looking at the error message, your $shadow has a 5 as the return value and your shadow ID is all zeros; you would need to add a 1 or a 2 to the end of the volume shadow copy in the registry, using a binary or DWORD value.

Find the folder in the registry named volsnap in your regedit search. volsnap.sys is found in the C:\Windows\System32\drivers directory. The file size is 52,352 bytes. The volsnap file contains Microsoft's digital signature; make sure it is the correct bytes.

This confirms its authenticity. volsnap.sys appears to be a file that was compressed by an EXE packer. This technique is often used by trojans to keep the file size small and also hamper debugging efforts.

However, this in itself is not sufficient reason to presume malicious intent, since even well-intentioned, professional software producers take advantage of compressed files. For this reason, 2% of all experts consider this file to be a possible threat. The probability that it can cause harm is high. Please consider the additional comments from other users.

  shadow id          default
00000000-0000-0000-0000-000000000000
00000000-0000-0000-0000-000000000005

If it already has a 5 (which it probably doesn't), change it to 1

or create new code

Shadow id           $shadow 00000000-0000-0000-0000-0000000000001

Not exactly as shown; you may have to try different wording. I'm not sure if $ will work; if not, try the JS standalone version.

Okay, Technoob1984 here with the scoop. See my attached screenshot.

This one is tricky, because you have to use the x64 version of PowerShell (located under System32, not WOW64).

The Shadow Copy Contexts are the .Properties of the object.

Also I used the static method in my screenshots below.

https://learn.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/create-method-in-class-win32-shadowcopy

# get existing shadow copies (wrapped in @() so .Count works even when there
# is zero or one copy; a single WMI object has no Count property in PowerShell 2)
$shadow = @(Get-WmiObject Win32_ShadowCopy)
"There are {0} shadow copies on this system" -f $shadow.Count
""


# get the WMI class so its static Create method can be called
$class = [WMICLASS]"root\cimv2:Win32_ShadowCopy"


# create a new shadow copy; Create returns ReturnValue (0 = success) and ShadowID
"Creating a new shadow copy"
$result = $class.Create("C:\", "ClientAccessible")
$result


# count again
$shadow = @(Get-WmiObject Win32_ShadowCopy)
"There are now {0} shadow copies on this system" -f $shadow.Count

So in the example there, you would want to use $class.Properties to see what you can use as a Shadow Context.

See my screenshot.

So the Shadow Context is 'Caption, Count, Description' and anything else under the 'Name:' value of .Properties. I do not see 'Backup' as one of the options.

  • Enjoy
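The following PowerShell is an added example, not code from the question or from either answer. It does two things the thread talks about but never shows end to end. First, it takes every context name from Win32_ShadowContext (the class the question queried; the context names are not the Properties of Win32_ShadowCopy) and records what Win32_ShadowCopy.Create returns for each one, so you can see on a given Windows build which contexts the WMI provider actually accepts instead of guessing. Second, it wraps a ClientAccessible copy in create / mount / run / unmount / delete, because that context produces a persistent copy that nothing removes for you. The return-code table is the one documented for the Create method the second answer links (the question already quotes code 5). The function names, the C:\vss_probe mount point and the choice of C:\ as the volume are this example's own assumptions; run it from an elevated 64-bit PowerShell.

```powershell
# Added example (not from the question or either answer).
# Assumptions: elevated 64-bit PowerShell; volume C:\; the mount point
# C:\vss_probe and the names Test-ShadowContext / Invoke-WithShadowCopy
# are this example's own.

# Return codes documented for the Create method of Win32_ShadowCopy.
$CreateReturnCodes = @{
    0  = 'Success'
    1  = 'Access denied'
    2  = 'Invalid argument'
    3  = 'Specified volume not found'
    4  = 'Specified volume not supported'
    5  = 'Unsupported shadow copy context'
    6  = 'Insufficient storage'
    7  = 'Volume is in use'
    8  = 'Maximum number of shadow copies reached'
    9  = 'Another shadow copy operation is already in progress'
    10 = 'Shadow copy provider vetoed the operation'
    11 = 'Shadow copy provider not registered'
    12 = 'Shadow copy provider failure'
    13 = 'Unknown error'
}

function Test-ShadowContext {
    # Try every context name that Win32_ShadowContext advertises and report
    # what Create() returns for it. Any copy that does get created is deleted
    # again so the probe leaves nothing behind.
    param([string]$Volume = 'C:\')

    $class = [wmiclass]'root\cimv2:Win32_ShadowCopy'
    foreach ($ctx in Get-WmiObject Win32_ShadowContext) {
        $r = $class.Create($Volume, $ctx.Name)
        # New-Object rather than [pscustomobject] so this runs on PowerShell 2 (Windows 7)
        New-Object PSObject -Property @{
            Context     = $ctx.Name
            Persistent  = [bool]$ctx.Persistent
            Writers     = -not [bool]$ctx.NoWriters   # NoWriters flag of the context
            ReturnValue = $r.ReturnValue
            Meaning     = $CreateReturnCodes[[int]$r.ReturnValue]
        }
        if ($r.ReturnValue -eq 0) {
            $created = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $r.ShadowID }
            if ($created) { $created.Delete() | Out-Null }
        }
    }
}

function Invoke-WithShadowCopy {
    # Create a ClientAccessible copy of $Volume, expose it under $MountPoint
    # through a directory symlink, run $Action against that path, then always
    # unmount and delete the copy (ClientAccessible copies are persistent).
    param(
        [string]$Volume = 'C:\',
        [string]$MountPoint = 'C:\vss_probe',
        [scriptblock]$Action = { param($m) Get-ChildItem $m | Select-Object -First 5 }
    )

    $class = [wmiclass]'root\cimv2:Win32_ShadowCopy'
    $r = $class.Create($Volume, 'ClientAccessible')
    if ($r.ReturnValue -ne 0) {
        throw ('Create failed: {0} ({1})' -f $r.ReturnValue, $CreateReturnCodes[[int]$r.ReturnValue])
    }
    $copy = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $r.ShadowID }
    try {
        # DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN;
        # the trailing backslash is required for mklink to resolve it.
        cmd /c mklink /d $MountPoint "$($copy.DeviceObject)\" | Out-Null
        & $Action $MountPoint
    }
    finally {
        # rmdir removes only the link, never the snapshot contents
        if (Test-Path $MountPoint) { cmd /c rmdir $MountPoint | Out-Null }
        $copy.Delete() | Out-Null
    }
}

# Usage:
# Test-ShadowContext | Format-Table Context, Persistent, Writers, ReturnValue, Meaning -AutoSize
# Invoke-WithShadowCopy -Action { param($m) Get-ChildItem $m | Select-Object -First 5 }
```

The Writers column is derived from the NoWriters flag of each Win32_ShadowContext entry. A context that Test-ShadowContext reports as accepted but without writers gives you a crash-consistent view of the volume, not an application-consistent one, which is exactly the limitation the question describes for its persistent copy; treat the data accordingly before pointing rsync at the mount point.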