Enabling Shadow Copies

Enabling Shadow Copies: Server 2012 R2 Core

Server Core is a version of Windows Server that has no GUI. When you log in, administrators are only presented with a command prompt. This can make initial setup more difficult, is it requires administrators to have a vast knowledge of the command line and PowerShell. Today’s article will go over how to enable shadow copies on your volumes from the command line. Our main tool will be a program called vssadmin.exe. We will enable shadow copies and configure them using this tool. I also recommend enabling the “File Server VSS Agent Service” role on your file server. This gives you some more options when enabling shadow copies.

For those that don’t know, shadow copies creates a snapshot of your volume, enabling users and administrators to restore old versions of files, or restore them totally if they are deleted. The easiest way to access them is to right-click on a folder or file, select Properties, and then take a look at the “Previous Versions” tab. These copies will be shown here, and you can access them by clicking “Open”.

Administrators can set a few different things when enabling shadow copies. The most common is the size that shadow copies can take on the drive. There are three possibilities for this: unlimited, a set amount (i.e. 100GB), or a percentage of the drive. I would recommend settling on which one to use before enabling shadow copies. This setting can be adjusted after they are enabled.

Enabling Shadow Copies

To enable shadow copy on a drive, run this command:

vssadmin.exe add shadowstorage /for=<volume> /on=<volume> /maxsize=<max size>

Replace the volumes with the correct drive letter. The /for parameter specifies the drive that you want protected by shadow copies. The /on parameter specifies the drive where you want the shadow copies contained. You can have these be different drives.

The /maxsize parameter can be a specific number, such as 100GB, a percentage, such as 10%, or unlimited. Here is an example command:

vssadmin.exe add shadowstorage /for=d: /on=d: /maxsize=15%

Scheduled Task

Now we have to set up a scheduled task to actually take the shadow copies. For Server 2012 R2 Core, you can use Task Scheduler from your client machine and connect to the remote server. From here, we can create our task.

Start by running this command on your file server:

vssadmin.exe list shadowstorage

You need to copy the shadow copy volume ID from the output. This value is the GUID listed in this output:

Untitled-1

Copy the long GUID contained within the brackets. Create a new task called “ShadowCopyVolume<volume ID>”.

Untitled-2

Set the triggers to your schedule. I would recommend three times a day for a normal 8-5 ogranization, once mid-morning, mid-afternoon, and mid-evening. My schedule, for reference, is 11am, 3pm, and 9pm.

Untitled-3

Next, for actions, set the action to “Start a Program”. In the “Program/Script” box, type:

C:\Windows\system32\vssadmin.exe

For the agurments box, type (be sure to replace the volume ID with yours including the brackets):

create Shadow /AutoRetry=15 /For=\\?\Volume<volume ID>\

Untitled-4

That’s the task. Now you have shadow copies enabled and functioning on your Server Core file server.

Share:

Facebook
Twitter
LinkedIn

Contact Us

=
On Key

More Posts

WME Security Briefing 27 May 2024

Kinsing Hacker Group Exploits Docker Vulnerabilities Overview Recent investigations have shown that the hacker group Kinsing is actively exploiting Docker vulnerabilities to gain unauthorized access to systems. The modified hacker group targets misconfigured Docker API ports deployed with cryptocurrency mining malware.

Read More »
WME Cybersecurity Briefings No. 010
Cyber Security

WME Security Briefing 20 May 2024

Advanced Persistent Threats: North Korean Hackers Launch Golang Malware Overview A new malware strain, called Titan Stealer, is currently actively circulating in the threat landscape, targeting a variety of personal data and linked to North Korean state-sponsored cyber espionage

Read More »
WME Cybersecurity Briefings No. 009
Cyber Security

WME Security Briefing 08 May 2024

Exploitable vulnerability in Microsoft Internet Explorer, used to deploy VBA Malware Overview Cybersecurity researchers discovered a severe exploitation targeting a bug that had already been patched in the Microsoft Internet Explorer browser. Their report added that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.

=