Creating a shadow copy using the "Backup" context in a PowerShell

Views: 255

Problem description


I am in the process of writing a PowerShell script for backing up a Windows computer using rsync. To this end, I am attempting to use WMI from said script to create a non-persistent Shadow copy with writer participation (as is apparently recommended for backups).

I found out from another question (Accessing Volume Shadow Copy (VSS) Snapshots from powershell) a way to create a shadow copy in general, but the example given there uses "ClientAccessible" as the context parameter, which results in the creation of a persistent Shadow Copy, without writer participation.

While searching for a solution, I have found that I could use the following command to obtain a list of contexts, which I assume are understood by WMI:

Get-WmiObject win32_shadowcontext | Out-GridView

The list does have a context named "Backup", which is conveniently what I want. I proceeded to attempt creating a non-persistent shadow copy using that context:

$shadow = (Get-WmiObject -list win32_shadowcopy).Create("C:\", "Backup")

However, this seems to fail and the content of the $shadow variable is set to

ReturnValue      : 5
ShadowID         : {00000000-0000-0000-0000-000000000000}

According to the relevant documentation (Create method of the Win32_ShadowCopy class), the return value means "Unsupported shadow copy context."

I couldn't find any relevant documentation as to why this context is unsupported or whether it is possible to use it at all. I have also tried the "FileShareBackup" and "AppRollback" contexts without success.

I assume I am either missing something obvious, or that for some reason, WMI really doesn't support anything else than "clientAccessible" when creating shadow copies, or that this is OS-dependent (I am testing this on Windows 7, 64-bit).

How can I get this to work?
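The following script is an added example, not code from the question or the answer on this page. It lists the shadow-copy contexts the Win32_ShadowContext class reports (with the properties that describe persistence and writer involvement), then calls Win32_ShadowCopy.Create with each requested context in turn and translates the numeric return value into the meaning documented for the Create method, so that a return value of 5 is reported as "Unsupported shadow copy context" rather than as a bare number. The parameter names $Volume and $PreferredContexts and the context order are assumptions for this example; the script must run in an elevated PowerShell session on a Windows host.

```powershell
# Added example (not part of the original question or answer).
# Assumptions: elevated PowerShell on Windows; $Volume is the volume to
# snapshot; $PreferredContexts is the order in which contexts are tried.
param(
    [string]$Volume = 'C:\',
    [string[]]$PreferredContexts = @('Backup', 'FileShareBackup', 'ClientAccessible')
)

# Return values documented for Win32_ShadowCopy.Create.
$createReturnCodes = @{
    0  = 'Success'
    1  = 'Access denied'
    2  = 'Invalid argument'
    3  = 'Specified volume not found'
    4  = 'Specified volume not supported'
    5  = 'Unsupported shadow copy context'
    6  = 'Insufficient storage'
    7  = 'Volume is in use'
    8  = 'Maximum number of shadow copies reached'
    9  = 'Another shadow copy operation is already in progress'
    10 = 'Shadow copy provider vetoed the operation'
    11 = 'Shadow copy provider not registered'
    12 = 'Shadow copy provider failure'
    13 = 'Unknown error'
}

# Show what each context means before trying it: whether the snapshot is
# persistent, whether VSS writers are excluded, and whether it is client
# accessible. This is the documented basis for choosing a context.
Get-WmiObject Win32_ShadowContext |
    Select-Object Name, Persistent, NoWriters, ClientAccessible, NoAutoRelease |
    Format-Table -AutoSize

$shadowClass = Get-WmiObject -List Win32_ShadowCopy
$created = $null

foreach ($ctx in $PreferredContexts) {
    $result = $shadowClass.Create($Volume, $ctx)
    $code = [int]$result.ReturnValue
    $meaning = $createReturnCodes[$code]
    if (-not $meaning) { $meaning = 'Undocumented return value' }
    Write-Host ("Context '{0}': ReturnValue={1} ({2})" -f $ctx, $code, $meaning)

    if ($code -eq 0) {
        # Create only returns the ID; fetch the instance to get its device object.
        $created = Get-WmiObject Win32_ShadowCopy -Filter "ID='$($result.ShadowID)'"
        break
    }
}

if ($null -eq $created) {
    throw "No shadow copy could be created for $Volume with any of: $($PreferredContexts -join ', ')"
}

# The snapshot is readable through its device object; a backup tool reads
# from there. This example only reports it and then removes the snapshot.
Write-Host ("Created shadow {0} -> {1}" -f $created.ID, $created.DeviceObject)
$deleteResult = $created.Delete()
Write-Host ("Delete of {0} returned {1}" -f $created.ID, $deleteResult.ReturnValue)
```

Run it as `.\Try-ShadowContexts.ps1 -Volume 'C:\' -PreferredContexts 'Backup','ClientAccessible'` (file name assumed). Because every context is tried in order and each return value is printed with its documented meaning, the output shows directly which contexts the WMI provider on a given machine accepts, and a backup script can fall back to a working context instead of silently continuing with an all-zero ShadowID.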

Solution

Your $shadow has a 5 on return value. Looking at the error message, your shadow id has all zeros; you would need to add a 1 or a 2 to the end of the volume shadow copy in the registry using binary or dword.

Find the folder in the registry named volsnap in your regedit search. volsnap.sys is found in the C:\Windows\System32\drivers directory. The file size is 52,352 bytes. The volsnap file contains Microsoft's digital signature; make sure it's the correct bytes.

This confirms its authenticity. volsnap.sys appears to be a file that was compressed by an EXE-Packer. This technique is often used by trojans to keep the file size small and also hamper debugging efforts.

However, this in itself is not sufficient reason to presume malicious intent, since even well-intentioned, professional software producers take advantage of compressed files. For this reason, 2% of all experts consider this file to be a possible threat. The probability that it can cause harm is high. Please consider the additional Comments from other users.

  shadow id          default 
                        00000000-0000-0000-0000-000000000000
                        00000000-0000-0000-0000-000000000005

If it already has a 5, which it probably doesn't, change it to 1,

or create new code:

Shadow id           $shadow 00000000-0000-0000-0000-0000000000001

Not exactly as shown. You may have to try different wording; I'm not sure if $ will work. If not, try the js standalone version.
