Accessing Volume Shadow Copy (VSS) Snapshots from powershell

Problem description

I am attempting to create and access a Volume Shadow Copy snapshot using the Windows Power Shell in Windows 7. I found that I can create snapshots using the following via a previous superuser question:

(Get-WmiObject -list win32_shadowcopy).create("C:\","ClientAccessible")

I am unable to find any documentation indicating that it is possible to set a shadow copy to "Exposed" so that it can be mapped to a drive letter using WMI. An article linked in the same question shows a hack using a junction to access the snapshot.

When I try to access the symlink, I get the following:

PS C:\Windows\system32> ls C:\shadowcopy
Get-ChildItem : The parameter is incorrect.

At line:1 char:3
+ ls <<<<  C:\shadowcopy
    + CategoryInfo          : ReadError: (C:\shadowcopy:String) [Get-ChildItem], IOException
    + FullyQualifiedErrorId : DirIOError,Microsoft.PowerShell.Commands.GetChildItemCommand

Attempting to access the snapshot directly gives the following:

PS C:\Windows\system32> ls '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14'
Get-ChildItem : Paths that begin with \\?\GlobalRoot are internal to the kernel and should not be opened by managed applications.
At line:1 char:3
+ ls <<<<  '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy14'
    + CategoryInfo          : NotSpecified: (:) [Get-ChildItem], ArgumentException
    + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.GetChildItemCommand

How can I access a VSS snapshot from a powershell script?

Recommended answer

How did you create the symlink? As outlined in that article, you have to specify the device path with a trailing backslash:

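# Create a client-accessible snapshot of C:
$s1 = (Get-WmiObject -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
# Look up the new shadow copy by the ID that Create() returned
$s2 = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $s1.ShadowID }
# Device path with the required trailing backslash
$d  = $s2.DeviceObject + "\"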

Then $d is your volume letter specifier:

cmd /c mklink /d C:\shadowcopy "$d"

After this, I was able to access the shadow copy mounted to C:\shadowcopy just fine.

To unmount the shadow copy call $s2.Delete(), as @KeyszerS pointed out in the comments.
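
The steps from the answer combined into one function that checks each result and always removes the link and the snapshot afterwards. This is an added example, not part of the original answer; Use-ShadowCopy and its parameter names are hypothetical, and it assumes an elevated PowerShell session.

```powershell
# Added example (not from the original answer). Use-ShadowCopy, -Volume,
# -LinkPath and -Action are hypothetical names chosen for illustration.
function Use-ShadowCopy {
    param(
        [string]$Volume = 'C:\',
        [string]$LinkPath = 'C:\shadowcopy',
        [Parameter(Mandatory = $true)][scriptblock]$Action
    )
    if (Test-Path -LiteralPath $LinkPath) {
        throw "$LinkPath already exists; refusing to overwrite it."
    }
    # Create() reports failure through ReturnValue instead of throwing.
    $result = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
    if ($result.ReturnValue -ne 0) {
        throw "Win32_ShadowCopy.Create failed with ReturnValue $($result.ReturnValue)."
    }
    $shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
    try {
        # The trailing backslash makes the link point at the snapshot's root directory.
        $target = $shadow.DeviceObject + '\'
        cmd /c mklink /d "$LinkPath" "$target" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE." }
        # Hand the link path to the caller's script block.
        & $Action $LinkPath
    }
    finally {
        # rmdir removes only the link; do it before the snapshot disappears.
        if (Test-Path -LiteralPath $LinkPath) { cmd /c rmdir "$LinkPath" | Out-Null }
        # Delete the shadow copy so no snapshot is left behind.
        $shadow.Delete()
    }
}

# Constructed usage: list the top-level entries of the snapshot.
Use-ShadowCopy -Action {
    param($root)
    Get-ChildItem -LiteralPath $root | Select-Object Name, LastWriteTime
}
```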
