Creating a shadow copy using the "Backup" context in a PowerShell


Okay, Technoob1984 here with the scoop. See my attached screen shot.

This one is tricky, because you have to use the x64 version of PowerShell (located under system32, not wow64).

The Shadow Copy Contexts are the .Properties of the object.

Also I used the static method in my screenshots below.

https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/create-method-in-class-win32-shadowcopy

    # get existing shadow copies (wrapped in @() so .Count works even for a single result)
    $shadow = @(Get-WmiObject Win32_ShadowCopy)
    "There are {0} shadow copies on this system" -f $shadow.Count
    ""
    # get the class so its static Create method can be called
    $class = [WMICLASS]"root\cimv2:Win32_ShadowCopy"
    # create a new shadow copy
    "Creating a new shadow copy"
    $class.Create("C:\", "ClientAccessible")
    # Count again
    $shadow = @(Get-WmiObject Win32_ShadowCopy)
    "There are now {0} shadow copies on this system" -f $shadow.Count

So in the example there, you would want to use $class.Properties to see what you can use as a Shadow Context.

See my screen shot: [screenshot]

So Shadow Context is 'Caption, Count, Description' and anything else under the 'Name:' value of .Properties. I do not see 'Backup' as one of the options.

  • Enjoy
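As an added example (my own code, not part of the answer above or of the linked docs page), here is a wrapper around the same Win32_ShadowCopy.Create call that checks the method's ReturnValue instead of ignoring it, which is how an unsupported context such as "Backup" shows up. The function name New-VssShadowCopy is mine; the return-code table is the one documented on the linked Create-method page; the 64-bit check follows the answer's advice to use the System32 PowerShell.

```powershell
# Return codes of Win32_ShadowCopy.Create as listed on the linked docs page.
$ReturnCodes = @{
    0 = 'Success';                          1 = 'Access denied'
    2 = 'Invalid argument';                 3 = 'Specified volume not found'
    4 = 'Specified volume not supported';   5 = 'Unsupported shadow copy context'
    6 = 'Insufficient storage';             7 = 'Volume is in use'
    8 = 'Maximum number of shadow copies reached'
    9 = 'Another shadow copy operation is already in progress'
    10 = 'Provider vetoed the operation';   11 = 'Provider not registered'
    12 = 'Provider failure';                13 = 'Unknown error'
}

# Hypothetical helper (my name): create a shadow copy and fail loudly on a bad ReturnValue.
function New-VssShadowCopy {
    param(
        [string]$Volume  = 'C:\',
        [string]$Context = 'ClientAccessible'   # the context shown in the linked docs sample
    )
    # A 32-bit (WOW64) host on a 64-bit OS cannot reach the provider; insist on the x64 shell.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run this from the 64-bit PowerShell under System32, not the WOW64 one.'
    }
    $class  = [wmiclass]'root\cimv2:Win32_ShadowCopy'
    $result = $class.Create($Volume, $Context)
    $code   = [int]$result.ReturnValue
    if ($code -ne 0) {
        $msg = if ($ReturnCodes.ContainsKey($code)) { $ReturnCodes[$code] } else { 'Undocumented code' }
        throw ("Create('{0}', '{1}') failed: {2} ({3})" -f $Volume, $Context, $code, $msg)
    }
    # On success the ShadowID out-parameter holds the GUID of the new copy; return its object.
    Get-WmiObject Win32_ShadowCopy -Filter ("ID = '{0}'" -f $result.ShadowID)
}

# Usage: count what exists, create one copy, count again.
$before = @(Get-WmiObject Win32_ShadowCopy)
"Shadow copies before: {0}" -f $before.Count
$new = New-VssShadowCopy -Volume 'C:\' -Context 'ClientAccessible'
"Created {0} at {1}" -f $new.ID, $new.InstallDate
$after = @(Get-WmiObject Win32_ShadowCopy)
"Shadow copies after: {0}" -f $after.Count
```

Passing -Context 'Backup' to the function makes the ReturnValue 5 ("Unsupported shadow copy context") visible as an error instead of a silently missing copy.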


Your $shadow has a 5 as the return value, looking at the error message; your shadow id is all zeros. You would need to add a 1 or a 2 to the end of the volume shadow copy in the registry, using binary or DWORD.

Find the folder in the registry named volsnap in your regedit search. volsnap.sys is found in the C:\Windows\System32\drivers directory. The file size is 52,352 bytes. The volsnap file contains Microsoft's digital signature; make sure it's the correct bytes.

This confirms its authenticity. volsnap.sys appears to be a file that was compressed by an EXE-Packer. This technique is often used by trojans to keep the file size small and also hamper debugging efforts.

However, this in itself is not sufficient reason to presume malicious intent, since even well-intentioned, professional software producers take advantage of compressed files. For this reason, 2% of all experts consider this file to be a possible threat. The probability that it can cause harm is high. Please consider the additional Comments from other users.

  shadow id          default                         00000000-0000-0000-0000-000000000000                        00000000-0000-0000-0000-000000000005

If it already has a 5 (which it probably doesn't), change it to 1,

or create new code:

Shadow id           $shadow 00000000-0000-0000-0000-0000000000001

Not exactly as shown. You may have to try different wording. I'm not sure if $ will work; if not, try the JS standalone version.