How to restore folders using ShadowExplorer

05/15/2020 1 3751

DESCRIPTION:

This Article explains about restoring folders and files using ShadowExplorer. 

RESOLUTION:

To restore shadow copies:

You can restore folders and files affected in the threat group with granular control, using third-party tools. This procedure uses the ShadowExplorer. We cannot be responsible for the results. We offer these steps as extra information. See the ShadowExplorer documentation.

1. Download ShadowExplorer.
2. Install and run it. See ShadowExplorer.com for instructions.
3. In the main window, select the drive and backup time of the restore point.
4. Select the folders and files to restore.
5. Right-click and select Export.
6. In the window that opens, create or select a folder.
7. Click OK.

To disable VSS protection completely:

These steps turn off VSS and Rollback completely. If you want to stop taking new snapshots temporarily, use the Interval Change steps.

1. Turn off the Agent self-protection. With the passphrase that you copied, run:

sentinelctl.exe unprotect -k "<passphrase>"

1. Turn off VSS protection:

sentinelctl config -p agent.vssConfig.vssProtection -v false

sentinelctl config -p agent.vssSnapshots -v false

1. Turn on the Agent self-protection:

sentinelctl.exe protect

1. Reboot the endpoint.

To delete snapshots:

Important:  This procedure uses vssadmin, which is a Microsoft tool. For help with vssadmin specific issues, please contact Microsoft.

1. Turn off the Agent self-protection. With the passphrase that you copied, run:

sentinelctl.exe unprotect -k "<passphrase>"

1. Disable deletion-protection for shadow copies. Run: 
   sentinelctl config -p vssConfig.vssProtection -v false
   
   
2. Open cmd or powershell as administrator and run the relevant command:
   • To delete all shadow copies:  vssadmin delete shadows /all
   • To delete the oldest:  vssadmin delete shadows /For=C:/Oldest
   • To select shadow copies to delete, get a list of the shadow copy IDs and then delete by ID:

vssadmin list shadows

vssadmin delete shadows /shadow=<ShadowID>

• If you see this error:

Error: Snapshots were found, but they were outside of your allowed context.  Try removing them with the backup application which created them.

1. Log i as an administrator. Membership in the local Administrators group, or equivalent, is required to run DiskShadow.
2. Start DiskShadow:  Diskshadow
3. Run:  delete shadows all

1. Turn on the Agent self-protection:

sentinelctl.exe protect