Magic of VSS... How does this work?

I put this question before Microsoft today, however I didn't receive an answer that made sense... imagine that. Here is the scenario:

**You have enabled Volume Shadow Copy Service**

1. What happens when you first enable this service? Does it start tracking changes to the file system immediately?
2. How does this service know what has changed? Baseline snapshot or the entire system or reference a transaction log file?


**Now, you have a volume with 500GB of data. Somewhere along the lines someone accidentally deleted 100GB of data. You now need to restore this data, first (easiest) process is to leverage a shadow copy.**

1. If the original data no longer exists... how can you recover the 100GB of data from a volume shadow copy? My best guess is a baseline snapshot (original data) that future snapshots are built upon using copy-on-write (differential). However, that would mean your baseline snap would be 500GB as well.
2. If you don't have a base snap (an unknown in this scenario) how do you pull back 100GB of data if the volume shadow copies only represent the deltas? What happens if another 100-200GB of data were written to the disk before discovering the missing 100GB of data?
3. How does this work???? I understand the functions of VSS and its function in ensuring consistent backups and that it uses a copy-on-write to create snapshots. How can you restore data if you don't have an original?


Please share your thoughts on this topic. I have looked at the TechNet articles from Microsoft regarding VSS, no information explaining the above scenario and how this data can be recovered.
 
I read that article... however, it still didn't answer my questions. Perhaps I missed something?
 
Good question, this interested me enough to take a look into it. It is easy to miss the details. Pay attention to this section:

Copy-on-Write (Differential Copy)

The copy-on-write method creates shadow copies that are differential rather than full copies of the original data. Like the clone method of creating shadow copies, the copy-on-write method can produce shadow copies using either software or hardware solutions. This method makes a copy of the original data before it is overwritten with new changes, as shown in the following table. When a change to the original volume occurs, but before it is written to disk, the block about to be modified is read and then written to a “differences area”, which preserves a copy of the data block before it is overwritten with the change. Using the blocks in the differences area and unchanged blocks in the original volume, a shadow copy can be logically constructed that represents the shadow copy at the point in time in which it was created.

....

The advantage of the copy-on-write method is that it creates shadow copies very rapidly because it is only writing the changes to disk. The disadvantage is that in order to fully restore the data, the original data must still be available. Without the original data, the shadow copy is incomplete and cannot be used. Another disadvantage is that the performance of copy-on-write implementations can affect the performance of the original volume.

Copy-On-Write still has the disadvantage that you are questioning: how does it restore files if the original is deleted? As the second paragraph states, it does not. Now before you say that's wrong, remember that this is done at the block level. When you delete a file in Windows the data is not actually deleted, just the indices that reference that file are deleted. Part of what the shadow copy contains are the indices, so even though the file has no reference in the main table, the shadow copy still has reference to that file. To prove their statement that you cannot restore deleted files, delete the file and then fill the hard drive with actual data; this will eventually overwrite the blocks in which the original file was located, thus making it unrecoverable. This is why VSS is generally only used to create a consistent and safe backup environment and provide a means to access an old version of a file.
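
The block-level behaviour discussed in this thread, as an added example (not code from any poster or from Microsoft): a toy volume with one copy-on-write snapshot, showing what lands in the differences area when a file is deleted and when its blocks are later reused. The block layout, the index format and the bounded differences area that discards the snapshot once it is full are assumptions of this model.

```python
class Volume:
    """Toy block device with one copy-on-write snapshot (constructed model)."""

    def __init__(self, blocks, diff_capacity):
        self.blocks = list(blocks)          # live volume contents
        self.diff = None                    # block number -> original content
        self.diff_capacity = diff_capacity  # assumed limit on the differences area
        self.snapshot_valid = False

    def create_snapshot(self):
        # Nothing is copied at creation time; the differences area starts empty.
        self.diff = {}
        self.snapshot_valid = True

    def write(self, n, data):
        # Copy-on-write: preserve the old block once, before its first overwrite.
        if self.snapshot_valid and n not in self.diff:
            if len(self.diff) >= self.diff_capacity:
                self.snapshot_valid = False   # assumption: snapshot is discarded
                self.diff = None
            else:
                self.diff[n] = self.blocks[n]
        self.blocks[n] = data

    def read_snapshot(self, n):
        if not self.snapshot_valid:
            raise LookupError("snapshot lost: differences area exhausted")
        # Preserved block if it changed since the snapshot, else the live block.
        return self.diff.get(n, self.blocks[n])


def read_file(read_block, name):
    """Follow the index in block 0 ('name:blk,blk;...') and join the data blocks."""
    index = dict(e.split(":") for e in read_block(0).split(";") if e)
    return "".join(read_block(int(b)) for b in index[name].split(","))


def demo():
    # Constructed sample: block 0 is the index, blocks 1-2 hold report.txt.
    vol = Volume(["report.txt:1,2", "QUARTERLY ", "NUMBERS", "", ""], diff_capacity=2)
    vol.create_snapshot()
    vol.write(0, "")                       # delete: only the index block changes
    after_delete = (read_file(vol.read_snapshot, "report.txt"), len(vol.diff))
    vol.write(1, "new data ")              # freed block reused: old data preserved
    after_reuse = (read_file(vol.read_snapshot, "report.txt"), len(vol.diff))
    vol.write(2, "more")                   # third changed block exceeds capacity
    return after_delete, after_reuse, vol.snapshot_valid
```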
 