Summary
This article explains how to list and remove Volume Shadow Copies from a Windows device and the potential impact of doing so. It also contains additional information on the various usages of Volume Shadow Copies in a typical Windows environment.
What are Volume Shadow Copies and where are they used? What are the potential impacts I may face if I delete Volume Shadow Copies from my device?
Volume Shadow Copy is used by restore points and other Microsoft or third-party applications creating snapshots to restore files within a device. It is also used by backup applications to read and backup locked or running files.
If you are using restore points or using an application that uses Volume Shadow Copy directly, you will lose access to the previous restore points if Volume Shadow Copies are deleted.
If you are using a backup application that creates a backup outside of Volume Shadow Copy, you should not be affected by deleting Volume Shadow Copies.
For more information see, Volume Shadow Copy Service.
How can I view the current Volume Shadow Copies of the drive containing my Windows installation?
To display any shadow copies of your system volume (in the examples below, we are using %systemdrive% as the Windows system volume but you can use the drive name as well, such as C:), start command prompt as Administrator, and run the following command:
-
vssadmin list shadows /for=%systemdrive%
A system with VSS shadow copies will report details of the shadow copies as follows:
-
Contents of shadow copy set ID: {b746358f-acf1-474d-9e1d-dcf15cf08b1d}
-
Contained 1 shadow copies at creation time: 7/17/2021 7:15:01 PM
-
Shadow Copy ID: {b4080b4c-a7b0-499d-91f0-783b12d4bf74}
-
Original Volume: (C:)\\?\Volume{67a32b23-68ff-4388-8e65-67aa24d7e244}\
-
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
-
Originating Machine: <>
-
Service Machine: <>
-
Provider: 'Microsoft Software Shadow Copy provider 1.0'
-
Type: ClientAccessibleWriters
-
Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
How can I delete Volume Shadow Copies?
To delete all shadow copies of the system drive, run the following command:
-
vssadmin delete shadows /for=%systemdrive% /Quiet
To confirm that all shadow copies were deleted, you may run this command again:
-
vssadmin list shadows /for=%systemdrive%
If there are no shadow copies on your system drive, you will receive output that says:
-
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
-
(C) Copyright 2001-2013 Microsoft Corp.
-
No items found that satisfy the query.
Why am I not able to delete all Volume Shadow Copies on my Windows Server device?
Some Volume Shadow Copies are managed by other backup solutions on Windows Server. For example, Volume Shadow Copies created by wbadmin must be managed within that application.
What is the process to create a new System Restore Point?
For instructions on how to create a system restore point on Windows 10, see Create a system restore point. To create a restore point from PowerShell, open Powershell as Administrator and run the following command: Checkpoint-Computer
There is no support for System Restore Points on Windows Server, you will need to use your preferred backup solution to create a new backup.
Note If you are deleting your Volume Shadow Copies as a mitigation to an issue or to address a vulnerability such as CVE-2021-36934, you will need to address the vulnerability or issue before creating a new System Restore Point or backup.
Under what circumstances would I want to delete the Volume Shadow Copies?
Deleting your Volume Shadow Copies might be part of a mitigation to an issue or to address a vulnerability such as CVE-2021-36934.