Wednesday, June 24, 2009
Exploring Shadow Copies with TimeTraveler
What is a Shadow Copy?
Windows 7, Windows Vista, Windows Server 2008, Windows Server 2003 and Windows XP all have the ability to make Shadow Copies of NTFS Volumes. This ability is used extensively in the System Restore and Backup solutions provided by Microsoft and other software vendors. Unless you tell your system not to, it will make a Shadow Copy of your System Volume every time you install, uninstall or upgrade the software on it. These copies are called restore points and by default, they will occupy at most 15% of the volume capacity.
Actually making a shadow copy uses very little storage space, but once the copy is created, every new write to the volume creates a copy of the old data, which the write is replacing. This is called copy-on-write and it means that the size of your volume is now growing. Even if a file is replaced by one that is smaller than its previous version, the total storage in use grows. Because the old version remains, the total storage must increase by the size of the new data. The work of making Shadow Copies is managed by the Windows Shadow Copy Service, which in turn invokes a process including a Provider for doing the copy-on-write work. The amount of extra work taking a Shadow Copy depends on the actual implementation of this Shadow Copy Provider. The default System Provider comes from Microsoft and works independently of the hardware. However, several storage array vendors supply their own provider so that it can take advantage of the increased performance of the array.
A Shadow Copy of a Windows Volume (e.g. C:) is hidden from you and your applications unless the application knows how to access it through the Volume Shadow Service (VSS) API. Windows Explorer can do this through the Previous Versions tab on the Properties Window for a file or folder. However, in Vista Starter, Basic or Premium, Previous Versions is missing because Microsoft left this feature out. The Previous Versions Tab shows a list of times next to the object.
Looking back with TimeTraveler™
Bears on the Loose has created a Shadow Copy tool you can use to browse through the shadow copies of your volumes. TimeTraveler™ displays all your shadow copies as “tic marks” on a timeline at the bottom of the Explorer Window. The green marks are system restore points and the blue ones are simple points. The dark marks are for the copies where the selected file or folder has changed and the light blue for the others. As you move the yellow pointer to the different times, the contents of a displayed folder may change to display the contents at the newly selected time.
TimeTraveler™ changes the Explorer address to point to the currently selected folder at the selected time. From there you can browse the files and folders at the time you have selected. All the Explorer functionality is available to you on the files and folders from the past. Note that the shadow copies are read-only. You can read from the past but you cannot rewrite it. You can restore files or folders simply by opening two Explorer windows and drag and drop from a window set in the past to a window set on 'Now'. You can also use copy and paste.
TimeTraveler™ works on all Editions of Windows Vista and Windows 7.
Bears on the Loose