I originally posted this issue at Microsoft Community ( http://answers.microsoft.com/en-us/windows/forum/windows8_1-files/shadow-copy-snapshot-file-contents-silently/06a5e25b-6607-45eb-81a1-71cfc2b0cce3 ) but I think it might get more attention here.
Historic overview:
One user had problems with Folder Redirection sync resulting in data loss (details are irrelevant) and we had to recover missing data from PC's VSS snapshot of CSC cache (regular VSS snapshot by System Restore).
In short steps:
- Elevate to SYSTEM with PsExec (CSC folder is heavily protected by ACL so we have to use SYSTEM to access it)
  psexec -i -s -d CMD
- Get relevant shadow copy with
  vssadmin list shadows
- Mount shadow copy with
  mklink /d C:\ShadowMount \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
- Recover data with
  robocopy C:\ShadowMount\Windows\CSC\...\data D:\Backup /E
No errors were seen and a few test files were consistent. About a month went by and the user reported that most of the data was corrupted. We determined that the data had already been corrupted during recovery from the Shadow Copy.
We have been able to reproduce this on 3 Windows 8.1 systems so far (not tested on 7 yet).
We also tried over the Network provider just in case, but we still see corruption:
- net use vss$=\\?\Globalroot...
- popd \\localhost\vss$
- Access data
Symptoms:
Snapshot age seems to be largely irrelevant (corruption in both snapshots taken a month ago and yesterday).
Parts of the file or whole files are filled with NULLs. It seems that NULLs occur at cluster borders (4kB clusters).
It does not matter if file exists on live volume or has been deleted/moved since snapshot.
File is OK on live volume.
For example one text log file (for easy content analysis), size ~244kB analyzed in Hex Editor
- Beginning of file has 12kB of data (last data char is position 2FFF)
- After that, only 00 characters (NULL)
- Data continues at position 3B000 until end of file
ChkDsk /scan shows no errors. The system has been patched up-to-date with WU patches. No LDR hotfixes deployed to my knowledge.
Systems are running regular HDD (so TRIM hasn't cleared up clusters).
Background defragment is enabled.
No VSS errors in Event Log.
The files were very unlikely to be in use (old documents, images, aforementioned old log file) during snapshot.
We're aware that Previous Versions has been dropped in Windows 8, but underlying Shadow Copy technology still exists and should continue to work.
We are considering that this might be a bug in VSS. Shadow copy is not consistent and parts of it are either dropped, overwritten or... something.
Might it be a bug or am I missing something? Should we get a MS support case?
We didn't find any relevant KB articles for Windows 8.1 but found one similar case:
http://superuser.com/questions/888383/shadow-copy-recovered-files-contain-lots-of-null-blocks
Windows 7 and previous seem to have had a similar case in the past:
https://support.microsoft.com/en-us/kb/2748349
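
Added example, not part of the original post: a Python check that scans a recovered file for runs of 4 kB-aligned clusters containing only 0x00, the symptom described above, so a recovery can be verified before it is trusted. The function names and the sample data are constructed for illustration; the 4096-byte cluster size is taken from the post and is an assumption for other volumes.

```python
import io

CLUSTER = 4096  # 4 kB cluster size reported in the post (assumed for other volumes)

def zero_cluster_runs(stream, cluster=CLUSTER):
    """Return [(start, end_exclusive), ...] for runs of cluster-aligned
    blocks that consist only of 0x00 bytes."""
    runs = []
    offset = 0
    run_start = None
    while True:
        block = stream.read(cluster)
        if not block:
            break
        # A short final block is flagged only if it is entirely zero.
        if block.count(0) == len(block):
            if run_start is None:
                run_start = offset
        elif run_start is not None:
            runs.append((run_start, offset))
            run_start = None
        offset += len(block)
    if run_start is not None:
        runs.append((run_start, offset))
    return runs

def scan_file(path, cluster=CLUSTER):
    """Scan a file on disk, e.g. one copied out of the mounted shadow copy."""
    with open(path, "rb") as fh:
        return zero_cluster_runs(fh, cluster)

def build_sample():
    """Constructed sample mirroring the log file in the post:
    data up to 0x2FFF, NULs from 0x3000, data again from 0x3B000."""
    size = 0x3D000  # 244 kB
    data = bytearray(b"log line\n" * (size // 9 + 1))[:size]
    data[0x3000:0x3B000] = bytes(0x3B000 - 0x3000)
    return bytes(data)

if __name__ == "__main__":
    for start, end in zero_cluster_runs(io.BytesIO(build_sample())):
        count = (end - start) // CLUSTER
        print(f"zero-filled clusters: 0x{start:X}-0x{end - 1:X} ({count} clusters)")
```

Sparse or preallocated files legitimately contain zero-filled clusters, so a hit is a reason to compare against the live copy or another backup, not proof of corruption on its own.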