Listing Shadow Copies

2018/02/07 --This should be simple

A Windows share can present to remote users "previous versions". These are also known as shadow copies, volume snapshot service (VSS) or volume shadow copy service. Y'know, just to make googling it require that many more keyword variations. Most will experience it through an interface like this:

It is also possible to access them via a "previous versions token" in a path:


There is no way to discover these "tokens" for a remote system natively except via Explorer. CMD and Powershell are surprisingly deficient here.

You will Google around and most commonly find the ancient volrest.exe tool as the recommended solution. This is a tool from a 2003 Windows Resource pack. I found it to give incomplete results.

The best solution I have discovered is the excellent Python library pysmb.

You can use this very simply to gather all of the tokens:

from smb.SMBConnection import SMBConnection

conn = SMBConnection("some.username", "some.password", "LOCALMACHINENAME", 
               "somefileserver", domain="some.domain", use_ntlm_v2 = True)
assert conn.connect("somefileserver", 139)

filelist = conn.listPath("share", "/")

for file in filelist:

shadows = conn.listSnapshots("share", "/")

for shadow in shadows:

It seems a grand oversight that this functionality is not at all present in Powershell. I believe the API to get this information is fully documented so it is surprising a simple native Windows utility has not been built.

2017 in review2013 Xmas Cipher Challenge