Re: What's "Generic volume shadow copy"?


Tim Meddick

The Windows service "Volume Shadow Copy" is a built-in service that
enables the operating system to copy files that would otherwise return the
error : "Access Denied - File in use by another process" (or similar) when
a file is "locked" by another program or the OS itself.

As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.

It is also used by "NT Backup" and any third-party programs that have been
written to utilize the Volume Shadow Copy service, such as ERUNT.exe (reg
backup for NT (google ERUNT for more on this)).

==

Cheers, Tim Meddick, Peckham, London. :-)
 
I'm afraid I just can't answer that, it's a question more about your
Anti-Virus / Anti-Malware program than about the WinXP OS!

But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.

I would question the effectiveness of my Anti-Virus / Anti-Malware software
if such a genuine element of the Windows OS is being returned as in any
way bogus by it!

Such behaviour of "spotting" viruses / malware where there isn't any is a
feature of Malware itself.....

(An example of this below...)
http://blogs.technet.com/b/mmpc/arc...ckles-fake-microsoft-security-essentials.aspx

==

Cheers, Tim Meddick, Peckham, London. :-)




J. P. Gilliver (John) said:
Tim Meddick said:
The Windows service "Volume Shadow Copy" is a built-in service that
enables the operating system to copy files that would otherwise return
the error : "Access Denied - File in use by another process" (or similar)
when a file is "locked" by another program or the OS itself.

As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.

It is also used by "NT Backup" and any third-party programs that have been
written to utilize the Volume Shadow Copy service, such as ERUNT.exe (reg
backup for NT (google ERUNT for more on this)).
[]
Thanks for the more intelligent response than the other idiot.

What puzzles me are:

o Why did it (only) pop up when I was doing a scan? (I have - and use
occasionally - ERUNT, and it doesn't then.)

o Why does it see it as new hardware?

o I checked, and I already had restore points (going back to I think
November 7 - certainly from before I did the scan), so why hadn't it
popped up when it did those.

o I checked in Device Manager, and (once I'd turned on show hidden) I
already had the phantom drives (I forget the wording used) that are
involved.
--
J. P. Gilliver. UMRA: 1960/<1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

<Squawk> Pieces of eight!
<Squawk> Pieces of eight!
<Squawk> Pieces of nine!
<SYSTEM HALTED: parroty error!>
 
Ah, I understand you now..... I also have experienced this and similar
sorts of behaviours. I'm afraid, again, I have no explanation at the
moment for it.

This is because it hadn't happened to me recently, and I have to be able to
reproduce the sequence of events that lead to getting a particular
error message in order for me to investigate it.

This is so I can then query the system as to which processes are involved and
what software/hardware conflicts may be happening. I can only do such
things while the error is "in progress".

But I will certainly keep it in mind so that if it ever happens on my
system again, I will attempt to identify its cause for you.....

==

Cheers, Tim Meddick, Peckham, London. :-)

P.S. I must assure you, however, again, that the service "Volume Shadow
Copy" or VSS (Volume Snapshot Service) is definitely a normal part of every
version of Windows since WinXP Service Pack 2 and Server 2003.


J. P. Gilliver (John) said:
Tim Meddick said:
I'm afraid I just can't answer that, it's a question more about your
Anti-Virus / Anti-Malware program than about the WinXP OS!

But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.

I would question the effectiveness of my Anti-Virus / Anti-Malware
software if such a genuine element of the Windows OS is being returned
as in any way bogus by it!

No, not at all: the AV didn't object to it at all. It's just that, while
running an AV scan, (a) the "new hardware found" thing popped up twice,
(b) when I told it (the new hardware thing) to proceed to the next stage,
it (again, the normal Windows self-protecting thing) said that what I was
about to allow - i. e. the driver it had found for this phantom new
hardware - wasn't Microsoft signed. That latter is particularly puzzling,
this Shadow Copy thing being as you have explained part of the system.
(From what I found on line, others get the same thing, though.)
Such behaviour of "spotting" viruses / malware where there isn't any is a
feature of Malware itself.....
[]
(No, that wasn't what was happening.)

(FWIW all AV found were two instances of some HTML code that matched some
Trojan.)
--
J. P. Gilliver. UMRA: 1960/<1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

The fool doth think he is wise, but the wise man knows himself to be a
fool.
 
Tim Meddick said:
Ah, I understand you now..... I also have experienced this and similar
sorts of behaviours. I'm afraid, again, I have no explanation at the
moment for it.

This is because it hadn't happened to me recently, and I have to be
able to reproduce the sequence of events that lead to getting a
particular error message in order for me to investigate it.

This is so I can then query the system as to which processes are involved
and what software/hardware conflicts may be happening. I can only do
such things while the error is "in progress".

But I will certainly keep it in mind so that if it ever happens on my
system again, I will attempt to identify its cause for you.....
[]
Thanks. Don't go out of your way - I was just curious as to:
1. what it was (I know more or less now)
2. why it suddenly popped up as "new hardware found", despite the fact
that I already had several restore points so it must have already been
present to make them;
3. why, when it does pop up, the OS itself (not my AV) says it's not
"Microsoft signed" or whatever.
 