Strange problem with System Volume Information folder

  • Thread starter Thread starter SergioQ
  • Start date Start date
S

SergioQ

So NAV, all of a sudden, keeps detecting (and fixing) a trojan in
there. And everytime I try to access that folder to look in it I get
the old: "access denied" message.

Even though I have said SHOW hidden files, DO NOT Hide protected
operating system files (Recommended) ... still the system won't let me
in.

Anyone have any clues what's up?

THanks
 
SergioQ said:
So NAV, all of a sudden, keeps detecting (and fixing) a trojan in
there. And everytime I try to access that folder to look in it I
get the old: "access denied" message.

Even though I have said SHOW hidden files, DO NOT Hide protected
operating system files (Recommended) ... still the system won't let
me in.

Anyone have any clues what's up?
Click to expand...

Turn off System Restore.
Reboot.
Turn on System Restore.

Scan with MalwareBytes (Full Scan.)
 
Turn off System Restore.
Reboot.
Turn on System Restore.

Scan with MalwareBytes (Full Scan.)
Click to expand...

As we speak MalwareBytes is running, will take awhile. But after
turning off Sys Rest, rebooting (and confirming that the File View
options are set correctly) windows still won't let me look in that
folder.

That can't be right.

Also as a side note, I use Nortan Ghost...should I even bother turning
back on Windows Sys Rest? Anything it covers that Ghost doesn't?

THanks for your help so far.
 
SergioQ said:
As we speak MalwareBytes is running, will take awhile. But after
turning off Sys Rest, rebooting (and confirming that the File View
options are set correctly) windows still won't let me look in that
folder.

That can't be right.
Click to expand...

Yes, that is right, by default only the System account has access to
this folder. Use the CACLS command to grant yourself access to the folder:

cacls "c:\System Volume Information" /E /G "User Name":F

http://support.microsoft.com/kb/309531
How to gain access to the System Volume Information folder

John
 
As we speak MalwareBytes is running, will take awhile.  But after
turning off Sys Rest, rebooting (and confirming that the File View
options are set correctly) windows still won't let me look in that
folder.

That can't be right.

Also as a side note, I use Nortan Ghost...should I even bother turning
back on Windows Sys Rest?   Anything it covers that Ghost doesn't?

THanks for your help so far.
Click to expand...

If you don't already know, turning off/on SR will delete all your RPs,
and you will still not be able to access the SVI folder when you are
done with that (as you can see) and running MBAM will not grant you
access either.

If you have had a malicious software attach, it may be best to delete
all your RPs anyway since they may contain the affliction.

You are not "supposed" to access the SVI folder so there is nothing
wrong and it is right.

That is the way is is supposed to work. You will not access it using
the conventional methods in Explorer unless you circumvent recommended
settings, so it would be prudent to put things back when are done.
The settings are the way they are for a reason.

You can access the folder with cacls if you are compelled to do so (as
indicated) but once you get there, what will you do? You would
probably want to be sure to uncacls your system when you are done so
some mistake doesn't happen later.

Since you have NAV installed, trying to use SR to restore to a
previous point is likely to fail anyway (try it), so you might also
want to read this:

http://service1.symantec.com/SUPPORT/sharedtech.nsf/pfdocs/2005113009323013

If you think you might ever want to use SR, make yourself a RP, reboot
and then restore to that last RP just to make sure the mechanism works
and you understand the process (aka practice).
 
If you think you might ever want to use SR, make yourself a RP, reboot
and then restore to that last RP just to make sure the mechanism works
and you understand the process (aka practice).- Hide quoted text -

- Show quoted text -
Click to expand...

Sorry if am confused, but using Norton GHOST, does it matter if I turn
off SR? I mean they're independent of each other, yes or no?

Thanks
 
Sorry if am confused, but using Norton GHOST, does it matter if I turn
off SR?  I mean they're independent of each other, yes or no?

Thanks
Click to expand...

They are independent but do two different things.

You also said you have NAV which to me means Norton Anti Virus. A
typical installation of NAV will usually (by design) thwart attempts
to restore your system to an earlier date using the Windows System
Restore function. None of your RPs will work - infected or not.

NAV will not let you restore your system to an earlier date using even
a clean RP until you follow their directions in the provided link.

Folks will sometimes report "Help! SR is broken!", so the next
question (sometimes much later) is "Do you have NAV installed?" If
yes, the read this link:

http://service1.symantec.com/SUPPORT/sharedtech.nsf/pfdocs/2005113009323013

That will probably not give relief to their probably infected system
though but it is something they can try, and SR might work now.

If NAV (or any other malicious software tool) says even one of your
RPs is infected, I would consider them all compromised, clean up your
system, whack all the old RPs, make a new (clean one), then attempt to
restore your system using the new RP just for the fun of it to test
the entire System Restore function from end to end and fix it if it
doesn't work.

If you want to use Ghost, that is fine. I would use both. However,
if you are going to put some faith in Ghost (or SR), you should really
test it to restore your system at least once to see if it really
works. It may appear to be Ghosting just fine, but have you ever
tried to use it? Could be surprising.

If SR or Ghost doesn't work the way you expect, it would be better to
find out before you really need it.
 
Sorry if am confused, but using Norton GHOST, does it matter if I turn
off SR?  I mean they're independent of each other, yes or no?

Thanks
Click to expand...

....the day you need it is not the day to find out it doesn't work :)
 
...the day you need it is not the day to find out it doesn't work :)
Click to expand...

The day I bought Ghost, I also bought an identical HD and made sure
that it worked.

But this infected SRP is still buggin me. Came out of the blue, I ran
the MalwareBytes advice above, it found no threat, etc.

If I have SR OFF...why can't I get into that volume?
 
Yes, that is right, by default only the System account has access to
this folder.  Use the CACLS command to grant yourself access to the folder:

cacls "c:\System Volume Information" /E /G "User Name":F
Click to expand...

I tried it and got:

No mapping between account names and security IDs was done.

And yes, used the right drive letter and the current user name.. tried
with the username in quotes and without.

Any thoughts?
 
SergioQ said:
I tried it and got:

No mapping between account names and security IDs was done.

And yes, used the right drive letter and the current user name.. tried
with the username in quotes and without.

Any thoughts?
Click to expand...

Try the other methods here:

http://support.microsoft.com/kb/309531
How to gain access to the System Volume Information folder

John
 
John said:
Try the other methods here:

http://support.microsoft.com/kb/309531
How to gain access to the System Volume Information folder

John
Click to expand...

And he still can't resolve the trojan issue by gaing access, another
solution is to simply to turn OFF (and then later back on) System Restore,
to start afresh. THAT will, of course, delete the prior System Restore
points, and start clean from there.
 
SergioQ said:
So NAV, all of a sudden, keeps detecting (and fixing) a trojan in
there. And everytime I try to access that folder to look in it I
get the old: "access denied" message.

Even though I have said SHOW hidden files, DO NOT Hide protected
operating system files (Recommended) ... still the system won't let
me in.

Anyone have any clues what's up?
Click to expand...

Shenan said:
Turn off System Restore.
Reboot.
Turn on System Restore.

Scan with MalwareBytes (Full Scan.)
Click to expand...
As we speak MalwareBytes is running, will take awhile. But after
turning off Sys Rest, rebooting (and confirming that the File View
options are set correctly) windows still won't let me look in that
folder.

That can't be right.

Also as a side note, I use Nortan Ghost...should I even bother
turning back on Windows Sys Rest? Anything it covers that Ghost
doesn't?

THanks for your help so far.
Click to expand...

That *is* right. The System Volume folder is for holding system restore
points. You have no need to gain access to these files and even if you had
full access (which is possible just by taking ownership/changing
permissions) - your AV software will be unable to actually clean the files
inside the system restore points.

By having you turn off System Restore and reboot - you lost all the restore
points and thus the corrupted/infested/infected files you were finding
inside the images. The bad side effect is that you cannot use those to
restore the system files to an earlier point - but since some of the earlier
points were infested/infected - my contention is you would not have wanted
to use those anyway. ;-)

The MalwareBytes scan I suggested was to better ensure you were clean of
malware infestations.
 
I believe John John has already given you this information.

How to gain access to the System Volume Information folderhttp://support.microsoft.com/kb/309531/en-us
Click to expand...

I could be wrong but thought I mentioned that this did not work for
me. it's the simplest method, and went no where
 
SergioQ said:
I could be wrong but thought I mentioned that this did not work for
me. it's the simplest method, and went no where
Click to expand...

No, the simplest method is to turn OFF system restore, and then turn it back
on again, to get clean restore points.
 
SergioQ said:
I could be wrong but thought I mentioned that this did not work for
me. it's the simplest method, and went no where
Click to expand...

Try the other methods, CACLS sometimes fails with the message that you
reported, this means that the CACLS utility could not resolve the SID.
The other methods will have you using the Explorer GUI to set the
permissions on the folder, this will get you around the problem with the
CACLS utility.

Cacls can fail with the noted error message for different reasons, some
of them:

- You renamed your user account but did not reboot
- Orphaned SIDS
- Your User account and computer name have the same name

and of course there is no saying what kind of damage the virus might
have done to your system. That being said, the others have already told
you that disabling and re-enabling System Restore will purge the folder
so there is no real need to access the folder, although I do understand
that you may be curious about the contents of the folder and that you
may want to have a look for yourself to satisfy your curiosity. That is
perfectly fine, for better or worse following our curiosity allows us to
learn things!

John
 
I could be wrong but thought I mentioned that this did not work for
me.  it's the simplest method, and went no where
Click to expand...

The calcs is not working because you need a proper example of how to
use it.

The cacls command does not "sometimes fail" - it fails when you don't
type it in right. It works when you do type it in right. There is
nothing to try. There is no problem to get around. There is no KB to
read. There is no might be, could be...

You are typing in "User Name" instead of your login name because that
is what the example you were given says.

Here is what I would type in on my computer for user Jose to expose
the SVI folder:

cacls "C:\System Volume Information" /E /P Jose:F

What will you do when the command works and your can get into the SVI
folder? It will not help with your isse at all, but if it is
curiosity, go for it. Put things back properly when you are done
looking around.

Why don't you follow the best advice, turn off SR, turn SR back on,
make a new RP, test it. Done.

Do you know how to put the proper permissions back on the SVI folder
when you are done? Of course not.

Here is what I would type in on my computer for user Jose when I was
done messing around with the SVI folder:

cacls "C:\System Volume Information" /E /R Jose
 
Jose said:
The calcs is not working because you need a proper example of how to
use it.

The cacls command does not "sometimes fail" -
Click to expand...

It *does* sometimes fail! It may be infrequent but this is a known to
happen at times. I have personally seen this before and believe me I
know how to type in the command! At that time I couldn't resolve the
cacls problem, I couldn't figure out why it was failing, it wasn't on my
machine so I didn't know the history of the machine.

As for the use of the /P or /G switch it doesn't make much of any
difference, /P replaces permissions and /G appends them, for all intents
and purposes it practically does the same thing except that when
replacing permissions with the /P switch you will be asked to confirm if
the permission is already in place.

John
 
It *does* sometimes fail!  It may be infrequent but this is a known to
happen at times.  I have personally seen this before and believe me I
know how to type in the command!  At that time I couldn't resolve the
cacls problem, I couldn't figure out why it was failing, it wasn't on my
machine so I didn't know the history of the machine.

As for the use of the /P or /G switch it doesn't make much of any
difference, /P replaces permissions and /G appends them, for all intents
and purposes it practically does the same thing except that when
replacing permissions with the /P switch you will be asked to confirm if
the permission is already in place.

John
Click to expand...

I'll take your word for it! If there is such a situation, it would be
something that happened prior to cause it.

I think the OP is following the instructions for cacls literally by
typing in "User Name" which will generate the reported error.

I created my copy/paste cacls instructions to apply to general
audiences under normal circumstance where folks are compelled to
access SVI, and reduce the chances of any misinterpretation, mistakes
or subsequent messaging, which seems to have happened.

I also include/suggest instructions on how to undo the change when
they are done.
 
Back
Top