TZWorks LLC
System Analysis and Programming
www.tzworks.com
(Version 0.39)
TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to the specific EULA issued to you for the terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.
The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.
The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.
ALL SOFTWARE ARE PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF IT IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.
The Software is the original work of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any material for infringement of copyright. Contact TZWorks LLC at email address: info@tzworks.com, regarding any DMCA concerns.
vssenum is a command line tool that only works on Windows; its purpose is to enumerate the Volume Shadows on the host machine.
The purpose of this tool was not to recreate the built-in vssadmin utility that is part of the Windows OS, but to have something that could assist in testing (via scripting) the other tools that are Volume Shadow aware.
To use this tool, an authentication file must be in the same directory as the binary for the tool to run.
There are 4 options for the Volume Shadow Snapshot enumerator: (a) display volume shadow statistics, (b) display only the volume shadow symbolic links, (c) display the volume shadow snapshot indexes, and (d) enumerate a directory within a snapshot (-dir). Below is the command line menu:
```
Usage
  vssenum -stats                        = list all volume shadows stats
  vssenum -statsvss <#>                 = give stats on just specified snapshot
  vssenum -list                         = list volume shadows available
  vssenum -indexes                      = list only volume shadows indexes
  vssenum -dir %vss%<snap#>\<folder> [dir options]
  vssenum -dir <folder> [dir options]

directory [-dir] options
  -level <num levels>                   = number of levels to recurse
  -filter <ext1 | filter2 |..>          = specify which file types to return
  -shortcut                             = use the vss# shortcut syntax
  -copy <dest folder>                   = copy the files returned from -dir

dir examples
  vssenum -dir %vss%1\Users -filter "ntuser.dat" -level 1
  vssenum -dir %vss%2\Users -filter "*index.dat | *.lnk" -level 10
  vssenum -dir c:\Users -filter "ntuser.dat | usrclass.dat" -level 10
```
To run vssenum successfully, two things must hold: (a) the vssenum binary must match the architecture of the operating system. Specifically, the 32 bit version of vssenum only works on a 32 bit version of Windows, and the 64 bit version only works on 64 bit Windows. (b) The tool must be run with administrative privileges.
Normally this architecture constraint does not apply to the 32 bit versions of other TZWorks® tools (one can usually run a 32 bit binary on a 64 bit machine). It is a constraint for vssenum because of the dependency limitations of the built-in Microsoft libraries that vssenum uses to enumerate the volume shadows.
Presently, vssenum offers 4 types of output.
The first uses the -stats option and separates the statistics of each volume shadow snapshot found on the system into fields. Each field is separated by the pipe character "|" to allow for easy parsing by another application. Below is a truncated sample output.
```
Snap date  | time [utc]   | Snapshot Device Object                          | ... | Name | # | OrigMach  | ServMach
08/16/2014 | 12:38:59.399 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 | ... | C:\  | 1 | loaner-PC | loaner-PC
08/20/2014 | 12:51:40.281 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2 | ... | C:\  | 1 | loaner-PC | loaner-PC
08/21/2014 | 13:02:55.913 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3 | ... | C:\  | 1 | loaner-PC | loaner-PC
08/23/2014 | 15:13:12.839 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4 | ... | C:\  | 1 | loaner-PC | loaner-PC
08/23/2014 | 22:28:14.393 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5 | ... | C:\  | 1 | loaner-PC | loaner-PC
08/24/2014 | 12:10:53.870 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6 | ... | C:\  | 1 | loaner-PC | loaner-PC
08/28/2014 | 11:54:39.260 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7 | ... | C:\  | 1 | loaner-PC | loaner-PC
08/28/2014 | 20:20:00.744 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8 | ... | C:\  | 1 | loaner-PC | loaner-PC
```
The second uses the -list option and just lists the volume shadow device objects for each snapshot as shown below:
```
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8
```
The third uses the -indexes option and just lists the snapshot numbers, one per line, as shown below:
```
1
2
3
4
5
6
7
8
```
The fourth uses the -dir <starting folder> option and lists the files in that folder and its subfolders in a form that can be piped into another tool. There are a number of sub-options, including: (a) -snap <index> to specify which snapshot to target, (b) -level <depth> to specify how many directories to recursively traverse, where the default is 1 folder, (c) -mask <filemask> to specify a type of file to return and (d) -shortcut to specify whether the volume shadow shortcut syntax should be used.
Below are 2 examples using different options to pull both the ntuser.dat and usrclass.dat hives from volume shadow snapshot #2. The -filter option allows one to add multiple filters to the directory enumeration, which in this case are the user hives. The first example uses the -shortcut option, while the second does not. If used in conjunction with another tool, one can easily script the output of vssenum to give one the control to process the desired file(s).
```
C:\dump\wintest>vssenum64 -dir %vss%2\Users -filter "ntuser.dat | usrclass.dat" -level 10 -shortcut
%vss%2\users\default\ntuser.dat
%vss%2\users\acct1\appdata\local\microsoft\windows\usrclass.dat
%vss%2\users\acct1\ntuser.dat
%vss%2\users\acct2\appdata\local\microsoft\windows\usrclass.dat
%vss%2\users\acct2\ntuser.dat

C:\dump\wintest>vssenum64 -dir %vss%2\Users -filter "ntuser.dat | usrclass.dat" -level 10
\\?\globalroot\device\harddiskvolumeshadowcopy2\users\default\ntuser.dat
\\?\globalroot\device\harddiskvolumeshadowcopy2\users\acct1\appdata\local\microsoft\windows\usrclass.dat
\\?\globalroot\device\harddiskvolumeshadowcopy2\users\acct1\ntuser.dat
\\?\globalroot\device\harddiskvolumeshadowcopy2\users\acct2\appdata\local\microsoft\windows\usrclass.dat
\\?\globalroot\device\harddiskvolumeshadowcopy2\users\acct2\ntuser.dat
```
The -dir option is also smart enough to enumerate mounted volumes that are not volume shadows; just substitute the %vss%<snap#> with the drive letter.
The latter three options -list, -indexes and -dir are useful in automation when applied to making a script to parse a certain artifact from all the snapshots on a system.
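As an added example (not TZWorks code), the following Python parses the pipe-delimited -stats output shown above into records, expands %vss%<n> shortcut paths into the device-object form that -dir prints without -shortcut, and selects snapshot indexes from a given date onward so a wrapper loop can be bounded to a window of interest. The sample rows are constructed from the truncated listing with the elided "..." columns dropped, and the record keys follow the header names.

```python
"""Parse vssenum -stats output, expand %vss%<n> shortcuts and pick snapshots by date.
Added example, not TZWorks code; SAMPLE_STATS is constructed from the truncated
listing in this guide with the elided '...' columns dropped."""
import re
from datetime import datetime, timezone

SAMPLE_STATS = r"""Snap date | time [utc] | Snapshot Device Object | Name | # | OrigMach | ServMach
08/16/2014 | 12:38:59.399 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 | C:\ | 1 | loaner-PC | loaner-PC
08/20/2014 | 12:51:40.281 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2 | C:\ | 1 | loaner-PC | loaner-PC
08/28/2014 | 20:20:00.744 | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8 | C:\ | 1 | loaner-PC | loaner-PC
"""
DEVICE_PREFIX = r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"
SNAP_RE = re.compile(r"HarddiskVolumeShadowCopy(\d+)$", re.IGNORECASE)
SHORTCUT_RE = re.compile(r"^%vss%(\d+)(\\.*)?$", re.IGNORECASE)

def parse_stats(text):
    """One dict per row, keyed by header name, plus 'index' and 'when' (UTC datetime)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for ln in lines[1:]:
        fields = [f.strip() for f in ln.split("|")]
        if len(fields) != len(header):
            raise ValueError(f"column count mismatch: {ln!r}")
        rec = dict(zip(header, fields))
        m = SNAP_RE.search(rec["Snapshot Device Object"])
        if not m:
            raise ValueError(f"unexpected device object: {rec['Snapshot Device Object']!r}")
        rec["index"] = int(m.group(1))  # the number that vssenum -indexes prints
        rec["when"] = datetime.strptime(
            f"{rec['Snap date']} {rec['time [utc]']}", "%m/%d/%Y %H:%M:%S.%f"
        ).replace(tzinfo=timezone.utc)
        rows.append(rec)
    return rows

def expand_shortcut(path):
    """%vss%<n>\\sub\\path -> the device-object path vssenum prints without -shortcut.
    Drive-letter paths pass through; vssenum itself prints the prefix in lower case."""
    m = SHORTCUT_RE.match(path)
    if not m:
        return path
    return f"{DEVICE_PREFIX}{m.group(1)}{m.group(2) or ''}"

def indexes_since(rows, date_mdy):
    """Indexes of snapshots taken on/after MM/DD/YYYY, oldest first, to bound a
    vsswrap-style loop to a window of interest instead of every snapshot."""
    cutoff = datetime.strptime(date_mdy, "%m/%d/%Y").replace(tzinfo=timezone.utc)
    return sorted(r["index"] for r in rows if r["when"] >= cutoff)
```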
One problem with pulling artifacts from volume shadows is finding which shadow copies are available on the system in question. Once this is known, one can read the desired volume shadow using the device object name of the volume shadow. Encapsulating this enumeration within a script and pulling the requisite data can cause some convoluted scripting. vssenum makes scripting of the enumeration of shadow copies much easier.
For example, using the -indexes option, one can take the output of vssenum and feed it into another tool to parse some artifact. Below is a useful script that does this and is tailored to work for a number of TZWorks® tools that are volume shadow aware.
```bat
rem .....................................................
rem vsswrap64.bat for 64 bit Windows
rem Copyright TZWorks LLC, All Rights Reserved
rem .....................................................
rem @echo off
rem delayed expansion is needed so !errorlevel! reflects each call inside the loop;
rem %errorlevel% would be expanded only once, when the whole block is parsed
setlocal enabledelayedexpansion
set toolname=%1
if "NULL%toolname%"=="NULL" goto arg_error
for /f "delims=" %%i in ('vssenum64.exe -indexes') do (
    @echo Processing %%i 1>&2
    call %toolname% -vss %%i %2 %3 %4 %5 %6 %7
    @echo result = !errorlevel! 1>&2
)
goto fin
:arg_error
@echo syntax: %0 ^<toolname^> ^<arg1^> ^<arg2^> ^<arg3^> ^<arg4^> ^<arg5^> ^<arg6^> 1>&2
:fin
```
Assume the above script is named vsswrap64.bat. Below are examples of using this script to parse a certain artifact from all the volume shadows on a system.
```bat
rem for sbag
vsswrap64 sbag64 -csv >> sbag.results.csv
rem for jp
vsswrap64 jp64 -csv >> jp.results.csv
rem for lp
vsswrap64 lp64 -csv >> lp.results.csv
rem for jmp
vsswrap64 jmp64 -csv >> jmp.results.csv
rem for usp
vsswrap64 usp64 -csv >> usp.results.csv
...
```
Using the -dir option, one can take the output of vssenum and pipe it into another tool that supports the -pipe option, such as cafae, id, and sbag. More broadly, vssenum can feed essentially any tool that accepts standard input as the mechanism to identify which file to parse. Furthermore, because of the flexibility of the -filter option, one can be very precise about the conditions under which a file is returned. Below are some examples:
For id, one can pipe in all the index.dat files from all the user accounts for a specified volume shadow:
```
vssenum -dir %vss%1\Users -level 99 -filter "index.dat" | id64 -pipe > out.csv
```
For cafae, one can pull the system, software and security hives with a one liner:
```
vssenum64 -dir %vss%1\Windows\System32\Config -filter "system|software|security" | cafae64 -pipe > out.txt
```
To pull all the user hives into cafae, one could do the following:
```
vssenum64 -dir %vss%1\Users -level 10 -filter "ntuser.dat|usrclass.dat" | cafae64 -pipe > out.txt
```
Option | Description |
---|---|
-stats | Show the stats about the Volume Shadows |
-statsvss | Show the stats about a specific Volume Shadow |
-list | Show the symbolic names for the Volume Shadows |
-indexes | Show the indexes of the Volume Shadows |
-dir | Enumerate one or more directories given a starting folder. The available sub-options include: (a) %vss% <index> to specify which snapshot to target, (b) -level <depth> to specify how many directories to recursively traverse, where the default is 1 folder, (c) -filter <filemask> to specify a type of file to return, (d) -shortcut to specify whether the volume shadow shortcut syntax should be used, and (e) -copy <destination folder> to copy files from one location to another. There are 2 required options: -dir <starting folder> and %vss%<index>. The rest are optional. |
-utf8_bom | All output is in Unicode UTF-8 format. If desired, one can prefix an UTF-8 byte order mark to the CSV output using this option. |
This tool has authentication built into the binary. The primary authentication mechanism is the digital X509 code signing certificate embedded into the binary.
The other mechanism is the runtime authentication, which ensures that the tool has a valid license. The license needs to be in the same directory of the tool for it to authenticate. Furthermore, any modification to the license, either to its name or contents, will invalidate the license.
The tools from TZWorks output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to which type of license the tool authenticates with. The limited and demo keywords indicate that some functionality of the tool is not available, and the full keyword indicates that all the functionality is available. The lacking functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be output in the parsed results, and (c) the license has a finite lifetime before expiring.