Monday, February 24, 2014

How to Restore Files from a Restore Point

In my last post, I mentioned how I had used Windows System Restore, only to find out that JavaScript (*.js) files are considered to be "system files" and are restored back to the state they were in when the restore point was created. I tried restoring back to the previous state, but no-go. System Restore failed with every other restore point.

I thought all was lost, until I found this article by the How-to Geek that has a batch file letting you mount the latest VSS (Volume Shadow Copy) volume and view the files contained therein (when you create a Restore Point, Windows creates a VSS volume containing your files at that point in time). I didn't want the most recent volume, but I looked at the batch file and figured out how to list the available volumes and mount the one I wanted. I figured I'd document the steps in case this helps anyone else.

  1. First off, you need to open a command prompt as an administrator (Right-click the "Command Prompt" and choose "Run as Administrator").
  2. At the prompt, type
    VSSAdmin List Shadows
    This will list the available VSS volumes on your system. This can be confusing, but each one displays a creation time. What you're looking for is the "Shadow Copy Volume" (e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1).
  3. Once you find out the name of the shadow copy volume, you can mount the volume using MKLINK just as you would any other folder (if you haven't used MKLINK, I'd recommend you check it out - it's a pretty useful tool). For example:
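    MKLINK /D C:\ShadowBackup \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
    Note the trailing backslash added to the volume name: MKLINK creates the link without it, but opening the folder then fails. In this example, you'll see a new folder named ShadowBackup on your C: drive, containing the contents of the VSS volume.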

Now you can view the contents of the VSS volume and view/copy any of the files within. This can also be useful if you accidentally delete a file or want to see what changes you've made.

To "unmount" the volume, you can simply delete the folder in Windows Explorer. This won't delete the volume, just the link to view the files.
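
The steps above as a single PowerShell script, for picking the shadow copy that existed at a given time rather than the latest one. This is an added example, not part of the original post or the How-to Geek batch file; it lists copies through the Win32_ShadowCopy WMI class instead of parsing VSSAdmin output, and the parameter names $AsOf and $LinkPath are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: link the newest shadow copy created at or before a given time.
# $AsOf and $LinkPath are hypothetical parameter names chosen for this sketch.
param(
    [datetime]$AsOf     = (Get-Date),         # newest copy at or before this time
    [string]  $LinkPath = 'C:\ShadowBackup'   # folder name used in the post's example
)

$ErrorActionPreference = 'Stop'

# Same information as "VSSAdmin List Shadows": one object per shadow copy,
# ordered oldest to newest by creation time.
$copies = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate
if (-not $copies) { throw 'No shadow copies found on this system.' }

# Show what is available so the choice can be checked by eye.
$copies | Format-Table InstallDate, VolumeName, DeviceObject -AutoSize | Out-Host

# Pick the newest copy that already existed at $AsOf.
$pick = $copies | Where-Object { $_.InstallDate -le $AsOf } | Select-Object -Last 1
if (-not $pick) { throw "No shadow copy was created at or before $AsOf." }

# Refuse to reuse an existing folder or link.
if (Test-Path -LiteralPath $LinkPath) {
    throw "$LinkPath already exists; choose another link path."
}

# MKLINK is a cmd.exe built-in, so call it through cmd.
# The target must end in a backslash or the link cannot be opened.
$target = $pick.DeviceObject.TrimEnd('\') + '\'
cmd /c mklink /D $LinkPath $target
if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE." }

Write-Host "Shadow copy from $($pick.InstallDate) is linked at $LinkPath"

# To remove only the link (the shadow copy itself is untouched):
#   cmd /c rmdir $LinkPath
```

Saved under a name of your choosing and run from an elevated prompt with something like -AsOf '2014-02-20 09:00', it links the last copy taken before that time.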