Data Backup Digest

The Microsoft Windows Volume Shadow Copy Service has been in use for over 10 years now. Not only is it seen in consumer operating systems, but it also comes fully integrated into the latest releases of Windows Server, as well. But what exactly is the Microsoft Windows Volume Shadow Copy Service, and why is it so crucial to data backup and recovery?

To explain in its simplest terms, the Microsoft Windows Volume Shadow Copy Service facilitates the backup of point-in-time data copies, also known as shadow copies, on behalf of certain operating systems. Both 32-bit and 64-bit versions are available, and a list of compatible operating systems includes Windows Server 2008 / R2, Windows 7, Windows Vista / SP1 and Windows Server 2003 / SP1. Each different version includes some different features and functionality, so your Volume Shadow Copy Service may differ from that of your peers.

Creating a Volume Shadow Copy

Microsoft provides two different methods of creating a shadow copy. The first method allows users to create a complete copy, or clone, of the volume. Alternatively, users can opt to backup only the recent changes that have been made to the volume, also known as a differential copy or copy-on-write. Regardless of the method, the result is two separate image files: the shadow copy volume as well as the original data. The shadow copy volume, however, is marked as a read-only file. This ensures the file remains valid for its lifespan.

The Architecture of a Volume Shadow Copy

There are numerous elements involved in the creation of a volume shadow copy. For starters, there is the Volume Shadow Copy Service: a protocol that facilitates the creation of a shadow copy in the first place. Next is the requestor, or the application that is specifically requesting the creation of a shadow copy. This is typically some sort of backup software.

Next is the writer, which is the part of an application that is actually storing information within a volume. The writer also ensures consistency between shadow copies. Typical writers include database programs such as Exchange Server or SQL Server, as well as other system-oriented services such as Active Directory.

The component that actually creates the shadow copy is called the provider. Finally, we find the last two components of a volume shadow copy: the source volume, or that which is currently holding the data to be copied, and the storage volume, which is responsible for holding the shadow copy data.

Potential Threats and Hazards

Because it is such a vital component to data backup and recovery, the Microsoft Windows Volume Shadow Copy Service has been the target of hackers and malicious software. In fact, the service was recently singled out by a malware program known as Locker, which would effectively delete the shadow copies previously created through the Windows Shadow Copy Service. The malware only affected shadow copies that were stored on the system volume itself, however, which suggests that the original creator of the Locker malware application was specifically targeting crucial system files with their software.