Volume Shadow Copy Service
Resources
Shadow copy creation tools
a. VShadow
b. Win32_ShadowCopy Create method
c. vssadmin create shadow
Create shadow copy
Refer to the resource links above for other client tools for shadow copy creation (not tested).
C:\Users\Administrator> wmic shadowcopy call create Volume='C:\'
List shadow copy
C:\Users\Administrator> vssadmin list shadows
The output of the shadow copy volume (of C:\) will be shown. We can now access the SAM and system registry files from windows\system32\config\sam and windows\system32\config\system respectively.
Now that we have extracted the SAM and system registry hives, we can use Impacket's secretsdump.py script to decrypt the credentials they contain. Refer to the example in the Registry Hives section for more information.
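As an added defender-side example (not part of the original page), the following Python correlates process-creation events for the stages described above: shadow copy creation, enumeration with vssadmin list shadows, and a read of the SAM or system hive through a shadow copy device path. The log format and sample lines are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of process-creation events (Sysmon Event ID 1 style, simplified to
# timestamp|host|user|image|command line). These lines are made up for this example.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01|HOST1|Administrator|cmd.exe|wmic shadowcopy call create Volume='C:\\'",
    "2024-05-01T10:00:05|HOST1|Administrator|cmd.exe|vssadmin list shadows",
    "2024-05-01T10:00:40|HOST1|Administrator|cmd.exe|"
    "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM C:\\temp\\sam",
    "2024-05-01T11:30:00|HOST2|backupsvc|backup.exe|vssadmin list shadows",
]

# Creation tools named on the page plus the wmic form, the enumeration command, and any
# read of a registry hive through a shadow-copy device path.
CREATE_RE = re.compile(
    r"wmic\s+shadowcopy\s+call\s+create|vssadmin\s+create\s+shadow"
    r"|win32_shadowcopy.*\bcreate\b|\bvshadow(\.exe)?\b", re.I)
LIST_RE = re.compile(r"vssadmin\s+list\s+shadows", re.I)
HIVE_RE = re.compile(r"HarddiskVolumeShadowCopy\d+.*config\\(sam|system|security)\b", re.I)

def classify(cmdline):
    """Map one command line to a stage of the technique, or None if unrelated."""
    if HIVE_RE.search(cmdline):
        return "hive_read"
    if CREATE_RE.search(cmdline):
        return "create"
    if LIST_RE.search(cmdline):
        return "list"
    return None

def detect(events, window=timedelta(minutes=10)):
    """Correlate shadow-copy activity per host; returns host -> "high" | "medium" | "low"."""
    # high: hive read from a shadow path within `window` after a creation;
    # medium: creation or hive read on its own; low: enumeration only (backup software does this)
    by_host = {}
    for line in events:
        ts, host, _user, _image, cmd = line.split("|", 4)
        stage = classify(cmd)
        if stage:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    verdicts = {}
    for host, hits in by_host.items():
        creates = [t for t, s in hits if s == "create"]
        reads = [t for t, s in hits if s == "hive_read"]
        if any(timedelta(0) <= r - c <= window for c in creates for r in reads):
            verdicts[host] = "high"
        elif creates or reads:
            verdicts[host] = "medium"
        else:
            verdicts[host] = "low"
    return verdicts
```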