Shadow Copy snapshot file contents silently corrupted on Windows 10

Shadow Copy Service is a backup tool that Microsoft provides in Windows. It is mainly used by the system restore function to create shadow copies.

A shadow copy is in effect a snapshot: it captures a disk or volume at a specific point in time so that the data can be restored from that snapshot when necessary.

Twitter user @vsterkin found that the shadow copy function appears to be broken and cannot be used normally on Windows 10 v1903.

Analysis found that key data is missing from the shadow copy. Viewed in hexadecimal, the missing data is filled with 00, which is not only meaningless but also takes up a lot of disk space.

The affected shadow copies are those created by the system protection function, namely system restore. The created shadow copies can be unpacked from the command line to view the files in them.

Vadim Sterkin found that personal files such as documents, photos and videos were abnormal: some files could not be opened normally or were reported as damaged.

Viewing a damaged file in hexadecimal shows that all or part of it is filled with 00, which naturally leaves the file damaged, or means it is not a backup of the file at all.

In addition, the meaningless filler data occupies a large amount of disk space, so users are not only unable to restore files normally but also lose valuable space.
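The hexadecimal check described above can be automated over files that have been copied out of a snapshot. The following Python script is an added example, not code from the original report; the 4 KiB block size, the four-block threshold, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

BLOCK = 4096  # assumed scan granularity (a common NTFS cluster size)
MIN_RUN = 4   # assumed threshold: 4 consecutive all-00 blocks (16 KiB)

def zero_block_stats(path, block=BLOCK):
    """Return (total_blocks, zero_blocks, longest_zero_run) for one file."""
    total = zeros = run = longest = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(block):
            is_zero = chunk.count(0) == len(chunk)  # block holds only 00 bytes
            total += 1
            zeros += is_zero
            run = run + 1 if is_zero else 0
            longest = max(longest, run)
    return total, zeros, longest

def classify(path, min_run=MIN_RUN):
    """Verdict for one file; sparse files or disk images may also be flagged."""
    total, zeros, longest = zero_block_stats(path)
    if total == 0:
        return "empty"
    if zeros == total:
        return "all-zero"
    return "partial-zero" if longest >= min_run else "ok"

def scan_tree(root):
    """Map relative path -> verdict for every suspect file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if (verdict := classify(full)) in ("all-zero", "partial-zero"):
                findings[os.path.relpath(full, root)] = verdict
    return findings

def make_constructed_samples(root):
    """Constructed stand-ins for files copied out of a snapshot (not real data)."""
    good = bytes(range(1, 256)) * 64  # 16320 bytes, none of them 00
    samples = {"ok.doc": good, "zero.jpg": bytes(BLOCK * 8),
               "partial.mp4": good + bytes(BLOCK * 8) + good}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_samples(tmp)
        print(scan_tree(tmp))
```

Comparing each flagged file against the live copy or another backup separates real corruption from files that legitimately contain long runs of zeros.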

In the discussion, some users also claimed that shadow snapshots were destroyed in a similar way on Windows 8.1: an attempt to restore a file failed, and a large amount of 00 data was found.

That post was published in 2015, and its author appears to be a corporate IT administrator. To restore the data, the administrator had to retrieve it by other means.