Hey!
I want to prevent deletion of shadow copies , I have read that basically windows has a service named VSS that exposes the ability to perform operations on shadow copies, under the hood it uses the volsnap.sys filter driver(specifically it sends an IOCTL named IOCTL_VOLSNAP_DELETE_SNAPSHOT) , and volsnap is not performing ANY access checks, so Im afarid if anyone figures this and just sends an IOCTL shadow copies may be gone.
I also know the volsnap exposes a device per volume shadow copy in which applications can perform operations on the copy through it (somethiing like \Device\HarddiskVolume2\ShadowCopyX)
But in the windows internals book they describe it as “Virtual Volume” - I’m not sure what that means , anyways
In addition I know the actual data volsnap stores is COW data (not the whole volume’s data ) and it is stored in the system volume information directory which is hidden and protected.
SO , i have the following questions :
- When they say \Device\HarddiskVolume2\ShadowCopyX is a virtual volume , what does it mean ? is it filtered by the filter manager ?
- Given the volsnap driver is in the file system device stack will an IRP_MJ_DEVICE_CONTROL to it be filtered by a minifilter ? or does it go directly to the volsnap’s dispatch routine ?
- What do you guys think is the best approach for monitoring those IOCTLs?
- Any sources that of filters that do stuff with shadow copies will be appriciated