Just a small project
Sun Jul 30, 2017 · 532 words

Today was one of those days where I had an idea of something I’d like to do with my afternoon and then was met with minor frustration after minor frustration. Yes, I could have just loaded up Overwatch, but to paraphrase JFK, I do this shit not because it is easy, but because it is hard.

After watching an older talk about diving through the amcache hive for threat hunting, I had an idea about an automation script would assist with that. First things first, I wanted to dive into the amcache.hve and get more comfortable with it. That’s when I discovered a number of things….

  1. Amcache file is locked. This isn’t very surprising, it’s in use all the time so that’s not a big deal.
  2. I remember that I can use vssadmin to create a shadow of C:\ and then pull the file that way. Makes sense right?
  3. Firing up vssadmin on my win10 box shows that it doesn’t have the ability to create shadows.
  4. Dig a little bit and find out that Microsoft removed this except from server OS. Amazing corporate bullshit strikes again.
  5. Do some more digging and find out that the function is actually still available from the wmi, which means that you can access it with powershell.

That’s insane. The functionality is there but they crippled the tool to use it because, well I have no idea why. Apparently, this was done around the Windows 8.1 time frame. Good to know that even if I”m late to a rage party, I can still rage. So below you can find my steps (do not copy paste) to handle this kind of bullshit.

C:\>powershell.exe -Command (gwmi -list win32_shadowcopy).Create('C:\','ClientAccessible')

C:\>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {cccdb828-b4af-43e2-9ad2-f2cda6bef720}
   Contained 1 shadow copies at creation time: 7/30/2017 10:43:29 AM
      Shadow Copy ID: {2d378f34-07e1-2e14-951a-6b94efba0fac}
         Original Volume: (C:)\\?\Volume{e3e67b31-8bed-11e4-824e-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: 
         Service Machine: 
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

C:\>mklink /d C:\vssdrive \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
symbolic link created for C:\vssdrive <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

C:\>xcopy "C:\vssdrive\Windows\appcompat\Programs\Amcache.hve" C:\temp
1 File(s) copied

C:\>rmdir C:\vssvolume

C:\>vssadmin delete shadows /shadow={2d378f34-07e1-4e14-951a-6b94efba0fac}
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Do you really want to delete 1 shadow copies (Y/N): [N]? y

Successfully deleted 1 shadow copies.

What does all of this do? Well let’s break it down:

Line 1: When using an administrative command prompt, we can call a powershell instance and pipe the command to create a shadow of C:
Line 3: Confirm that we’ve made a shadow. You’ll notice the shadow copy ID and volume path.
Line 18: Make a link to the shadow volume, you can use whatever you’d like here. I chose vssdrive cause it makes sense to me.
Line 21: Use your copy of choice to copy the file from your shadow drive to another folder, in this case I chose to use C:\temp
Line 25: Remove the volume link
Line 27: Delete the shadow

And that my friends is how you can copy a locked system file.

back · writing · who is me? · main