Windows 7 - What's "Generic volume shadow copy"?

Asked By J. P. Gilliver (John) on 21-Nov-10 08:28 AM
I am doing a complete system scan at the moment (AVIRA is my AV). I am
doing it after a restart, because my email-and-news software (Turnpike,
quite old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware
found" popup has appeared, and when I let it proceed to the point where
it tells me what the new hardware actually is, it has said "Generic
volume shadow copy". (I cancel it at that point.)

I have not added any new hardware (it is a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
popups have only appeared on this session.

Any idea what it is? It _sounds_ as if it just might be malware, but I am
fairly careful, and have never had any in decades of computing. (Avira
says it is done 41.3% - scanned 47215 objects - so far, and not found
anything.)

I will just go to Google it ...
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

... back in the olden days ... Britain was entirely made of wood and lit by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010




J. P. Gilliver (John) replied to J. P. Gilliver (John) on 21-Nov-10 09:35 AM
In message <UinRbZC05R6MFwrj@soft255.demon.co.uk>, "J. P. Gilliver
(John)" <G6JPG@soft255.demon.co.uk> writes:

Hmm. Done so; it seems to be something to do with System Restore, or
similar. And at least one other person encountered it while doing a
system scan - though no-one (that I have found so far) has explained
either (a) why it is popping up at random, or (b) why, if it is a
Microsoft thing anyway, it says it has not been checked.

(AVIRA finished a scan, and is now doing another one - or, is scanning a
different part of the system. It says it has found 2 "Detections", the
last being "HTML/Rce.Gen", which it says is not very dangerous. I cannot
ask it what the other one is - could be just the EICAR test virus which
I know I have on here somewhere and is by definition harmless. Avira
says 24.3% done on this pass.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

... back in the olden days ... Britain was entirely made of wood and lit by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010
Harden Thicke replied to J. P. Gilliver (John) on 22-Nov-10 08:43 AM
Avira forums, HoopleHead.
Tim Meddick replied to J. P. Gilliver (John) on 22-Nov-10 09:03 AM
The Windows service "Volume Shadow Copy" is a built-in service that
enables the operating system to copy files that would otherwise return the
error: "Access Denied - File in use by another process" (or similar) when
a file is "locked" by another program or the OS itself.

As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.

It is also used by "NT Backup" and any third-party programs that have been
written to utilize the Volume Shadow Copy service, such as ERUNT.exe (reg
backup for NT (google ERUNT for more on this)).

==

Cheers,    Tim Meddick,    Peckham, London.    :-)
J. P. Gilliver (John) replied to Tim Meddick on 23-Nov-10 03:09 AM
In message <icdt7b$fh2$1@speranza.aioe.org>, Tim Meddick
[]
Thanks for the more intelligent response than the other idiot.

What puzzles me are:

o Why did it (only) pop up when I was doing a scan? (I have - and use
occasionally - ERUNT, and it does not then.)

o Why does it see it as new hardware?

o I checked, and I already had restore points (going back to I think
November 7 - certainly from before I did the scan), so why had it not
popped up when it did those?

o I checked in Device Manager, and (once I'd turned on show hidden) I
already had the phantom drives (I forget the wording used) that are
involved.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
J. P. Gilliver (John) replied to Harden Thicke on 23-Nov-10 03:04 AM
In message <icds4q$d39$1@news.eternal-september.org>, Harden Thicke

1. I do not do "forums".

2. This is not just Avira.
[]
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
Tim Meddick replied to J. P. Gilliver (John) on 23-Nov-10 08:14 AM
I am afraid I just cannot answer that; it is a question more about your
Anti-Virus / Anti-Malware program than about the WinXP OS!

But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.

I would question the effectiveness of my Anti-Virus / Anti-Malware software
if such a genuine element of the Windows OS is being returned as in any
way bogus by it!

Such behaviour of "spotting" viruses / malware where there is not any is a
feature of Malware itself.....

(An example of this below...)
http://blogs.technet.com/b/mmpc/archive/2010/11/09/msrt-tackles-fake-microsoft-security-essentials.aspx

==

Cheers,    Tim Meddick,    Peckham, London.    :-)
Harden Thicke replied to J. P. Gilliver (John) on 23-Nov-10 05:44 PM
You're a lazy HoopleHead.
J. P. Gilliver (John) replied to Tim Meddick on 23-Nov-10 09:21 PM
In message <icgeog$603$1@speranza.aioe.org>, Tim Meddick

No, not at all: the AV did not object to it at all. It is just that, while
running an AV scan, (a) the "new hardware found" thing popped up twice,
(b) when I told it (the new hardware thing) to proceed to the next
stage, it (again, the normal Windows self-protecting thing) said that
what I was about to allow - i.e. the driver it had found for this
phantom new hardware - was not Microsoft signed. That latter is
particularly puzzling, this Shadow Copy thing being, as you have
explained, part of the system. (From what I found on line, others get the
same thing, though.)
[]
(No, that was not what was happening.)

(FWIW all AV found were two instances of some HTML code that matched
some Trojan.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

The fool doth think he is wise, but the wise man knows himself to be a fool.
Tim Meddick replied to J. P. Gilliver (John) on 24-Nov-10 10:06 AM
Ah, I understand you now.....  I also have experienced this and similar
sorts of behaviours.  I am afraid, again, I have no explanation at the
moment for it.

This is because it had not happened to me recently, and I have to be able to
reproduce the sequence of events that lead to getting a particular
error message in order for me to investigate it.

This is so I can then query the system to which processes are involved and
what software/hardware conflicts may be happening.  I can only do such
things while the error is "in progress".

But I will certainly keep it in mind so that if it ever happens on my
system again, I will attempt to identify its cause for you.....

==

Cheers,    Tim Meddick,    Peckham, London.    :-)

P.S.  I must assure you, however, again, that the service "Volume Shadow
Copy" or VSS (Volume Snapshot Service) is definitely a normal part of every
version of Windows since WinXP Service Pack 2 and Server 2003.
Twayne replied to Harden Thicke on 26-Nov-10 11:13 AM
But none can beat YOU for being a hooplehead, thick. If you are this lonely,
you need help you will not find around here!


Harden Thicke <harden@hthicke.invalid> typed:
Twayne replied to J. P. Gilliver (John) on 26-Nov-10 11:26 AM
J. P. Gilliver (John) <G6JPG@soft255.demon.co.uk> typed:

Have you tried any of the many spyware and malware programs around? Search
back on this group for recommendations or simply ask the question for which
ones people use.
Avira, IMO is only mediocre in its reliability and tends to false
positives IME, which are still repeatable in my last testing of it. It wants
to delete a legitimate setup.exe which lives in an unexpected folder and
that is the ONLY reason it wants to delete it. I notified them, they agreed
with me, promised to fix it, and never did.
AVG or AVAST are a couple decent freebies you can try out for AV work
that is better than Avira. There are other freebie AV programs too and a good
chance some will pipe in to offer their suggestions, same as with malware
detectors.

Having read all your responses to date here, it sounds very much like you
have malware aboard. Regardless of how "safe" you think you are with
surfing, there are just too many ways to become infected; safe hex alone
just will not do it.  A good firewall (ZoneAlarm?), a good AV package (not
Avira) and good malware detectors are the "norm" for protection. Some will
claim that programs like Super AntiMalware & such are all that is needed;
do not believe them. Many programs may catch many of them, but no single
program yet will catch all of them; there are just too many of them and
increasing every day.

HTH,

Twayne`
Twayne replied to J. P. Gilliver (John) on 26-Nov-10 11:41 AM
J. P. Gilliver (John) <G6JPG@soft255.demon.co.uk> typed:

Generic Volume Shadow Copy is a Windows program that allows the backing
up/manipulation of files that are "in use" by taking a snapshot of them.
Most archiving, backup and imaging programs require it in order to work.
It is a service that should be started automatically every time you boot
up unless you are an expert at manipulating its use. Check to see if it is
set to "automatic" under Services.

Unless the file is a phony, no AV or malware program should find it. If
it is a phony, it was placed there by malware. Or the original file was
overwritten with the phony.

WinPatrol Says:
Manages and implements Volume Shadow Copies used for backup and other
purposes. If this service is stopped, shadow copies will be unavailable for
backup and the backup may fail. If this service is disabled, any services
that explicitly depend on it will fail to start.

and

the executable is at:
C:\WINDOWS\System32\vssvc.exe

... Administrative Tools; Services     will open a window in XP where you
can start/stop the service, and set whether it starts "Automatic", "Manual"
or Never.
I do not give a path for the admin tools because the user can change it
after it is installed. Search your boot drive for vssvc.exe if necessary.
Check to see that it is set to "Automatic" and that the setting sticks
(stays after a Restart).

HTH,

Twayne`
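The checks Twayne describes above (service startup type, the vssvc.exe path, whether the file is genuine), done from the shell rather than the Services applet. This is an added example, not Twayne's own procedure; it assumes a current Windows with PowerShell 5.1 or later, since Get-Service's StartType, Get-CimInstance and Get-PnpDevice do not exist on WinXP.

```powershell
# Added example (not from the thread): verify the Volume Shadow Copy service
# the way a defender would, instead of trusting a tray popup.
# Assumption: Windows 8+ / PowerShell 5.1+; none of these cmdlets exist on XP.

# 1. Service state and startup type. The post says "Automatic" on XP; newer
#    Windows defaults VSS to Manual (trigger-started), so only flag Disabled.
$svc = Get-Service -Name VSS -ErrorAction Stop
"VSS service: Status={0}, StartType={1}" -f $svc.Status, $svc.StartType
if ($svc.StartType -eq 'Disabled') {
    Write-Warning "VSS is disabled: backups/System Restore that need it will fail."
}

# 2. Which binary actually backs the service? A service whose ImagePath points
#    anywhere other than System32\vssvc.exe is the "phony" case Twayne mentions.
$wmiSvc   = Get-CimInstance Win32_Service -Filter "Name='VSS'"
$exePath  = $wmiSvc.PathName -replace '^"?([^"]+?\.exe)"?.*$', '$1'
$expected = Join-Path $env:SystemRoot 'System32\vssvc.exe'
"Service binary: $exePath"
if ($exePath -ne $expected) {
    Write-Warning "VSS binary path is not the expected $expected"
}

# 3. Is that binary Microsoft-signed? The thread's puzzle was an "unsigned
#    driver" prompt; the service executable itself should verify as Microsoft's.
#    (vssvc.exe is catalog-signed; PowerShell 3+ resolves catalog signatures.)
$sig = Get-AuthenticodeSignature -FilePath $exePath
"Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Warning "vssvc.exe does not carry a valid Microsoft signature"
}

# 4. The hidden "Generic volume shadow copy" device nodes John saw in Device
#    Manager after enabling "show hidden devices". One exists per snapshot, so
#    the list should line up with the shadow copies reported in step 5.
Get-PnpDevice -PresentOnly:$false -ErrorAction SilentlyContinue |
    Where-Object FriendlyName -like '*volume shadow copy*' |
    Select-Object Status, FriendlyName, InstanceId

# 5. Existing shadow copies: each should correspond to a restore point or
#    backup you recognise; unexplained ones are worth a closer look.
Get-CimInstance Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName, Count
```

Run it from an elevated PowerShell; the PnP and signature queries return nothing useful without administrator rights.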
J. P. Gilliver (John) replied to Tim Meddick on 28-Nov-10 03:58 AM
In message <icja5l$r2n$1@speranza.aioe.org>, Tim Meddick
[]
Thanks. Don't go out of your way - I was just curious as to:
1. what it was (I know more or less now)
2. why it suddenly popped up as "new hardware found", despite the fact
that I already had several restore points so it must have already been
present to make them;
3. why, when it does pop up, the OS itself (not my AV) says it is not
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

If vegetarians eat vegetables,..beware of humanitarians!
J. P. Gilliver (John) replied to Twayne on 28-Nov-10 04:09 AM
In message <icon34$ski$1@news.eternal-september.org>, Twayne
[]

Are you sure you have done so, because:
1. it is not my AV, but the OS's own trap, that is objecting. You know
how when you add new hardware, and the system asks for a driver, and you
load the driver that came with it, as often as not you get a popup
warning you that said driver is not "Microsoft signed" or something like
that. What was happening was that - despite not having added any new
hardware - the "new hardware found" thing was popping up (saying the new
hardware was this "... shadow copy"), and when I let it find drivers for
it, the "not signed" box popped up.
2. I already had several restore points present; presumably the shadow
copy thing must have already been there in order to make those. So why
is it popping up again?
[]

I have a firewall (plus what is in the routers of course).


Agreed. (How many of each [AV, firewall, detector] - and which ones - do
_you_ run?)
(Why the lines at the end?)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

If vegetarians eat vegetables,..beware of humanitarians!
Tim Meddick replied to J. P. Gilliver (John) on 28-Nov-10 09:25 PM
It is possible that some sort of malware is un-registering the Volume
Shadow Copy service, and, as a matter of course, I would run both MRT.exe
and MalwareBytes (both "full" scan - not the "quick").

This would explain the behaviour.

What service pack are you running - if you have not already done so, would
you consider upgrading to service pack 3 ??......

Windows XP Service Pack 3 Network Installation Package for IT Professionals
and Developers (316.4MB)
http://www.microsoft.com/downloadS/details.aspx?familyid=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

Windows XP Service Pack 3 - ISO-9660 CD Image File (544.9MB)
http://www.microsoft.com/downloads/details.aspx?FamilyID=2fcde6ce-b5fb-4488-8c50-fe22559d164e&displaylang=en

==

Cheers,    Tim Meddick,    Peckham, London.    :-)
Tim Meddick replied to J. P. Gilliver (John) on 28-Nov-10 10:44 PM
What I was saying was: that at times, the "New Hardware wizard" popping-up
to re-install the service could indicate that "Volume Shadow Copy" had
[at that point] been un-registered.
However, obviously, if you are using the System Restore or NT Backup
utilities normally, then the "Volume Shadow Copy" service is registered
properly.
Nonetheless, it could indicate some malware / virus on the system, even
if the effect of having to re-install the service does not happen all the
time and is quite intermittent.  I still recommend that you do a [full]
scan with MRT.exe and Malwarebytes as soon as is practicable.

==

Cheers,    Tim Meddick,    Peckham, London.    :-)
Twayne replied to J. P. Gilliver (John) on 29-Nov-10 11:43 AM
J. P. Gilliver (John) <G6JPG@soft255.demon.co.uk> typed:

Router Gateway: Westell 327W & comes with NAT - almost as good as a firewall

Firewall: Norton 2010

AV: Norton's AV (real time monitoring) and AVG (used separately, is NOT set
to real time monitor).

Backup: Norton Ghost 14: Full once/month, incrementals nightly.

Spyware/Malware: *WinPatrol;
SuperAnti Spyware; Spybot Search & Destroy; Norton Internet Security;
Adaware; Malware Bytes. Probably a couple others I have missed.
*WinPatrol is not per se a scanner, but it WILL stop ANY application it
has not seen before from running, so it needs a short training course as you
use your machine. It does so many other things too that I will not go into
them; see their web site if interested.

I run the malware detectors in the approximate sequence as listed, first
one first run. Unless I have a really nasty problem I stop after using
Norton Internet Security. I have had both Adaware and MalwareBytes catch
something all the others miss, but not very often. Thus, I keep them around.
I keep AVG around likewise; just a tool for comparisons sometimes but
Norton's AV always catches, historically, everything and more than AVAST and
AVG. Its heuristics are better than any other I have tried, and their new,
smaller memory footprint makes them faster and useful for the smaller
machines that always had speed complaints.

A note on AV programs: If they find something and fix it for you, run them
again. There is a possibility the removal may have exposed something else
that was previously hidden. Always run them until they find nothing.

My only claim to "success" with these applications is that I have not had a
viral infection in almost three years now so I am doing something right. YMMV
of course because different geographic areas get different kinds of viruses
quite often. The last problem I had was a GAIN infection that I stupidly
downloaded myself in another application. I now check reputations for any
sites I have not visited before and I also use Google's attributes about
various web sites.

HTH,

Twayne`