Forensics Wiki
Register
Advertisement

Windows Vista includes a feature called "Previous Versions" whereby users can go back to previous snapshots of files easily through the Windows Vista GUI. This technology is based on the Volume Shadow Copy Service available in Windows XP and Windows Server 2003. Snapshots are taken periodically, typically once a day, so you don't have access to all saved versions of a file.

File Locations[]

The files for Previous Versions are located in the "System Volume Information" directory which is also the place used to store Restore Points.

Enabling/Disabling[]

A user can enable or disable Previous Versions at any time by going to Control Panel -> System -> System Protection and checking or unchecking the check box for Automatic Restore Points for each available disk. Disabling the feature will remove all existing Restore Points. It is unclear whether this will also remove manual Restore Points created by the user.

File Formats[]

As of November 27th 2006 it is unclear how this information is stored without further investigation.

Tools and Utilities[]

  • vssadmin.exe is included with Windows Vista and is the administrative command line tool for the Volume Shadow Copy Service

External Links[]

Advertisement