vssadmin is the Windows Volume Shadow Copy Service (VSS) administrative CLI (v1.1) used to create, list, and delete point-in-time volume snapshots for backup, system restore, and forensic data extraction.
vssadmin Create Shadow /for=C:
vssadmin List Shadows /for=C:
vssadmin Delete Shadows /for=C: /Quiet
vssadmin List Writers
vssadmin List Providers
vssadmin List ShadowStorage
vssadmin Resize ShadowStorage /on=C: /For=C: /MaxSize=10GB
vssadmin Syntax Reference
Tested on Windows Server 2019 with VSS 1.1.
All commands require an elevated command prompt (Run as Administrator). The core subcommands are shown above.
vssadmin Rapid Reference Cheat Sheet
| Action | CLI Command | Provider/Context | Key Flag | Impact/Result |
|---|---|---|---|---|
| Create a shadow copy | vssadmin Create Shadow /for=C: | Windows VSS | /for specifies volume | Creates one snapshot; returns ShadowCopyID |
| List all shadows on a volume | vssadmin List Shadows /for=C: | Windows VSS | /for optional; lists all if omitted | Displays ShadowCopyID, volume, creation time |
| Delete all shadows on a volume | vssadmin Delete Shadows /for=C: /Quiet | Windows VSS | /Quiet suppresses confirmation | Removes all shadow copies; irreversible |
| List VSS writers | vssadmin List Writers | Windows VSS | None | Shows writer state (stable/failed); aids backup debugging |
| List storage providers | vssadmin List Providers | Windows VSS | None | Lists registered providers (system, software) |
| Resize shadow storage area | vssadmin Resize ShadowStorage /on=D: /For=C: /MaxSize=20GB | Windows VSS | /MaxSize limits storage | Prevents disk full; set per volume association |
Advanced Implementation & Parameters
Shadow Copy Access via Device Path
Once a shadow copy is created, you can access it via the symbolic link: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{ID}. This bypasses the file system’s open-file locks and enables extraction of locked system files such as NTDS.dit and registry hives. Example:
rem List shadows to get the correct shadow ID
vssadmin List Shadows
rem Mount visible path (alternatively use drive letter via `mklink`)
rem Copy NTDS.dit from shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp
Note: For files open exclusively (e.g., by Active Directory), the native copy command may fail with “access denied”. Use raw volume reads via Invoke-VolumeShadowCopy (PowerShell) to extract the data.
Shadow Copy Storage and Retention
The /MaxSize parameter in Resize ShadowStorage controls how much disk space can be used for shadow copies. The default is unlimited (up to 10% of the source volume on some editions). To restrict:
vssadmin Resize ShadowStorage /on=D: /for=C: /MaxSize=5GB
This sets a hard cap; once exceeded, oldest shadows are deleted. For automation, combine with schtasks to call Create Shadow at intervals.
Error Resolution & Troubleshooting
| Error Code / Message | Root Cause | Remediation Command |
|---|---|---|
| Error: You don’t have the correct permissions to run this command. | Command prompt not running as Administrator; missing SeBackupPrivilege. | runas /user:Administrator cmd then re-run vssadmin. |
| Error: Invalid command. | Typo or unsupported subcommand (e.g., Creat Shadow). | Check syntax: vssadmin /? \| more or refer to List Commands. |
| 0x1000, 0x100000, 0x1273D5, 0x1FFFFF (JPCERT documented codes) | Low-level VSS provider errors; often related to I/O or file system corruption. | Check system event log (Event ID 8222, 8224); run chkdsk C: /f; verify storage driver integrity. |
| Access denied when copying from shadow | File is exclusively locked by another process (e.g., NTDS.dit). | Use raw volume reads via PowerShell or reboot into Safe Mode and copy before VSS snapshot is removed. |
| Shadow copy list empty | No shadows created or storage area deleted. | Create a new shadow: vssadmin Create Shadow /for=C: |
Production-Grade Implementation
Security Hardening & Least Privilege
- Restrict vssadmin.exe execution to authorized backup service accounts via AppLocker or Windows Defender Application Control. Do not grant interactive users the ability to run vssadmin Create Shadow.
- Monitor Event ID 8222 (Shadow Copy Created) and 8224 (Shadow Copy Deleted) to detect unauthorized snapshot creation, a common precursor to credential theft (e.g., HiveNightmare, CVE-2021-36934).
- For domain controllers, enable backup-only access to the NTDS.dit file via VSS instead of granting interactive SeBackupPrivilege to all admins.
- After forensic extraction, immediately delete shadow copies with vssadmin Delete Shadows /for=C: /Quiet to reduce attack surface.
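One way to back the allowlisting and monitoring points above with a concrete check, as an added example that is not part of the original page: it triages process-creation records (such as Security event 4688 with command-line auditing, or Sysmon Event ID 1) for vssadmin snapshot creation or deletion by accounts outside the backup allowlist. The sample events are constructed, and the account names and the field names `User`, `Image` and `CommandLine` are assumptions about how your pipeline exposes these records.

```powershell
# Added example. Accounts and events below are constructed for illustration.
$AllowedAccounts = @('CORP\svc-backup')   # hypothetical backup service account

function Find-VssadminActivity {
    param([object[]]$Events, [string[]]$AllowedAccounts)
    foreach ($e in $Events) {
        # Match on the image name so renamed arguments or full paths still hit.
        if ($e.Image -notmatch '(^|\\)vssadmin(\.exe)?$') { continue }
        $action = switch -Regex ($e.CommandLine) {
            'delete\s+shadows' { 'DeleteShadows'; break }
            'create\s+shadow'  { 'CreateShadow'; break }
            default            { $null }
        }
        if (-not $action) { continue }   # List Writers, List Providers, etc.
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $e.User
            Action      = $action
            Authorized  = $AllowedAccounts -contains $e.User   # case-insensitive
            CommandLine = $e.CommandLine
        }
    }
}

# Constructed sample records: one scheduled backup, two interactive invocations,
# and one read-only subcommand that should be ignored.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-01-10T02:00:03Z'; User = 'CORP\svc-backup'
        Image = 'C:\Windows\System32\vssadmin.exe'; CommandLine = 'vssadmin Create Shadow /for=C:' }
    [pscustomobject]@{ TimeCreated = '2024-01-10T14:21:47Z'; User = 'CORP\jdoe'
        Image = 'C:\Windows\System32\vssadmin.exe'; CommandLine = 'vssadmin.exe create shadow /for=C:' }
    [pscustomobject]@{ TimeCreated = '2024-01-10T14:29:10Z'; User = 'CORP\jdoe'
        Image = 'C:\Windows\System32\vssadmin.exe'; CommandLine = 'vssadmin delete shadows /for=C: /quiet' }
    [pscustomobject]@{ TimeCreated = '2024-01-10T15:02:00Z'; User = 'CORP\jdoe'
        Image = 'C:\Windows\System32\vssadmin.exe'; CommandLine = 'vssadmin List Writers' }
)

# Report only the invocations made by accounts outside the allowlist.
Find-VssadminActivity -Events $SampleEvents -AllowedAccounts $AllowedAccounts |
    Where-Object { -not $_.Authorized } |
    Format-Table Time, User, Action, CommandLine -AutoSize
```

With the sample data, the two invocations by CORP\jdoe are reported and the scheduled backup and the List Writers call are not.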
Automation & Integration
- Schedule vssadmin Create Shadow via schtasks with /Quiet for consistent point-in-time backups. Combine with robocopy to back up the shadow drive.
- Set storage limits to avoid disk exhaustion: vssadmin Resize ShadowStorage /on=C: /for=C: /MaxSize=10%.
- Use PowerShell Get-WmiObject Win32_ShadowCopy for programmatic control (create/delete/mount) instead of parsing vssadmin output.
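The programmatic route from the last bullet, as an added example that is not part of the original page: it uses Get-CimInstance (the CIM counterpart of Get-WmiObject) against Win32_ShadowCopy to list, create and age out snapshots without parsing vssadmin text. The function names and the 7-day retention are illustrative assumptions.

```powershell
# Added example (not from the original page). Run from an elevated session.
# Function names and the 7-day default are illustrative assumptions.

function Get-VolumeShadowCopy {
    param([string]$DriveLetter = 'C:')
    # Win32_ShadowCopy.VolumeName holds a volume GUID path, not a drive letter,
    # so resolve the letter to its DeviceID through Win32_Volume first.
    $vol = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = '$DriveLetter'"
    if (-not $vol) { throw "Volume $DriveLetter not found." }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate
}

function New-VolumeShadowCopy {
    param([string]$DriveLetter = 'C:')
    $result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = "$DriveLetter\"; Context = 'ClientAccessible' }
    if ($result.ReturnValue -ne 0) {
        throw "Win32_ShadowCopy.Create returned $($result.ReturnValue)."
    }
    $result.ShadowID   # GUID of the new snapshot, no text parsing needed
}

function Remove-ExpiredShadowCopy {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DriveLetter = 'C:', [int]$MaxAgeDays = 7)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-VolumeShadowCopy -DriveLetter $DriveLetter |
        Where-Object { $_.InstallDate -lt $cutoff } |
        ForEach-Object {
            # ShouldProcess honours -WhatIf and -Confirm before any deletion.
            if ($PSCmdlet.ShouldProcess($_.ID, 'Delete shadow copy')) {
                Remove-CimInstance -InputObject $_
            }
        }
}

# Preview which snapshots a 7-day retention would remove, without deleting.
Remove-ExpiredShadowCopy -DriveLetter 'C:' -MaxAgeDays 7 -WhatIf
```

Drop -WhatIf only once the preview lists the snapshots you expect to remove.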
Performance Considerations
Shadow copy creation on write-heavy volumes (e.g., SQL Server data) can cause brief I/O pauses, so schedule it during low-activity windows. Use vssadmin List Providers to confirm the hardware provider (if available) for faster snapshots. The default system provider uses copy-on-write; avoid over-fragmentation by reserving a dedicated storage area on a separate volume.
Frequently Asked Questions
What is the difference between “vssadmin delete shadows /all” and “vssadmin delete shadows /shadow={ID}”?
Answer: /all removes every shadow copy system-wide; /shadow={ID} removes only a specific copy identified by its GUID.
Use /all for bulk cleanup, but target exact /shadow={ID} when preserving other copies. Syntax:
vssadmin delete shadows /shadow={GUID}
vssadmin delete shadows /all
When should I use the /quiet flag with vssadmin?
Answer: Use /quiet in automation scripts to suppress confirmation prompts during shadow copy deletion.
Required for non-interactive scheduled tasks or CI/CD pipelines. Combine with other flags:
vssadmin delete shadows /for=C: /all /quiet
Does vssadmin work on cloud provider VMs (AWS, Azure, GCP)?
Answer: Yes, vssadmin operates natively on all Windows VMs for local volume management, independent of cloud provider.
For application-consistent snapshots via cloud APIs, use provider-specific tools (e.g., AWS Systems Manager, Azure Backup). vssadmin commands work identically on EC2, Azure VMs, and GCE instances with Windows Server. Example:
vssadmin create shadow /for=C:
What is the fastest way to delete all shadow copies on a specific volume with vssadmin?
Answer: Use “vssadmin delete shadows /for=C: /all /quiet” to remove all shadow copies on volume C: without confirmation.
The /quiet flag bypasses prompts, making it script-friendly. For a specific volume:
vssadmin delete shadows /for=D: /all /quiet
To delete only oldest copies, leverage shadow storage limits instead.

Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.