Comments on Journey Into Incident Response: Ripping VSCs – Developer Method
Blog author: Corey Harrell
Feed updated: 2024-03-13T01:32:25.097-04:00

Kx499 (2012-08-12T22:56:56.447-04:00):

This was a great post/series that I filed in my bookmarks to revisit after our Win7 deployment. This post and the information it put together was very helpful in integrating VSC analysis into the script (PowerShell) we use for analysis of live systems.

I tried the practitioner method, but Office 2010 & App-V broke vssadmin. Thanks to your research, I was able to put together a solution that used WMI and Windows API calls to loop through all VSCs for a particular search pattern and display the results. If you're interested, the code is here: http://pastebin.com/aUh3Gyrh

Thierry13 (2012-02-14T17:15:12.818-05:00):

Hi, thanks for this post.

Searching for a way to access VSC volumes directly using PowerShell and WMI, I finally found the tool dosdev...

It's a really simple way to access data in VSC... OK, that's some kind of symbolic link, but that works (for what I've tested).

http://blogs.msdn.com/b/adioltean/archive/2005/10/04/477164.aspx

http://blogs.msdn.com/b/adioltean/archive/2006/09/18/761515.aspx

H. Carvey (2012-02-13T06:48:33.135-05:00):

Great stuff, Corey...thanks for posting!

Corey Harrell (2012-02-12T22:23:07.562-05:00):

Andrew,

I downloaded the Windows 7 VSS SDK kit but haven't had the chance to read through the documentation yet. I'll make sure to read how regdecoderlive does it through WMI and the native API. Thanks for the pointers.

Andrew Case (2012-02-12T22:06:08.791-05:00):

"The way to accomplish identifying a volume’s VSCs will be dependent on the person writing the code but I'm currently researching a way to do this without using the vssadmin command."

We do this in regdecoderlive through WMI:

http://code.google.com/p/regdecoderlive/source/browse/trunk/acquire_files.py#266

There is also a native API for it:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa382706(v=vs.85).aspx