{
	"id": "c0bebcbf-a0f2-4636-8936-7ce1b35fe8a4",
	"created_at": "2026-04-06T00:08:16.739048Z",
	"updated_at": "2026-04-10T13:11:59.346692Z",
	"deleted_at": null,
	"sha1_hash": "5f25a72f4609f557dceb8ba1310254b6ab031090",
	"title": "Diskshadow",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56822,
	"plain_text": "Diskshadow\r\nBy robinharwood\r\nArchived: 2026-04-05 16:37:54 UTC\r\nDiskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS). By\r\ndefault, Diskshadow uses an interactive command interpreter similar to that of Diskraid or Diskpart. Diskshadow\r\nalso includes a scriptable mode.\r\nNote\r\nMembership in the local Administrators group, or equivalent, is the minimum required to run Diskshadow.\r\nSyntax\r\nFor interactive mode, type the following at the command prompt to start the Diskshadow command interpreter:\r\ndiskshadow\r\nFor script mode, type the following, where script.txt is a script file containing Diskshadow commands:\r\ndiskshadow -s script.txt\r\nParameters\r\nYou can run the following commands in the Diskshadow command interpreter or through a script file. At a\r\nminimum, only add and create are necessary to create a shadow copy. However, this forfeits the context and\r\noption settings, will be a copy backup, and creates a shadow copy with no backup execution script.\r\nCommand Description\r\nset command Sets the context, options, verbose mode, and metadata file for creating shadow copies.\r\nload metadata\r\ncommand\r\nLoads a metadata .cab file prior to importing a transportable shadow copy or loads the\r\nwriter metadata in the case of a restore.\r\nwriter command\r\nverifies that a writer or component is included or excludes a writer or component from\r\nthe backup or restore procedure.\r\nadd command\r\nAdds volumes to the set of volumes that are to be shadow copied, or adds aliases to\r\nthe alias environment.\r\ncreate command Starts the shadow copy creation process, using the current context and option settings.\r\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\r\nPage 1 of 3\n\nCommand Description\r\nexec command Executes a file on the local computer.\r\nbegin backup\r\ncommand\r\nStarts a full backup session.\r\nend backup\r\ncommand\r\nEnds a full backup session and issues a backupcomplete event with the appropriate\r\nwriter state, if needed.\r\nbegin restore\r\ncommand\r\nStarts a restore session and issues a prerestore event to involved writers.\r\nend restore\r\ncommand\r\nEnds a restore session and issues a postrestore event to involved writers.\r\nreset command Resets Diskshadow to the default state.\r\nlist command\r\nLists writers, shadow copies, or currently registered shadow copy providers that are\r\non the system.\r\ndelete shadows\r\ncommand\r\nDeletes shadow copies.\r\nimport command Imports a transportable shadow copy from a loaded metadata file into the system.\r\nmask command Removes hardware shadow copies that were imported by using the import command.\r\nexpose command Exposes a persistent shadow copy as a drive letter, share, or mount point.\r\nunexpose command Unexposes a shadow copy that was exposed by using the expose command.\r\nbreak command Disassociates a shadow copy volume from VSS.\r\nrevert command Reverts a volume back to a specified shadow copy.\r\nexit command Exits the command interpreter or script.\r\nExamples\r\nThis is a sample sequence of commands that will create a shadow copy for backup. It can be saved to file as\r\nscript.dsh, and executed using diskshadow /s script.dsh .\r\nAssume the following:\r\nYou have an existing directory called c:\\diskshadowdata.\r\nYour system volume is C: and your data volume is D:.\r\nYou have a backupscript.cmd file in c:\\diskshadowdata.\r\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\r\nPage 2 of 3\n\nYour backupscript.cmd file will perform the copy of shadow data p: and q: to your backup drive.\r\nYou can enter these commands manually or script them:\r\n#Diskshadow script file\r\nset context persistent nowriters\r\nset metadata c:\\diskshadowdata\\example.cab\r\nset verbose on\r\nbegin backup\r\nadd volume c: alias systemvolumeshadow\r\nadd volume d: alias datavolumeshadow\r\ncreate\r\nexpose %systemvolumeshadow% p:\r\nexpose %datavolumeshadow% q:\r\nexec c:\\diskshadowdata\\backupscript.cmd\r\nend backup\r\n#End of script\r\nCommand-Line Syntax Key\r\nSource: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\r\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow"
	],
	"report_names": [
		"diskshadow"
	],
	"threat_actors": [],
	"ts_created_at": 1775434096,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f25a72f4609f557dceb8ba1310254b6ab031090.pdf",
		"text": "https://archive.orkl.eu/5f25a72f4609f557dceb8ba1310254b6ab031090.txt",
		"img": "https://archive.orkl.eu/5f25a72f4609f557dceb8ba1310254b6ab031090.jpg"
	}
}