Can PowerShell restore previous versions of files/folders via Volume Shadow Services (VSS)?

    Question

  • We are working with MS Tech Support to determine why many of our students' home folders are being deleted on logon in Windows 7 and 2008R2. We are in the US, but there are other schools around the world that are experiencing the same issue; schools are unique in that we have a large number of students passing through a relatively smaller number of computers every day. This is a Premium Support case, and I am hoping they are narrowing down the cause; in the meanwhile, I have learned PowerShell to help manage the situation on a day-to-day basis.

    I use PowerShell to quickly locate those deleted home folders. We are in our 3rd month of this situation, and I spend at least an hour a day on home folder issues.  One of my scripts compares our Active Directory student users with the list of the home folders on the folder share, and tells me whose folders are missing - I run this every hour, usually just after classes begin each period. When I find missing folders, I restore them to the last non-null previous version with Restore Previous Versions (our server takes VSS snapshots 3x/day), and then I also need to manually reset the security of the students' folder as I've found that the student no longer has control over their own folder/files, which will throw an error on login. This is all manageable if I'm missing 1-2 folders; when I get a batch of 10 or 20 that come up all at once, it's a nightmare. My very small tech staff has other responsibilities, like teaching and data management, and they do not do this procedure every day as I do ... so when I'm out of the office, it's even harder to manage. For that matter, *I* have lots of other responsibilities, and it irks me that I spend so much time on this every day!

    I'd like to extend the script to do more: (1) re-create the home folder (easy);  (2) find the last Previous Version that exists, and restore it (a complete unknown); and (3) set security to give the user full control of their folder and child objects (manageable, I think). I am not finding anything online about using PowerShell to do that middle step - to automate restoration of folders or file from VSS.  Does that possibility exist?


    -Pam
    Wednesday, November 17, 2010 3:41 AM

All replies

  • ohhh messy...

    so, I think this can be done. there is apparently a COM reference to VSS that you'd be able to hook in to.

    http://msdn.microsoft.com/en-us/library/aa384648(VS.85).aspx

    you'd either need to find the com name or guid and use new-object -com <name> and then you can use the API functions documented above.

    and setting ownership with PS can be done but it's not straightforward. you need to use some .NET classes for this because the set-acl just won't do it for you. I know there are some references on the web about this but I don’t know any off hand.

    also have you turned on auditing to the folders to see what is deleting them? and I assume MSFT has gone through GPO's and login scripts pretty carefully?

    Wednesday, November 17, 2010 1:03 PM
  • Thanks jrich - yes, it's messy! Yes, I would say that we've had a very thorough evaluation of our GPOs and scripts. We've turned on auditing on the server and it showed that something on the client system requests the deletion. We've turned off offline files, etc. We don't know if it's Win7 or one of the edu apps that we use, but since we turned on our 2008R2 remote desktop server farm a few weeks ago, it started happening there, as well - since it didn't happen under XP, 2003 TS, or 2008 TS, I think it is probably something related to Win 7 / 2008R2. Recently, MSFT instructed me to make some registry changes on the clients, which turns on very detailed profile, folder redirection, and logon logging - and they think those log files may be helpful. THAT required a PowerShell registry script pushed out through Group Policy.

    Thanks for the references - I think accessing COM objects may be a little over my head, but I will start playing with it!

    I did discover that a .vbs script did a better job of setting security recursively than PowerShell, so thank you for confirming that for me. Does anyone know how to call a .vbs script from PowerShell, is that possible?

     


    -Pam
    Wednesday, November 17, 2010 1:20 PM
  • well I'd be interested in hearing what the exact problem was in the end and for that matter the registry changes they had you make to increase profile logging.

    as far as com objects, it's really the same. create an object and .source it.. so you can poke around your com list (mmc snap-in for com's) and find the name or guid and then do new-object -com <name> and you can access any of the functions/classes etc from there. nothing too crazy.

    as far as running a vbs that’s pretty simple, you'd do it with start-process and if you want you can use the -wait argument to wait for it to finish before you go on.

    start-process -filepath "cscript.exe" -argumentlist "c:\scripts\thescript.vbs" -wait

    or something like that anyways..

    Wednesday, November 17, 2010 1:32 PM
  • also I wouldn’t rule out a command line way to do the VSS restore. I'd imagine there is one out there.

    http://technet.microsoft.com/en-us/library/ee923636(WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc772172(WS.10).aspx

    might be easier. I've never really used it so it's hard to say but it looks like you can restore with that tool.

    you can use invoke-command or start-process to run these tools

    Wednesday, November 17, 2010 1:47 PM
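
Added example, not part of any reply in this thread: one way to script the three steps from the question (re-create the folder, restore it from the newest shadow copy that still holds a non-empty copy, grant the user Full Control). It assumes an elevated session on the file server that owns the volume; the function name, its parameters, `C:\VssMount` and the `DOMAIN` placeholder are illustrative.

```powershell
# Added example. Restore-HomeFolderFromVss, its parameters and C:\VssMount are assumed names.
function Restore-HomeFolderFromVss {
    param(
        [Parameter(Mandatory = $true)] [string] $FolderPath,  # local path, e.g. D:\students\10577
        [Parameter(Mandatory = $true)] [string] $Account,     # e.g. DOMAIN\10577
        [string] $MountRoot = 'C:\VssMount'                   # scratch folder, must not contain spaces
    )
    $FolderPath = $FolderPath.TrimEnd('\')

    # Map the drive root (D:\) to its volume GUID path, which is how Win32_ShadowCopy names volumes.
    $root     = [System.IO.Path]::GetPathRoot($FolderPath)
    $relative = $FolderPath.Substring($root.Length)
    $volume   = Get-WmiObject Win32_Volume | Where-Object { $_.Name -eq $root }
    if (-not $volume) { throw "No local volume found for $root" }

    # Newest snapshot first; InstallDate is a sortable DMTF timestamp string.
    $shadows = Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate -Descending

    if (-not (Test-Path $MountRoot)) { New-Item -Path $MountRoot -ItemType Directory | Out-Null }
    $restoredFrom = $null

    foreach ($shadow in $shadows) {
        # Expose the snapshot through a temporary directory symlink (trailing backslash required).
        $link = Join-Path $MountRoot $shadow.ID.Trim('{}')
        cmd /c mklink /d $link "$($shadow.DeviceObject)\" | Out-Null
        try {
            $source = Join-Path $link $relative
            # Skip snapshots where the folder is missing or empty (the "last non-null" version).
            if ((Test-Path $source) -and (Get-ChildItem $source -Force | Select-Object -First 1)) {
                # Steps 1 and 2: robocopy creates the destination if needed.
                # /E = subfolders, /COPYALL = data, timestamps, ACLs, owner and auditing info.
                robocopy $source $FolderPath /E /COPYALL /R:1 /W:1 /NP | Out-Null
                if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
                $restoredFrom = $shadow.InstallDate
                break
            }
        }
        finally {
            cmd /c rmdir $link    # removes only the link, never the snapshot contents
        }
    }
    if (-not $restoredFrom) { throw "No shadow copy holds a non-empty copy of $FolderPath" }

    # Step 3: Full Control for the user, inherited by subfolders (CI) and files (OI).
    icacls $FolderPath /grant "${Account}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    return $restoredFrom   # timestamp of the snapshot that was used
}

# Usage (placeholder values):
# Restore-HomeFolderFromVss -FolderPath 'D:\students\10577' -Account 'DOMAIN\10577'
```

Because the function returns the snapshot timestamp, an hourly missing-folder job can log which version each folder came from.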
  • well I'd be interested in hearing what the exact problem was in the end and for that matter the registry changes they had you make to increase profile logging.

    Sure. I don't know if those .etl files are useful to the lay person, but here are the registry changes to start the logging! Excuse my scripting, it's not very elegant. To push these out with GP as Startup Scripts, I had to first create a computer policy to enable PowerShell script execution. Computer Configuration -> Preferences -> Windows Settings -> Registry . Right-click to create New Registry Item. Action: Update.

    Properties
    Hive: HKEY_LOCAL_MACHINE 
    Key path: SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell 
    Value name: ExecutionPolicy 
    Value type: REG_SZ 
    Value data: RemoteSigned 
    
    

    The Folder Redirection Script:

    $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\FR"
    $regKey2 = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\FR\{2955e23c-4e0b-45ca-a181-6ee442ca1fc0}"
    
    #open a log file to log which machines have grabbed the script
    $logFile = "\\depot\logs$\msRegProfChanges.txt"
    get-content env:computername | Out-File -filepath filesystem::$logFile -append
    Get-Date | Out-File -filepath filesystem::$logFile -append
    
    
    #does the registry key exist? 
    if (test-Path($regKey))
    {
      #Write-host Registry Path exists
      Out-File -filepath filesystem::$logFile -append -input "... Folder Redirection trace, registry items modified"
      #modify the objects
      set-location $regKey
      Set-ItemProperty -path $RegKey -Name Status -Value 00000000
      Set-ItemProperty -path $RegKey -Name FileName -Value "C:\FR.etl"
      Set-ItemProperty -path $RegKey -Name GUID -Value "{2955e23c-4e0b-45ca-a181-6ee442ca1fc0}"
      Set-ItemProperty -path $RegKey -Name Start -Value 00000001
    }
    else 
    {
      #Write-host Registry Path not found
      Out-File -filepath filesystem::$logFile -append -input "...Folder Redirection trace, registry items created"
      #create the registry objects
      New-Item -path $RegKey -type Directory
      New-ItemProperty -path $RegKey -Name Status -PropertyType dWord -Value 00000000
      New-ItemProperty -path $RegKey -Name FileName -PropertyType string -Value "C:\FR.etl"
      New-ItemProperty -path $RegKey -Name GUID -PropertyType string -Value "{2955e23c-4e0b-45ca-a181-6ee442ca1fc0}"
      New-ItemProperty -path $RegKey -Name Start -PropertyType dWord -Value 00000001
    }
    if (test-Path($regKey2))
    {
      #Write-host Registry Path exists
      #modify the objects
      set-location $regKey2
      Set-ItemProperty -path $RegKey2 -Name Enabled -Value 00000001
      Set-ItemProperty -path $RegKey2 -Name EnableFlags -Value 31
      Set-ItemProperty -path $RegKey2 -Name EnableLevel -Value 00000004
      Set-ItemProperty -path $RegKey2 -Name Status -Value 00000000
    }
    else 
    {
      New-Item -path $RegKey2 -type Directory
      New-ItemProperty -path $RegKey2 -Name Enabled -PropertyType dWord -Value 00000001
      New-ItemProperty -path $RegKey2 -Name EnableFlags -PropertyType dWord -Value 31
      New-ItemProperty -path $RegKey2 -Name EnableLevel -PropertyType dWord -Value 00000004
      New-ItemProperty -path $RegKey2 -Name Status -PropertyType dWord -Value 00000000
    }
    
    

    Profile:

    $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Profile"
    $regKey2 = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Profile\{EB7428F5-AB1F-4322-A4CC-1F1A9B2C5E98}"
    
    #open a log file
    $logFile = "\\depot\logs$\msRegProfChanges.txt"
    get-content env:computername | Out-File -filepath filesystem::$logFile -append
    Get-Date | Out-File -filepath filesystem::$logFile -append
    
    
    #does the registry key exist? 
    if (test-Path($regKey))
    {
      #Write-host Registry Path exists
      Out-File -filepath filesystem::$logFile -append -input "...Registry items exist"
      #modify the objects
      set-location $regKey
      Set-ItemProperty -path $RegKey -Name Status -Value 00000000
      Set-ItemProperty -path $RegKey -Name FileName -Value "C:\Profile.etl"
      Set-ItemProperty -path $RegKey -Name GUID -Value "{EB7428F5-AB1F-4322-A4CC-1F1A9B2C5E98}"
      Set-ItemProperty -path $RegKey -Name Start -Value 00000001
    }
    else 
    {
      #Write-host Registry Path not found
      Out-File -filepath filesystem::$logFile -append -input "...Registry items created"
      #create the registry objects
      New-Item -path $RegKey -type Directory
      New-ItemProperty -path $RegKey -Name Status -PropertyType dWord -Value 00000000
      New-ItemProperty -path $RegKey -Name FileName -PropertyType string -Value "C:\Profile.etl"
      New-ItemProperty -path $RegKey -Name GUID -PropertyType string -Value "{EB7428F5-AB1F-4322-A4CC-1F1A9B2C5E98}"
      New-ItemProperty -path $RegKey -Name Start -PropertyType dWord -Value 00000001
    }
    if (test-Path($regKey2))
    {
      #Write-host Registry Path exists
      #modify the objects
      set-location $regKey2
      Set-ItemProperty -path $RegKey2 -Name Enabled -Value 00000001
      Set-ItemProperty -path $RegKey2 -Name EnableFlags -Value 255
      Set-ItemProperty -path $RegKey2 -Name EnableLevel -Value 00000003
      Set-ItemProperty -path $RegKey2 -Name Status -Value 00000000
    }
    else 
    {
      New-Item -path $RegKey2 -type Directory
      New-ItemProperty -path $RegKey2 -Name Enabled -PropertyType dWord -Value 00000001
      New-ItemProperty -path $RegKey2 -Name EnableFlags -PropertyType dWord -Value 255
      New-ItemProperty -path $RegKey2 -Name EnableLevel -PropertyType dWord -Value 00000003
      New-ItemProperty -path $RegKey2 -Name Status -PropertyType dWord -Value 00000000
    }
    

    Login:

    $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\winlogon Trace"
    $regKey2 = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Winlogon Trace\{D451642C-63A6-11D7-9720-00B0D03E0347}"
    
    #open a log file
    $logFile = "\\depot\logs$\msRegProfChanges.txt"
    get-content env:computername | Out-File -filepath filesystem::$logFile -append
    Get-Date | Out-File -filepath filesystem::$logFile -append
    
    
    #does the registry key exist? 
    if (test-Path($regKey))
    {
      #Write-host Registry Path exists
      Out-File -filepath filesystem::$logFile -append -input "...Logon trace, registry items modified"
      #modify the objects
      set-location $regKey
      Set-ItemProperty -path $RegKey -Name Status -Value 00000000
      Set-ItemProperty -path $RegKey -Name FileName -Value "C:\WinlogonTrace.etl"
      Set-ItemProperty -path $RegKey -Name GUID -Value "{D451642C-63A6-11D7-9720-00B0D03E0347}"
      Set-ItemProperty -path $RegKey -Name Start -Value 00000001
    }
    else 
    {
      #Write-host Registry Path not found
      Out-File -filepath filesystem::$logFile -append -input "...Logon trace, registry items created"
      #create the registry objects
      New-Item -path $RegKey -type Directory
      New-ItemProperty -path $RegKey -Name Status -PropertyType dWord -Value 00000000
      New-ItemProperty -path $RegKey -Name FileName -PropertyType string -Value "C:\WinlogonTrace.etl"
      New-ItemProperty -path $RegKey -Name GUID -PropertyType string -Value "{D451642C-63A6-11D7-9720-00B0D03E0347}"
      New-ItemProperty -path $RegKey -Name Start -PropertyType dWord -Value 00000001
    }
    if (test-Path($regKey2))
    {
      #Write-host Registry Path exists
      #modify the objects
      set-location $regKey2
      Set-ItemProperty -path $RegKey2 -Name Enabled -Value 00000001
      Set-ItemProperty -path $RegKey2 -Name EnableFlags -Value 65535
      Set-ItemProperty -path $RegKey2 -Name EnableLevel -Value 00000005
      Set-ItemProperty -path $RegKey2 -Name Status -Value 00000000
    }
    else 
    {
      New-Item -path $RegKey2 -type Directory
      New-ItemProperty -path $RegKey2 -Name Enabled -PropertyType dWord -Value 00000001
      New-ItemProperty -path $RegKey2 -Name EnableFlags -PropertyType dWord -Value 65535
      New-ItemProperty -path $RegKey2 -Name EnableLevel -PropertyType dWord -Value 00000005
      New-ItemProperty -path $RegKey2 -Name Status -PropertyType dWord -Value 00000000
    }
    

    And then here are registry entries to "undo" the above and stop the logging:

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\FR]
    "Status"=dword:00000000
    "FileName"="C:\\FR.etl"
    "GUID"="{2955e23c-4e0b-45ca-a181-6ee442ca1fc0}"
    "Start"=dword:00000001

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\FR\{2955e23c-4e0b-45ca-a181-6ee442ca1fc0}]
    "Enabled"=dword:00000001
    "EnableFlags"=dword:0000001f
    "EnableLevel"=dword:00000004
    "Status"=dword:00000000

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Profile]
    "Status"=dword:00000000
    "FileName"="C:\\Profile.etl"
    "GUID"="{EB7428F5-AB1F-4322-A4CC-1F1A9B2C5E98}"
    "Start"=dword:00000001

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Profile\{EB7428F5-AB1F-4322-A4CC-1F1A9B2C5E98}]
    "Enabled"=dword:00000001
    "EnableFlags"=dword:000000ff
    "EnableLevel"=dword:00000003
    "Status"=dword:00000000


    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Winlogon Trace]
    "FileName"="C:\\WinlogonTrace.etl"
    "GUID"="{D451642C-63A6-11D7-9720-00B0D03E0347}"
    "Start"=dword:00000001
    "Status"=dword:00000000

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Winlogon Trace\{D451642C-63A6-11D7-9720-00B0D03E0347}]
    "Enabled"=dword:00000001
    "EnableLevel"=dword:00000005
    "EnableFlags"=dword:0000ffff
    "Status"=dword:00000000

     


    -Pam
    Wednesday, November 17, 2010 2:09 PM
  • no problem reading those. its event tracing stuff. surprised it was done through the registry, maybe that was just a way to deploy it.

    thanks!

    Wednesday, November 17, 2010 4:13 PM
  • Sure, no problem.

    I know this is off the PowerShell topic, but as an update MSFT has found the problem today from the log files, but not the cause of it. In the 2nd line below, it is not seeing the server name (\\depot) and the FQDN (\\depot.alton.school.com) as the same path, and is deleting the folder because of this discrepancy. We've just done a full search of the group policies and haven't seen the FQDN of the server anywhere (it's always mapped as %HOMESHARE%), so we're trying to find out why this discrepancy is occurring.

    [1]0394.0454::11/16/2010-23:03:16.950 [kfapi] <INFO> kfapi::CFolderRedirector::Redirect Got redirection source path = \\depot.alton.school.com\students\10577
    [0]0394.0454::11/16/2010-23:03:17.556 [kfapi] <API> kfapi::CFolderRedirector::PerformRedirection Entering, fid = {FDD39AD0-238F-46AF-ADB4-6C85480369C7}, source = \\depot.alton.school.com\students\10577, target = \\depot\students\10577
    [0]0394.0454::11/16/2010-23:03:24.788 [kfapi] <INFO> kfapi::CFolderRedirector::PerformRedirection Known folder path updated
    [1]0394.0454::11/16/2010-23:03:24.827 [kfapi] <INFO> kfapi::CFolderRedirector::PerformRedirection Delete source folders
    

    -Pam
    Wednesday, November 17, 2010 5:07 PM
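
Added example, not part of the thread: a check that scans a decoded folder-redirection trace for the pattern in the four lines above, a redirection whose source and target differ only in the form of the server name, followed on the same trace thread by "Delete source folders". The function name is an assumption, as is treating the first DNS label of the FQDN as the server's short name; the sample input is the excerpt quoted in the post.

```powershell
# Added example. Find-SameShareRedirection is an assumed name; input is the trace decoded to text.
function Find-SameShareRedirection {
    param([string[]] $TraceLines)

    $linePattern  = '^\[\d+\](?<tid>[0-9A-Fa-f]+\.[0-9A-Fa-f]+)::(?<time>\S+) \[kfapi\] <\w+> (?<msg>.*)$'
    $enterPattern = 'PerformRedirection Entering, fid = (?<fid>\{[^}]+\}), source = (?<src>.+?), target = (?<dst>.+)$'
    $uncPattern   = '^\\\\(?<server>[^\\]+)\\(?<rest>.+)$'
    $pending = @{}   # NNNN.NNNN line prefix -> redirection whose paths differ only in server name

    foreach ($raw in $TraceLines) {
        $line = $raw.Trim()
        if ($line -notmatch $linePattern) { continue }
        $tid = $Matches['tid']; $time = $Matches['time']; $msg = $Matches['msg']

        if ($msg -match $enterPattern) {
            $fid = $Matches['fid']; $src = $Matches['src']; $dst = $Matches['dst']
            if ($src -notmatch $uncPattern) { continue }
            $srcServer = $Matches['server']; $srcRest = $Matches['rest']
            if ($dst -notmatch $uncPattern) { continue }
            $dstServer = $Matches['server']; $dstRest = $Matches['rest']

            # Assumption: the first DNS label of the FQDN is the server's short name.
            $sameHost = $srcServer.Split('.')[0] -ieq $dstServer.Split('.')[0]
            if ($sameHost -and ($srcRest -ieq $dstRest) -and ($srcServer -ine $dstServer)) {
                $pending[$tid] = New-Object PSObject -Property @{
                    Time = $time; FolderId = $fid; Source = $src; Target = $dst; SourceDeleted = $false
                }
            }
        }
        elseif (($msg -match 'PerformRedirection Delete source folders') -and $pending.ContainsKey($tid)) {
            $hit = $pending[$tid]
            $hit.SourceDeleted = $true
            $pending.Remove($tid)
            $hit                       # emit: same share under two names, and the source was deleted
        }
    }
    $pending.Values                    # flagged redirections with no delete logged (yet)
}

# Sample input: the trace excerpt quoted in the post above.
$sample = @'
[1]0394.0454::11/16/2010-23:03:16.950 [kfapi] <INFO> kfapi::CFolderRedirector::Redirect Got redirection source path = \\depot.alton.school.com\students\10577
[0]0394.0454::11/16/2010-23:03:17.556 [kfapi] <API> kfapi::CFolderRedirector::PerformRedirection Entering, fid = {FDD39AD0-238F-46AF-ADB4-6C85480369C7}, source = \\depot.alton.school.com\students\10577, target = \\depot\students\10577
[0]0394.0454::11/16/2010-23:03:24.788 [kfapi] <INFO> kfapi::CFolderRedirector::PerformRedirection Known folder path updated
[1]0394.0454::11/16/2010-23:03:24.827 [kfapi] <INFO> kfapi::CFolderRedirector::PerformRedirection Delete source folders
'@

Find-SameShareRedirection ($sample -split '\r?\n') | Format-List
```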
  • Hi Pam

    I know that this is not a PowerShell topic. But we currently have the same issues as you describe. We use folder redirection and offline files and from time to time the home folders of the users are being deleted on logon in Windows 7.

    We are using NetBIOS names in the user object to map home folders. Now we are thinking about changing this to FQDN. But we are not sure if that will solve anything. Do you have any additional information about this issue?

    Daniel

    Tuesday, February 08, 2011 7:39 AM
  • Hi Daniel -

    Yes, we do have a fix that worked for us. What follows is the registry key and an explanation of it! For some reason, Windows 7 is comparing the FQDN path with the short path (even though the FQDN path is NOT set anywhere in our policies or AD properties any longer - we checked extensively; although it was set at one time because I tried it as a potential fix to the problem below). It sees them as two different folders and then deletes one of them!

    Give it a try, and best of luck! We are still having issues with some netbooks (only one model) not being able to access students' home folders using the short name path, and that part of the case has been escalated to a Networking Team in MS Tech Support - they are still analyzing network logs. But, at least the folders aren't being deleted any longer.

    -Pam

    HKLM\Software\Policies\Microsoft\Windows\Explorer\CheckSameSourceAndTargetForFRAndDFS = 1

    In conversation with my colleague, we came across a policy for Windows Explorer that addresses this very issue:

     

    Machine Policies \Windows Components\Windows Explorer

    “Verify old and new Folder Redirection targets point to the same share before redirecting”

     

    Policy Info:

    This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths.

     

    If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted.  The temporary file is deleted.

     

    If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different.

     

    Note: If the paths point to different network shares, this policy setting is not required.  If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled.

     

    Tuesday, February 08, 2011 1:14 PM
  • Hi Pam

    We can solve the problem with this registry key entry in our company.
    Thanks for this tip!
    Martin
    Tuesday, January 17, 2012 2:22 PM
  • We are having the same issue with our students logging in on Windows 7 in our schools. It is a sporadic\intermittent issue where their home drive folders are being deleted. We do not see the registry entry you reference above, did you have to push out the entire explorer key and setting? was it a combination of the registry key\value and the group policy setting being enabled? or an either\or situation?

    thanks for any help you can provide!

    Ken

    Wednesday, November 07, 2012 7:25 PM
  • Hi Ken,

    It's been a couple of years, so I'm a little rusty on this one. I don't think Microsoft ever managed to really fix this issue - they certainly never gave me a resolution.

    However, per my post on Feb 8, 2011, the following Group Policy seems to help, at least with the folder deletions. I apply it to all OU's where I have client machines.

    This, I think, does the same thing as the registry key I put in the same post.

    We still do have the problems with the short name of the server not being resolved when we have a lot of machines online. I would love to know if anyone ever found a REAL fix. We are planning to move to Windows 8 and 2012 server next summer, perhaps that combination will be better?

    Pam


    -Pam

    Wednesday, November 07, 2012 7:54 PM
  • I am remembering now that one workaround was to create a PowerShell script to prevent users from deleting their own folder by resetting their NTFS security ACL. That did work, but I later removed the workaround so that we could continue to try to pin down the problem. If I ever find that script again, I will post it here!


    -Pam


    PS. My Microsoft Support Incident number was  110092159909810
    • Edited by altonK12 Wednesday, November 07, 2012 8:06 PM added MS incident number
    Wednesday, November 07, 2012 8:05 PM
  • I just wanted to update this thread - we are still having the folder redirection issue under Windows 7 with our students on wireless devices. Although these things have helped, the issue still occurs.
    Monday, April 29, 2013 12:50 PM