  • vssvc?


    • This topic has 4 replies, 3 voices, and was last updated 1 month ago.
      • #2356503
        berniec
        AskWoody Plus

        I just upgraded my main PC to win10 20H2. {As I expected, since this is the third of my three win10 systems, it went without a hitch.} But an odd thing happened: I got a ransomware alert about vssvc trying “Volume5”. I don’t know which of my filesystems that is (I have 7 plus an SMB), but what I’m curious about is *why*, after all this time, I suddenly get a vssvc warning. I didn’t think I was *running* the shadow copy service. What is it trying to shadow-copy, and to where? Do I need the shadow copy service?

        Should I leave it or kill the service?  If I keep it, how can I figure out what it is configured to be doing?

      • #2356597
        Paul T
        AskWoody MVP

        VSS is a required service and you should not remove it.
        VSS is used by other programs to create a snapshot of (parts of) your file system.

        What is giving you ransomware reports? Windows controlled folder access?
        You should be able to list any snapshots from a Command Prompt (vssadmin list shadows).

        cheers, Paul
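The checks Paul describes, as an added example that is not code from this thread or from Microsoft: it lists the same snapshots as `vssadmin list shadows`, shows the state of the Volume Shadow Copy service (service name VSS, hosted by vssvc.exe), and maps "VolumeN" style names to drive letters. The function names (Get-NtDeviceName, Get-VolumeMap, Find-VolumeByNtName, Get-ShadowCopyReport, Get-VssServiceState, Get-ControlledFolderAccessEvents) are mine, and it assumes that the "Volume5" in the original poster's alert is the NT device name \Device\HarddiskVolume5, which QueryDosDevice can map back to a volume. Everything here is read-only.

```powershell
# Added example, not code from the AskWoody thread. Read-only checks run from an elevated
# PowerShell (5.1 or 7) on Windows; enumerating Win32_ShadowCopy needs administrator rights.
# Assumption: the "Volume5" in a Controlled folder access alert is the NT device name
# \Device\HarddiskVolume5, which QueryDosDevice lets us map back to a drive letter.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'NativeMethods' -Namespace 'VssCheck' -PassThru

function Get-NtDeviceName {
    # Resolve a DOS name ("C:" or "Volume{guid}") to its NT device name, e.g. \Device\HarddiskVolume5.
    param([Parameter(Mandatory)][string]$DosName)
    $buffer = New-Object System.Text.StringBuilder 1024
    if ($Kernel32::QueryDosDevice($DosName, $buffer, $buffer.Capacity) -eq 0) { return $null }
    return $buffer.ToString()
}

function Get-VolumeMap {
    # One row per mounted volume: NT device name, volume GUID path, drive letter, label, size.
    foreach ($vol in Get-CimInstance -ClassName Win32_Volume) {
        # DeviceID looks like \\?\Volume{guid}\ ; QueryDosDevice wants Volume{guid}
        $guidName = ($vol.DeviceID -replace '^\\\\\?\\', '') -replace '\\$', ''
        $sizeGb = if ($vol.Capacity) { [math]::Round($vol.Capacity / 1GB, 1) } else { $null }
        [pscustomobject]@{
            NtDevice    = Get-NtDeviceName $guidName
            VolumeGuid  = $vol.DeviceID
            DriveLetter = $vol.DriveLetter
            Label       = $vol.Label
            FileSystem  = $vol.FileSystem
            SizeGB      = $sizeGb
        }
    }
}

function Find-VolumeByNtName {
    # Which volume is "VolumeN"? Returns the Get-VolumeMap row for \Device\HarddiskVolumeN.
    param([Parameter(Mandatory)][int]$Number)
    Get-VolumeMap | Where-Object { $_.NtDevice -eq "\Device\HarddiskVolume$Number" }
}

function Get-ShadowCopyReport {
    # Same information as 'vssadmin list shadows', joined to the volume each snapshot protects.
    $volumes = @(Get-VolumeMap)
    foreach ($sc in Get-CimInstance -ClassName Win32_ShadowCopy) {
        $v = $volumes | Where-Object { $_.VolumeGuid -eq $sc.VolumeName } | Select-Object -First 1
        $label = if ($v) { "$($v.DriveLetter) ($($v.NtDevice))" } else { $sc.VolumeName }
        [pscustomobject]@{
            ShadowId     = $sc.ID
            Created      = $sc.InstallDate
            Volume       = $label
            DeviceObject = $sc.DeviceObject
            Persistent   = $sc.Persistent
        }
    }
}

function Get-VssServiceState {
    # vssvc.exe is the Volume Shadow Copy service; StartMode is Manual by default, so it is
    # started on demand by whatever asks for a snapshot (backup tools, System Restore, upgrades).
    $svc = Get-Service -Name VSS
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='VSS'"
    [pscustomobject]@{
        DisplayName = $svc.DisplayName
        Status      = $svc.Status
        StartMode   = $cim.StartMode
        ProcessId   = $cim.ProcessId
    }
}

function Get-ControlledFolderAccessEvents {
    # Defender logs controlled folder access blocks as event 1123 (audit-mode hits as 1124)
    # in the Microsoft-Windows-Windows Defender/Operational log; these show what tripped it.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

'--- Volume map ---';          Get-VolumeMap | Sort-Object NtDevice | Format-Table -AutoSize
'--- Volume5 ---';             Find-VolumeByNtName -Number 5 | Format-List
'--- Shadow copies ---';       Get-ShadowCopyReport | Format-Table -AutoSize
'--- VSS service ---';         Get-VssServiceState | Format-List
'--- CFA events (7 days) ---'; Get-ControlledFolderAccessEvents | Format-Table -AutoSize -Wrap
```

The volume map is the useful part for the original question: a volume without a drive letter (a recovery or EFI partition, for instance) still gets an NT device name, so "Volume5" may well be a partition that never shows up in Explorer. The shadow copy report answers "what is it configured to be doing" only for snapshots that still exist; a snapshot taken during an upgrade and discarded afterwards leaves no row, which is consistent with the alert appearing right after moving to 20H2.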

        • #2356601
          Alex5723
          AskWoody Plus

          BleepingComputer from 2015 : Why Everyone Should disable VSSAdmin.exe Now!

          …Unfortunately, the developers of Crypto Ransomware are aware of Shadow Volume Copies and design their infections so that they delete ALL Shadow Volume Copies when the ransomware infects your computer. This is done to prevent you from using Shadow Volumes to recover encrypted files.

          There are a few methods that the ransomware malware developers use to delete the Shadow Volume Copies, but the most prevalent one is to use the vssadmin.exe Delete Shadows /All /Quiet command. This command will execute the vssadmin.exe utility and have it quietly delete all of the Shadow Volume Copies on the computer. As this program requires Administrative privileges to run, some ransomware will inject themselves into processes that are running as an Administrator in order to avoid a UAC prompt from being displayed….
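A defender-side check for the deletion command the quoted article names, as an added example that is neither BleepingComputer's nor this thread's code: a predicate that flags a `vssadmin ... delete shadows` command line (and only that technique), run first over constructed sample lines and then over real process-creation events. It assumes Security event 4688 with "Include command line in process creation events" enabled, and the function names (Test-ShadowDeletionCommandLine, Get-ShadowDeletionEvents) are mine.

```powershell
# Added example, not from the thread. Flags the shadow-copy deletion command quoted above,
# first on constructed sample command lines, then on Security log event 4688 (process creation;
# the CommandLine field is only populated when command-line auditing is turned on). Read-only.

function Test-ShadowDeletionCommandLine {
    # True when a command line invokes vssadmin to delete shadow copies, whatever the
    # casing, path or argument order. Deliberately matches only the technique named on this page.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$CommandLine)
    $c = $CommandLine.ToLowerInvariant()
    return ($c -match '(^|[\\\s"])vssadmin(\.exe)?["\s]' -and
            $c -match '\bdelete\b' -and
            $c -match '\bshadows\b')
}

# Constructed sample command lines (not taken from any real incident) to show the check.
# Expected: True, False, True, False.
$samples = @(
    'vssadmin.exe Delete Shadows /All /Quiet',
    '"C:\Windows\System32\vssadmin.exe" list shadows',
    'C:\Windows\system32\cmd.exe /c VSSADMIN delete shadows /for=C: /oldest',
    'notepad.exe vssadmin-delete-shadows.txt'
)
foreach ($s in $samples) { '{0,-5} {1}' -f (Test-ShadowDeletionCommandLine $s), $s }

function Get-ShadowDeletionEvents {
    # Pull matching 4688 events with user, process and parent so a hit can be triaged:
    # a backup agent as the parent is expected, an Office or browser process is not.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (Test-ShadowDeletionCommandLine ([string]$data['CommandLine'])) {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process = $data['NewProcessName']
                Parent  = $data['ParentProcessName']
                Command = $data['CommandLine']
            }
        }
    }
}

Get-ShadowDeletionEvents -Days 30 | Format-Table -AutoSize -Wrap
```

The parent process column is the point of the second function: legitimate deletions come from backup software trimming old snapshots, so the same command line is benign or alarming depending on who launched it. Because the article notes that ransomware injects into already-elevated processes to dodge UAC, the SubjectUserName and parent are worth more than the command line itself.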

        • #2356618
          berniec
          AskWoody Plus

          It was, indeed, the controlled folder access that complained. I OK’ed it.

      • #2356862
        Paul T
        AskWoody MVP

        The only ransomware protection you can trust is offline backups created when your machine is clean, or a non-Windows NAS with snapshot capability. And possibly backups created by a ransomware aware app, like Macrium paid.

        Controlled folder access is a kludge at best and doesn’t protect from other catastrophic problems.

        cheers, Paul
