[CMD] Create Consistent Copy of your registry using VSS
This script uses VSS (also on workstations!) to create a Live backup of your registry.
Code:
@echo off
REM
REM Tweakradje 2015 v1.3
REM
REM Run from an elevated prompt: creating a shadow copy needs administrator rights.
Cls
Title Creating Volume Snapshot for Live Registry Backup
Echo.
Echo Creating Volume Snapshot...
Echo.
REM Wmic.exe shadowcopy call create ClientAccessible,"C:\"
REM Executing (Win32_ShadowCopy)->create()
REM Method execution successful.
REM Out Parameters:
REM instance of __PARAMETERS
REM {
REM ReturnValue = 0;
REM ShadowID = "{7F3058E6-79A6-47D7-A6F9-04AF456ABEF1}";
REM };
For /f "tokens=3" %%s in ('"Wmic.exe shadowcopy call create ClientAccessible,"C:\""^|Findstr ShadowID') Do Call :CopyRegistry %%s
Pause
Exit /b

:CopyRegistry
REM %1 like "{4BA387DD-5A18-4BFA-BBCB-071560ABC77E}";
Set VSSID=%~1
REM Check if left char is a {
If Not (%VSSID:~,1%) == ({) Echo "No valid Snapshot made!" & Exit /b
Echo.
Echo Snapshot success. (ID %VSSID%)
Echo.
REM vssadmin list shadows /Shadow={a759180d-6bbe-4aaf-b3aa-57d219aa3e88}
REM vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
REM (C) Copyright 2001-2005 Microsoft Corp.
REM
REM Contents of shadow copy set ID: {caf5cc6b-0c9d-4f88-abe8-83f89faf96bf}
REM Contained 1 shadow copies at creation time: 16-5-2015 15:44:13
REM Shadow Copy ID: {a759180d-6bbe-4aaf-b3aa-57d219aa3e88}
REM Original Volume: (C:)\\?\Volume{2bfd2d95-a745-11e4-9803-806e6f6e6963}\
REM Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy23
REM Originating Machine: ASUS
REM Service Machine: ASUS
REM Provider: 'Microsoft Software Shadow Copy provider 1.0'
REM Type: ClientAccessible
REM Attributes: Persistent, Client-accessible, No auto release, No writers, Differential
REM Get the Shadow Copy Volume, Find the line in output with GLOBALROOT, divide line by : and take 2nd part
For /f "tokens=2 delims=:" %%s in ('"vssadmin.exe list shadows /Shadow=%VSSID%"^|FindStr GLOBALROOT') Do Set VSSVOL=%%s
REM Strip the leading space left over from the split so the path can be quoted below
For /f "tokens=*" %%t in ("%VSSVOL%") Do Set VSSVOL=%%t
REM Copy fails if the target folder is missing
If Not Exist C:\Temp MkDir C:\Temp
Echo.
Echo Copying Registry files from %VSSVOL% to C:\Temp
Echo.
REM SAM, SECURITY and SYSTEM hold account secrets; keep the copies on an access-restricted path.
Echo|SET /p=software & Copy /Y %VSSVOL%\Windows\System32\Config\software c:\temp\hklm_software
Echo|SET /p=system & Copy /Y %VSSVOL%\Windows\System32\Config\system c:\temp\hklm_system
Echo|SET /p=components & Copy /Y %VSSVOL%\Windows\System32\Config\components c:\temp\hklm_components
Echo|SET /p=security & Copy /Y %VSSVOL%\Windows\System32\Config\security c:\temp\hklm_security
Echo|SET /p=sam & Copy /Y %VSSVOL%\Windows\System32\Config\sam c:\temp\hklm_sam
Echo|SET /p=default & Copy /Y %VSSVOL%\Windows\System32\Config\default c:\temp\hkcu_default
Echo|SET /p=LocalService & Copy /Y %VSSVOL%\Windows\ServiceProfiles\LocalService\ntuser.dat c:\temp\hku_localservice
Echo|SET /p=NetworkService & Copy /Y %VSSVOL%\Windows\ServiceProfiles\NetworkService\ntuser.dat c:\temp\hku_networkservice
Echo|SET /p=SystemProfile & Copy /Y %VSSVOL%\Windows\System32\config\systemprofile\ntuser.dat c:\temp\hku_system
REM Quoted because user names and profile paths may contain spaces
Echo|SET /p=CurrentUser (%USERNAME%) & Copy /Y "%VSSVOL%\%USERPROFILE:~3%\ntuser.dat" "c:\temp\hku_%USERNAME%"
Echo|SET /p=CurrentUser Classes & Copy /Y "%VSSVOL%\%LOCALAPPDATA:~3%\Microsoft\Windows\UsrClass.dat" "c:\temp\hku_%USERNAME%_classes"
Echo.
Echo Done. Removing VSS Snapshot (ID %VSSID%)...
Echo.
vssadmin.exe delete Shadows /Shadow=%VSSID% /Quiet >nul
If %errorlevel% == 1 (
  Echo "Snapshot ID %VSSID% not deleted!"
) Else (
  Echo "Snapshot successfully removed."
)
Exit /b
Last edited by tweakradje; 20 May 2015 at 17:42.
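A check for the files the script leaves in C:\Temp, added here as an example and not part of the original post: it reads each hive's 512-byte base block and reports whether the "regf" signature and header checksum are intact and whether the two sequence numbers match. A mismatch means the hive was not fully flushed and its pending changes sit in the .LOG files, which the script does not copy. The function names are hypothetical, and the offsets follow the publicly documented regf layout.

```python
import struct

HEADER_SIZE = 512  # regf base block; the checksum at offset 508 covers bytes 0..507


def regf_checksum(header: bytes) -> int:
    """XOR of the first 127 little-endian dwords, with the two reserved results remapped."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        value ^= dword
    if value == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if value == 0:
        return 1
    return value


def check_hive_header(header: bytes) -> dict:
    """Report whether a copied hive's base block is valid and was cleanly flushed."""
    if len(header) < HEADER_SIZE:
        return {"valid": False, "reason": "short header"}
    if header[:4] != b"regf":
        return {"valid": False, "reason": "bad signature"}
    primary, secondary = struct.unpack_from("<II", header, 4)
    (stored,) = struct.unpack_from("<I", header, 508)
    if stored != regf_checksum(header):
        return {"valid": False, "reason": "checksum mismatch"}
    return {"valid": True, "clean": primary == secondary,
            "primary": primary, "secondary": secondary}


def check_hive_file(path: str) -> dict:
    """Run the header check on a file such as C:\\Temp\\hklm_software."""
    with open(path, "rb") as fh:
        return check_hive_header(fh.read(HEADER_SIZE))


def build_sample_header(primary: int, secondary: int) -> bytes:
    """Constructed sample input: a minimal base block, not a real hive."""
    block = bytearray(HEADER_SIZE)
    block[:4] = b"regf"
    struct.pack_into("<II", block, 4, primary, secondary)
    struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    print(check_hive_header(build_sample_header(7, 7)))  # flushed hive
    print(check_hive_header(build_sample_header(8, 7)))  # changes pending in logs
```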