[CMD] Create Consistent Copy of your registry using VSS

[tweakradje]

This script uses VSS (also on workstations!) to create a Live backup of your registry.

@echo off
REM
REM Tweakradje 2015 v1.3
REM 
Cls
Title Creating Volume Snapshot for Live Registry Backup

Echo.
Echo Creating Volume Snapshot...
Echo.

REM Wmic.exe shadowcopy call create ClientAccessible,"C:\"
REM Executing (Win32_ShadowCopy)->create()
REM Method execution successful.
REM Out Parameters:
REM instance of __PARAMETERS
REM {
REM         ReturnValue = 0;
REM         ShadowID = "{7F3058E6-79A6-47D7-A6F9-04AF456ABEF1}";
REM };

For /f "tokens=3" %%s in ('"Wmic.exe shadowcopy call create ClientAccessible,"C:\""^|Findstr ShadowID') Do Call :CopyRegistry %%s
Pause
Exit /b %%s

:CopyRegistry
REM %1 like "{4BA387DD-5A18-4BFA-BBCB-071560ABC77E}";
Set VSSID=%~1
REM Check if left char is a {
If Not (%VSSID:~,1%) == ({) Echo "No valid Snapshot made!" & Exit /b
Echo.
Echo Snapshot succes. (ID %VSSID%)
Echo.
REM vssadmin list shadows /Shadow={a759180d-6bbe-4aaf-b3aa-57d219aa3e88}
REM vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
REM (C) Copyright 2001-2005 Microsoft Corp.
REM 
REM Contents of shadow copy set ID: {caf5cc6b-0c9d-4f88-abe8-83f89faf96bf}
REM    Contained 1 shadow copies at creation time: 16-5-2015 15:44:13
REM       Shadow Copy ID: {a759180d-6bbe-4aaf-b3aa-57d219aa3e88}
REM          Original Volume: (C:)\\?\Volume{2bfd2d95-a745-11e4-9803-806e6f6e6963}\
REM          Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy23
REM          Originating Machine: ASUS
REM          Service Machine: ASUS
REM          Provider: 'Microsoft Software Shadow Copy provider 1.0'
REM          Type: ClientAccessible
REM          Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

REM Get the Shadow Copy Volume, Find the line in output with GLOBALROOT, divide line by : and take 2nd part

For /f "tokens=2 delims=:" %%s in ('"vssadmin.exe list shadows /Shadow=%VSSID%"^|FindStr GLOBALROOT') Do Set VSSVOL=%%s

Echo.
Echo Copying Registry files from %VSSVOL% to C:\Temp
Echo.

Echo|SET /p=software & Copy /Y %VSSVOL%\Windows\System32\Config\software c:\temp\hklm_software
Echo|SET /p=system & Copy /Y %VSSVOL%\Windows\System32\Config\system c:\temp\hklm_system
Echo|SET /p=components & Copy /Y %VSSVOL%\Windows\System32\Config\components c:\temp\hklm_components
Echo|SET /p=security & Copy /Y %VSSVOL%\Windows\System32\Config\security c:\temp\hklm_security
Echo|SET /p=sam & Copy /Y %VSSVOL%\Windows\System32\Config\sam c:\temp\hklm_sam
Echo|SET /p=default & Copy /Y %VSSVOL%\Windows\System32\Config\default c:\temp\hkcu_default
Echo|SET /p=LocalService & Copy /Y %VSSVOL%\Windows\ServiceProfiles\LocalService\ntuser.dat c:\temp\hku_localservice
Echo|SET /p=NetworkService & Copy /Y %VSSVOL%\Windows\ServiceProfiles\NetworkService\ntuser.dat c:\temp\hku_networkservice
Echo|SET /p=SystemProfile & Copy /Y %VSSVOL%\Windows\System32\config\systemprofile\ntuser.dat c:\temp\hku_system
Echo|SET /p=CurrentUser (%USERNAME%) & Copy /Y %VSSVOL%\%USERPROFILE:~3%\ntuser.dat c:\temp\hku_%USERNAME%
Echo|SET /p=CurrentUser Classes & Copy /Y %VSSVOL%\%LOCALAPPDATA:~3%\Microsoft\Windows\UsrClass.dat c:\temp\hku_%USERNAME%_classes

Echo.
Echo Done. Removing VSS Snapshot (ID %VSSID%)...
Echo.
vssadmin.exe  delete Shadows /Shadow=%VSSID% /Quiet >nul
If %errorlevel% == 1 (
	Echo "Snapshot ID %VSSID% not deleted!"
) Else (
	Echo "Snapshot succesfully removed."
)

Exit /b

 

[JustCall]

Never seen something like this before. Great work!

 

[tweakradje]

Dank je!

Maybe take a look at my wmi tool too in this section.

I hope to inspire

 

[JustCall]

Haha bedankt!