Daily Blog #353: Volume Shadow deletion event IDs

Hello Reader,
Ever look at an image that had Volume Shadow Copies and wonder whether the volume shadow copies were deleted by the system or turned off by the user? In that case, check out Event ID 33 in the System log with a source of volsnap. You'll see a message similar to this:
The oldest shadow copy of volume C: was deleted to keep disk space usage for shadow copies of volume C: below the user defined limit.

Here is a screenshot below showing the event in Event Viewer
You'll see this for each volume shadow copy that was deleted by the system with a timestamp of when it occurred. On my personal system this goes back a year.
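
One way to build a timeline of these events from an exported log, as an added example that is not part of the original post. It assumes the System log was exported to XML with a root element (for example `wevtutil qe System.evtx /lf:true /f:xml /e:Events`); the sample events, hostname and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
_X = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'

def _event(provider, event_id, when):
    # Builds one constructed sample record (not a real log entry).
    return (f'<Event {_X}><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
            f'<Channel>System</Channel><Computer>WORKSTATION01</Computer>'
            f'</System></Event>')

# Constructed sample export: two volsnap 33 events, one volsnap event with a
# different ID, and one ID 33 event from an unrelated (made-up) provider.
SAMPLE_XML = "<Events>" + "".join([
    _event("volsnap", 33, "2014-06-02T03:15:42.123456700Z"),
    _event("volsnap", 36, "2014-05-28T11:02:10.000000000Z"),
    _event("ExampleProvider", 33, "2014-05-25T09:00:00.000000000Z"),
    _event("volsnap", 33, "2014-05-20T22:41:07.500000000Z"),
]) + "</Events>"

def parse_system_time(value):
    # SystemTime is UTC with up to 9 fractional digits; keep whole seconds.
    whole = value.rstrip("Z").split(".")[0]
    return datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def volsnap_deletions(xml_text):
    """Return UTC timestamps of volsnap Event ID 33 records, oldest first."""
    hits = []
    for event in ET.fromstring(xml_text).iterfind("e:Event", NS):
        system = event.find("e:System", NS)
        if system is None:
            continue
        provider = system.find("e:Provider", NS)
        created = system.find("e:TimeCreated", NS)
        event_id = system.findtext("e:EventID", default="", namespaces=NS)
        if provider is None or created is None:
            continue  # malformed record: skip rather than guess
        # Match on both source and ID; ID 33 alone is not unique to volsnap.
        if provider.get("Name", "").lower() != "volsnap" or event_id.strip() != "33":
            continue
        hits.append(parse_system_time(created.get("SystemTime", "")))
    return sorted(hits)

if __name__ == "__main__":
    for ts in volsnap_deletions(SAMPLE_XML):
        print(ts.isoformat(), "shadow copy deleted by the system (volsnap 33)")
```
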

Daily Blog #353: Volume Shadow deletion event IDs Reviewed by David Cowen on June 11, 2014 Rating: 5


All Rights Reserved by Hacking Exposed Computer Forensics Blog © 2014 - 2020