What's "Generic volume shadow copy"?

I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
doing it after a restart, because my email-and-news software (Turnpike,
quite old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware
found" popup has appeared, and when I let it proceed to the point where
it tells me what the new hardware actually is, it has said "Generic
volume shadow copy". (I cancel it at that point.)

I haven't added any new hardware (it's a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
"subst" into my startup sequence, but that was a few days ago, and the
popups have only appeared on this session.

Any idea what it is? It _sounds_ as if it just might be malware, but I'm
fairly careful, and have never had any in decades of computing. (Avira
says it's done 41.3% - scanned 47215 objects - so far, and not found
anything.)

I'll just go to Google it ...
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

.... back in the olden days ... Britain was entirely made of wood and lit by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010

In message , "J. P. Gilliver
(John)" writes:
I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
doing it after a restart, because my email-and-news software (Turnpike,
quite old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware
found" popup has appeared, and when I let it proceed to the point where
it tells me what the new hardware actually is, it has said "Generic
volume shadow copy". (I cancel it at that point.)

I haven't added any new hardware (it's a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
"subst" into my startup sequence, but that was a few days ago, and the
popups have only appeared on this session.

Any idea what it is? It _sounds_ as if it just might be malware, but
I'm fairly careful, and have never had any in decades of computing.
(Avira says it's done 41.3% - scanned 47215 objects - so far, and not
found anything.)

I'll just go to Google it ...

Hmm. Done so; it seems to be something to do with System Restore, or
similar. And at least one other person encountered it while doing a
system scan - though no-one (that I've found so far) has explained
either (a) why it's popping up at random, or (b) why, if it's a
Microsoft thing anyway, it says it hasn't been checked.

(AVIRA finished a scan, and is now doing another one - or, is scanning a
different part of the system. It says it's found 2 "Detections", the
last being "HTML/Rce.Gen", which it says isn't very dangerous. I can't
ask it what the other one is - could be just the EICAR test virus which
I know I have on here somewhere and is by definition harmless. Avira
says 24.3% done on this pass.)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

.... back in the olden days ... Britain was entirely made of wood and lit by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010

Avira forums, HoopleHead.

"J. P. Gilliver (John)" wrote in message
...
In message , "J. P. Gilliver (John)"
writes:
I'm doing a complete system scan at the moment (AVIRA is my AV). I'm doing
it after a restart, because my email-and-news software (Turnpike, quite
old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware found"
popup has appeared, and when I let it proceed to the point where it tells
me what the new hardware actually is, it has said "Generic volume shadow
copy". (I cancel it at that point.)

I haven't added any new hardware (it's a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
"subst" into my startup sequence, but that was a few days ago, and the
popups have only appeared on this session.

Any idea what it is? It _sounds_ as if it just might be malware, but I'm
fairly careful, and have never had any in decades of computing. (Avira
says it's done 41.3% - scanned 47215 objects - so far, and not found
anything.)

I'll just go to Google it ...

Hmm. Done so; it seems to be something to do with System Restore, or
similar. And at least one other person encountered it while doing a system
scan - though no-one (that I've found so far) has explained either (a) why
it's popping up at random, or (b) why, if it's a Microsoft thing anyway,
it says it hasn't been checked.

(AVIRA finished a scan, and is now doing another one - or, is scanning a
different part of the system. It says it's found 2 "Detections", the last
being "HTML/Rce.Gen", which it says isn't very dangerous. I can't ask it
what the other one is - could be just the EICAR test virus which I know I
have on here somewhere and is by definition harmless. Avira says 24.3%
done on this pass.)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

... back in the olden days ... Britain was entirely made of wood and lit
by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010

In message , Harden Thicke
writes:
Avira forums, HoopleHead.

1. I don't do "forums".

2. This isn't just Avira.

"J. P. Gilliver (John)" wrote in message
...
In message , "J. P. Gilliver (John)"
writes:
I'm doing a complete system scan at the moment (AVIRA is my AV). I'm doing
it after a restart, because my email-and-news software (Turnpike, quite
old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware found"
popup has appeared, and when I let it proceed to the point where it tells
me what the new hardware actually is, it has said "Generic volume shadow
copy". (I cancel it at that point.)
[]
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

Squawk Pieces of eight!
Squawk Pieces of eight!
Squawk Pieces of nine!
SYSTEM HALTED: parroty error!

"J. P. Gilliver (John)" wrote in message
...
In message , Harden Thicke
writes:
Avira forums, HoopleHead.

1. I don't do "forums".

You're a lazy HoopleHead.

2. This isn't just Avira.

"J. P. Gilliver (John)" wrote in message
...
In message , "J. P. Gilliver
(John)"
writes:
I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
doing
it after a restart, because my email-and-news software (Turnpike, quite
old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware
found"
popup has appeared, and when I let it proceed to the point where it
tells
me what the new hardware actually is, it has said "Generic volume shadow
copy". (I cancel it at that point.)
[]
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

Squawk Pieces of eight!
Squawk Pieces of eight!
Squawk Pieces of nine!
SYSTEM HALTED: parroty error!

But none can beat YOU for being a hooplehead, thick. If you're this lonely,
you need help you won't find around here!


In ,
Harden Thicke typed:
"J. P. Gilliver (John)" wrote
in message ...
In message ,
Harden Thicke writes:
Avira forums, HoopleHead.

1. I don't do "forums".

You're a lazy HoopleHead.

2. This isn't just Avira.

"J. P. Gilliver (John)" wrote
in message ...
In message , "J.
P. Gilliver (John)"
writes:
I'm doing a complete system scan at the moment (AVIRA
is my AV). I'm doing
it after a restart, because my email-and-news software
(Turnpike, quite old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a
"new hardware found"
popup has appeared, and when I let it proceed to the
point where it tells
me what the new hardware actually is, it has said
"Generic volume shadow copy". (I cancel it at that
point.)
[]
--
J. P. Gilliver. UMRA: 1960/1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf Squawk Pieces of eight!
Squawk Pieces of eight!
Squawk Pieces of nine!
SYSTEM HALTED: parroty error!

The Window's service "Volume Shadow Copy" is a built-in service that
enables the operating system to copy files that would otherwise return the
error : "Access Denied - File in use by another process" (or similar) when
a file is "locked" by another program or the OS itself.

As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.

It is also used by "NT Backup" and any third-part programs that have been
written to utilize the Volume Shadow Copy service, such as ERUNT.exe (reg
backup for NT (google ERUNT for more on this)).

==

Cheers, Tim Meddick, Peckham, London. :-)




"J. P. Gilliver (John)" wrote in message
...
I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
doing it after a restart, because my email-and-news software (Turnpike,
quite old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware
found" popup has appeared, and when I let it proceed to the point where
it tells me what the new hardware actually is, it has said "Generic
volume shadow copy". (I cancel it at that point.)

I haven't added any new hardware (it's a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
"subst" into my startup sequence, but that was a few days ago, and the
popups have only appeared on this session.

Any idea what it is? It _sounds_ as if it just might be malware, but I'm
fairly careful, and have never had any in decades of computing. (Avira
says it's done 41.3% - scanned 47215 objects - so far, and not found
anything.)

I'll just go to Google it ...
--
J. P. Gilliver. UMRA: 1960/1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

... back in the olden days ... Britain was entirely made of wood and lit
by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010

In message , Tim Meddick
writes:
The Window's service "Volume Shadow Copy" is a built-in service that
enables the operating system to copy files that would otherwise return
the error : "Access Denied - File in use by another process" (or
similar) when a file is "locked" by another program or the OS itself.

As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.

It is also used by "NT Backup" and any third-part programs that have
been written to utilize the Volume Shadow Copy service, such as
ERUNT.exe (reg backup for NT (google ERUNT for more on this)).
[]
Thanks for the more intelligent response than the other idiot.

What puzzles me a

o Why did it (only) pop up when I was doing a scan? (I have - and use
occasionally - ERUNT, and it doesn't then.)

o Why does it see it as new hardware?

o I checked, and I already had restore points (going back to I think
November 7 - certainly from before I did the scan), so why hadn't it
popped up when it did those.

o I checked in Device Manager, and (once I'd turned on show hidden) I
already had the phantom drives (I forget the wording used) that are
involved.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

Squawk Pieces of eight!
Squawk Pieces of eight!
Squawk Pieces of nine!
SYSTEM HALTED: parroty error!

I'm afraid I just can't answer that, it's a question more about your
Anti-Virus / Anti-Malware program than about the WinXP OS!

But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.

I would question the effectiveness of my Anti-Virus / Anti-Malware software
if such a genuine element of the Window's OS is being returned as in any
way bogus by it!

Such behaviour of "spotting" viruses / malware where there isn't any is a
feature of Malware itself.....

(An example of this below...)
http://blogs.technet.com/b/mmpc/arch...ssentials.aspx

==

Cheers, Tim Meddick, Peckham, London. :-)




"J. P. Gilliver (John)" wrote in message
...
In message , Tim Meddick
writes:
The Window's service "Volume Shadow Copy" is a built-in service that
enables the operating system to copy files that would otherwise return
the error : "Access Denied - File in use by another process" (or similar)
when a file is "locked" by another program or the OS itself.

As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.

It is also used by "NT Backup" and any third-part programs that have been
written to utilize the Volume Shadow Copy service, such as ERUNT.exe (reg
backup for NT (google ERUNT for more on this)).
[]
Thanks for the more intelligent response than the other idiot.

What puzzles me a

o Why did it (only) pop up when I was doing a scan? (I have - and use
occasionally - ERUNT, and it doesn't then.)

o Why does it see it as new hardware?

o I checked, and I already had restore points (going back to I think
November 7 - certainly from before I did the scan), so why hadn't it
popped up when it did those.

o I checked in Device Manager, and (once I'd turned on show hidden) I
already had the phantom drives (I forget the wording used) that are
involved.
--
J. P. Gilliver. UMRA: 1960/1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

Squawk Pieces of eight!
Squawk Pieces of eight!
Squawk Pieces of nine!
SYSTEM HALTED: parroty error!

In message , Tim Meddick
writes:
I'm afraid I just can't answer that, it's a question more about your
Anti-Virus / Anti-Malware program than about the WinXP OS!

But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.

I would question the effectiveness of my Anti-Virus / Anti-Malware
software if such a genuine element of the Window's OS is being returned
as in any way bogus by it!

No, not at all: the AV didn't object to it at all. It's just that, while
running an AV scan, (a) the "new hardware found" thing popped up twice,
(b) when I told it (the new hardware thing) to proceed to the next
stage, it (again, the normal Windows self-protecting thing) said that
what I was about to allow - i. e. the driver it had found for this
phantom new hardware - wasn't Microsoft signed. That latter is
particularly puzzling, this Shadow Copy thing being as you have
explained part of the system. (From what I found on line, others get the
same thing, though.)

Such behaviour of "spotting" viruses / malware where there isn't any is
a feature of Malware itself.....
[]
(No, that wasn't what was happening.)

(FWIW all AV found were two instances of some HTML code that matched
some Trojan.)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

The fool doth think he is wise, but the wise man knows himself to be a fool.

Ah, I understand you now..... I also have experienced this and similar
sorts of behaviours. I'm afraid, again, I have no explanation at the
moment for it.

This is because it hadn't happened to me recently, and I have to be able to
reproduce the sequence of events that lead to getting a particular
errormessage in order for me to investigate it.

This is so I can then query the system to which processes are involved and
what software/hardware conflicts may be happening. I can only do such
things while the error is "in progress".

But I will certainly keep it in mind so that if it ever happens on my
system again, I will attempt to identify it's cause for you.....

==

Cheers, Tim Meddick, Peckham, London. :-)

P.S. I must assure you, however, again, that the service "Volume Shadow
Copy" or VSS (Volume Snapshot Service) is definitely a normal part of every
version of Windows since WinXP Service Pack 2 and Server 2003.


"J. P. Gilliver (John)" wrote in message
...
In message , Tim Meddick
writes:
I'm afraid I just can't answer that, it's a question more about your
Anti-Virus / Anti-Malware program than about the WinXP OS!

But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.

I would question the effectiveness of my Anti-Virus / Anti-Malware
software if such a genuine element of the Window's OS is being returned
as in any way bogus by it!

No, not at all: the AV didn't object to it at all. It's just that, while
running an AV scan, (a) the "new hardware found" thing popped up twice,
(b) when I told it (the new hardware thing) to proceed to the next stage,
it (again, the normal Windows self-protecting thing) said that what I was
about to allow - i. e. the driver it had found for this phantom new
hardware - wasn't Microsoft signed. That latter is particularly puzzling,
this Shadow Copy thing being as you have explained part of the system.
(From what I found on line, others get the same thing, though.)

Such behaviour of "spotting" viruses / malware where there isn't any is a
feature of Malware itself.....
[]
(No, that wasn't what was happening.)

(FWIW all AV found were two instances of some HTML code that matched some
Trojan.)
--
J. P. Gilliver. UMRA: 1960/1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

The fool doth think he is wise, but the wise man knows himself to be a
fool.

In ,
J. P. Gilliver (John) typed:
I'm doing a complete system scan at the moment (AVIRA is my
AV). I'm doing it after a restart, because my
email-and-news software (Turnpike, quite old) behaved oddly
once or twice.
It may have nothing to do with that fact, but twice a "new
hardware found" popup has appeared, and when I let it
proceed to the point where it tells me what the new
hardware actually is, it has said "Generic volume shadow
copy". (I cancel it at that point.)
I haven't added any new hardware (it's a netbook, with
nothing plugged into it other than the power supply at the
moment). I _have_ added a "subst" into my startup sequence,
but that was a few days ago, and the popups have only
appeared on this session.
Any idea what it is? It _sounds_ as if it just might be
malware, but I'm fairly careful, and have never had any in
decades of computing. (Avira says it's done 41.3% - scanned
47215 objects - so far, and not found anything.)

I'll just go to Google it ...

Have you tried any of the many spyware and malware programs around? Search
back on this group for recommendations or simply ask the question for whiich
ones people use.
Avira, IMO is only mediocre in itis reliability and tends to false
positives IME, which are still repeatable in my last testing of it. It wants
to delete a legtimate setup.exe which lives in an unexpected folder and
that's the ONLY reason it wants to delete it. I notified them, they agreed
wtih me, promised to fix it, and never did.
AVG or AVAST are a couple decent freebies you can try out for AV work
that's better than Avira. There are other freebie AV programs too and a good
chance some will pipe in to offer their suggestions, same as with malware
detectors.

Having read all your reponses to date here, it sounds very much like you
have malware aboard. Regardless of how "safe" you think you are with
surfing, there are just too many ways to become infected; safe hex alone
just won't do it. A good firewall (ZoneAlarm?), a good AV package (not
Avira) and good malware detectors are the "norm" for protection. Some will
claim that programs like Super AntiMalware & such are all that's needed;
don't beleive them. Many programs may catch many of them, but no single
program yet will catch all of them; there are just too many of them and
increasing every day.

HTH,

Twayne`

In message , Twayne
writes:
[]
Having read all your reponses to date here, it sounds very much like you

Are you sure you have done so, because:
1. it is not my AV, but the OS's own trap, that is objecting. You know
how when you add new hardware, and the system asks for a driver, and you
load the driver that came with it, as often as not you get a popup
warning you that said driver is not "Microsoft signed" or something like
that. What was happening was that - despite not having added any new
hardware - the "new hardware found" thing was popping up (saying the new
hardware was this "... shadow copy"), and when I let it find drivers for
it, the "not signed" box popped up.
2. I already had several restore points present; presumably the shadow
copy thing must have already been there in order to make those. So why
is it popping up again?
[]
just won't do it. A good firewall (ZoneAlarm?), a good AV package (not

I have a firewall (plus what's in the routers of course).

Avira) and good malware detectors are the "norm" for protection. Some will
claim that programs like Super AntiMalware & such are all that's needed;
don't beleive them. Many programs may catch many of them, but no single
program yet will catch all of them; there are just too many of them and
increasing every day.

Agreed. (How many of each [AV, firewall, detector] - and which ones - do
_you_ run?)

HTH,

Twayne`





(Why the lines at the end?)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

If vegetarians eat vegetables,..beware of humanitarians!

It is possible that some sort of malware is un-registering the Volume
Shadow Copy service, and, as a matter of course, I would run both MRT.exe
and MalwareBytes (both "full" scan - not the "quick").

This would explain the behaviour.

What service pack are you running - if you have not already done so, would
you consider upgrading to service pack 3 ??......

Windows XP Service Pack 3 Network Installation Package for IT Professionals
and Developers (316.4MB)
http://www.microsoft.com/downloadS/d...displaylang=en

Windows XP Service Pack 3 - ISO-9660 CD Image File (544.9MB)
http://www.microsoft.com/downloads/d...displaylang=en

==

Cheers, Tim Meddick, Peckham, London. :-)




"J. P. Gilliver (John)" wrote in message
...
In message , Twayne
writes:
[]
Having read all your reponses to date here, it sounds very much like you

Are you sure you have done so, because:
1. it is not my AV, but the OS's own trap, that is objecting. You know
how when you add new hardware, and the system asks for a driver, and you
load the driver that came with it, as often as not you get a popup
warning you that said driver is not "Microsoft signed" or something like
that. What was happening was that - despite not having added any new
hardware - the "new hardware found" thing was popping up (saying the new
hardware was this "... shadow copy"), and when I let it find drivers for
it, the "not signed" box popped up.
2. I already had several restore points present; presumably the shadow
copy thing must have already been there in order to make those. So why is
it popping up again?
[]
just won't do it. A good firewall (ZoneAlarm?), a good AV package (not

I have a firewall (plus what's in the routers of course).

Avira) and good malware detectors are the "norm" for protection. Some
will
claim that programs like Super AntiMalware & such are all that's needed;
don't beleive them. Many programs may catch many of them, but no single
program yet will catch all of them; there are just too many of them and
increasing every day.

Agreed. (How many of each [AV, firewall, detector] - and which ones - do
_you_ run?)

HTH,

Twayne`





(Why the lines at the end?)
--
J. P. Gilliver. UMRA: 1960/1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

If vegetarians eat vegetables,..beware of humanitarians!

What I was saying was; that at times, when you A the "New Hardware
wizard" popping-up to re-install the service, could indicate that "Volume
Shadow Copy" had [at that point] been un-registered.
However, obviously, if you are using the System Restore or NT Backup
utilities normally, then the "Volume Shadow Copy" service is registered
properly.
Nonetheless, it could indicate some malware / virus on the system, even
if the I effect of having to re-install the service doesn't happen all the
time and is quite intermittent. I still recommend that you do a [full]
scan with MRT.exe and Malwarebytes as soon as is practicable

==

Cheers, Tim Meddick, Peckham, London. :-)




"J. P. Gilliver (John)" wrote in message
...
In message , Twayne
writes:
[]
Having read all your reponses to date here, it sounds very much like you

Are you sure you have done so, because:
1. it is not my AV, but the OS's own trap, that is objecting. You know
how when you add new hardware, and the system asks for a driver, and you
load the driver that came with it, as often as not you get a popup
warning you that said driver is not "Microsoft signed" or something like
that. What was happening was that - despite not having added any new
hardware - the "new hardware found" thing was popping up (saying the new
hardware was this "... shadow copy"), and when I let it find drivers for
it, the "not signed" box popped up.
2. I already had several restore points present; presumably the shadow
copy thing must have already been there in order to make those. So why is
it popping up again?
[]
just won't do it. A good firewall (ZoneAlarm?), a good AV package (not

I have a firewall (plus what's in the routers of course).

Avira) and good malware detectors are the "norm" for protection. Some
will
claim that programs like Super AntiMalware & such are all that's needed;
don't beleive them. Many programs may catch many of them, but no single
program yet will catch all of them; there are just too many of them and
increasing every day.

Agreed. (How many of each [AV, firewall, detector] - and which ones - do
_you_ run?)

HTH,

Twayne`





(Why the lines at the end?)
--
J. P. Gilliver. UMRA: 1960/1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

If vegetarians eat vegetables,..beware of humanitarians!