What's "Generic volume shadow copy"?

I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
doing it after a restart, because my email-and-news software (Turnpike,
quite old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware
found" popup has appeared, and when I let it proceed to the point where
it tells me what the new hardware actually is, it has said "Generic
volume shadow copy". (I cancel it at that point.)

I haven't added any new hardware (it's a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
"subst" into my startup sequence, but that was a few days ago, and the
popups have only appeared on this session.

Any idea what it is? It _sounds_ as if it just might be malware, but I'm
fairly careful, and have never had any in decades of computing. (Avira
says it's done 41.3% - scanned 47215 objects - so far, and not found
anything.)

I'll just go to Google it ...
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

.... back in the olden days ... Britain was entirely made of wood and lit by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010

In message , "J. P. Gilliver
(John)" writes:
I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
doing it after a restart, because my email-and-news software (Turnpike,
quite old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware
found" popup has appeared, and when I let it proceed to the point where
it tells me what the new hardware actually is, it has said "Generic
volume shadow copy". (I cancel it at that point.)

I haven't added any new hardware (it's a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
"subst" into my startup sequence, but that was a few days ago, and the
popups have only appeared on this session.

Any idea what it is? It _sounds_ as if it just might be malware, but
I'm fairly careful, and have never had any in decades of computing.
(Avira says it's done 41.3% - scanned 47215 objects - so far, and not
found anything.)

I'll just go to Google it ...

Hmm. Done so; it seems to be something to do with System Restore, or
similar. And at least one other person encountered it while doing a
system scan - though no-one (that I've found so far) has explained
either (a) why it's popping up at random, or (b) why, if it's a
Microsoft thing anyway, it says it hasn't been checked.

(AVIRA finished a scan, and is now doing another one - or, is scanning a
different part of the system. It says it's found 2 "Detections", the
last being "HTML/Rce.Gen", which it says isn't very dangerous. I can't
ask it what the other one is - could be just the EICAR test virus which
I know I have on here somewhere and is by definition harmless. Avira
says 24.3% done on this pass.)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

.... back in the olden days ... Britain was entirely made of wood and lit by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010

Avira forums, HoopleHead.

"J. P. Gilliver (John)" wrote in message
...
In message , "J. P. Gilliver (John)"
writes:
I'm doing a complete system scan at the moment (AVIRA is my AV). I'm doing
it after a restart, because my email-and-news software (Turnpike, quite
old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware found"
popup has appeared, and when I let it proceed to the point where it tells
me what the new hardware actually is, it has said "Generic volume shadow
copy". (I cancel it at that point.)

I haven't added any new hardware (it's a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
"subst" into my startup sequence, but that was a few days ago, and the
popups have only appeared on this session.

Any idea what it is? It _sounds_ as if it just might be malware, but I'm
fairly careful, and have never had any in decades of computing. (Avira
says it's done 41.3% - scanned 47215 objects - so far, and not found
anything.)

I'll just go to Google it ...

Hmm. Done so; it seems to be something to do with System Restore, or
similar. And at least one other person encountered it while doing a system
scan - though no-one (that I've found so far) has explained either (a) why
it's popping up at random, or (b) why, if it's a Microsoft thing anyway,
it says it hasn't been checked.

(AVIRA finished a scan, and is now doing another one - or, is scanning a
different part of the system. It says it's found 2 "Detections", the last
being "HTML/Rce.Gen", which it says isn't very dangerous. I can't ask it
what the other one is - could be just the EICAR test virus which I know I
have on here somewhere and is by definition harmless. Avira says 24.3%
done on this pass.)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

... back in the olden days ... Britain was entirely made of wood and lit
by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010

The Window's service "Volume Shadow Copy" is a built-in service that
enables the operating system to copy files that would otherwise return the
error : "Access Denied - File in use by another process" (or similar) when
a file is "locked" by another program or the OS itself.

As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.

It is also used by "NT Backup" and any third-part programs that have been
written to utilize the Volume Shadow Copy service, such as ERUNT.exe (reg
backup for NT (google ERUNT for more on this)).

==

Cheers, Tim Meddick, Peckham, London. :-)




"J. P. Gilliver (John)" wrote in message
...
I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
doing it after a restart, because my email-and-news software (Turnpike,
quite old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware
found" popup has appeared, and when I let it proceed to the point where
it tells me what the new hardware actually is, it has said "Generic
volume shadow copy". (I cancel it at that point.)

I haven't added any new hardware (it's a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
"subst" into my startup sequence, but that was a few days ago, and the
popups have only appeared on this session.

Any idea what it is? It _sounds_ as if it just might be malware, but I'm
fairly careful, and have never had any in decades of computing. (Avira
says it's done 41.3% - scanned 47215 objects - so far, and not found
anything.)

I'll just go to Google it ...
--
J. P. Gilliver. UMRA: 1960/1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

... back in the olden days ... Britain was entirely made of wood and lit
by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010

In message , Harden Thicke
writes:
Avira forums, HoopleHead.

1. I don't do "forums".

2. This isn't just Avira.

"J. P. Gilliver (John)" wrote in message
...
In message , "J. P. Gilliver (John)"
writes:
I'm doing a complete system scan at the moment (AVIRA is my AV). I'm doing
it after a restart, because my email-and-news software (Turnpike, quite
old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware found"
popup has appeared, and when I let it proceed to the point where it tells
me what the new hardware actually is, it has said "Generic volume shadow
copy". (I cancel it at that point.)
[]
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

Squawk Pieces of eight!
Squawk Pieces of eight!
Squawk Pieces of nine!
SYSTEM HALTED: parroty error!

In message , Tim Meddick
writes:
The Window's service "Volume Shadow Copy" is a built-in service that
enables the operating system to copy files that would otherwise return
the error : "Access Denied - File in use by another process" (or
similar) when a file is "locked" by another program or the OS itself.

As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.

It is also used by "NT Backup" and any third-part programs that have
been written to utilize the Volume Shadow Copy service, such as
ERUNT.exe (reg backup for NT (google ERUNT for more on this)).
[]
Thanks for the more intelligent response than the other idiot.

What puzzles me a

o Why did it (only) pop up when I was doing a scan? (I have - and use
occasionally - ERUNT, and it doesn't then.)

o Why does it see it as new hardware?

o I checked, and I already had restore points (going back to I think
November 7 - certainly from before I did the scan), so why hadn't it
popped up when it did those.

o I checked in Device Manager, and (once I'd turned on show hidden) I
already had the phantom drives (I forget the wording used) that are
involved.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

Squawk Pieces of eight!
Squawk Pieces of eight!
Squawk Pieces of nine!
SYSTEM HALTED: parroty error!

I'm afraid I just can't answer that, it's a question more about your
Anti-Virus / Anti-Malware program than about the WinXP OS!

But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.

I would question the effectiveness of my Anti-Virus / Anti-Malware software
if such a genuine element of the Window's OS is being returned as in any
way bogus by it!

Such behaviour of "spotting" viruses / malware where there isn't any is a
feature of Malware itself.....

(An example of this below...)
http://blogs.technet.com/b/mmpc/arch...ssentials.aspx

==

Cheers, Tim Meddick, Peckham, London. :-)




"J. P. Gilliver (John)" wrote in message
...
In message , Tim Meddick
writes:
The Window's service "Volume Shadow Copy" is a built-in service that
enables the operating system to copy files that would otherwise return
the error : "Access Denied - File in use by another process" (or similar)
when a file is "locked" by another program or the OS itself.

As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.

It is also used by "NT Backup" and any third-part programs that have been
written to utilize the Volume Shadow Copy service, such as ERUNT.exe (reg
backup for NT (google ERUNT for more on this)).
[]
Thanks for the more intelligent response than the other idiot.

What puzzles me a

o Why did it (only) pop up when I was doing a scan? (I have - and use
occasionally - ERUNT, and it doesn't then.)

o Why does it see it as new hardware?

o I checked, and I already had restore points (going back to I think
November 7 - certainly from before I did the scan), so why hadn't it
popped up when it did those.

o I checked in Device Manager, and (once I'd turned on show hidden) I
already had the phantom drives (I forget the wording used) that are
involved.
--
J. P. Gilliver. UMRA: 1960/1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

Squawk Pieces of eight!
Squawk Pieces of eight!
Squawk Pieces of nine!
SYSTEM HALTED: parroty error!

"J. P. Gilliver (John)" wrote in message
...
In message , Harden Thicke
writes:
Avira forums, HoopleHead.

1. I don't do "forums".

You're a lazy HoopleHead.

2. This isn't just Avira.

"J. P. Gilliver (John)" wrote in message
...
In message , "J. P. Gilliver
(John)"
writes:
I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
doing
it after a restart, because my email-and-news software (Turnpike, quite
old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware
found"
popup has appeared, and when I let it proceed to the point where it
tells
me what the new hardware actually is, it has said "Generic volume shadow
copy". (I cancel it at that point.)
[]
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

Squawk Pieces of eight!
Squawk Pieces of eight!
Squawk Pieces of nine!
SYSTEM HALTED: parroty error!

In message , Tim Meddick
writes:
I'm afraid I just can't answer that, it's a question more about your
Anti-Virus / Anti-Malware program than about the WinXP OS!

But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.

I would question the effectiveness of my Anti-Virus / Anti-Malware
software if such a genuine element of the Window's OS is being returned
as in any way bogus by it!

No, not at all: the AV didn't object to it at all. It's just that, while
running an AV scan, (a) the "new hardware found" thing popped up twice,
(b) when I told it (the new hardware thing) to proceed to the next
stage, it (again, the normal Windows self-protecting thing) said that
what I was about to allow - i. e. the driver it had found for this
phantom new hardware - wasn't Microsoft signed. That latter is
particularly puzzling, this Shadow Copy thing being as you have
explained part of the system. (From what I found on line, others get the
same thing, though.)

Such behaviour of "spotting" viruses / malware where there isn't any is
a feature of Malware itself.....
[]
(No, that wasn't what was happening.)

(FWIW all AV found were two instances of some HTML code that matched
some Trojan.)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

The fool doth think he is wise, but the wise man knows himself to be a fool.

Ah, I understand you now..... I also have experienced this and similar
sorts of behaviours. I'm afraid, again, I have no explanation at the
moment for it.

This is because it hadn't happened to me recently, and I have to be able to
reproduce the sequence of events that lead to getting a particular
errormessage in order for me to investigate it.

This is so I can then query the system to which processes are involved and
what software/hardware conflicts may be happening. I can only do such
things while the error is "in progress".

But I will certainly keep it in mind so that if it ever happens on my
system again, I will attempt to identify it's cause for you.....

==

Cheers, Tim Meddick, Peckham, London. :-)

P.S. I must assure you, however, again, that the service "Volume Shadow
Copy" or VSS (Volume Snapshot Service) is definitely a normal part of every
version of Windows since WinXP Service Pack 2 and Server 2003.


"J. P. Gilliver (John)" wrote in message
...
In message , Tim Meddick
writes:
I'm afraid I just can't answer that, it's a question more about your
Anti-Virus / Anti-Malware program than about the WinXP OS!

But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.

I would question the effectiveness of my Anti-Virus / Anti-Malware
software if such a genuine element of the Window's OS is being returned
as in any way bogus by it!

No, not at all: the AV didn't object to it at all. It's just that, while
running an AV scan, (a) the "new hardware found" thing popped up twice,
(b) when I told it (the new hardware thing) to proceed to the next stage,
it (again, the normal Windows self-protecting thing) said that what I was
about to allow - i. e. the driver it had found for this phantom new
hardware - wasn't Microsoft signed. That latter is particularly puzzling,
this Shadow Copy thing being as you have explained part of the system.
(From what I found on line, others get the same thing, though.)

Such behaviour of "spotting" viruses / malware where there isn't any is a
feature of Malware itself.....
[]
(No, that wasn't what was happening.)

(FWIW all AV found were two instances of some HTML code that matched some
Trojan.)
--
J. P. Gilliver. UMRA: 1960/1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

The fool doth think he is wise, but the wise man knows himself to be a
fool.

But none can beat YOU for being a hooplehead, thick. If you're this lonely,
you need help you won't find around here!


In ,
Harden Thicke typed:
"J. P. Gilliver (John)" wrote
in message ...
In message ,
Harden Thicke writes:
Avira forums, HoopleHead.

1. I don't do "forums".

You're a lazy HoopleHead.

2. This isn't just Avira.

"J. P. Gilliver (John)" wrote
in message ...
In message , "J.
P. Gilliver (John)"
writes:
I'm doing a complete system scan at the moment (AVIRA
is my AV). I'm doing
it after a restart, because my email-and-news software
(Turnpike, quite old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a
"new hardware found"
popup has appeared, and when I let it proceed to the
point where it tells
me what the new hardware actually is, it has said
"Generic volume shadow copy". (I cancel it at that
point.)
[]
--
J. P. Gilliver. UMRA: 1960/1985
MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf Squawk Pieces of eight!
Squawk Pieces of eight!
Squawk Pieces of nine!
SYSTEM HALTED: parroty error!

In ,
J. P. Gilliver (John) typed:
I'm doing a complete system scan at the moment (AVIRA is my
AV). I'm doing it after a restart, because my
email-and-news software (Turnpike, quite old) behaved oddly
once or twice.
It may have nothing to do with that fact, but twice a "new
hardware found" popup has appeared, and when I let it
proceed to the point where it tells me what the new
hardware actually is, it has said "Generic volume shadow
copy". (I cancel it at that point.)
I haven't added any new hardware (it's a netbook, with
nothing plugged into it other than the power supply at the
moment). I _have_ added a "subst" into my startup sequence,
but that was a few days ago, and the popups have only
appeared on this session.
Any idea what it is? It _sounds_ as if it just might be
malware, but I'm fairly careful, and have never had any in
decades of computing. (Avira says it's done 41.3% - scanned
47215 objects - so far, and not found anything.)

I'll just go to Google it ...

Have you tried any of the many spyware and malware programs around? Search
back on this group for recommendations or simply ask the question for whiich
ones people use.
Avira, IMO is only mediocre in itis reliability and tends to false
positives IME, which are still repeatable in my last testing of it. It wants
to delete a legtimate setup.exe which lives in an unexpected folder and
that's the ONLY reason it wants to delete it. I notified them, they agreed
wtih me, promised to fix it, and never did.
AVG or AVAST are a couple decent freebies you can try out for AV work
that's better than Avira. There are other freebie AV programs too and a good
chance some will pipe in to offer their suggestions, same as with malware
detectors.

Having read all your reponses to date here, it sounds very much like you
have malware aboard. Regardless of how "safe" you think you are with
surfing, there are just too many ways to become infected; safe hex alone
just won't do it. A good firewall (ZoneAlarm?), a good AV package (not
Avira) and good malware detectors are the "norm" for protection. Some will
claim that programs like Super AntiMalware & such are all that's needed;
don't beleive them. Many programs may catch many of them, but no single
program yet will catch all of them; there are just too many of them and
increasing every day.

HTH,

Twayne`

In ,
J. P. Gilliver (John) typed:
I'm doing a complete system scan at the moment (AVIRA is my
AV). I'm doing it after a restart, because my
email-and-news software (Turnpike, quite old) behaved oddly
once or twice.
It may have nothing to do with that fact, but twice a "new
hardware found" popup has appeared, and when I let it
proceed to the point where it tells me what the new
hardware actually is, it has said "Generic volume shadow
copy". (I cancel it at that point.)
I haven't added any new hardware (it's a netbook, with
nothing plugged into it other than the power supply at the
moment). I _have_ added a "subst" into my startup sequence,
but that was a few days ago, and the popups have only
appeared on this session.
Any idea what it is? It _sounds_ as if it just might be
malware, but I'm fairly careful, and have never had any in
decades of computing. (Avira says it's done 41.3% - scanned
47215 objects - so far, and not found anything.)

I'll just go to Google it ...

Generic Volume Shadow Copy is a windows program that allows the backing
up/manipulation of files that are "in use" by taking a snapshot of them.
Most archiving, backup and imaging programs require it in order to work.
It is a service that should be started automatically every time you boot
up unless you are an expert at manipulating its use. Check to see if it's
set to "automatic" under Services.

Unless the file is a phony, no AV or malware program should find it. If
it's a phony, it was placed there by malware. Or the original file was
overwritten with the phony.

WinPatrol Says:
Manages and implements Volume Shadow Copies used for backup and other
purposes. If this service is stopped, shadow copies will be unavailable for
backup and the backup may fail. If this service is disabled, any services
that explicitly depend on it will fail to start.

and

the executable is at:
C:\WINDOWS\System32\vssvc.exe

.... Administrative Tools; Services will open a window in XP where you
can start/stop the service, and set whether it starts "automatic", "Manual"
or Never.
I don't give a path for the admin tools because the user can change it
after it's installed. Search your boot drive for vsssvc.exe if necessary.
Check to see that it's set to "automatc" and that the setting sticks
(stays after a Restart).

HTH,

Twayne`

In message , Tim Meddick
writes:
Ah, I understand you now..... I also have experienced this and similar
sorts of behaviours. I'm afraid, again, I have no explanation at the
moment for it.

This is because it hadn't happened to me recently, and I have to be
able to reproduce the sequence of events that lead to getting a
particular errormessage in order for me to investigate it.

This is so I can then query the system to which processes are involved
and what software/hardware conflicts may be happening. I can only do
such things while the error is "in progress".

But I will certainly keep it in mind so that if it ever happens on my
system again, I will attempt to identify it's cause for you.....
[]
Thanks. Don't go out of your way - I was just curious as to:
1. what it was (I know more or less now)
2. why it suddenly popped p as "new hardware found", despite the fact
that I already had several restore points so it must have already been
present to make them;
3. why, when it does pop up, the OS itself (not my AV) says it's not
"Microsoft signed" or whatever.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

If vegetarians eat vegetables,..beware of humanitarians!

In message , Twayne
writes:
[]
Having read all your reponses to date here, it sounds very much like you

Are you sure you have done so, because:
1. it is not my AV, but the OS's own trap, that is objecting. You know
how when you add new hardware, and the system asks for a driver, and you
load the driver that came with it, as often as not you get a popup
warning you that said driver is not "Microsoft signed" or something like
that. What was happening was that - despite not having added any new
hardware - the "new hardware found" thing was popping up (saying the new
hardware was this "... shadow copy"), and when I let it find drivers for
it, the "not signed" box popped up.
2. I already had several restore points present; presumably the shadow
copy thing must have already been there in order to make those. So why
is it popping up again?
[]
just won't do it. A good firewall (ZoneAlarm?), a good AV package (not

I have a firewall (plus what's in the routers of course).

Avira) and good malware detectors are the "norm" for protection. Some will
claim that programs like Super AntiMalware & such are all that's needed;
don't beleive them. Many programs may catch many of them, but no single
program yet will catch all of them; there are just too many of them and
increasing every day.

Agreed. (How many of each [AV, firewall, detector] - and which ones - do
_you_ run?)

HTH,

Twayne`





(Why the lines at the end?)
--
J. P. Gilliver. UMRA: 1960/1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

If vegetarians eat vegetables,..beware of humanitarians!