What's "Generic volume shadow copy"?

I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
doing it after a restart, because my email-and-news software (Turnpike,
quite old) behaved oddly once or twice.

It may have nothing to do with that fact, but twice a "new hardware
found" popup has appeared, and when I let it proceed to the point where
it tells me what the new hardware actually is, it has said "Generic
volume shadow copy". (I cancel it at that point.)

I haven't added any new hardware (it's a netbook, with nothing plugged
into it other than the power supply at the moment). I _have_ added a
"subst" into my startup sequence, but that was a few days ago, and the
popups have only appeared on this session.

Any idea what it is? It _sounds_ as if it just might be malware, but I'm
fairly careful, and have never had any in decades of computing. (Avira
says it's done 41.3% - scanned 47215 objects - so far, and not found
anything.)

I'll just go to Google it ...
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

.... back in the olden days ... Britain was entirely made of wood and lit by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010

In message <(E-Mail Removed)>, "J. P. Gilliver
(John)" <(E-Mail Removed)> writes:
>I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
>doing it after a restart, because my email-and-news software (Turnpike,
>quite old) behaved oddly once or twice.
>
>It may have nothing to do with that fact, but twice a "new hardware
>found" popup has appeared, and when I let it proceed to the point where
>it tells me what the new hardware actually is, it has said "Generic
>volume shadow copy". (I cancel it at that point.)
>
>I haven't added any new hardware (it's a netbook, with nothing plugged
>into it other than the power supply at the moment). I _have_ added a
>"subst" into my startup sequence, but that was a few days ago, and the
>popups have only appeared on this session.
>
>Any idea what it is? It _sounds_ as if it just might be malware, but
>I'm fairly careful, and have never had any in decades of computing.
>(Avira says it's done 41.3% - scanned 47215 objects - so far, and not
>found anything.)
>
>I'll just go to Google it ...

Hmm. Done so; it seems to be something to do with System Restore, or
similar. And at least one other person encountered it while doing a
system scan - though no-one (that I've found so far) has explained
either (a) why it's popping up at random, or (b) why, if it's a
Microsoft thing anyway, it says it hasn't been checked.

(AVIRA finished a scan, and is now doing another one - or, is scanning a
different part of the system. It says it's found 2 "Detections", the
last being "HTML/Rce.Gen", which it says isn't very dangerous. I can't
ask it what the other one is - could be just the EICAR test virus which
I know I have on here somewhere and is by definition harmless. Avira
says 24.3% done on this pass.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

.... back in the olden days ... Britain was entirely made of wood and lit by
one enormous candle, tended by the Queen
- Steven Moffat, Radio Times, 24-30 July 2010

Avira forums, HoopleHead.

"J. P. Gilliver (John)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In message <(E-Mail Removed)>, "J. P. Gilliver (John)"
> <(E-Mail Removed)> writes:
>>I'm doing a complete system scan at the moment (AVIRA is my AV). I'm doing
>>it after a restart, because my email-and-news software (Turnpike, quite
>>old) behaved oddly once or twice.
>>
>>It may have nothing to do with that fact, but twice a "new hardware found"
>>popup has appeared, and when I let it proceed to the point where it tells
>>me what the new hardware actually is, it has said "Generic volume shadow
>>copy". (I cancel it at that point.)
>>
>>I haven't added any new hardware (it's a netbook, with nothing plugged
>>into it other than the power supply at the moment). I _have_ added a
>>"subst" into my startup sequence, but that was a few days ago, and the
>>popups have only appeared on this session.
>>
>>Any idea what it is? It _sounds_ as if it just might be malware, but I'm
>>fairly careful, and have never had any in decades of computing. (Avira
>>says it's done 41.3% - scanned 47215 objects - so far, and not found
>>anything.)
>>
>>I'll just go to Google it ...
>
> Hmm. Done so; it seems to be something to do with System Restore, or
> similar. And at least one other person encountered it while doing a system
> scan - though no-one (that I've found so far) has explained either (a) why
> it's popping up at random, or (b) why, if it's a Microsoft thing anyway,
> it says it hasn't been checked.
>
> (AVIRA finished a scan, and is now doing another one - or, is scanning a
> different part of the system. It says it's found 2 "Detections", the last
> being "HTML/Rce.Gen", which it says isn't very dangerous. I can't ask it
> what the other one is - could be just the EICAR test virus which I know I
> have on here somewhere and is by definition harmless. Avira says 24.3%
> done on this pass.)
> --
> J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
>
> ... back in the olden days ... Britain was entirely made of wood and lit
> by
> one enormous candle, tended by the Queen
> - Steven Moffat, Radio Times, 24-30 July 2010

The Window's service "Volume Shadow Copy" is a built-in service that
enables the operating system to copy files that would otherwise return the
error : "Access Denied - File in use by another process" (or similar) when
a file is "locked" by another program or the OS itself.

As has been quite rightly mentioned - it is indeed used by "System
Restore", but is by no means limited to only this.

It is also used by "NT Backup" and any third-part programs that have been
written to utilize the Volume Shadow Copy service, such as ERUNT.exe (reg
backup for NT (google ERUNT for more on this)).

==

Cheers, Tim Meddick, Peckham, London. :-)




"J. P. Gilliver (John)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
> doing it after a restart, because my email-and-news software (Turnpike,
> quite old) behaved oddly once or twice.
>
> It may have nothing to do with that fact, but twice a "new hardware
> found" popup has appeared, and when I let it proceed to the point where
> it tells me what the new hardware actually is, it has said "Generic
> volume shadow copy". (I cancel it at that point.)
>
> I haven't added any new hardware (it's a netbook, with nothing plugged
> into it other than the power supply at the moment). I _have_ added a
> "subst" into my startup sequence, but that was a few days ago, and the
> popups have only appeared on this session.
>
> Any idea what it is? It _sounds_ as if it just might be malware, but I'm
> fairly careful, and have never had any in decades of computing. (Avira
> says it's done 41.3% - scanned 47215 objects - so far, and not found
> anything.)
>
> I'll just go to Google it ...
> --
> J. P. Gilliver. UMRA: 1960/<1985
> MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
>
> ... back in the olden days ... Britain was entirely made of wood and lit
> by
> one enormous candle, tended by the Queen
> - Steven Moffat, Radio Times, 24-30 July 2010

In message <icds4q$d39$(E-Mail Removed)>, Harden Thicke
<(E-Mail Removed)> writes:
>Avira forums, HoopleHead.

1. I don't do "forums".

2. This isn't just Avira.
>
>"J. P. Gilliver (John)" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> In message <(E-Mail Removed)>, "J. P. Gilliver (John)"
>> <(E-Mail Removed)> writes:
>>>I'm doing a complete system scan at the moment (AVIRA is my AV). I'm doing
>>>it after a restart, because my email-and-news software (Turnpike, quite
>>>old) behaved oddly once or twice.
>>>
>>>It may have nothing to do with that fact, but twice a "new hardware found"
>>>popup has appeared, and when I let it proceed to the point where it tells
>>>me what the new hardware actually is, it has said "Generic volume shadow
>>>copy". (I cancel it at that point.)
[]
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

<Squawk> Pieces of eight!
<Squawk> Pieces of eight!
<Squawk> Pieces of nine!
<SYSTEM HALTED: parroty error!>

In message <icdt7b$fh2$(E-Mail Removed)>, Tim Meddick
<(E-Mail Removed)> writes:
>The Window's service "Volume Shadow Copy" is a built-in service that
>enables the operating system to copy files that would otherwise return
>the error : "Access Denied - File in use by another process" (or
>similar) when a file is "locked" by another program or the OS itself.
>
>As has been quite rightly mentioned - it is indeed used by "System
>Restore", but is by no means limited to only this.
>
>It is also used by "NT Backup" and any third-part programs that have
>been written to utilize the Volume Shadow Copy service, such as
>ERUNT.exe (reg backup for NT (google ERUNT for more on this)).
[]
Thanks for the more intelligent response than the other idiot.

What puzzles me are:

o Why did it (only) pop up when I was doing a scan? (I have - and use
occasionally - ERUNT, and it doesn't then.)

o Why does it see it as new hardware?

o I checked, and I already had restore points (going back to I think
November 7 - certainly from before I did the scan), so why hadn't it
popped up when it did those.

o I checked in Device Manager, and (once I'd turned on show hidden) I
already had the phantom drives (I forget the wording used) that are
involved.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

<Squawk> Pieces of eight!
<Squawk> Pieces of eight!
<Squawk> Pieces of nine!
<SYSTEM HALTED: parroty error!>

I'm afraid I just can't answer that, it's a question more about your
Anti-Virus / Anti-Malware program than about the WinXP OS!

But the fact is that the Volume Shadow Copy Service has always been a
feature of NT systems - set to automatic start by default.

I would question the effectiveness of my Anti-Virus / Anti-Malware software
if such a genuine element of the Window's OS is being returned as in any
way bogus by it!

Such behaviour of "spotting" viruses / malware where there isn't any is a
feature of Malware itself.....

(An example of this below...)
http://blogs.technet.com/b/mmpc/arch...ssentials.aspx

==

Cheers, Tim Meddick, Peckham, London. :-)




"J. P. Gilliver (John)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In message <icdt7b$fh2$(E-Mail Removed)>, Tim Meddick
> <(E-Mail Removed)> writes:
>>The Window's service "Volume Shadow Copy" is a built-in service that
>>enables the operating system to copy files that would otherwise return
>>the error : "Access Denied - File in use by another process" (or similar)
>>when a file is "locked" by another program or the OS itself.
>>
>>As has been quite rightly mentioned - it is indeed used by "System
>>Restore", but is by no means limited to only this.
>>
>>It is also used by "NT Backup" and any third-part programs that have been
>>written to utilize the Volume Shadow Copy service, such as ERUNT.exe (reg
>>backup for NT (google ERUNT for more on this)).
> []
> Thanks for the more intelligent response than the other idiot.
>
> What puzzles me are:
>
> o Why did it (only) pop up when I was doing a scan? (I have - and use
> occasionally - ERUNT, and it doesn't then.)
>
> o Why does it see it as new hardware?
>
> o I checked, and I already had restore points (going back to I think
> November 7 - certainly from before I did the scan), so why hadn't it
> popped up when it did those.
>
> o I checked in Device Manager, and (once I'd turned on show hidden) I
> already had the phantom drives (I forget the wording used) that are
> involved.
> --
> J. P. Gilliver. UMRA: 1960/<1985
> MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
>
> <Squawk> Pieces of eight!
> <Squawk> Pieces of eight!
> <Squawk> Pieces of nine!
> <SYSTEM HALTED: parroty error!>

"J. P. Gilliver (John)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In message <icds4q$d39$(E-Mail Removed)>, Harden Thicke
> <(E-Mail Removed)> writes:
>>Avira forums, HoopleHead.
>
> 1. I don't do "forums".

You're a lazy HoopleHead.

> 2. This isn't just Avira.
>>
>>"J. P. Gilliver (John)" <(E-Mail Removed)> wrote in message
>>news:(E-Mail Removed)...
>>> In message <(E-Mail Removed)>, "J. P. Gilliver
>>> (John)"
>>> <(E-Mail Removed)> writes:
>>>>I'm doing a complete system scan at the moment (AVIRA is my AV). I'm
>>>>doing
>>>>it after a restart, because my email-and-news software (Turnpike, quite
>>>>old) behaved oddly once or twice.
>>>>
>>>>It may have nothing to do with that fact, but twice a "new hardware
>>>>found"
>>>>popup has appeared, and when I let it proceed to the point where it
>>>>tells
>>>>me what the new hardware actually is, it has said "Generic volume shadow
>>>>copy". (I cancel it at that point.)
> []
> --
> J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
>
> <Squawk> Pieces of eight!
> <Squawk> Pieces of eight!
> <Squawk> Pieces of nine!
> <SYSTEM HALTED: parroty error!>

In message <icgeog$603$(E-Mail Removed)>, Tim Meddick
<(E-Mail Removed)> writes:
>I'm afraid I just can't answer that, it's a question more about your
>Anti-Virus / Anti-Malware program than about the WinXP OS!
>
>But the fact is that the Volume Shadow Copy Service has always been a
>feature of NT systems - set to automatic start by default.
>
>I would question the effectiveness of my Anti-Virus / Anti-Malware
>software if such a genuine element of the Window's OS is being returned
>as in any way bogus by it!

No, not at all: the AV didn't object to it at all. It's just that, while
running an AV scan, (a) the "new hardware found" thing popped up twice,
(b) when I told it (the new hardware thing) to proceed to the next
stage, it (again, the normal Windows self-protecting thing) said that
what I was about to allow - i. e. the driver it had found for this
phantom new hardware - wasn't Microsoft signed. That latter is
particularly puzzling, this Shadow Copy thing being as you have
explained part of the system. (From what I found on line, others get the
same thing, though.)
>
>Such behaviour of "spotting" viruses / malware where there isn't any is
>a feature of Malware itself.....
[]
(No, that wasn't what was happening.)

(FWIW all AV found were two instances of some HTML code that matched
some Trojan.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

The fool doth think he is wise, but the wise man knows himself to be a fool.

Ah, I understand you now..... I also have experienced this and similar
sorts of behaviours. I'm afraid, again, I have no explanation at the
moment for it.

This is because it hadn't happened to me recently, and I have to be able to
reproduce the sequence of events that lead to getting a particular
errormessage in order for me to investigate it.

This is so I can then query the system to which processes are involved and
what software/hardware conflicts may be happening. I can only do such
things while the error is "in progress".

But I will certainly keep it in mind so that if it ever happens on my
system again, I will attempt to identify it's cause for you.....

==

Cheers, Tim Meddick, Peckham, London. :-)

P.S. I must assure you, however, again, that the service "Volume Shadow
Copy" or VSS (Volume Snapshot Service) is definitely a normal part of every
version of Windows since WinXP Service Pack 2 and Server 2003.


"J. P. Gilliver (John)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In message <icgeog$603$(E-Mail Removed)>, Tim Meddick
> <(E-Mail Removed)> writes:
>>I'm afraid I just can't answer that, it's a question more about your
>>Anti-Virus / Anti-Malware program than about the WinXP OS!
>>
>>But the fact is that the Volume Shadow Copy Service has always been a
>>feature of NT systems - set to automatic start by default.
>>
>>I would question the effectiveness of my Anti-Virus / Anti-Malware
>>software if such a genuine element of the Window's OS is being returned
>>as in any way bogus by it!
>
> No, not at all: the AV didn't object to it at all. It's just that, while
> running an AV scan, (a) the "new hardware found" thing popped up twice,
> (b) when I told it (the new hardware thing) to proceed to the next stage,
> it (again, the normal Windows self-protecting thing) said that what I was
> about to allow - i. e. the driver it had found for this phantom new
> hardware - wasn't Microsoft signed. That latter is particularly puzzling,
> this Shadow Copy thing being as you have explained part of the system.
> (From what I found on line, others get the same thing, though.)
>>
>>Such behaviour of "spotting" viruses / malware where there isn't any is a
>>feature of Malware itself.....
> []
> (No, that wasn't what was happening.)
>
> (FWIW all AV found were two instances of some HTML code that matched some
> Trojan.)
> --
> J. P. Gilliver. UMRA: 1960/<1985
> MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf
>
> The fool doth think he is wise, but the wise man knows himself to be a
> fool.