A forum for reverse engineering, OS internals and malware analysis 

Fail to add a folder into restore point using VssExpressWriter.

Forum for discussion about user-mode development.

Fail to add a folder into restore point using VssExpressWriter.

 #33141  by Iradicator
 Sun Aug 11, 2019 9:08 pm
I'd like to include a selected folder in restore point once it's performed.

This require registering into`VssExpressWriter`which I've done using the code below, and I also verify it's worked as expected by checking that my selected folder is actually reside in vssadmins list writers.

However, eventually the folder wasn't properly reconstructed after restore in the following scenario:
1. Register using the following code (see below).
2. Create system restore point.
3. Delete my folder.
4. Restart
5. Restore my system... and the folder is nowhere to be seen again ...

Here's my code:
Code: Select all
int main()
{
    ::CoInitialize(NULL);

    createAndRegister();

}

int createAndRegister()
{
    CComPtr<IVssExpressWriter>                  spExpressWriter;
    CComPtr<IVssCreateExpressWriterMetadata>    spMetadata;

    CreateVssExpressWriter(&spExpressWriter);

    spExpressWriter->CreateMetadata(EXPRESS_WRITER_SAMPLE_GUID, L"Sample Express Writer", VSS_UT_USERDATA, 1, 0, 0, &spMetadata);

    PCWSTR  wszComponent = L"myExpressWriter";


    spMetadata->SetRestoreMethod(
        VSS_RME_RESTORE_AT_REBOOT, ////I've also tried it with different option of this enum
        NULL,
        NULL,                              
        VSS_WRE_NEVER,                     
        false),
        L"SetRestoreMethod failed");

    spMetadata->AddComponent(
        VSS_CT_FILEGROUP,
        NULL,
        wszComponent,
        wszComponent,
        NULL,
        0,
        false,
        false,
        false);   

    spMetadata->AddFilesToFileGroup(
        NULL,
        wszComponent,
        L"c:\\ProgramData\\myFolder",
        L"*.*",
        true,
        NULL,
        NULL),


    spExpressWriter->Register();
}
perhaps anyone can help me understand what went wrong ... I've based my code on formal example from microsoft github page.
 Return to “User-Mode Development”