From 6fef73df2b06b9ca1452c33059cdda21d416a99c Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Sun, 6 Jul 2025 19:02:53 -0600 Subject: [PATCH] Update Workflows/Windows/VSS/Delete Shadow Copies.md --- Workflows/Windows/VSS/Delete Shadow Copies.md | 26 ++++++++++++++----- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/Workflows/Windows/VSS/Delete Shadow Copies.md b/Workflows/Windows/VSS/Delete Shadow Copies.md index 3bd73ec..7f1fc69 100644 --- a/Workflows/Windows/VSS/Delete Shadow Copies.md +++ b/Workflows/Windows/VSS/Delete Shadow Copies.md @@ -1,20 +1,32 @@ ## Purpose -You may find that you need to delete shadow copies on a disk for any number of reasons such as freeing up space. Sometimes the shadow copies simply don't want to be deleted gracefully. In those circumstances, you can use the two methods seen below to delete the shadows. +There are times when you may need to delete shadow copies (Volume Shadow Copies) from a drive—commonly to free up disk space. While this is usually straightforward, you may encounter scenarios where shadow copies cannot be deleted through normal means. The following methods provide ways to forcibly remove all shadow copies from a specific volume. !!! warning - These commands will delete **all** shadow copies for the associated drive letter. In these examples, the drive letter will be `D:\`. + The examples below will **permanently delete all shadow copies** on the specified drive. The examples use drive `D:`—adjust the drive letter as needed. + +## Method 1: Delete Shadow Copies Using `vssadmin` +The `vssadmin` utility is the standard tool for managing shadow copies. It is typically safe and handles deletions gracefully. + +However, some antivirus or endpoint protection software may block its execution due to its similarity to behavior used by ransomware. If `vssadmin` fails, use the `diskshadow` method described below. -### Delete Shadows Via `vssadmin` -Vssadmin is generally the de-facto method of deleting shadows, as it is pretty graceful with the process, but sometimes antivirus might not let you run it thinking you are doing something ransomware-ish. If that happens, defer to the `diskshadow` method seen further below. ```batch vssadmin delete shadows /for=D: /all /quiet ``` -### Delete Shadows via `diskshadow` -This method is a little more aggressive than `vssadmin` and should be only used as a *Plan B* if `vssadmin` doesn't work. +* `/for=D:` specifies the target volume. +* `/all` removes all shadow copies on that volume. +* `/quiet` suppresses confirmation prompts. + +## Method 2: Delete Shadow Copies Using `diskshadow` +`diskshadow` is a more direct and lower-level tool than `vssadmin`. It should be used as a fallback option if `vssadmin` fails or is blocked. + ```batch diskshadow set context persistent nowriters delete shadows volume D: exit -``` \ No newline at end of file +``` + +Explanation: +* `set context persistent nowriters` ensures the command does not involve writer components (e.g., for backups), reducing the chance of interference. +* `delete shadows volume D:` removes all persistent shadow copies for volume `D:`. \ No newline at end of file