
Using subst to map a drive to help restore from a volume shadow copy

I needed to copy only the missing files from a volume shadow copy back to a client's share after clearing out files encrypted by crypto malware, and I found a new favourite command:
subst drive1: drive2:path
Substitutes a path for a drive letter, for example:
subst x: c:\users\adam\desktop

maps x: to my desktop in my profile.

Where this came in particularly handy for me was using robocopy to restore files and folders out of a volume shadow copy (previous version).

I wanted to run robocopy a: b: /xc /xn /xo /s which only copies missing files, and does not copy existing files – regardless of age or difference, to extract missing files from the shadow copy.

So first I found the path to the file by right-clicking on a file in the shadow copy and copying the location, then running subst:

subst x: "\\localhost\C$\@GMT-2016.10.24-14.01.30\Server Shares\Company"

I could then run my robocopy from the x: drive.

Finished off with subst x: /d to remove the drive mapping.
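The whole procedure as one PowerShell script, as an added example that is not part of the original post. The target path is a hypothetical placeholder, and the /L dry run, the /R:1 /W:1 retry limits and the exit-code checks are additions to the commands given above.

```powershell
# Added example. $Target is a hypothetical path for the live share.
$Snapshot = '\\localhost\C$\@GMT-2016.10.24-14.01.30\Server Shares\Company'  # path from the post
$Target   = 'D:\Server Shares\Company'   # assumption: replace with the real share (no trailing backslash)
$Drive    = 'X:'
$Switches = '/S', '/XC', '/XN', '/XO', '/NP'   # the post's copy switches, plus /NP to hide progress

if ([System.IO.Directory]::Exists("$Drive\")) { throw "$Drive is already in use; pick a free letter." }

# Map the snapshot folder to a drive letter so robocopy gets a short, simple source path.
subst $Drive $Snapshot
if (-not [System.IO.Directory]::Exists("$Drive\")) { throw "subst did not map $Drive to the snapshot." }

try {
    # Pass 1: /L only lists the files that would be copied; nothing is written.
    robocopy "$Drive\" $Target @Switches /L
    if ($LASTEXITCODE -ge 8) { throw "Dry run failed (robocopy exit code $LASTEXITCODE)." }

    if ((Read-Host 'Copy the files listed above? (y/n)') -eq 'y') {
        # Pass 2: the real copy. /XC /XN /XO mean files already in $Target are never overwritten.
        robocopy "$Drive\" $Target @Switches /R:1 /W:1
        # Robocopy exit codes are bit flags: a value below 8 means no copy failures.
        if ($LASTEXITCODE -ge 8) { throw "Copy had failures (robocopy exit code $LASTEXITCODE)." }
    }
}
finally {
    # Always remove the temporary mapping, even if robocopy failed.
    subst $Drive /D
}
```

Because existing files are skipped regardless of content, any encrypted file still sitting in the target under its original name will block the clean copy from being restored, which is why the encrypted files have to be cleared out first.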

Useful write up here:


And subst technet article here: