Re: [Burp-users] Windows: is VSS feature optional?
From: Graham K. <gr...@gr...> - 2016-11-26 02:26:19
Burp uses the Windows backup API. My best guess is that the data is coming out
of the backup API. I imagine that the data would more accurately be called
'api data', though I usually call it 'vss data'.
There should probably be an option to turn off the API too, or along with the
VSS snapshots.

This issue is related:
https://github.com/grke/burp/issues/165

When I get a chance, I will try some experiments with trying to turn off VSS.

On Fri, Nov 25, 2016 at 08:51:25AM +0100, Sven Ehret wrote:
>
> Thanks, but what puzzles me is that every file in the backup directory
> is of type “data” when questioned by the “file” command. My guess is
> that the file signature/magic number has been made unaccessible by the
> backed up vss header.
>
> Testing this, I used the vss_strip binary on a text and on an xml file
> and this hardened my suspicion:
>
> $ vss_strip -i TEST_Belegung.txt -o TEST_Belegung_stripped.txt
> $ vss_strip -i TEST_dsNew_Contact.xml -o TEST_dsNew_Contact_stripped.xml
>
> $ file *
> TEST_Belegung_stripped.txt: ASCII text, with very long lines, with
> no line terminators
> TEST_Belegung.txt: data
> TEST_dsNew_Contact_stripped.xml: XML 1.0 document, ASCII text, with CRLF
> line terminators
> TEST_dsNew_Contact.xml: data
>
> So I guess that the vss feature is buggy in version 1.4.40?
>
> Thanks again for your dedicated work.
> Sven
>
>
> On 24.11.2016 at 22:06, Graham Keeling wrote:
> > On Thu, November 24, 2016 6:11 pm, Sven Ehret wrote:
> >> Hello,
> >>
> >> I am sorry if this has been answered before, I cannot find good
> >> information about that.
> >>
> >> Is it really possible to switch off VSS snapshots (version 1.4.40,
> >> protocol 1)? I should do so to not interfere with a second backup
> >> process.
> >> I put the option "vss_drives = 0" in both server and client
> >> configuration, but in the backup console log, it seems like this is
> >> ignored:
> >>
> >> C:\Program Files\Burp>bin\burp -a b
> >> 2016-11-24 09:08:56: bin\burp[7268] before client
> >> 2016-11-24 09:08:56: bin\burp[7268] begin client
> >> 2016-11-24 09:08:56: bin\burp[7268] auth ok
> >> 2016-11-24 09:08:56: bin\burp[7268] Server version: 1.4.40
> >> 2016-11-24 09:08:56: bin\burp[7268] nocsr ok
> >> 2016-11-24 09:08:56: bin\burp[7268] SSL is using cipher:
> >> DHE-RSA-AES256-GCM-SHA3
> >> 84 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
> >> 2016-11-24 09:08:57: bin\burp[7268] Compression level: 0
> >> 2016-11-24 09:08:57: bin\burp[7268] do backup client
> >> 2016-11-24 09:08:57: bin\burp[7268] Control handler registered.
> >> Generate VSS snapshots.
> >> Driver="VSS Vista", Drive(s)="0"
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS drive letters: 0
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 0
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 1
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 2
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 3
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 4
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 5
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 6
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 7
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 8
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 9
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 10
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 11
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 12
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 13
> >> 2016-11-24 09:09:02: bin\burp[7268] VSS writer count: 14
> >> 2016-11-24 09:09:02: bin\burp[7268] Phase 1 begin (file system scan)
> >> 2016-11-24 09:09:58: bin\burp[7268] Phase 1 end (file system scan)
> >> 2016-11-24 09:09:58: bin\burp[7268] Phase 2 begin (send file data)
> >> 2016-11-24 09:09:59: bin\burp[7268] Phase 2 end (send file data)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "Task
> >> Scheduler Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "VSS
> >> Metadata Store Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete):
> >> "Performance Counters Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "System
> >> Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "ASR
> >> Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "FSRM
> >> Writer",State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "DFS
> >> Replication service writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "WMI
> >> Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "Dedup
> >> Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete):
> >> "MSSearch Service Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "Shadow
> >> Copy Optimization Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete):
> >> "Registry Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "COM+
> >> REGDB Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "Dhcp
> >> Jet Writer", State: 0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] VSS Writer (BackupComplete): "NTDS",
> >> State:0x1 (VSS_WS_STABLE)
> >> 2016-11-24 09:10:02: bin\burp[7268] backup finished ok
> >> 2016-11-24 09:10:02: bin\burp[7268] after client
> >>
> >> Please, what is the status of the VSS feature? If it can be switched
> >> off, how?
> >
> > Hello,
> >
> > It looks to me like it is initialising the writers, but not actually doing
> > any snapshots. I guess it should not bother with the writers either, if
> > you have set "0".
> >
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Burp-users mailing list
> > Bur...@li...
> > https://lists.sourceforge.net/lists/listinfo/burp-users
> >
>
> --
> Sven Ehret
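
An added example, not part of the original thread and not burp's or vss_strip's code: assuming the stored file is the raw output of the Windows backup API (BackupRead), that is, a sequence of WIN32_STREAM_ID records, this parser shows why `file` sees only "data" and what stripping the headers recovers. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Fixed part of a WIN32_STREAM_ID record: dwStreamId, dwStreamAttributes,
# Size (64-bit), dwStreamNameSize; the UTF-16 name and the payload follow.
HEADER = struct.Struct("<IIqI")           # 20 bytes, little-endian
BACKUP_DATA, BACKUP_SECURITY_DATA = 1, 3  # stream ids from winbase.h


def iter_streams(blob):
    """Yield (stream_id, name, payload); raise ValueError on malformed input."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        sid, _attrs, size, name_len = HEADER.unpack_from(blob, off)
        off += HEADER.size
        # Never trust lengths read from the file: bound them before slicing.
        if size < 0 or name_len % 2 or off + name_len + size > len(blob):
            raise ValueError(f"implausible lengths in record before offset {off}")
        name = blob[off:off + name_len].decode("utf-16-le")
        off += name_len
        yield sid, name, blob[off:off + size]
        off += size


def strip_backup_headers(blob):
    """Return only the unnamed default data stream, i.e. the file's content."""
    return b"".join(p for sid, name, p in iter_streams(blob)
                    if sid == BACKUP_DATA and not name)


def record(sid, payload, name=""):
    """Build one record; used only to construct the sample below."""
    raw_name = name.encode("utf-16-le")
    return HEADER.pack(sid, 0, len(payload), len(raw_name)) + raw_name + payload


# Constructed sample: a text file's content followed by a dummy security stream.
TEXT = b"Raum 1: belegt\r\n"
SAMPLE = record(BACKUP_DATA, TEXT) + record(BACKUP_SECURITY_DATA, b"\x01\x00\x04\x80")

if __name__ == "__main__":
    print(SAMPLE[:20].hex())             # the binary header is what `file` reads first
    print(strip_backup_headers(SAMPLE))  # the original text, header removed
```

A file that was stored without the API wrapper fails the length check and raises ValueError, which makes the parser usable as a quick test of whether a given backup file carries these headers at all.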