Each Shadow Copy is 300 MB in size, and there are up to 64 shadow copies per volume; a month or two of daily backups!
That means you can investigate files changed, deleted, or added throughout that time period.
Here is the Previous Versions tab of the C: drive properties on a Windows 7 virtual machine, showing two previous versions available.
Here's the command-line tool VSSADMIN showing the available shadow copies:
Volume Shadow Copies are also used by System Restore:
To make VSS files more convenient to access, copy the UNC path to them like this:
Then create a symbolic link to the shadow copy like this:
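The two steps above (copying the shadow copy path from the VSSADMIN output and creating a symbolic link to it) can be scripted. This is an added example, not part of the original page: the sample output is constructed, and the function names and the link directories C:\vsc1 and C:\vsc2 are assumptions.

```python
import re

# Constructed sample of `vssadmin list shadows` output from an elevated prompt.
# GUIDs, timestamps and the machine name are placeholders, not values from the page.
SAMPLE = r"""
Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 9/30/2012 10:15:02 AM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WIN7-VM

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 10/19/2012 9:41:37 PM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WIN7-VM
"""

def parse_shadows(text):
    """Return one dict per shadow copy: creation time, source drive, device path."""
    shadows, created, origin = [], None, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key.endswith("at creation time"):
            created = value
        elif key == "Original Volume":
            m = re.match(r"\((\w:)\)", value)   # keep only the drive letter, e.g. "C:"
            origin = m.group(1) if m else value
        elif key == "Shadow Copy Volume":
            shadows.append({"created": created, "origin": origin, "device": value})
    return shadows

def mklink_command(shadow, link_dir):
    """Build the cmd.exe line that exposes a shadow copy as a directory."""
    # The target must end in a backslash so the link points at the root
    # directory of the shadow volume rather than at the device object.
    target = shadow["device"].rstrip("\\") + "\\"
    return f"mklink /d {link_dir} {target}"

if __name__ == "__main__":
    for n, shadow in enumerate(parse_shadows(SAMPLE), start=1):
        print(f"rem {shadow['origin']} as of {shadow['created']}")
        print(mklink_command(shadow, rf"C:\vsc{n}"))
```

Run the printed `mklink` lines from an elevated command prompt; `rmdir C:\vsc1` later removes the link without touching the shadow copy itself.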
Choose the desired shadow volume:
Now two drives show up, labelled C: and D: -- D: is actually an earlier version of C: formed from the Shadow Copy.
I repeated the process for the other shadow copy to create an E: drive.
I compared the two volumes:
I compared C: to D:
The process took about 12 minutes:
The files that have been added, deleted, or changed appear in a pop-up box:
You can filter by action:
Or filter by file type:
At this point, I made a mistake and clicked "Check All". This caused a lot of boxes to pop up, asking me to comment on every file. I hit the Esc key many times to close all those boxes, and accidentally closed the "Compare Volumes Result" box. After that, there is no way to get it back without repeating the 12-minute comparison operation again.
This option is called "Extract Volume Shadow Copies":
Here I am comparing one shadow copy with the other, getting everything changed between Sep. 30 and Oct. 19:
Here is the extraction in progress--see the activity note at the lower left:
Here is the result. ProDiscover forms a group of files that were changed as a separate image called an LFC:
Here is a file that changed in the Windows directory: