Microsoft Adds Risky System-Wide Undelete to Vista

[flowerpot]

When is a deleted file really deleted? With Windows Vista, that answer gets complicated.

 

 

 

Microsoft recently revealed that Windows Vista would inherit "volume shadow copy" technology from Windows XP and Windows Server 2003. In those older operating systems, volume shadow copy is used to take periodic snapshots of key system files, though the service can also be instructed to monitor any kind of data for the purposes of creating a system "restore point."

 

With Windows Vista, the operating system will make "shadow" (that is, backup) copies of files and folders for users who have "System Protection" enabled (the default setting). The feature will be called Previous Versions, and will be accessible via the right-click properties menu as "Restore previous versions."

 

The utility will show multiple versions of a file throughout a limited history and users will be able to restore, delete, or copy those versions. The service is configured to monitor modifications to files up to and including the latest "restore point," although this behavior could be modified by the time Vista ships. "Previous Versions" will also monitor file backups conducted with Vista-aware backup applications and it will list those versions as well, and only monitor changes made after the most recent backup or restore point has been created. That is, a given document may show 5 previous versions but it will not show any "versions" older than the latest official backup.

 

Corporate users may want to manage how "Previous Versions works," as the service will also make shadow copies of files on networked drives. The service can be disabled using the "System Protection" settings in Vista.

 

Users concerned about data security should note that "Previous Versions" makes it possible to restore deleted files, as well. If a given file is moved to the "Recycle Bin" and then deleted, Previous Versions will show enquiring minds what it was you had deleted. A snoop would need to find the folder that originally contained the file which was deleted and then use the "Previous Versions" functionality on the folder itself to identify the missing or modified files.

 

As a result, it will essentially be possible to browse through archived filesystem states. For example, "Previous Versions" will allow you to open a historical backup of a folder to see all of its contents at that time. On our test system in the lab we were able to browse the "Documents" folder through Explorer as it appeared several days ago, making note of what had and had not changed. This means that Joe User won't necessarily escape his new overloads merely by deleting his "Dangerous Thoughts" folder or using a "wipe" utility to overwrite the file. It is also not possible to delete the files from within Explorer when viewing archived data.

 

Some users will find the feature objectionable because it could give the bossman a new way to check up on employees, or perhaps it could be exploited in some nefarious way by some nefarious person. Previous versions of Windows were still susceptible to undelete utilities, of course, but this new functionality makes browsing quite, quite simple.

 

On the other hand, it should be noted that "Previous Versions" does not store its data in the files themselves. That is, unlike Microsoft Office's "track changes," files protected with "Previous Versions" will not carry their documentary history with them.

 

In Windows Vista, each partition that is protected by "System Restore" requires at least 300MB of space, and may use up to 15 percent of the available space on a partition to store previous versions of files. In the event that more space is required, the service will delete older restore points to make room for new ones.

 

We'll comment more on this new Windows Vista feature as it develops in later versions. Microsoft's TechNet entry addressing this new feature is available here, but it currently sports only very basic details.

 

[x2k]

I have no objections to that feature, in fact quite the contrary, so long as it can be completely disabled.

[ripple]

I've used Runtime's GetDataBack for ages for that same purpose. Would be cool to have it as a standard, but i didn't quite catch if the system makes backup copies of the file itself or just the TOC location (so that it could still get overwritten)

[Liam]

This''ll get set to 'disabled' faster than "messenger service"