drop registry export and system evtx csv · detect volume shadow copy service disabled or shadow copy creation suppressed · identify configuration changes preventing future shadow copy creation · surface vss service manipulation · runs locally
VSS/swprv Start=4 · FilesNotToSnapshot · 7036 · 7040 · 8193/8194 · vssadmin resize shadowstorage · wmic shadowcopy create · scheduled shadow-delete tasks
drop registry export · system evtx csv · security evtx csv (4688)