Thursday, February 23, 2012

Restore from formatted offline files database

Congratulations, you fixed offline files syncing at the expense of the last six months of work for a company executive.  They've given you an hour to restore their files or to pack up your stuff.  Your frantic internet searches give you some false hopes, but you start to realize you're screwed.

Not quite yet!  Highly Unsupported has one last option for you that might just save you from having to get your interview suit dry cleaned.

Windows stores offline files in the folder C:\Windows\CSC.  The folder is locked down to prevent access from any interactive user.  However, if your files are still in there, you can follow numerous instructions online to simply take control of this folder and browse to the files you need.  Alternatively, you can use the psexec method below to hack into it without needing to forcibly take control.

But if you've gone through the trouble of formatting the offline files database, your files won't be there anyways. Your one last hope is one feature Microsoft added with Windows ME, System Restore.  It's never done me any good to actually fix a broken operating system, but it can save you now.

First off, from the afflicted computer, run "vssadmin list shadows" to see if you even have any restore points.

If you have some restore points from before you blew away the offline files cache, and after they created the files, you are in business.

You'll need volrest.exe and psexec for these next steps.  volrest.exe comes from the Windows Server 2003 Resource Kit Tools.  Don't worry though, it'll install and work just fine on Windows 7 (just ignore the incompatibility error).  You can download the Resource Kit here:
http://www.microsoft.com/download/en/details.aspx?id=17657

Grab psexec off http://live.sysinternals.com .  If you don't know what PSEXEC is, you should spend some time finding out after you've saved your job.

We need psexec because, while you could take ownership of the CSC folder that is presently in the operating system, you have no way to take control of the one inside the restore point.  Microsoft, trying to provide security through obscurity, doesn't let you restore folders you don't have access to, but as administrator that's merely a hurdle.  Run this command to create a cmd window running as nt authority\system:

psexec.exe -i -s -d cmd


In XP you could have used the "at" command with the /interactive flag to have accomplished this same thing, but again, Microsoft made it slightly more difficult for "security".

Now the fun part.  Use volrest to restore the CSC directory.  Volrest only works with UNC paths, but that's not an issue: the administrative share provides you with the UNC path you need.

volrest \\localhost\c$\windows\CSC /s /e /sct /r:C:\temp\directory

This will restore a copy of every file under the path C:\Windows\CSC for every restore point which has those files in it.  If you have a lot of restore points, you could end up with a lot of files.  The /sct flag date stamps all the files, so you can quickly sort out which is the newest.

Now, copy the files back to the proper locations and make sure the offline files sync is working properly.
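
The restore-point check from the first step can be scripted. The PowerShell below is an added example, not part of the original post: it parses "vssadmin list shadows" output and keeps only the shadow copies of C: taken after the files existed and before the cache was formatted. The function name, the sample output (trimmed to the lines the parser reads) and both dates are constructed, and en-US vssadmin output is assumed.

```powershell
# Added example; sample output and dates are constructed, not from a real machine.
function Get-ShadowCopyCandidate {
    param(
        [string[]]$VssadminOutput,   # lines of: vssadmin list shadows
        [datetime]$FilesCreated,     # earliest time the lost files were in the cache
        [datetime]$CacheFormatted,   # when the offline files database was formatted
        [string]$Drive = 'C:'        # volume that holds \Windows\CSC
    )
    $en = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
    $created = $null; $volume = $null
    foreach ($line in $VssadminOutput) {
        if ($line -match 'creation time:\s*(.+?)\s*$') {
            # One timestamp per shadow copy set; a fixed culture keeps parsing stable.
            $created = [datetime]::Parse($Matches[1], $en)
        } elseif ($line -match 'Original Volume:\s*\((\w:)\)') {
            $volume = $Matches[1]
        } elseif ($line -match 'Shadow Copy Volume:\s*(\S+)') {
            $inWindow = ($null -ne $created) -and ($created -gt $FilesCreated) -and
                        ($created -lt $CacheFormatted)
            if ($inWindow -and ($volume -eq $Drive)) {
                New-Object PSObject -Property @{ Created = $created; Device = $Matches[1] }
            }
        }
    }
}

$sample = @'
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 8/2/2011 7:30:00 AM
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000ff}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 2/20/2012 9:14:03 AM
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000ff}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000003}
   Contained 1 shadow copies at creation time: 2/23/2012 10:05:41 AM
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-0000000000ff}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
'@ -split "`r?`n"

# Newest usable restore point first; an empty result means there is nothing to recover.
$hits = @(Get-ShadowCopyCandidate -VssadminOutput $sample -FilesCreated '2011-09-01' `
            -CacheFormatted '2012-02-23 09:00' | Sort-Object Created -Descending)
if ($hits.Count -eq 0) { Write-Warning 'No restore point falls between file creation and the format.' }
$hits | Format-Table Created, Device -AutoSize
```

On the afflicted computer, pass (vssadmin list shadows) from an elevated prompt instead of $sample.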


Credit:
Information for this solution was collected from numerous websites to generate a complete solution.  Special thanks also need to be extended to Jim Banach, who not only created this problem in the first place, but was the primary force in discovering this solution.

11 comments:

  1. That was some serious voodoo, but I just used this to restore a customer's lost file. Big ups to you and JB for both finding and posting this solution!

  2. This helped a lot! Only problem is I could not use volrest to the path for some reason (path not found), but I found you can use mklink to mount the restore point file using the shadow copy volume path from list shadows and then browse to the CSC folder and copy out the my documents. Either way.. smart moves sir, smart moves.

  3. Yeah baby! I had an encrypted network file (pgp disk) in my offline cache and had been working on it for almost a week. I was installing some updates and software and suddenly my power was cut, and my OS and offline cache were corrupted. Did system restore and then this for the pgp disk and other files. This saved a lot of work for me, thanks :D

  4. Many thanks for taking the time to post this, I have just found it very useful (-:

  5. You have no idea how helpful this was. Literally saved my job.

  6. Thank you!! This saved my ass as I had formatted corrupted offline sync but then discovered it really had never synced so all files were gone!

  7. We have a similar issue however they had encryption turned on and we can't access the data. Keeps stating Access Denied when copying the files to an external USB.

  8. This comment has been removed by the author.

  9. Thank you so much for this, it saved my ass.

    I made a slight change after messing around a bit. I have PCs that have had multiple people log into them over time, which made the restore extremely long because the CSC database had everyone's user profile in it. I only really needed to restore the primary current user's profile. We happen to use dfs so your path may vary, but you can figure out your path by starting the restore of the entire CSC database as outlined above and then doing a ctrl-c and inspecting the output. For example, for mine on dfs:

    volrest "\\localhost\c$\windows\CSC\namespace\whatever.local\NamespaceName\ShareName\RedirectedFolderName\*" /s /e /r:C:\temp\DirectoryToRestoreTo


    I also removed the /sct flag so that I could restore the files to the user without having all of those appended dates and times on the filenames, which break any existing shortcuts.

    Once again, thank you so much for this article. It's terrible that Windows will even let this happen. Offline files often seems like a curse.

    (Had to submit another comment and delete my one above because my comment got mangled by greater-than less-than symbols, and I couldn't get the usual methods to make it stop. Are there escape characters or something in this box? Whatever :))

  10. I did the restore, but all folders are empty, and there are files starting with pq or sm in their names. Could this be some kind of database files, and if so how can I extract the information? The PQ files have different names with day and date in them.

  11. Due to this trend, massive amounts of computer storage is getting used. In enterprise-level applications, the cost of saving massive data is often shocking.