The Teluri

Reputation: 23

How does physical disk read work with volume shadow for NTFS?

My goal is to make a backup program that reads a physical disk (with NTFS partitions) while using VSS for data consistency.

I use the Windows API function CreateFile with '\\.\PhysicalDriveN' as described here (basically, it allows me to access a disk as a big file):

https://support.microsoft.com/en-us/help/100027/info-direct-drive-access-under-win32

For tests I create volume shadows with this command:

wmic shadowcopy call create Volume='C:\'

This is a temporary solution; I plan on using VSS via the program itself.

My question is: how are volume shadows stored? Does it store data that has been modified since the volume shadow, or does it store modifications made since the last volume shadow?

In the first case: when I read the disk, will I get consistent data (including NTFS metadata files)?

In the other case: can I access a volume shadow the same way I would access a disk/partition (in order to read hidden metadata files, etc.)?

- I am currently using Windows 7 but planning on using it on different versions of Windows Server.

- I've read a lot of Microsoft docs about VSS, but how it works seems really unclear to me (if you answer with one, please explain its meaning a bit).

- I know that volume shadows are stored in the folder "System Volume Information" as files with names like {3808876b-c176-4e48-b7ae-04046e6cc752}

Upvotes: 0

Views: 790

Answers (2)

The Teluri

Reputation: 23

So I did more tests, and actually shadow volumes are made at block level, not file level. This means that using CreateFile with the path \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 would work in a similar way to using CreateFile with the path \\.\C:

So yes, you can access a shadow copy file system; it has its own boot sector, MFT, etc.

Upvotes: 0
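
As an added example (not code from the original post): a portable C parser for the NTFS boot sector that the answer above says a shadow copy exposes, with sanity checks so a backup tool does not trust on-disk values blindly. It assumes the first 512 bytes were already read with CreateFile/ReadFile from \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 or \\.\C:; the function names and the sample sector are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ntfs_boot_info {
    uint32_t bytes_per_sector, sectors_per_cluster, file_record_size;
    uint64_t total_sectors, mft_offset;   /* mft_offset: bytes from volume start */
};

static uint64_t rd_le(const uint8_t *p, int n) {   /* little-endian read */
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Parse sector 0 of a volume; returns 0 on success, -1 if it is not sane NTFS. */
int parse_ntfs_boot(const uint8_t *s, struct ntfs_boot_info *o) {
    if (memcmp(s + 3, "NTFS    ", 8) || s[510] != 0x55 || s[511] != 0xAA) return -1;
    uint32_t bps = (uint32_t)rd_le(s + 0x0B, 2);
    if (bps < 256 || bps > 4096 || (bps & (bps - 1))) return -1;
    uint8_t raw = s[0x0D];                 /* >= 0xF4 encodes 2^(256 - raw) sectors */
    uint32_t spc = raw <= 0x80 ? raw : raw >= 0xF4 ? 1u << (256 - raw) : 0;
    if (spc == 0 || (spc & (spc - 1))) return -1;
    int8_t rec = (int8_t)s[0x40];          /* < 0 encodes 2^(-rec) bytes */
    if (rec == 0 || rec < -31) return -1;
    uint64_t total = rd_le(s + 0x28, 8), mft_lcn = rd_le(s + 0x30, 8);
    if (total == 0 || mft_lcn >= total / spc) return -1;  /* $MFT must be inside volume */
    o->bytes_per_sector = bps; o->sectors_per_cluster = spc; o->total_sectors = total;
    o->mft_offset = mft_lcn * spc * bps;
    o->file_record_size = rec > 0 ? (uint32_t)rec * spc * bps : 1u << -rec;
    return 0;
}

void make_sample_sector(uint8_t *s) {      /* constructed, not from a real volume */
    memset(s, 0, 512);
    memcpy(s + 3, "NTFS    ", 8);
    s[0x0C] = 0x02; s[0x0D] = 8;           /* 512-byte sectors, 8 per cluster */
    s[0x2A] = 0x10;                        /* 0x100000 total sectors */
    s[0x30] = 0xE8; s[0x31] = 0x03;        /* $MFT at cluster 1000 */
    s[0x40] = 0xF6;                        /* -10 -> 1024-byte file records */
    s[510] = 0x55; s[511] = 0xAA;
}

int main(void) {
    uint8_t sec[512]; struct ntfs_boot_info bi;
    make_sample_sector(sec);
    if (parse_ntfs_boot(sec, &bi)) return 1;
    printf("$MFT at byte %llu\n", (unsigned long long)bi.mft_offset);
    return 0;
}
```

Running the same parser on sector 0 of the live volume and of the shadow copy device is a quick way to confirm that both present a complete NTFS volume layout.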

Drake Wu

Reputation: 7170

"How are volume shadows stored? Does it store data that has been modified since the volume shadow, or does it store modifications made since the last volume shadow?"

A hardware or software shadow copy provider uses one of the following methods for creating a shadow copy (answer from the MSDN documentation):

Complete copy: This method makes a complete copy (called a "full copy" or "clone") of the original volume at a given point in time. This copy is read-only.

Copy-on-write: This method does not copy the original volume. Instead, it makes a differential copy by copying all changes (completed write I/O requests) that are made to the volume after a given point in time.

Redirect-on-write: This method does not copy the original volume, and it does not make any changes to the original volume after a given point in time. Instead, it makes a differential copy by redirecting all changes to a different volume.

"When I read the disk, will I get consistent data (including NTFS metadata files)?"

Even if an application does not have its files open in exclusive mode, it is possible—because of the finite time needed to open, back up, and close a file—that files copied to storage media may not all reflect the same application state.

"Can I access a volume shadow the same way I would access a disk/partition (in order to read hidden metadata files, etc.)?"

Requester Access to Shadow Copied Data

Paths on the shadow copied volume are obtained by replacing the root of the original path with the device object. For example, given a path on the original volume of "C:\DATABASE*.mdb" and a VSS_SNAPSHOT_PROP instance of snapProp, you would obtain the path on the shadow copied volume by concatenating snapProp.m_pwszSnapshotDeviceObject, "\", and "\DATABASE*.mdb".

Upvotes: 0
