Description
I noticed that when passing a path to the NTDS.dit file using the ntdsSource
argument, it fails when trying to copy from the shadow copy.
Take for instance the supplied example (https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1#L27):
```
Copy-VSS -DestinationDir C:\temp -ntdsSource D:\ntds\ntds.dit
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```
This fails with the following error:
```
The filename, directory name, or volume label syntax is incorrect.
```
This is due to the script first making a shadow copy of the C drive (https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1#L53):
```
(Get-WmiObject -list win32_shadowcopy).Create("C:\","ClientAccessible")
```
Then later, it tries to copy from the supplied ntdsSource
(https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1#L70), which, using the example above, will look like this:
```
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[ID]\D:\ntds\ntds.dit
                                                        ^^^^^^^^^^^^^^^^
```
This fails because of two things:
- The supplied shadow copy is of the C drive
- The path passed to copy should not include drive letter
I guess there should be some check whether the supplied ntdsSource
is on the C drive, and if not, a separate shadow copy of that drive needs to be taken. Further, the ntdsSource
variable needs to be modified so the drive letter is removed, so that the command becomes:
```
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[ID]\ntds\ntds.dit
```
I ended up running the commands manually, which doesn't take much effort.
Just a heads up :-)
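The fix sketched in the report above (snapshot the volume that actually holds the file, then drop the drive letter before building the shadow device path), as an added example. This is not nishang's code and is not a patch to Copy-VSS.ps1; the function name Copy-FileFromShadow and the -KeepShadow switch are made up for the illustration. It needs an elevated PowerShell session, and it assumes the Win32_ShadowCopy DeviceObject property has the usual \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN form.

```powershell
# Added example (not nishang's code): take the shadow copy on whichever volume
# holds the requested file, then copy it out via the snapshot's device path.
# Copy-FileFromShadow is a hypothetical name chosen for this illustration.
function Copy-FileFromShadow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourcePath,     # e.g. D:\ntds\ntds.dit
        [Parameter(Mandatory)] [string] $DestinationDir, # e.g. C:\temp
        [switch] $KeepShadow                             # leave the snapshot behind instead of deleting it
    )

    if (-not (Test-Path -LiteralPath $SourcePath)) {
        throw "Source file not found: $SourcePath"
    }
    if (-not (Test-Path -LiteralPath $DestinationDir)) {
        New-Item -ItemType Directory -Path $DestinationDir | Out-Null
    }

    # "D:\ntds\ntds.dit" -> volume "D:\" and volume-relative part "ntds\ntds.dit".
    # The shadow device path must not contain the drive letter; leaving it in is
    # what produced "...\HarddiskVolumeShadowCopy[ID]\D:\ntds\ntds.dit" in the report.
    $volume   = [System.IO.Path]::GetPathRoot($SourcePath)   # "D:\"
    $relative = $SourcePath.Substring($volume.Length)        # "ntds\ntds.dit"

    # Snapshot the volume that actually holds the file, not C:\ unconditionally.
    $result = (Get-WmiObject -List Win32_ShadowCopy).Create($volume, "ClientAccessible")
    if ($result.ReturnValue -ne 0) {
        throw "Win32_ShadowCopy.Create on $volume failed with return value $($result.ReturnValue)"
    }

    # Resolve the snapshot we just created to its device object
    # (assumed form: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN).
    $shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
    if (-not $shadow) {
        throw "Shadow copy $($result.ShadowID) was created but could not be found"
    }
    $shadowPath  = "$($shadow.DeviceObject)\$relative"
    $destination = Join-Path $DestinationDir (Split-Path -Leaf $SourcePath)

    try {
        # cmd.exe's copy understands \\?\GLOBALROOT device paths; Copy-Item does not,
        # which is why the original script shells out to copy as well.
        cmd.exe /c copy "$shadowPath" "$destination" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "copy from $shadowPath to $destination failed (exit code $LASTEXITCODE)"
        }
    }
    finally {
        # Remove the snapshot unless the caller asked to keep it for inspection.
        if (-not $KeepShadow) { $shadow.Delete() | Out-Null }
    }

    return $destination
}

# Usage, with the path from the report above (run as Administrator):
# Copy-FileFromShadow -SourcePath D:\ntds\ntds.dit -DestinationDir C:\temp
```

Passing a file on C:\ still works, since the volume is derived from the path rather than hard-coded; the same function can be pointed at the SYSTEM and SECURITY hives under C:\Windows\System32\config, at the cost of one snapshot per call.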