Copy-VSS fails when NTDS is not on C drive

[mfaerevaag]

I noticed that when passing a path to the NTDS.dit file, using the ntdsSource argument, it fails when trying to copy from the shadow.

Take for instance the supplied example (https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1#L27):

Copy-VSS -DestinationDir C:\temp -ntdsSource D:\ntds\ntds.dit
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This fails with the following:

The filename, directory name, or volume label syntax is incorrect.

This due to the script first making a copy of the C drive (https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1#L53):

Get-WmiObject -list win32_shadowcopy).Create("C:\","ClientAccessible")

Then later, it tries to copy from the supplies ntdsSource (https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1#L70), which by using example above will look like this:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[ID]\D:\ntds\ntds.dit
                                                        ^^^^^^^^^^^^^^^^

This fails because of two things:

• The supplied shadow copy is of the C drive
• The path passed to copy should not include drive letter

I guess there should be some check if the supplied ntdsSource is on the C drive, and if not, there needs to be taken a separate shadow copy of that. Further, the ntdsSource variable needs to be modified so the drive letter is removed, so that the command becomes:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[ID]\ntds\ntds.dit

I ended up running the commands manually, which doesn't take much effort.

Just a heads up :-)