Full uninstall of Powershadow

Discussion in 'sandboxing & virtualization' started by MerleOne, Apr 18, 2008.

Thread Status:
Not open for further replies.
  1. MerleOne

    MerleOne Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    1,272
    Location:
    France
    Hi,

    As mentioned in an older thread here (https://www.wilderssecurity.com/showthread.php?t=178018&highlight=snpshot.sys), after having installed and then uninstalled Powershadow 2.x, a driver remains active, snpshot.sys, which is apparently loaded with the kernel at boot time.

    If I try to disable it with, for instance, Sysinternals/Autoruns, I get an immediate BSOD at the next boot. The solution is to revert to the last known good configuration (F8, then select the corresponding option), or to restore a backup!

    Does anyone know how to remove that %$¤!#&!! thing?

    Thanks!
     
    Last edited: Apr 18, 2008
  2. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I don't know exactly how to do that, but just deleting it is certainly dangerous.
    Find the registry entries and unregister the lower and upper filters for that driver, then reboot. Once that is done, just delete the driver in the system32 folder; I would do all of this in Safe Mode. But if I were you, I would just wait for someone who can give you, based on experience, the exact procedure to follow.
     
  3. MerleOne

    MerleOne Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    1,272
    Location:
    France
    Thanks for your reply. What do you mean by unregistering the upper and lower filters? I have searched the registry for any occurrence of "snpshot.sys" but found none.
     
  4. MerleOne

    MerleOne Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    1,272
    Location:
    France
    I looked again into the registry and found that snpshot (and not snpshot.sys) is indeed a parameter in several registry keys named "UpperFilters", together with several other strings like Phylock (used by Image For Windows). I'll delete snpshot from these registry keys and hopefully it won't be loaded after reboot...

    I'll let you know...
     
  5. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
  6. MerleOne

    MerleOne Registered Member

    Joined:
    Mar 6, 2006
    Posts:
    1,272
    Location:
    France
    Actually, it seems I did it the following way:

    I used a registry editor, the one from TuneUP2006, to search for the string "snpshot". At first I used snpshot.sys, which was a big mistake since there was no such string in the registry...

    I found around four keys called UpperFilters, which were each a list of strings separated by CR, each containing "snpshot". Each list was the same; I just removed the "snpshot" string from each one.

    I rebooted, then used the latest Autoruns utility (MSFT/Sysinternals) to disable the driver. Reboot again, and then the driver appeared not to be loaded any longer. I was even able to delete the snpshot.sys file from c:\windows\system32\drivers. But I restored it there. As long as it is not loaded, I don't care.

    Also, thanks for the links. I looked at the one from StorageCraft and it's very informative, in particular for removing the service registry key. I'll try the same for snpshot...

    Now, I hope I'll remember the whole procedure for next time, and I wish I could do the same for "CPUIDle", a software I uninstalled some months ago and which has left some active parts, but of a different kind...

    Thanks again !
     
    Last edited: Apr 19, 2008
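    The procedure described in the post above, as an added PowerShell example that is not code from the thread or from any of the products mentioned: it walks every device-class key under HKLM\SYSTEM\CurrentControlSet\Control\Class, strips the driver's name from each UpperFilters and LowerFilters REG_MULTI_SZ value while leaving the other filters (such as phylock) in place, and then disables the driver's service entry rather than deleting it, which is the order the thread found to avoid the BSOD. The parameter names ($FilterName, -Apply), the dry-run default, and the use of Start=4 (SERVICE_DISABLED) as the intermediate step are this example's own choices, not anything the post states.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Export HKLM\SYSTEM first (reg export HKLM\SYSTEM system-backup.reg) so the change can be undone.
# $FilterName is the name as it appears in the filter lists ("snpshot" in the thread, not "snpshot.sys").
# Without -Apply the script only reports what it would change.
param(
    [string]$FilterName = 'snpshot',
    [switch]$Apply
)

$classRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$FilterName"

# Step 1: remove the filter name from every UpperFilters/LowerFilters list under the class GUID keys.
Get-ChildItem -Path $classRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $key = $_.PSPath
    foreach ($valueName in 'UpperFilters', 'LowerFilters') {
        $current = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if (-not $current) { continue }

        # REG_MULTI_SZ is returned as string[]; force an array so a single-entry list is handled the same way.
        $list = @($current)
        if ($list -notcontains $FilterName) { continue }

        $remaining = @($list | Where-Object { $_ -ne $FilterName })
        Write-Host ("{0}\{1}: [{2}] -> [{3}]" -f $key, $valueName, ($list -join ','), ($remaining -join ','))

        if ($Apply) {
            if ($remaining.Count -gt 0) {
                # Write the other filters back as REG_MULTI_SZ so nothing else is unregistered.
                Set-ItemProperty -Path $key -Name $valueName -Value ([string[]]$remaining) -Type MultiString
            } else {
                # Drop an emptied list outright rather than leaving an empty REG_MULTI_SZ behind.
                Remove-ItemProperty -Path $key -Name $valueName
            }
        }
    }
}

# Step 2: disable, but do not delete, the driver's service entry.
# Only after a clean reboot with the filter references gone should the service key and
# the .sys file be removed (the service key is what the StorageCraft procedure deletes).
if (Test-Path $serviceKey) {
    $svc = Get-ItemProperty -Path $serviceKey
    Write-Host ("Service key present: Start={0} Type={1} ImagePath={2}" -f $svc.Start, $svc.Type, $svc.ImagePath)
    if ($Apply) {
        # Start=4 is SERVICE_DISABLED; this is the same effect as disabling the entry in Autoruns.
        Set-ItemProperty -Path $serviceKey -Name Start -Value 4 -Type DWord
    }
} else {
    Write-Host "No service key for $FilterName under Services."
}
```

    Run it once without -Apply to see exactly which class keys reference the filter and what the lists will look like afterwards; the thread reports around four such keys, and each should still list the other filters after the change. Only after the machine has rebooted cleanly with the driver no longer loaded is it reasonable to remove the service key and the file under system32\drivers.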
  7. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    nice to have it solved ! :D
     
  8. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Thanks for this!

    I followed the exact same procedure and finally got rid of this annoying snpshot driver debris left behind by PowerShadow's uninstall. I am now enjoying Shadow Defender's nice bundle of enhanced security (MBR sector protection) in a simple concept :)

    I should probably do the same with Acronis TI's snapman driver, now that I'm using ShadowProtect.

    Thanks again for this thread, MerleOne & Huupi :thumb: :thumb:
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Speculation:

    I suspect it was by design that PS's earlier version, since it also shadows the entire disk as compared to a single/system partition, is partially responsible for its difficulty to remove for some users.

    Normal means of removal are not within every user's abilities, but it can easily be removed with the right registry tools. The SYSTEM/LEGACY keys are always an issue on NT systems because they require manually checkmarking "Everyone" in order for Windows to carry out such a registry removal.

    I have always used (personally) RegCrawler by 4Developers to JUMP to locked registry entries; then it is but a simple matter of clicking Permissions and adding "Everyone", and a simple delete command removes the entries.

    There are other registry searchers out there, and if you can use one that JUMPS to locked entries, there's really nothing stopping a user (ADMIN) from taking control and removing them.

    snpshot.sys is the only driver in PS that has given users fits, but it's by design and for security reasons that it protects itself with Windows' own permissions feature.

    EASTER
     
  10. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I had difficulty removing the Raxco Snapshot driver (rss.sys) and faced the same BSOD; after following the StorageCraft procedure I solved it.
    It's always tricky to delete an orphaned driver; my guess is that generally they are harmless and will stay quietly there.
     
  11. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Thanks for this pointer.

    I used this for settling the snpshot and snapman orphaned drivers, both with the same success. I will surely keep it handy for when the next need arises, as I'm pretty sure it will happen again.

    And for reference, the actual Nate's procedure can be read at
    http://forum.storagecraft.com/Community/forums/p/368/1575.aspx#1575
     
  12. erreale

    erreale Registered Member

    Joined:
    May 2, 2004
    Posts:
    22
    To resolve the problem with PowerShadow, just use the fixmbr function of the Windows CD; then you can remove the driver.
     
  13. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Really?

    Did you try?

    Could you elaborate a bit on the relation between the problematic driver and your solution, or provide some www literature explaining it? It would be a nice and easy fix, if it isn't breaking loose something elsewhere at the same time (FD-ISR, Acronis, other shadow software...?).
     
  14. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    It will break the F11 Acronis bootloader (if you installed it) for sure, and I also fail to see the relation between some third-party driver and the MBR.
     