Improve VSS parsing: robust, language-agnostic handling and safe cleanup

Open azoxlpf opened this issue 3 months ago • 0 comments

Description

This PR improves the way secretsdump.py parses the output of vssadmin when retrieving shadow copies.

Previously, the code relied on English-specific keywords (e.g. "Shadow Copy ID:", "Volume:"), which caused failures on systems where vssadmin output is localized (e.g. French, German, Spanish).

This patch introduces a regex-based parsing mechanism that:

  • Extracts the GLOBALROOT path directly,

  • Searches for nearby GUIDs ({xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}),

  • Detects volume letters ((C:), (D:), …) independently of the language,

  • Adds fallbacks if parsing fails,

  • Improves error handling when deleting shadows.

This makes secretsdump more robust across non-English domain controllers.

Before:

[screenshot: before]

After:

[screenshot: after]

azoxlpf, Sep 18 '25 09:09
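
A sketch of the locale-independent parsing the description outlines, added here as an illustration and not taken from the PR or from impacket. The function name `parse_shadows`, the look-back window and the sample output (made-up labels, constructed for this example) are assumptions.

```python
import re

# Tokens that stay the same whatever language vssadmin prints its labels in.
DEVICE_RE = re.compile(r"\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+", re.I)
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
DRIVE_RE = re.compile(r"\(([A-Z]):\)", re.I)
VOLUME_GUID_RE = re.compile(r"\\\\\?\\Volume\{", re.I)

# Constructed sample: the labels only imitate a non-English build.
SAMPLE = r"""
Schattenkopiesatz-ID: {11111111-2222-3333-4444-555555555555}
   Schattenkopie-ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
      Originalvolume: (C:)\\?\Volume{99999999-8888-7777-6666-555555555555}\
      Schattenkopievolume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
      Quellcomputer: dc01.example.test
"""

def parse_shadows(output, window=3):
    """Return one dict per shadow copy: device path, shadow GUID, drive letter.

    Fields that cannot be located stay None, so a caller can fall back to
    the device path alone.
    """
    lines = output.splitlines()
    found = []
    for i, line in enumerate(lines):
        dev = DEVICE_RE.search(line)
        if not dev:
            continue
        entry = {"device": dev.group(0), "shadow_id": None, "drive": None}
        # Look at the few lines above the device path, nearest first.
        for prev in reversed(lines[max(0, i - window):i]):
            if DEVICE_RE.search(prev):
                break  # reached the previous shadow copy's block
            drive = DRIVE_RE.search(prev)
            if drive and entry["drive"] is None:
                entry["drive"] = drive.group(1).upper() + ":"
            if VOLUME_GUID_RE.search(prev):
                continue  # this GUID names the volume, not the shadow copy
            guid = GUID_RE.search(prev)
            if guid and entry["shadow_id"] is None:
                entry["shadow_id"] = guid.group(0).lower()
        found.append(entry)
    return found
```

The nearest GUID above the device path belongs to the original volume (`\\?\Volume{...}`), which is why that line is skipped before a GUID is accepted as the shadow copy ID.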