Process
vssadmin.exe
vssadmin.exe is the command-line tool for managing Volume Shadow Copies, the point-in-time snapshots Windows uses for backups and System Restore. Administrators and backup software use it to create, list, and remove shadow copies. Attackers use it for two of the most damaging actions on a host: deleting those snapshots before ransomware encrypts, and copying locked files like the Active Directory database out of a snapshot.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
Indicators
Not observed.
Analysis
vssadmin.exe drives the Volume Shadow Copy Service (VSS), the Windows component that takes consistent point-in-time snapshots of a volume even while files are open. Those shadow copies are what backup tools, System Restore, and the Previous Versions feature rely on. vssadmin can list existing shadows, create new ones, delete them, and resize the storage set aside for them. It requires administrative rights and lives at C:\Windows\System32\vssadmin.exe.
Legitimately, vssadmin is run by administrators and backup products, usually infrequently and in a clear maintenance context. On a normal workstation it is uncommon, and its command-line verb says exactly what a given instance is doing.
vssadmin.exe is central to ransomware (T1490). The command vssadmin delete shadows /all /quiet is one of the most recognizable steps in an encryption attack, wiping every shadow copy so the victim cannot roll back. Shrinking shadow storage with resize shadowstorage to a tiny maximum achieves the same result indirectly, because Windows discards existing snapshots to fit the new limit. Either command run from a shell or an Office application, rather than backup software, is close to a confirmed incident.
It is also a route to credential theft (T1003.003). Files like the Active Directory database (ntds.dit) and the registry hives are locked while Windows is running, so an attacker runs vssadmin create shadow to get a stable snapshot and then copies ntds.dit and the SYSTEM hive out of it for offline extraction of domain password hashes. A create shadow followed by reads from the snapshot path is the pattern.
Because the binary is genuine and signed and every one of these is a legitimate administrative operation, detection is behavioral: the verb, the parent process, and whether the machine runs any backup product that would explain the activity.
- Image path other than C:\Windows\System32\vssadmin.exe (high)
- delete shadows, especially /all /quiet (high)
- resize shadowstorage to a very small size (high)
- Parent is cmd.exe, powershell.exe, an Office application, or an unfamiliar process (high)
- create shadow outside any backup context (med)
- Run on a machine with no backup software installed (med)
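As an added example (not part of this profile), the indicators above turned into scoring logic over constructed process-creation events. The event field names, the allowlist of expected parents (hypothetical backupagent.exe and snapshot.exe), and the 1 GB threshold for a "very small" shadow storage size are assumptions.

```python
# Constructed sample process-creation events (not real telemetry); the field names,
# the parent allowlist and the 1 GB "tiny storage" threshold are assumptions.
SYSTEM32_IMAGE = r"c:\windows\system32\vssadmin.exe"
SHELL_OR_OFFICE_PARENTS = {"cmd.exe", "powershell.exe", "winword.exe", "excel.exe", "outlook.exe"}
EXPECTED_PARENTS = {"backupagent.exe", "snapshot.exe"}  # hypothetical backup/maintenance tools
RANK = {"none": 0, "med": 1, "high": 2}

EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent": r"C:\Program Files\Vendor\backupagent.exe",
     "cmdline": "vssadmin create shadow /for=C:", "backup_software_installed": True},
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "backup_software_installed": False},
    {"image": r"C:\Users\Public\vssadmin.exe", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB", "backup_software_installed": False},
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent": r"C:\Tools\snapshot.exe",
     "cmdline": "vssadmin create shadow /for=C:", "backup_software_installed": False},
]

def size_mb(token):
    """Convert a /maxsize value like 401MB or 10GB to megabytes; None if UNBOUNDED or unparsable."""
    for suffix, factor in (("KB", 1 / 1024), ("MB", 1), ("GB", 1024), ("TB", 1024 ** 2)):
        if token.upper().endswith(suffix):
            return float(token[:-len(suffix)]) * factor
    return None

def score_vssadmin_event(ev, small_storage_mb=1024):
    """Rate one process-creation event with the profile's indicators; returns (severity, reasons)."""
    severity, reasons = "none", []
    def raise_to(level, why):
        nonlocal severity
        reasons.append(why)
        severity = level if RANK[level] > RANK[severity] else severity
    args = ev["cmdline"].lower().split()
    verb = " ".join(args[1:3])                       # e.g. "delete shadows"
    opts = dict(a.split("=", 1) if "=" in a else (a, None) for a in args[3:])
    if ev["image"].lower() != SYSTEM32_IMAGE:
        raise_to("high", "image path is not the System32 binary")
    if verb == "delete shadows":
        quiet = {"/all", "/quiet"} <= opts.keys()
        raise_to("high", "delete shadows" + (" /all /quiet" if quiet else ""))
    if verb == "resize shadowstorage":
        mb = size_mb(opts.get("/maxsize") or "")
        if mb is not None and mb < small_storage_mb:
            raise_to("high", f"shadow storage shrunk to {opts['/maxsize']}")
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if parent in SHELL_OR_OFFICE_PARENTS:
        raise_to("high", f"parent {parent} is a shell or Office application")
    elif parent not in EXPECTED_PARENTS:
        raise_to("high", f"parent {parent} is not a known backup or maintenance tool")
    if verb == "create shadow" and not ev["backup_software_installed"]:
        raise_to("med", "create shadow outside any backup context")
    if not ev["backup_software_installed"]:
        raise_to("med", "no backup software on this host")
    return severity, reasons
```

Run over the four constructed events, the backup agent's create shadow scores none, the two ransomware-style invocations score high, and the create shadow from an expected tool on a host without backup software scores med.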
Telemetry
Not observed.