Overcoming EDR (CrowdStrike Falcon Sensor) Blocks when Deleting Volume Shadow Copies

Anonymous
2023-10-13T12:38:22+00:00

We utilize Volume Shadow Copy to create backups, and our standard method for deleting these shadow copies is through 'vssadmin delete shadows.' However, when we attempt to execute this command, the EDR (CrowdStrike Falcon Sensor) system blocks the process, preventing us from deleting the created shadow copy.

Are there alternative methods for deleting the shadow copy without being blocked by the EDR?

Windows for business | Windows Server | Storage high availability | Other

Locked Question. This question was migrated from the Microsoft Support Community.


1 answer

  1. Anonymous
    2023-10-16T03:02:29+00:00

    Hi rootcause000,

    You may give CIM a try. Run Get-CimInstance -ClassName Win32_ShadowCopy to get the shadow copies and see if you can remove them using Remove-CimInstance.

    windows - Accessing Volume Shadow Copy (VSS) Snapshots from powershell - Stack Overflow

    Best Regards,

    Ian Xue

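The CIM approach the answer suggests, written out as an added example (this is not the answerer's code and not a Microsoft or CrowdStrike sample). The script name Remove-ShadowCopy.ps1, the one-volume-at-a-time design, and the "oldest copy first" default are assumptions; Win32_Volume, Win32_ShadowCopy, Get-CimInstance and Remove-CimInstance are the real classes and cmdlets. Remove-CimInstance deletes the Win32_ShadowCopy instance, which is the same operation vssadmin delete shadows performs, so an EDR that blocks vssadmin for that reason may well block this path too; the script verifies after the call rather than assuming success, and honours -WhatIf so it can be dry-run first. It must be run from an elevated PowerShell session.

```powershell
# Remove-ShadowCopy.ps1 (added example; script name and parameter design are assumptions)
# Deletes one Volume Shadow Copy for a given drive letter through CIM instead of vssadmin.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Drive letter of the volume whose shadow copy should be removed, e.g. 'C:'
    [Parameter(Mandatory)][string]$Volume,
    # Optional shadow copy ID in {GUID} form; when omitted, the oldest copy on the volume is removed
    [string]$ShadowId
)

# Win32_Volume.DeviceID is the \\?\Volume{GUID}\ path that Win32_ShadowCopy.VolumeName refers to
$vol = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$Volume'"
if (-not $vol) { throw "Volume $Volume not found" }

# Enumerate shadow copies for that volume only, oldest first (InstallDate is the creation time)
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate

if (-not $shadows) {
    Write-Warning "No shadow copies found for $Volume"
    return
}

# Pick the requested copy, or fall back to the oldest one
$target = if ($ShadowId) {
    $shadows | Where-Object { $_.ID -eq $ShadowId }
} else {
    $shadows | Select-Object -First 1
}
if (-not $target) { throw "Shadow copy $ShadowId not found on $Volume" }

Write-Host ("Selected {0} created {1} on {2}" -f $target.ID, $target.InstallDate, $target.VolumeName)

# Remove-CimInstance deletes the WMI/CIM instance; ShouldProcess gives us -WhatIf and -Confirm
if ($PSCmdlet.ShouldProcess($target.ID, 'Delete shadow copy')) {
    $target | Remove-CimInstance

    # Do not trust a silent return: re-query and fail loudly if the copy is still there,
    # which is what a blocked deletion typically looks like
    $remaining = Get-CimInstance -ClassName Win32_ShadowCopy -Filter "ID='$($target.ID)'"
    if ($remaining) {
        throw "Shadow copy $($target.ID) is still present; the deletion was likely blocked"
    }
    Write-Host "Deleted shadow copy $($target.ID)"
}
```

Run it as `.\Remove-ShadowCopy.ps1 -Volume 'C:' -WhatIf` first to see which copy would be selected, then without -WhatIf (it will prompt because ConfirmImpact is High). If the post-deletion check throws, the sensor most likely blocked the CIM deletion just as it blocked vssadmin, and the remaining fix is a policy or exclusion change agreed with whoever administers the Falcon tenant, not another deletion method.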