Protects the silent "undo history" Windows keeps for your files, so ransomware can't destroy your last-ditch recovery option.
Windows quietly keeps point-in-time snapshots of your drive, known as shadow copies (the feature is sometimes called "Previous Versions"). If a file gets corrupted or overwritten, you can right-click it, choose Restore previous versions, and often pull back an earlier copy. It's a genuinely underrated safety net.
The problem: ransomware knows about shadow copies too. One of the first things most ransomware does is run vssadmin delete shadows /all to wipe them out so you can't recover without paying.
Shadow Guard watches for any program trying to delete your shadow copies and blocks it. Only programs you've explicitly approved are allowed through.
Monitors running programs and intercepts any attempt to delete shadow copies in real time. Fast, low overhead, and catches most attacks. Turn this on first.
Uses a Windows feature called Image File Execution Options to hijack the standard tools ransomware uses to delete shadow copies (vssadmin.exe, wbadmin.exe, wmic.exe). Any attempt to run them fails unless launched from an approved program. This is the stronger of the two — but may interfere with legitimate backup tools, so pair it with the Allowed Programs list.
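The allow-or-block decision described above, sketched as an added example that is not Shadow Guard's own code: it classifies process-creation events for the three tools named here and lets a delete request through only when the parent program is on the approved list. The event fields, the ExampleBackup path, and the wmic and wbadmin patterns are assumptions made for illustration.

```python
import ntpath
import re

# Deletion subcommands per tool. Only "vssadmin delete shadows" is quoted on
# the page; the wmic and wbadmin patterns are assumptions added for this example.
DELETE_PATTERNS = {
    "vssadmin.exe": re.compile(r"\bdelete\s+shadows\b"),
    "wmic.exe": re.compile(r"\bshadowcopy\b.*\bdelete\b"),
    "wbadmin.exe": re.compile(r"\bdelete\s+(catalog|systemstatebackup)\b"),
}

def normalize_image(image):
    """Lower-case file name of the launched program, adding .exe if omitted."""
    name = ntpath.basename(image.strip().strip('"')).lower()
    return name if name.endswith(".exe") else name + ".exe"

def classify(event, allowed_programs):
    """Return 'ignore', 'allow' or 'block' for one process-creation event."""
    pattern = DELETE_PATTERNS.get(normalize_image(event["image"]))
    if pattern is None or not pattern.search(event["command_line"].lower()):
        return "ignore"  # not one of the tools, or not a delete request
    # Compare the parent's full path, not its file name: a name-only match
    # would approve any program that calls itself backup.exe.
    allowed = {ntpath.normcase(p) for p in allowed_programs}
    return "allow" if ntpath.normcase(event["parent_image"]) in allowed else "block"

# Hypothetical approved program and constructed sample events.
ALLOWED = [r"C:\Program Files\ExampleBackup\backup.exe"]
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"c:\windows\system32\VSSADMIN.EXE",
     "command_line": "VSSADMIN.EXE Delete Shadows /For=C: /Oldest",
     "parent_image": r"c:\program files\examplebackup\BACKUP.EXE"},
    {"image": "wmic",
     "command_line": "wmic shadowcopy delete",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\backup.exe"},
]

def run_samples():
    return [classify(e, ALLOWED) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{verdict:6}  {event['command_line']}")
```

The last sample is blocked even though its parent is named backup.exe, because the approved entry is matched by full path.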
You don't have to wait for Windows to take a shadow copy on its own schedule. Click Create Snapshot, pick a drive, and Shadow Guard will ask Windows to take a fresh snapshot right now. This is a great habit before installing new software or major Windows updates.