1

I am trying to write some digital forensics software in python, which means I need a way to access volume shadow copies on windows. I am following this article from SANS https://www.sans.org/blog/using-volume-shadow-copies-from-python, using the following block of code.

import win32com.client

def vss_list(self):
        wcd = win32com.client.Dispatch("WbemScripting.SWbemLocator")
        wmi = wcd.ConnectServer(".", "root\cimv2")
        obj = wmi.ExecQuery("SELECT * FROM Win32_ShadowCopy")
        return [x.DeviceObject for x in obj]

My problem is that this function returns pywintypes.com_error: (-2147217388, 'OLE error 0x80041014', None, None). The same happens if I change the return statement to return obj[0]. I have looked to try and find an explanation of the error code and the best I have found is at https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-error-constants

WBEM_E_INITIALIZATION_FAILURE

2147749908 (0x80041014)

Component, such as a provider, failed to initialize for internal reasons.

I am not sure if this is what the code means, or what my problem is and how to fix it.

Thanks in advance for any help

incarnadine
  • 658
  • 7
  • 19

1 Answers1

1

Although this might not be the case in your situation one thing that causes me grief with VSS WMI classes is its architecture dependency. On 64-Bit OS this will not run from a 32-Bit process. Make sure your Python interpreter is running as a 64-Bit process.

From the Win32_ShadowCopy class documentation.

Note This class is unavailable for 32-bit applications on Windows Server 2008 x64. To access the class with Visual Studio, go to Project Properties, then General, and un-check the Prefer 32-bit box.

I hope this is all that is standing in your way.

Paul G
  • 1,219
  • 7
  • 14
  • Thanks for this reply. I was using 32-bit python, and have now switched to 64-bit. Unfortunately, this hasn't solved my problem and I am still getting the same error as before. – incarnadine Aug 16 '20 at 15:45