Using `esentutl.exe /vss` to examine an in-use database

This feature has been present in Exchange with eseutil.exe, but now it will be part of Windows 10 esentutl.exe.

Normally, when we try to access ESE database files, we get ACCESS_DENIED, because the ESE engine opens files exclusively.

VSS (Volume Shadow Copy Services) allows us to grab a Snapshot of the volume, and access the file in a Read-Only mode.

But with a VSS writer, there is a callback that allows us to modify these files in a small window (OnPostSnapshot). We do this in 'esevss.dll', and it allows us to replay the log files on the in-use database, get to a clean state, and then have the Read-Only copy of the database in a clean state. Some examples are below.

This is rather useful for accessing database files without stopping the process. But beware that any transactions that haven't been committed at the time of the snapshot will be rolled back, and will be missing from the snapshotted database. Therefore it's more useful as a diagnostic tool, and not very useful for backups (well, some people may still find it useful to get most of the data...).

Performance implications: Yes, there are implications. VSS snapshots end up increasing the I/O load on the volume. The first write operation for a file turns into THREE I/Os: (Read the old value; Write the old value in a special Diff area; Write the new value). I won't go into the gory details here, because it's been around for years.

 

Normally, we can't access the database:

```
 c:\Users\martinc\AppData\Local\Microsoft\Internet Explorer\Indexed DB $ esentutl -mh AppQuota.edb

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 10.0
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating FILE DUMP mode...
Error: Access to source database 'AppQuota.edb' failed with Jet error -1032.

Operation terminated with error -1032 (JET_errFileAccessDenied, Cannot access file, the file is locked or in use) after 0.188 seconds.
```



We can dump an in-use database. Note that it's in a Dirty state. Check out the funky file name -- HarddiskVolumeShadowCopy1.
```
c:\Users\martinc\AppData\Local\Microsoft\Internet Explorer\Indexed DB $ esentutl -mh AppQuota.edb -vss

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 10.0
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initializing VSS subsystem...

Initiating FILE DUMP mode...
 Database: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\martinc\AppData\Local\Microsoft\Internet Explorer\Indexed DB\AppQuota.edb


DATABASE HEADER:
Checksum Information:
Expected Checksum: 0x7ea2e77c
 Actual Checksum: 0x7ea2e77c

Fields:
 File Type: Database
 Checksum: 0x7ea2e77c
 Format ulMagic: 0x89abcdef
 Engine ulMagic: 0x89abcdef
 Format ulVersion: 0x620,20
 Engine ulVersion: 0x620,20
Created ulVersion: 0x620,20
 DB Signature: Create time:11/19/2014 18:38:18.049 Rand:408092127 Computer:
 cbDbPage: 32768
 dbtime: 65844 (0x10134)
 State: Dirty Shutdown
...

Operation completed successfully in 6.282 seconds.
```

Here's an example using vssrec to get it to a clean state first:
```
c:\Users\martinc\AppData\Local\Microsoft\Internet Explorer\Indexed DB $ esentutl -mh AppQuota.edb -vssrec edb .

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 10.0
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initializing VSS subsystem...

Initiating FILE DUMP mode...
 Database: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Users\martinc\AppData\Local\Microsoft\Internet Explorer\Indexed DB\AppQuota.edb


DATABASE HEADER:
Checksum Information:
Expected Checksum: 0x7fadd805
 Actual Checksum: 0x7fadd805

Fields:
 File Type: Database
 Checksum: 0x7fadd805
 Format ulMagic: 0x89abcdef
 Engine ulMagic: 0x89abcdef
...
 DB Signature: Create time:11/19/2014 18:38:18.049 Rand:408092127 Computer:
 cbDbPage: 32768
 dbtime: 65854 (0x1013e)
 State: Clean Shutdown
...


Operation completed successfully in 6.422 seconds.
```
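
The two header dumps above differ in exactly the fields worth checking before trusting a snapshot copy: State, dbtime and the checksum pair. As an added example (not part of the original post), this Python parser pulls those fields out of `esentutl -mh` output; the input is constructed by trimming the two dumps shown above.

```python
import re

# Constructed input: lines trimmed from the two header dumps shown above.
DIRTY_DUMP = """\
Expected Checksum: 0x7ea2e77c
 Actual Checksum: 0x7ea2e77c
 DB Signature: Create time:11/19/2014 18:38:18.049 Rand:408092127 Computer:
 dbtime: 65844 (0x10134)
 State: Dirty Shutdown
"""
CLEAN_DUMP = """\
Expected Checksum: 0x7fadd805
 Actual Checksum: 0x7fadd805
 DB Signature: Create time:11/19/2014 18:38:18.049 Rand:408092127 Computer:
 dbtime: 65854 (0x1013e)
 State: Clean Shutdown
"""

# "Name: value" lines; headings such as "DATABASE HEADER:" have no value and are skipped.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*?)\s*$")


def parse_header(text):
    """Map field name -> value for an `esentutl -mh` header dump."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields


def assess(fields):
    """Checks to make before handing the file to another tool."""
    return {
        "checksum_ok": fields["Expected Checksum"].lower() == fields["Actual Checksum"].lower(),
        "clean": fields["State"] == "Clean Shutdown",
        "dbtime": int(fields["dbtime"].split()[0]),
    }


def same_database(a, b):
    """True when both dumps carry the same DB Signature."""
    return a["DB Signature"] == b["DB Signature"]


if __name__ == "__main__":
    dirty, clean = parse_header(DIRTY_DUMP), parse_header(CLEAN_DUMP)
    print(assess(dirty), assess(clean), same_database(dirty, clean))
```
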
  

Also very useful is the ability to copy the database, in case you want to do multiple operations (e.g. esentutl.exe -ms to dump the space used). This copies the file to c:\tmp\clean.edb.

```
 c:\Users\martinc\AppData\Local\Microsoft\Internet Explorer\Indexed DB [14:24:49.24] +$ esentutl -y AppQuota.edb -d \tmp\clean.edb -vssrec edb .

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 10.0
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initializing VSS subsystem...

Initiating COPY FILE mode...
 Source File: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Users\martinc\Ap
Destination File: \tmp\clean.edb

 Copy Progress (% complete)

 0 10 20 30 40 50 60 70 80 90 100
 |----|----|----|----|----|----|----|----|----|----|
 ...................................................

 Total bytes read = 0x1c80000 (29884416) (28 MB)
 Total bytes written = 0x1c80000 (29884416) (28 MB)


Operation completed successfully in 8.359 seconds.
```

Theoretically, `esentutl.exe -y -vss` could work for any file that's locked exclusively.
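
Because `-y` combined with `-vss` or `-vssrec` copies a file that its owning process holds locked, these invocations are worth surfacing in process-creation telemetry. As an added example (not part of the original post), this Python classifier separates header dumps from copies and extracts source and destination; the sample command lines are constructed from the invocations shown above.

```python
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')            # quoted or bare argument
EXE = re.compile(r"(?:^|[\\/])esentutl(?:\.exe)?$", re.I)
SWITCH = re.compile(r"^[-/]([A-Za-z]+)$")         # both -x and /x spellings
VSS_SWITCHES = {"vss", "vssrec"}

# Constructed command lines, modelled on the invocations shown on this page.
SAMPLES = [
    r'esentutl -mh AppQuota.edb -vss',
    r'"C:\Windows\System32\esentutl.exe" /Y AppQuota.edb /D \tmp\clean.edb /VSSREC edb .',
    r'esentutl -mh AppQuota.edb',
    r'notepad.exe -vss',
]


def classify(cmdline):
    """Return None unless esentutl is run with a VSS switch; else describe the use."""
    toks = [q or w for q, w in TOKEN.findall(cmdline)]
    if not toks or not EXE.search(toks[0]):
        return None
    switches, current = {}, []
    for tok in toks[1:]:
        m = SWITCH.match(tok)
        if m:                                   # start of a new switch
            current = switches.setdefault(m.group(1).lower(), [])
        else:                                   # operand of the last switch seen
            current.append(tok)
    vss = VSS_SWITCHES.intersection(switches)
    if not vss:
        return None
    first = next(iter(switches))                # mode switch, e.g. mh or y
    return {
        "action": "copy" if "y" in switches else "dump",
        "snapshot": "vssrec" if "vssrec" in vss else "vss",
        "source": (switches[first] or [None])[0],
        "dest": (switches.get("d") or [None])[0],
    }


if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```
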

We hope you find it useful!

-martin