VMDK manual conolidation

webdude8 · ‎10-23-2020

I got hit by ransomware and during the decryption process that disk got full and the VM stopped and couldn't;t start with an error related to the disk. I wanted to expand the size of the disk but didn't work due to snapshots are made on this VM. after some readings on the internet I found on forums that in order to expand you have to delete all snapshots and I did so and still can't expand the disk size. I tried to run VM and it is running an old snapshot or the original VMDK and all the files are not up to date.

I browsed the VM Datastore and found many sub-vmdks (child-vmdk files) but I don't know how to use them or consolidate them. I opened again the snapshot manager and found nothing.

my questions are:

1- how can I run the latest child-vmdk? I need to access the latest files on the VM

2- How can I consolidate manually the child-vmdsk with the parent-vmdk?

3- Can I mount the latest child-vmdk on a new Windows OS and do you think I can find the latest files on this child-vmdk?

please advise.

a_p_ · ‎10-23-2020

Welcome to the Community,

did you shut dow the VM immediately after you discovered that it had been reset to an old state! The longer the VM ran on this state, the higher the chance of filesystem corruption.

To find out what's possible:

enable SSH on the host, and connect to it via e.g. putty (ssh)
go to the VM's folder, e.g. cd /vmfs/volumes/<datatore-name>/<vm-name>
run df -h and post the result in your next reply
run ls -lisa > filelist.txt to list the files in the VM's folder
use e.g. WinSCP and connect to the host
download the following files from the VM's folder, compress/zip them, and attach the .zip archive to your next reply
filelist.txt, *.vmx, *.vmdk (only the small text files without flat, delta, or sesparse in their names), vmware*.log

Note: Please ensure that the .vmx file, or the vmware*.log files do not contain any confidential information, e.g. a password in the "Annotations" setting.

André

scott28tt · ‎10-23-2020

Moderator: Thread moved to the Backup & Recovery area.

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog

webdude8 · ‎10-24-2020

Hello A.P.

Below the information you requested.

##################################### ls and df command results #####################

[root@localhost:/vmfs/volumes/52f9e147-57803591-ea1f-001e67a0481c/YFC-Win2k8R2-XenAPP] ls -la

total 1082989592

drwxr-xr-x 1 root root 6160 Oct 8 12:05 .

drwxr-xr-t 1 root root 2520 Oct 8 11:45 ..

-rw------- 1 root root 644245094400 Oct 8 12:13 YFC-Win2k8R2-XenAPP-000001-flat.vmdk

-rw------- 1 root root 566 Oct 8 12:05 YFC-Win2k8R2-XenAPP-000001.vmdk

-rw------- 1 root root 4915712 Nov 7 2018 YFC-Win2k8R2-XenAPP-000002-ctk.vmdk

-rw------- 1 root root 252891136 Nov 7 2018 YFC-Win2k8R2-XenAPP-000002-delta.vmdk

-rw------- 1 root root 421 Nov 7 2018 YFC-Win2k8R2-XenAPP-000002.vmdk

-rw------- 1 root root 4915712 Oct 8 09:35 YFC-Win2k8R2-XenAPP-000003-ctk.vmdk

-rw------- 1 root root 4915712 Oct 8 09:35 YFC-Win2k8R2-XenAPP-000004-ctk.vmdk

-rw------- 1 root root 4915712 Nov 7 2018 YFC-Win2k8R2-XenAPP-000005-ctk.vmdk

-rw------- 1 root root 722653184 Nov 7 2018 YFC-Win2k8R2-XenAPP-000005-delta.vmdk

-rw------- 1 root root 428 Nov 7 2018 YFC-Win2k8R2-XenAPP-000005.vmdk

-rw------- 1 root root 4915712 Jun 21 2019 YFC-Win2k8R2-XenAPP-000006-ctk.vmdk

-rw------- 1 root root 16895889408 Jun 21 2019 YFC-Win2k8R2-XenAPP-000006-delta.vmdk

-rw------- 1 root root 455 Jun 20 2019 YFC-Win2k8R2-XenAPP-000006.vmdk

-rw------- 1 root root 4915712 Nov 7 2018 YFC-Win2k8R2-XenAPP-000007-ctk.vmdk

-rw------- 1 root root 1326632960 Nov 7 2018 YFC-Win2k8R2-XenAPP-000007-delta.vmdk

-rw------- 1 root root 428 Nov 7 2018 YFC-Win2k8R2-XenAPP-000007.vmdk

-rw------- 1 root root 4915712 Oct 7 18:51 YFC-Win2k8R2-XenAPP-000008-ctk.vmdk

-rw------- 1 root root 117106200576 Oct 7 19:45 YFC-Win2k8R2-XenAPP-000008-delta.vmdk

-rw------- 1 root root 455 Oct 7 18:51 YFC-Win2k8R2-XenAPP-000008.vmdk

-rw------- 1 root root 33193 Oct 8 09:35 YFC-Win2k8R2-XenAPP-Snapshot100.vmsn

-rw------- 1 root root 33122 Oct 8 09:35 YFC-Win2k8R2-XenAPP-Snapshot93.vmsn

-rw------- 1 root root 8640061440 Oct 8 10:05 YFC-Win2k8R2-XenAPP-Snapshot94.vmsn

-rw------- 1 root root 33131 Oct 8 09:35 YFC-Win2k8R2-XenAPP-Snapshot95.vmsn

-rw------- 1 root root 9598140416 Oct 8 10:08 YFC-Win2k8R2-XenAPP-Snapshot96.vmsn

-rw------- 1 root root 9399304192 Oct 8 10:07 YFC-Win2k8R2-XenAPP-Snapshot97.vmsn

-rw------- 1 root root 33131 Oct 8 09:35 YFC-Win2k8R2-XenAPP-Snapshot98.vmsn

-rw------- 1 root root 9375318016 Oct 8 10:06 YFC-Win2k8R2-XenAPP-Snapshot99.vmsn

-rw-r--r-- 1 root root 13 Oct 8 05:33 YFC-Win2k8R2-XenAPP-aux.xml

-rw------- 1 root root 4915712 Nov 7 2018 YFC-Win2k8R2-XenAPP-ctk.vmdk

-rw------- 1 root root 644245094400 Oct 31 2018 YFC-Win2k8R2-XenAPP-flat.vmdk

-rw------- 1 root root 8684 Oct 7 19:46 YFC-Win2k8R2-XenAPP.nvram

-rw------- 1 root root 581 Oct 17 2018 YFC-Win2k8R2-XenAPP.vmdk

-rw-r--r-- 1 root root 79 Oct 8 05:33 YFC-Win2k8R2-XenAPP.vmsd

-rwx------ 1 root root 3556 Oct 8 05:33 YFC-Win2k8R2-XenAPP.vmx

-rw------- 1 root root 4379 Apr 18 2020 YFC-Win2k8R2-XenAPP.vmxf

-rw------- 1 root root 268525 Oct 7 19:46 vmware-54.log

-rw------- 1 root root 66419 Oct 7 19:46 vmware-55.log

-rw------- 1 root root 65955 Oct 7 20:10 vmware-56.log

-rw------- 1 root root 66040 Oct 8 05:37 vmware-57.log

-rw------- 1 root root 66040 Oct 8 10:39 vmware-58.log

-rw------- 1 root root 65955 Oct 8 11:02 vmware-59.log

-rw------- 1 root root 66286 Oct 8 11:43 vmware.log

df: error: no such option: -a

[root@localhost:/vmfs/volumes/52f9e147-57803591-ea1f-001e67a0481c/YFC-Win2k8R2-XenAPP] df -h

Filesystem Size Used Available Use% Mounted on

VMFS-5 3.6T 2.9T 749.7G 80% /vmfs/volumes/Virtual Machines

VMFS-5 922.8G 15.4G 907.3G 2% /vmfs/volumes/datastore1

VMFS-5 3.6T 2.6T 1.0T 72% /vmfs/volumes/WD RAID1 Storage 1

vfat 285.8M 203.6M 82.2M 71% /vmfs/volumes/52f9dbe5-526e8172-203e-001e67a0481c

vfat 249.7M 157.0M 92.7M 63% /vmfs/volumes/5ced9578-21bf83f4-e787-f66cd7a83ed6

vfat 4.0G 16.9M 4.0G 0% /vmfs/volumes/59c36cb2-596dd522-ee9f-001e67a0481c

vfat 249.7M 169.7M 80.0M 68% /vmfs/volumes/bada3c76-1a2e795d-e0d8-11a9d8532d7d

[root@localhost:/vmfs/volumes/52f9e147-57803591-ea1f-001e67a0481c/YFC-Win2k8R2-XenAPP]

##########################################################################################################

Also, please find an attached a zip file containing (VMX, LOG, and VMDK files) as per your request.

Your help is highly appreciated.

Thank you,

a_p_ · ‎10-24-2020

There are some things that I' like you to explain, so that I understand what has been done so far.

The files "YFC-Win2k8R2-XenAPP-000001.vmdk" and "YFC-Win2k8R2-XenAPP-000001-flat.vmdk" are configured as flat (base) virtual disk files, although - from the file names - they look like snapshot files!? What exactly did you do so far in the attempt to resolve the issue?
Is this the VM's original folder, or a copy? I'm asking because of the files' time stamps, which are from Oct. 8th, and older?
The "YFC-Win2k8R2-XenAPP.vmdk" file is missing in the attachment.

The more I know/understand of what exactly happened so far, the better are chances to find a solution.

André

webdude8 · ‎10-25-2020

Hi Andre,

I took several snapshots previously for this VM. However, while decrypting the files on this VM the operation stopped because the disk usage reached the maximum and the VM stopped. I tried to expand the disk but it was not possible so I had to remove the snapshots from the snapshot manager. but I'm still seeing multiple vmdk files and that's why I was thinking if I can consolidate those vmdk files so I can access the latest files on this VM.

regarding the access date, I had to copy the files to external storage to have a backup in case I messed with these files.

Please find attached the file you requested.

Thank you for your cooperation.

a_p_ · ‎10-26-2020

Since you have free disk space your datastores, you may try to clone the current virtual disk, which consolidating the snapshots using the following command:

vmkfstools -i "/vmfs/volumes/52f9e147-57803591-ea1f-001e67a0481c/YFC-Win2k8R2-XenAPP/YFC-Win2k8R2-XenAPP-000008.vmdk" "/vmfs/volumes/<datastore-name>/<foldename>/YFC-Win2k8R2-XenAPP-Clone.vmdk" -d thin

Replace "<datastore-name>\<foldename>" as needed to point to the destination where you want to create the clone. Please remember that the target folder has to exist, so create it before you run the command if needed. I recommend that you create the clone on another than the source datastore.

The command will create a thin provisioned clone (just to save some physical disk space), which you then can attach to a virtual machine, and resize as needed.

I found a file locked error message for the "YFC-Win2k8R2-XenAPP-000008-delta.vmdk" file in one of the logs. If this also happens with the command, try whether deleting/renaming "YFC-Win2k8R2-XenAPP-000008-ctk.vmdk" helps.

André

All

VMDK manual conolidation