[Windows] Shadow Defender removes all changes made to your computer, including viruses and malware, by rebooting

2013-04-30_213849When it comes to software, there are two types of virtualization: full virtualization and light virtualization. Full virtualization is when you have a fully virtualized operating system, such as installing Windows XP in VirtualBox. With full virtualization, you have a whole separate OS that behaves as if it were a real operating system. On the other hand, light virtualization is when you have a virtualized layer over your current system (i.e. no separate operating system) and changes made to your system are only temporary — they are removed upon reboot and/or close, depending on which light virtualization program you are using.

Last month we reviewed Reboot Restore Rx, a freeware light virtualization program that allows you to easily remove malware, viruses, and unwanted changes on from your computer by rebooting. Shadow Defender is a similar program. Let’s see if Shadow Defender is worth your time.

What is it and what does it do

Main Functionality

Shadow Defender is a light virtualization program that allows you to remove all changes made to your computer by simply rebooting. This includes removing all files/computes downloaded, modified, changed, created, etc. and malware, viruses, trojans, rootkits, etc.

Please note while Shadow Defender does help in keeping your computer safe by removing malware/viruses/etc., Shadow Defender is not a replacement for your anti-virus/anti-malware. No light virtualization program is 100% accurate in protecting you against malware/viruses, reglardless of if it is Shadow Defender, Reboot Restore Rx, Sandboxie, Returnil Virtual Safe, DeepFreeze, SteadyState, etc. Sure they are fairly effective, removing most malware/viruses/etc., but they are not 100% effective and some malware can sneak past. For example, SafeSys and TDSS are a trojan and rootkit that bypassed most light virtualization programs in the past, until developers were able to patch for them. So it is highly recommended to always have an up-to-date and modern anti-virus/anti-malware program installed alongside your light virtualization program, regardless of if that light virtualization program is Shadow Defender or some other soft.


  • Removes any and all changes made to all volumes (partitions/hard drives) you decide to protect with ‘Shadow Mode’. When you put a volume into Shadow Mode, Shadow Defender takes a snapshot of the existing state of the volume and reverts the volume back to that state after you reboot your computer (which results in deletion/removal of all changes made).
  • Allows you to select which volumes you want to protect; you can protect just your C:/ partition or opt to protect other partitions also
  • Protects MBR (Master Boot Record)
  • 2013-04-30_214343Allows you to set Shadow Mode to automatically enable every time you boot your computer (to enable this feature, select “Enter Shadow Mode On boot” when enabling Shadow Mode protection instead of “Exit Shadow Mode on Shutdown”)
    • Note: If you enable this feature, the snapshot taken prior to the first enabling of Shadow Mode is the snapshot your computer is reverted to every time you shutdown/restart your computer. This snapshot would only be updated if you were to ever manually stop and re-enable Shadow Mode.
  • 2013-04-30_214130Has an ‘Exclusion List’ that allows you to specify specific files and folders to be not protected by Shadow Mode
  • Allows you to easily save changes made to specific files and folders while Shadow Mode is enabled via ‘Commit Now’ feature (as opposed to letting Shadow Mode get rid of changes to those files and folders)
    • Note: Commit Now is different than Exclusion List. Exclusion List makes it so changes to the specified files and folders always remain — Shadow Mode never protects those files/folders. Commit Now allows you to apply changes to specified files and folders on a one-time basis. In other words, the files/folders you use with Commit Now are protected by Shadow Mode (i.e. changes are dumped upon reboot) unless you manually use Commit Now on those files/folders. If you want to save changes to files/folders multiple times while Shadow Mode is enabled, you will need to use Commit Now multiple times.
  • 2013-04-30_214151Adds an entry in the right-click context menu (‘Commit by Shadow Defender’) to allow you to easily use Commit Now for files/folders
  • Allows you to password protect the program, which prevents unauthorized access to Shadow Defender modes, settings, and features (e.g. you cannot disable Shadow Mode without the password)
    • Note: When enabling password protection, be sure to check the ‘Need password when committing files via shell context menu’ option or else people will be able to save changes made to specific files/folders without the need to enter a password
  • 2013-04-30_214241Displays a floating widget (“desktop tip”) that reminds you that Shadow Mode is enabled (this widget stays on top of all windows)
    • Note: If you don’t want to see this widget, you can disable it by unchecking ‘Enable desktop tip’ from ‘Administration’
  • Protects itself from being uninstalled while Shadow Mode is enabled
  • Extremely easy to use
  • Lightweight (uses roughly 5 MB of RAM and minimal CPU while it is turned on)


  • Does not display any sort of prompt prior to reboot/shutdown that reminds users all changes will be lost if/when the computer is shutdown or restarted. It does have the floating widget that reminds you that Shadow Mode is enabled, but that isn’t the same nor as effective as a prompt right before restart/shutdown. Without such a prompt, it is highly possible many users will forget Shadow Mode is enabled and be very upset when their files/folders/changes are lost and no longer there after reboot.
  • If you decide to exit Shadow Mode after enabling it, you can. However, there is no feature that allows you to tell Shadow Defender to save all changes made to computer, instead of remove all changes, upon exit of Shadow Mode; when you manually exit Shadow Mode, you must restart your computer and all changes, aside from the ones you manually committed via Commit Now, are dumped.
  • Protects MBR but developer does not provide details as to exactly what techniques are being used to protect MBR so it is hard to determine how solid that MBR protection is; the developer just says MBR protection is there
  • Developer of Shadow Defender has a sporadic history of issuing updates. Although the program has received regular updates every few months since Nov 2012, in the past there have been times when over a year has passed with no update to Shadow Defender. So much time between updates for a security program is unforgivable and really casts a shadow of doubt (no pun intended) for anyone that wants to use Shadow Defender. Why? Because all security programs, no matter how good they are, have bugs and loopholes that malware can exploit. Without regular updates, the holes in Shadow Defender are not plugged in a timely fashion.
  • Does not protect itself from being force closed via Windows Task Manager
    • Note: As per my tests, you can force close Shadow Defender’s daemon (the system tray icon — the interface you interact with Shadow Defender settings) but that does not disable Shadow Defender’s Shadow Mode protection, if it is enabled. In other words, force closing Shadow Defender does not mean Shadow Mode stops protecting you; changes are still removed upon restart/shutdown even if the daemon has been force closed.
  • Has the ability to exclude specific files/folders from protection and the ability to commit changes to files/folders while Shadow Mode is enabled. This is nice but I would like to see Shadow Defender have a feature that allows users to seamlessly integrate updates to the system while Shadow Mode is enabled, such as Windows Updates or anti-virus definition updates. Currently you need to disable Shadow Mode, update your computer, and re-enable Shadow Mode. How will the developer add this feature, if they add it at all? I’m not sure, but I do know it is possible because I’ve seen other light virtualization programs that have this feature


2013-04-30_214052As already mentioned above, Shadow Defender is a light virtualization program that gets rid of all changes made to your computer — including malware/viruses downloaded/infected — by rebooting.

As you can see from the ‘Pros’ list above, in terms of features Shadow Defender is pretty good. It allows you to protect multiple volumes, has the ability to exclude specific files/folders from being protected, can save changes to specific files/folders while Shadow Mode is enabled, and has the ability to password protect itself. On top of that, it is very easy to use and lightweight. However, all that is useless if Shadow Defender doesn’t perform as claimed, right? So let’s take a look at performance.

As per my tests, Shadow Defender accurately and effectively gets rid of all changes made to your computer; this includes undoing changes made to existing files/folders/programs/registry entries/etc. and deleting newly added/downloaded/created files/folders/programs/registry entries/etc. However, that isn’t a surprise. Any light virtualization worth a salt can do that. The real test is if Shadow Defender is able to accurately and effectively remove malware/viruses/trojans/rootkits/etc.

Generally speaking, Shadow Defender is considered to be one of the better light virtualization programs when it comes to removal of malware/viruses/trojans/rootkits/etc. However, it is not 100% perfect. As I mentioned in the ‘Main Functionality’ section above, no light virtualization program is perfect (you should always make sure to use an anti-virus/anti-malware program alongside light virtualization) and Shadow Defender is no exception; it accurately and effectively gets rid of common and less sophisticated malware/viruses/trojans/rootkits/etc. but more advanced malware/viruses/trojans/rootkits/etc. may bypass Shadow Defender. For example, the Sinowal trojan bypasses Shadow Defender protection but the version of Shadow Defender (which is currently in Beta at the time of this writing) renders Sinowal useless (Shadow Defender does not completely remove all files associated with Sinowal but renders it useless by removing Sinowal execution).

My point of telling you this is not to rag on Shadow Defender or to say it is bad; the point I’m trying to make here is that no light virtualization will perfectly protect you against malware/viruses/trojans/rootkits/etc. The key when picking a light virtualization program is to pick one that is regularly updated so that holes like the Sinowal one for Shadow Defender are quickly plugged. That then brings up the question: is Shadow Defender regularly updated? My answer is a qualified yes.

You see Shadow Defender has been regularly updated since November 2012. However, Shadow Defender has a history of sporadic updates. There have been times, such as between March 2011 and November 2012, when Shadow Defender has received no updates for over a year. (See Shadow Defender’s official changelog for more details.) Not regularly updating a light virtualization program is completely unacceptable and puts users of said light virtualization program at risk to new and improved malware/viruses/trojans/rootkits/etc. So while Shadow Defender is regularly receiving updates at the time of this writing, what is to say the developer won’t again go back into his shell and stop updating Shadow Defender for long periods of time? That really is my biggest concern with Shadow Defender: the potential for lack of updates.

Conclusion and download link

Overall, Shadow Defender is a very good light virtualization program that will protect you from unwanted changes and malware/viruses/trojans/rootkits/etc. Of course, as I’ve mentioned over and over in this review, no light virtualization program is perfect in removing all malware/viruses/trojans/rootkits/etc. and neither is Shadow Defender. So do not uninstall your anti-virus/anti-malware program thinking Shadow Defender — or any other light virtualization program — will keep you safe. Generally speaking, however, Shadow Defender is a great program.

That being said, Shadow Defender costs $35, which is fine; I love freeware like everyone else but I’m not one of those people who insist that every program must be freeware. After all, developers need to earn a living, too. The issue isn’t that Shadow Defender is not freeware but rather the issue is Sandboxie, another light virtualization program, costs 29 Euros (roughly $38). If I were personally going to spend money on a light virtualization program, I’d much rather pay $38 for Sandboxie than $35 for Shadow Defender because Sandboxie is regularly updated, is more user-friendly because of the way it does light virtualization, and is overall better than Shadow Defender in my opinion. If you disagree with me then by all means get Shadow Defender; as I said, it is a good program. However, if you agree, then I recommend getting Sandboxie over Shadow Defender. The choice is yours.

On the other hand, I know some people are “freeware only” type of people. If you are a “freeware only” person, then check out the following free light virtualization programs: Reboot Restore Rx, ToolWiz Time Freeze, and Returnil System Safe.

Price: $35

Version reviewed:

Supported OS: Windows XP/2003/Vista/Win7/Win8 (32-bit and 64-bit)

Download size: 1.6 MB

VirusTotal malware scan results: 0/46

Is it portable? No

Shadow Defender homepage

Related Posts

  • Sputnik

    When I want to test softwares in a virtual manner, I usually prefer to work with Sandboxie because there is no need to reboot to discard the changes. There is however a problem with Sandboxie : it cannot handle softwares which try to install drivers.

    At this moment I try to install the software with the use of Shadow Defender and it goes well, but only if the software doesn’t need any reboot. If the software needs a reboot, I only have the choice to commit the changes or to discard them : it is impossible to reenter into a shadow mode which keeps the changes done, but with still the possibility to discard them on a next reboot.

    The old version of Acronis True Image had a tool called “Try & Decide” : with this tool it is possible to do what I have just talked about. Unfortunately, Acronis have taken away this tool from True Image and it doesn’t seem that Acronis will launch this tool as a separate software.

    The only way I have found to test any software without affecting my OS is simply to create a clone of it and to boot into it to test any software I want. This way, I may install any kind of software, test it as long as I want in the cloned partition and when I reboot into my regular OS nothing has been changed there. I may also return in the clone partition to test again the installed software or I may also discard these changes by uninstalling these softwares or by doing a new clone of my OS. This way of doing is highly user-friendly and also it got the very good advantage to be completely free.

    So, for software testing purposes, Shadow Defender may be good, but not in all cases.

  • Craig

    Maybe just the best software ever invented. :)

  • Ron

    Shadow Defender does not protect you in safe mode.
    In safe mode one can delete the program files from the HD
    Can’t use this program in schools or internet cafe.

  • vipera


  • Mike

    Also one unique feature, taken from the program’s Facebook page:
    SD has the ability to use system RAM for its virtualization cache. This results in Windows essentially running from RAM, with all the speed and security benefits this entails. No disk writes also means no traceable leftovers left behind after deletions of private data, perfect for the more paranoid users among us. It also saves disks from a lot of unnecessary daily write hits, because all the temporary files that Windows normally creates with each session will only hit the program’s RAM buffer and not the real disks. This dramatically reduces future fragmentation on conventional hard disks, and is also very beneficial towards devices with limited I/O like SSDs, memory cards and memory sticks. Frequent use of the SD RAM buffer feature essentially prolongs the lifespan of all shadowed storage devices, as it saves them from a lot of unnecessary daily writes.

    Basically with your disks on Shadow Mode, the things will last longer, especially if you are using shadow mode on SSDs, memory cards, etc along with a RAM buffer. No other virtualizer has such a feature. You only commit to your disks the writes that matter to you and that you want to keep.

  • Mike

    Shadow Defender is a system-wide sandbox that can protect ALL disks attached to the system. Sandboxie is a great program but it only sandboxes applications. Apples and oranges. Here is why SD is a much more complete software, People who do not have the patience to read long-ish posts, will never know why SD has no parallel out there at the moment. I have tested it personally with a great variety of rootkits and other hardcore malware, including the notorious TDSS/TDL4 family of rootkits, and it has always contained ALL infections and their damage within its cache flushing everything upon reboot and negating the need for virus clean-ups. Clean and fresh Windows with every reboot, regardless of what I threw its way. My tests were carried out on 3 real systems, (and not on virtual machines which doesn’t always give accurate results). Please learn more before posting inaccurate and non-applicable things. And it’s not just about resistance to hardcore zero day malware. SD goes far beyond that. Read here:


  • Galen Huebner

    I wish to retract my previous comment as I now believe I misunderstood your point. By “save all changes” I believe you meant something more than just committing files or folders, such as program installs, driver changes or additions, etc.

    I should have read more carefully and I hope you will accept my apology. The mistake was mine.

  • Galen Huebner

    Actually you are incorrect on at least one major point you made under Cons: You said:

    If you decide to exit Shadow Mode after enabling it, you can. However, there is no feature that allows you to tell Shadow Defender to save all changes made to computer, instead of remove all changes, upon exit of Shadow Mode; when you manually exit Shadow Mode, you must restart your computer and all changes, aside from the ones you manually committed via Commit Now, are dumped.

    Actually, there is a feature that allows you to tell Shadow Defender to save all changes made to the computer. Simply go to Mode Setting and Select Exit Shadow Mode > Commit all changes. Upon reboot all changes will have been made. It works find for me. You can also do this for program installs that require a restart.

    I still would not push my luck however with Windows Updates. I think this should be performed outside the sandbox.

    I hope this information proves useful.

  • Searchy

    Best review I have ever seen on a software product! Ashraf, your site has just replaced Cnet on my bookmarks tab.
    Your review is extremely detailed and I felt accommodated reading it. Instead of being told whether or not the software is good, you left it up to me to decide. This review respected my intelligence and opinion so I thank you for that.
    Please keep up the great work! (I contributed a bit to keep this site running *hint hint ;-)

  • weylin

    TOOLWIZ TIME FREEZE failed twice on me. (Windows 8 64 bit)
    I had to boot from an image to get my Windows system back.

    I installed Shadow Defender and then for grins and giggles I downloaded a few programs that are full of crapware/malware (Pickpic, Sumo, Freemake Video Downloader, Splash Player Lite).
    You should have seen these programs fight for their right to party! My browsers were going nuts!
    I did this of course in Shadow mode so that all I had to do is reboot the computer.
    Clean as the wind driven snow. All junk and traces gone.

    Shadow Defender is great for trying out new or dodgy software.

  • hulkbuster

    How does Ashraf look like,,???

    Would a combination of Shadow Defender (todays Giveaway) and Faronics Anti-executable be enough to protect a user from harmful, malware/trojans etc ???

  • GF

    [@Giovanni] Virtual Kiosk would be very interesting but some programs don’t work well into it.
    I installed some programs into Kiosk: one program doesn’t start, other programs don’t fully work.

  • MerleOne

    Hey, it’s available today on Giveawayoftheday.com

  • Frank

    [@Edbro] Well, Edbro, /productive/ people (you know, the ones who use the keyboard despite being mouse-pushers) LOVE XP. It is SO much more productive than Vista/7/8* for people who knew how computers worked…

    * the latest a simple joke in that matters

  • Edbro

    Looking at Sandboxie requirements make it look woefully out of date. Last supported Windows version is Vista? From their site:

    What are the requirements to run Sandboxie?

    Sandboxie works on Windows 2000, Windows XP, Windows Vista and Windows Server 2003. There is some support for older 64-bit versions of Windows: see the download page.

  • Frank

    [@Frank] BTW: I’m a paid user of Sandboxie, won’t go after this one…

  • Frank

    NO alternative, but a true GIVEAWAY (only for today) is Shadow Defender.
    ONLY today at http://www.giveawayoftheday.com.
    As (almost) always on their site: Only for non-commercial use.

    Cheers, Frank

    P.S. Ashraf knows from other posts of mine that I am not affiliated with them. But use your own brain though ;)

  • Giovanni

    Hey Ashraf!!
    Among FREE alternatives I think you should add a great FREE SECURITY SUITE most people out there (included you maybe…) are completely unaware of.

    I’m talking about COMODO INTERNET SECURITY 2013:


    As you can see, if you use that tool as your main security software, you don’t need this GAOTD or TOOLWIZ TIME FREEZE anymore, because it sports an Auto Sandbox Technology called “Virtual Kiosk” which can isolate any malicious software you may run into from the rest of your PC.

    This is a key feature which is usually found in damn expensive commercial security suite tools out there like BITDEFENDER INTERNET SECURITY or NORTON INTERNET SECURITY.

    I think you should review it and add it as best FREE SECURITY PROGRAM on the market right now in your nice article concerning the best FREE solutions to protect PC users from online threats.

    What do you make of it?

    That being said, another FREE alternative to today’s giveaway is also this:


    Ever heard about it before?

    I’ve just found by chance yesterday and have to try it yet, but reviews about it seem to be very good!!

    See also: