What is the role of the Volume Shadow Copy Service (VSS) in recovering files from system restore points?
VSS automatically creates backups of system files at restore points (e.g., after patch installations). Attackers with admin privileges can list these shadow copies using `vssadmin list shadows` or WMIC commands, then create a symbolic link (e.g., `mklink /d c:\testvsc \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\`) to access and recover files from a specific restore point, such as the NTDS.dit database for domain credential extraction.
Volume Shadow Copy, VSS, restore points, NTDS.dit, mklink, vssadmin, WMIC