Troubleshooting VSS (Volume Shadow Copy) Issues

INTRO
Troubleshooting VSS (Volume Shadow Copy Service) issues got pretty involved a couple times on some servers I was managing, and I took some notes on things that worked for me. This is a WIP post but I felt there was too much to add to the Laboratory page. So, VSS issues will be its own post.
ACRONIS CYBER PROTECT CLOUD
Acronis has their own tools to help with troubleshooting.
Troubleshooting VSS Issues with Acronis Software
- Download the Acronis VSS Doctor Diagnostic Tool and run it on the affected system.
VOLUME SHADOW COPY STORAGE
In Windows, volume shadow copies can start filling drives up if you have no limit set. If there are issues with VSS, you might not be able to delete the data stored for it, leaving you in a pinch, so you will want to correct that.
Checking the Amount of Data Stored by Shadow Copies
- Right-click the drive letters and select “Configure Shadow Copies”.
- Check the space used vs the “Use limit” value when clicking “Settings”.
- If enough free space is present on the drive, select “No limit” for “Maximum size”.
DELETE SHADOW COPIES
You can delete shadow copy storage by going into volume properties and setting a lower limit than what’s used. However, when that doesn’t work or errors out, the commands below might do the trick.
Deleting Shadow Copy Data
Open Command Prompt as Administrator
diskshadow
delete shadows all
- Wait around 15-20 minutes for the process or however long it takes. Some AV vendors like SentinelOne will see this command as malicious, because ransomware commonly deletes shadow copies, so you may need to temporarily disable real-time protection on the endpoint before running it.
ANALYZE LIST WRITERS
List Writers Troubleshooting
Open Command Prompt as Administrator
vssadmin list writers
All writers should say “Stable” for “State:” and “Last error:” should say “No Error”.
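The Stable / No Error check above can be scripted rather than read by eye. The following is an added example, not part of the original post: the function names are hypothetical, the sample output is constructed, and it assumes English-language vssadmin output.

```powershell
# Added example: flag VSS writers whose State is not "Stable" or whose
# Last error is not "No error". Function names are hypothetical.
function ConvertFrom-VssWriterText {
    param([string[]]$Lines)
    $writers = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Writer name:\s*''(.+)''\s*$') {
            # A new writer block starts; later State/Last error lines belong to it.
            $current = [pscustomobject]@{ Name = $Matches[1]; State = $null; LastError = $null }
            $writers += $current
        }
        elseif ($current -and ($line -match '^\s*State:\s*(?:\[\d+\]\s*)?(.+?)\s*$')) {
            $current.State = $Matches[1]      # numeric prefix such as "[1] " is dropped
        }
        elseif ($current -and ($line -match '^\s*Last error:\s*(.+?)\s*$')) {
            $current.LastError = $Matches[1]
        }
    }
    $writers
}

function Get-UnhealthyVssWriter {
    param([string[]]$Lines)
    $all = @(ConvertFrom-VssWriterText -Lines $Lines)
    # Empty output must not be mistaken for "all writers healthy".
    if ($all.Count -eq 0) { throw 'No writers parsed: vssadmin output is empty or not in the expected format.' }
    # -ne is case-insensitive, so "No error" and "No Error" both pass.
    # A writer with a missing State or Last error line is flagged as well.
    $all | Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
}

# Constructed sample output (not captured from a real system).
$sample = @'
Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000000}
   State: [1] Stable
   Last error: No error

Writer name: 'WMI Writer'
   Writer Id: {00000000-0000-0000-0000-000000000000}
   State: [7] Failed
   Last error: Timed out
'@ -split '\r?\n'

# On a live system, from an elevated prompt: Get-UnhealthyVssWriter -Lines (vssadmin list writers)
Get-UnhealthyVssWriter -Lines $sample | Format-Table Name, State, LastError
```

With the constructed sample, only the WMI Writer row is listed.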
System Writer
Verify the Network Service account has Full permissions to the following Registry Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
The System Writer also fails when permissions to files in the %windir%\winsxs\filemaps\ or %windir%\winsxs\temp\PendingRenames directories are incorrect. The commands below reset them, then restart the Cryptographic Services:
takeown /f %windir%\winsxs\temp\PendingRenames /a
icacls %windir%\winsxs\temp\PendingRenames /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames /grant "BUILTIN\Users:(RX)"
takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant "BUILTIN\Users:(RX)"
net stop cryptsvc
net start cryptsvc
WMI Writer
Open Command Prompt as Administrator
winmgmt /verifyrepository
winmgmt /salvagerepository
Restart Services:
net stop winmgmt && net start winmgmt
CLEANUP LOGS
If you don’t mind wiping the logs, you can delete all Windows Event logs with the command below so that Event Viewer loads faster and new logs are easier to spot while troubleshooting.
Deleting Windows Event Logs
Open Command Prompt as Administrator
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
REPAIR INTEGRITY
Verify Operating System Integrity
Open Command Prompt as Administrator
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow
Verify the results and check whether there is any corruption and whether all errors are repaired. You may need to reboot after each scan and then run it again until it says all errors were repaired.
findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"
Check the sfcdetails.txt file for errors and research.
chkdsk /f
I recommend running Check Disk before the DISM or SFC commands.
CONCLUSION
Well, that’s it for now. If you have anything you would like to add to this, let me know via the comments or Contact page and I will take a look.

My name is Dex Sandel, author at WinReflection.