Windows 10, Windows Server

Troubleshooting VSS (Volume Shadow Copy) Issues



INTRO

Troubleshooting VSS (Volume Shadow Copy Service) issues got pretty involved a couple times on some servers I was managing, and I took some notes on things that worked for me. This is a WIP post but I felt there was too much to add to the Laboratory page. So, VSS issues will be its own post.

ACRONIS CYBER PROTECT CLOUD

Acronis has their own tools to help with troubleshooting.

Troubleshooting VSS Issues with Acronis Software

VOLUME SHADOW COPY STORAGE

In Windows, volume shadow copies can really start filling drives up if you have no limit set. If there are issues with VSS, you might not be able to delete the data stored for it, leaving you in a pinch, so you will want to correct that.

Checking the Amount of Data Stored by Shadow Copies

  • Right-click the drive letters and select “Configure Shadow Copies”.
    • Check the space used vs the “Use limit” value when clicking “Settings”.
    • If enough free space is present on the drive, select “No limit” for “Maximum size”.

DELETE SHADOW COPIES

You can delete shadow copy storage by going into volume properties and setting a lower limit than what’s used. However, when that doesn’t work or errors out, the commands below might do the trick.

Deleting Shadow Copy Data

Open Command Prompt as Administrator

BAT (Batchfile)
diskshadow
delete shadows all
  • Wait for the process to finish, around 15-20 minutes or however long it takes. Some AV vendors like SentinelOne will see this command as malicious (deleting all shadow copies is also a common ransomware step), so you may need to temporarily disable real-time protection on the endpoint before running it.

ANALYZE LIST WRITERS

List Writers Troubleshooting

Open Command Prompt as Administrator

BAT (Batchfile)
vssadmin list writers

All writers should say “Stable” for “State:” and “Last error:” should say “No Error”.
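
To make that check without reading the output by eye, the PowerShell below parses the text of vssadmin list writers and lists any writer that is not Stable or reports a last error. It is an added example, not part of the original post; it assumes English-language vssadmin output, and the sample text and GUIDs in it are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes English vssadmin output.
function Get-VssWriterStatus {
    param([string[]]$Lines)          # raw lines from `vssadmin list writers`
    $writer = $null
    foreach ($line in $Lines) {
        if ($line -match "^Writer name:\s*'(.+)'") {
            if ($writer) { $writer }  # emit the previous writer block
            $writer = [pscustomobject]@{ Name = $Matches[1]; State = $null; LastError = $null }
        }
        elseif ($writer -and $line -match '^\s*State:\s*\[\d+\]\s*(.+?)\s*$') {
            $writer.State = $Matches[1]
        }
        elseif ($writer -and $line -match '^\s*Last error:\s*(.+?)\s*$') {
            $writer.LastError = $Matches[1]
        }
    }
    if ($writer) { $writer }          # emit the last block
}

# Constructed sample output (placeholder GUIDs). On a live host, from an
# elevated prompt, use instead:  $lines = vssadmin list writers
$lines = @'
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-000000000002}
   State: [7] Failed
   Last error: Timed out

Writer name: 'WMI Writer'
   Writer Id: {00000000-0000-0000-0000-000000000003}
   Writer Instance Id: {00000000-0000-0000-0000-000000000004}
   State: [1] Stable
   Last error: No error
'@ -split "`r?`n"

$writers   = @(Get-VssWriterStatus -Lines $lines)
# -ne on strings is case-insensitive, so "No error" and "No Error" both pass
$unhealthy = @($writers | Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' })

if ($writers.Count -eq 0) {
    Write-Warning 'No writers found: the output was empty or not in the expected format.'
} elseif ($unhealthy.Count -eq 0) {
    "All $($writers.Count) writers are Stable with no error."
} else {
    $unhealthy | Format-Table Name, State, LastError -AutoSize
}
```

With the constructed sample, only System Writer is listed, which is the writer the next section deals with.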

System Writer

Verify the Network Service account has Full permissions to the following Registry Key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag

Verify permissions.

The System Writer fails when permissions on files in the %windir%\winsxs\filemaps\ or %windir%\winsxs\temp\PendingRenames directories are incorrect. The commands below reset them:

BAT (Batchfile)
rem Give ownership of PendingRenames to the Administrators group, then set its ACLs
takeown /f %windir%\winsxs\temp\PendingRenames /a
icacls %windir%\winsxs\temp\PendingRenames /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames /grant BUILTIN\Users:(RX)

rem Same for the files under filemaps
takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant BUILTIN\Users:(RX)

rem Restart Cryptographic Services, which hosts the System Writer
net stop cryptsvc
net start cryptsvc

WMI Writer

Open Command Prompt as Administrator

BAT (Batchfile)
winmgmt /verifyrepository
winmgmt /salvagerepository

Restart Services:

BAT (Batchfile)
net stop winmgmt && net start winmgmt

CLEANUP LOGS 

You can delete all Windows Event logs with the command below so that Event Viewer loads faster and new logs are easy to see while troubleshooting, if you don’t mind wiping the logs. This clears every log, including Security, so export any you still need first.

Deleting Windows Event Logs

Open Command Prompt as Administrator

BAT (Batchfile)
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

REPAIR INTEGRITY

Verify Operating System Integrity

Guide: Open Command Prompt as Administrator

BAT (Batchfile)
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow

Verify the results and check whether there is any corruption and whether all errors are repaired. You may need to reboot after each scan and then run it again until it says all errors were repaired.

BAT (Batchfile)
findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"

Check the sfcdetails.txt file for errors and research.

BAT (Batchfile)
chkdsk /f

I recommend running Check Disk before the DISM or SFC commands.

CONCLUSION

Well, that’s it for now. If you have anything you would like to add to this, let me know via the comments or Contact page and I will take a look.
