Restore, image or clone (without Sysprep etc.) onto a new RAID/HDD/volume.
Acronis, NetBackup or BackupExec...
Various VSS issues. Note the new volume signature.
A)Shadow Copies:
Local Disk Properties > Error 0x8004230f
B) Event ID: 12293 Event Source: VSS - 0x8000ffff Cannot ask provider
C) Event ID: 12293 Event Source: VSS - 0x8000ffff Error Shadow Copy Provider
D) ntbackup systemstate error:
Error returned while creating the volume shadow copy:8004230f
E) Symantec NetBackup can't open object:
Shadow Copy Components: 0xE000FECB 0xE000FEDD
F) Cause
G) HOW TO FIX issues A) - E)
H) Various issues after KB940032 (symptoms and fix):
Eventlog Appl: Source: VSS, Event ID: 12293 - 12298 - 12310
Eventlog System: Source: Volsnap, EventID: 8
how to fix
A)
Local Disk > Properties > "Shadow
Copies":
Failed to retrieve volumes that are eligible for shadow
copies. Error 0x8004230f: The shadow copy provider
had an unexpected error while trying to process the
specified operation.

# Various 'Volume Shadow Copy Service' error:
# Error code: 8004230f = VSS_E_UNEXPECTED_PROVIDER_ERROR
B)
Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 12293
Description:
Volume Shadow Copy Service error: Error calling a
routine on the Shadow Copy Provider
{b5946137-7b9f-4925-af80-51abd60b20d5}. Routine details
Cannot ask provider
{b5946137-7b9f-4925-af80-51abd60b20d5} if volume is
supported. [0x8000ffff] [hr = 0x8000ffff].
C)
Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 12293
Description:
Volume Shadow Copy Service error: Error calling a
routine on the Shadow Copy Provider
{b5946137-7b9f-4925-af80-51abd60b20d5}. Routine details
IVssSnapshotProvider::QueryVolumesSupportedForSnapshots(ProviderId,-1,...)
[hr = 0x8000ffff].
D)
ntbackup systemstate error:
(ntbackup-logfile)
Backup Status
Operation: Backup
Active backup destination: File
Media name: "Backup.bkf created 05.09.2020 at 17:12"
Volume shadow copy creation: Attempt 1.
Error returned while creating the volume shadow
copy:0x8004230f.
Aborting Backup.
----------------------
The operation did not successfully complete.
----------------------
E)
Symantec NetBackup log:
WRN - can't open object: Shadow Copy Components: (BEDS
0xE000FECB: A failure occurred accessing the backup
component document.)
WRN - can't open object: Shadow Copy Components:\System
State\System Files\System Files (BEDS 0xE000FEDD: A
failure occurred accessing the object list.)
WRN - can't open object: Shadow Copy Components:\System
State\COM+ Class Registration Database\COM+ REGDB (BEDS
0xE000FEDD: A failure occurred accessing the object list.)
WRN - can't open object: Shadow Copy Components:\System
State\Registry\Registry (BEDS 0xE000FEDD: A failure
occurred accessing the object list.)
WRN - can't open object: Shadow Copy Components:\System
Service\Windows Management Instrumentation\WMI (BEDS
0xE000FEDD: A failure occurred accessing the object list.)
WRN - can't open object: Shadow Copy Components:\System
Service\Event Logs\Event Logs (BEDS 0xE000FEDD: A
failure occurred accessing the object list.)
Cause of the VSC/VSS issues:
volsnap.sys is not bound to the disk.
The new disk has a new signature, but the old signature is still stored within the following key:
SYSTEM\ControlSet00x\Enum\STORAGE\Volume\1&30a96598&0&>>Signaturexxxxx<<Offset13873BA800Length86AB65800
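The mismatch described above can be checked before deleting anything. This is an added example, not code from the original page: it reads the 32-bit disk signature from an MBR sector (offset 0x1B8, little-endian) and lists the STORAGE\Volume subkey names that carry a different signature. The function names, the sample MBR and the sample subkey names are constructed for illustration; the subkey name layout is the one shown on the page.

```python
import re
import struct

# Subkey name layout as shown on the page:
#   1&30a96598&0&Signature<hex>Offset<hex>Length<hex>
VOLUME_KEY_RE = re.compile(
    r"Signature([0-9A-Fa-f]+)Offset([0-9A-Fa-f]+)Length([0-9A-Fa-f]+)$")

def mbr_disk_signature(sector0: bytes) -> int:
    """Return the 32-bit disk signature stored at offset 0x1B8 of an MBR."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    return struct.unpack_from("<I", sector0, 0x1B8)[0]

def parse_volume_key(name: str):
    """Split a STORAGE\\Volume subkey name into (signature, offset, length)."""
    m = VOLUME_KEY_RE.search(name)
    if m is None:
        return None  # names in another layout are skipped, not guessed
    return tuple(int(g, 16) for g in m.groups())

def stale_volume_keys(subkeys, present_signatures):
    """Return subkey names whose signature matches no disk currently present."""
    present = set(present_signatures)
    parsed = ((n, parse_volume_key(n)) for n in subkeys)
    return [n for n, p in parsed if p is not None and p[0] not in present]

def _sample_mbr(signature: int) -> bytes:
    """Build a constructed 512-byte MBR that carries only a signature."""
    sector = bytearray(512)
    struct.pack_into("<I", sector, 0x1B8, signature)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed sample data: the disk now carries 12345678, one key is older.
SAMPLE_MBR = _sample_mbr(0x12345678)
SAMPLE_SUBKEYS = [
    "1&30a96598&0&Signature35633562Offset13873BA800Length86AB65800",
    "1&30a96598&0&Signature12345678Offset7E00Length13873B2A00",
]

if __name__ == "__main__":
    current = mbr_disk_signature(SAMPLE_MBR)
    print(f"MBR signature: {current:08X}")
    for key in stale_volume_keys(SAMPLE_SUBKEYS, [current]):
        print("stale:", key)
```

On a real system the first sector would come from a disk image or a raw read, and the subkey names from an export of the loaded SYSTEM hive.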

What to do:
Delete the subkeys below the current key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\STORAGE\Volume
Note: offline only!
This is the long way...
better than ...
A) Speed fix
Write a new disk signature online with MbrFix.exe (www.sysint.no):
mbrfix /drive 0 readsignature >> reads the current signature from the MBR
mbrfix /drive 0 writesignature 12345678 >> writes a new signature into the MBR

restart
Windows detects a new HDD, installs drivers and writes a new subkey
within "HKLM\SYSTEM\ControlSet00x\Enum\STORAGE\Volume\"

restart, done!
B) the long way:
Delete the SubRegKeys below the current Key
"HKLM\SYSTEM\ControlSet00x\Enum\STORAGE\Volume\"
@'*#!§? :-)
- customer changed hardware config (disk to raid)
RESULT:
- backup did not work after hardware change
CAUSE:
- volsnap.sys not correctly bound to new disk (nt!_DEVICE_NODE.ServiceName
damaged)
RESOLUTION:
--- volsnap.sys not bound to volume
- in VSS trace:
[0000935375,0x001cf0:0x1d1c:0x0d5c3c93] server\inc\ichannel.hxx(0389):
CVssMachineInformation::ReadMinDiffArea: IOCTL sent: 534058 on device
\\?\Volume{10f8fde4-a270-11dc-b87d-806e6f6e6963}
Input buffer size: 0, Output buffer size: 4096
[0000935390,0x001cf0:0x1d1c:0x0d5c3c93] server\inc\ichannel.hxx(0428):
CVssMachineInformation::ReadMinDiffArea: Could not send the IOCTL 0x00534058 on
device \\?\Volume{10f8fde4-a270-18dc-b87d-806e6f6e7983} - 0x00000180.
[0x00000001]
[0000935437,0x001cf0:0x1d1c:0x0d4c3c99] server\inc\ichannel.hxx(0428):
CVssMachineInformation::ReadMinDiffArea: Throwing HRESULT code
0x8000ffff. Previous
HRESULT code = 0x00000000
--- solution for volsnap.sys not bound to volume
Delete the keys below HKLM\system\currentcontrolset\enum\storage\volume\
This step ensured that volsnap.sys is properly bound to the volumes
again (solved the problem with the netnode).
detailed steps for the key deletion:
A) English B) German
A) English
Action plan:
1) Boot WinPE, BartPE, ERD Commander or a parallel installation / parallel system
2) Start regedit
3) In regedit, select "HKEY_USERS", then click menu "File" > "Load Hive"
load the SYSTEM hive (e.g. C:\WINDOWS\system32\config\, file: "system")
and give the loaded hive a name: "TEST"
4) Look at "HKEY_USERS\TEST\SYSTEM\Select\", value "Current".
This value points to the current ControlSet: "ControlSet001" or
"ControlSet00x" or "ControlSet00y"
5) Now go to the indicated current ControlSet00x,
"HKEY_USERS\TEST\SYSTEM\ControlSet00x\", within the loaded hive,
expand to "\SYSTEM\ControlSet00x\Enum\STORAGE\Volume\"
and delete all subkeys below \SYSTEM\ControlSet00x\Enum\STORAGE\Volume\
(e.g. "HKEY_USERS\TEST\SYSTEM\ControlSet00x\Enum\STORAGE\Volume\1&30a96598&0&Signature12345678Offset13873BA800Length86AB600")
6) Unload the hive (Regedit > File > Unload Hive)
7) Shut down and boot the original system
8) Windows detects the new volume, installs drivers and
writes the new keys > reboot and ready
B) German version (translated)
Delete the subkeys below the current
"HKLM\SYSTEM\ControlSet00x\Enum\STORAGE\Volume\"
1) Boot Win_PE etc.
2) Start regedit
3) In regedit, select "HKEY_USERS", then click menu "File" > "Load Hive..."
go to "SYSTEM" (e.g. %SystemRoot%\system32\config\,
file: "system")
and now give the hive to be loaded a name: "TEST"
4) Under HKEY_USERS\TEST\SYSTEM\Select\ the value "Current"
indicates which ControlSet00x is the current one.
5) Go to the current "HKEY_USERS\TEST\SYSTEM\ControlSet00x",
navigate to the key "\SYSTEM\ControlSet00x\Enum\STORAGE\Volume\"
and delete all keys inside "\SYSTEM\ControlSet00x\Enum\STORAGE\Volume\"
(e.g. HKEY_USERS\TEST\SYSTEM\ControlSet00x\Enum\STORAGE\Volume\1&30a96598&0&Signature35633562Offset13873BA800Length86AB65800)
6) File > "Unload Hive..."
7) Shut down Win_PE, then boot the original system
8) Windows detects a new disk and rewrites the
keys > reboot and done
Eventlog Appl: Source: VSS, Event ID: 12293 - 12298 - 12310
Eventlog System: Source: Volsnap, EventID: 8
cause:
"regsvr32 /i eventcls.dll" does not work correctly!
symptoms:
vssadmin "list writers" takes a long time;
after some minutes:
Writer name: 'Removable Storage Manager'
Writer Id: {5d3c3e01-0297-445b-aa81-a48d7151e235}
Writer Instance Id: {e94e87e2-375a-4f10-a3e6-9a5534ccdd9c}
State: [9] Failed
Last error: Not responding
Event Type: Error
Event Source: VSS
Event ID: 12301
Description:
Volume Shadow Copy Service error: Writer Removable Storage Manager did not
respond to a GatherWriterStatus call.
and VSS: EventID 8 - time out
result:
the value "OwnerSID" within
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}]
is changed from the default "S-1-5-18" to your SID: "OwnerSID"="S-1-5-21-xxxxx-xxxxxxx-xxxxxxx-xxxxx"
and
the value "TypeLib" does not point into %SystemRoot%:
"TypeLib"="C:\\EVENTCLS.DLL"
Change the TypeLib value so that it points into %SystemRoot%, and set OwnerSID to
"S-1-5-18".
how to:
Check that these keys exist, that SYSTEM can access them and that
the path to EVENTCLS.DLL is correct:
----------------------------------------------------
Key Name:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}
Class Name: <NO CLASS>
Value Name: Active
Type: REG_DWORD
Data: 0x1
Value Name: EventClassID
Type: REG_SZ
Data: {FAF53CC4-BD73-4E36-83F1-2B23F46E513E}
Value Name: EventClassName
Type: REG_SZ
Data: VssEvent
Value 3 Name: OwnerSID
Type: REG_SZ
Data: S-1-5-18
Value Name: TypeLib
Type: REG_SZ
Data: G:\WINDOWS\system32\EVENTCLS.DLL
======> This key should point to %windir%\system32\eventcls.dll
Value Name: AllowInprocActivation
Type: REG_DWORD
Data: 0xffffffff
Value Name: FireInParallel
Type: REG_DWORD
Data: 0
Value Name: EventClassPartitionID
Type: REG_SZ
Data: {00000000-0000-0000-0000-000000000000}
Value Name: EventClassApplicationID
Type: REG_SZ
Data: {00000000-0000-0000-0000-000000000000}
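The check described in this section can be run over a saved text dump of the VssEvent event class key. This is an added example, not code from the original page: it parses "Value Name / Type / Data" triples in the layout shown above and reports the two values the page says get changed, an OwnerSID other than S-1-5-18 and a TypeLib that does not resolve to system32\eventcls.dll under the system root. The function names, the sample dumps and the SID in the second dump are constructed.

```python
import ntpath

EXPECTED_OWNER_SID = "S-1-5-18"  # default value named on the page

def parse_value_dump(text):
    """Parse 'Value Name / Type / Data' triples from a registry text dump."""
    values, name = {}, None
    for raw in text.splitlines():
        key, sep, rest = (part.strip() for part in raw.partition(":"))
        if sep and key.startswith("Value") and key.endswith("Name"):
            name = rest  # also accepts numbered forms such as "Value 3 Name"
            values[name] = {}
        elif sep and name and key in ("Type", "Data"):
            values[name][key.lower()] = rest
    return values

def check_vss_event_class(values, system_root):
    """Return findings for OwnerSID and TypeLib, the two values the page fixes."""
    findings = []
    sid = values.get("OwnerSID", {}).get("data")
    if sid != EXPECTED_OWNER_SID:
        findings.append(f"OwnerSID is {sid!r}, expected {EXPECTED_OWNER_SID!r}")
    typelib = values.get("TypeLib", {}).get("data") or ""
    expected = ntpath.join(system_root, "system32", "eventcls.dll")
    # Windows paths compare case-insensitively; normalise both sides first.
    if ntpath.normcase(ntpath.normpath(typelib)) != ntpath.normcase(expected):
        findings.append(f"TypeLib is {typelib!r}, expected {expected!r}")
    return findings

# Constructed sample dumps in the page's "Value Name / Type / Data" layout.
GOOD_DUMP = r"""
Value Name: OwnerSID
Type: REG_SZ
Data: S-1-5-18
Value Name: TypeLib
Type: REG_SZ
Data: G:\WINDOWS\system32\EVENTCLS.DLL
"""
BAD_DUMP = r"""
Value 3 Name: OwnerSID
Type: REG_SZ
Data: S-1-5-21-1111111111-2222222222-3333333333-1001
Value Name: TypeLib
Type: REG_SZ
Data: C:\EVENTCLS.DLL
"""

if __name__ == "__main__":
    print(check_vss_event_class(parse_value_dump(BAD_DUMP), r"C:\WINDOWS"))
```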