VSS errors with Endpoint

After installing the Elastic agent and enabling the Endpoint integration, Windows servers are now throwing a VSS error whenever a shadow copy of a volume is made. In this case the timing of the errors corresponds to the shadow copies used for the 'previous versions' feature on files.

The error in the application event log is:

Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process. 

   Gathering Writer Data

   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {affed3d5-3532-4367-b319-e37bdc3833c5}

This error only appears on machines with the agent and endpoint enabled. Machines with the agent but no endpoint are not affected. Windows versions are Windows 10, Server 2016, Server 2019, and Server 2022. The Endpoint settings are the defaults for a basic license (no malware protection, etc). This is happening on version 8.2.2 and 8.3.1.

I don't see any entries in the agent logs corresponding to the times of the errors that indicate a problem.

Howdy @twilson, thanks for reporting this.

We do think we've recreated the issue (or at least one that is similar?) and are going to aim to fix it in an upcoming release.

As far as you can tell, did this error message also end up with any negative impact to the previous versions feature? From our testing it seems like there isn't any other impact besides this error message in the logs.

As far as I can tell the previous version feature still works when the error is thrown.

The main reason for bringing this up was that I'm going to have to explain to our other system admins why they are suddenly getting this error as we roll the agent/Endpoint out to more of our servers.

In order to fix Volume Shadow Copy Service (VSS) errors in your system, and before you dive into the details of our Volume Shadow Copy Service Error Troubleshooting Guide, you need to know exactly what causes these errors in your system. If you encounter VSS failures in BackupChain, you’ll need to check the Windows Event Viewer as follows:

It automates most of the steps shown below.
Open the Windows Event Viewer and check the Windows Logs, Application and System. Look for Disk, VSS, and Vol Snap entries occurring at the time of backup or approximately the time when the error is reported in BackupChain:

The error may look like this:

It also helps to run a search using your favorite search engine and search for: VOLSNAP 27 or VSS 8193.

You basically use the Event ID and Source in your search to find additional information online on how to fix your particular error.

Most of the time, however, the way to fix the error becomes obvious when reading the error message, see the following Hyper-V example:

Hyper-V Volume Shadow Copy Errors
If you are using Hyper-V, you may find additional Hyper-V VSS error information by navigating further down to:

Applications and Services Logs -> Microsoft -> Windows -> Hyper-V XXXXXXX

You will find about a dozen different Hyper-V logs and more often than not you’ll find the answer to your problem right there.

The following example shows that the virtual machine’s Hyper-V Integration Services are not available or installed:

Please collect as much information as possible and email the exported Event Viewer logs to our support for further investigation.

Rachel Gomez
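
The Event Viewer check described in the post above, as an added PowerShell example that is not part of the original thread or of any vendor's tooling. It pulls VSS, volsnap and disk events from the Application and System logs around a given time and extracts the `hr` code and `Writer Name` fields as they appear in the error quoted at the top of the thread. The parameter names and the 15-minute default window are assumptions.

```powershell
# Added example: collect VSS, volsnap and disk events around a failure time.
# Save as a script; $FailureTime and $WindowMinutes are assumed inputs that you
# set from the shadow-copy or backup schedule.
param(
    [datetime]$FailureTime = (Get-Date),
    [int]$WindowMinutes = 15
)

$filter = @{
    LogName      = 'Application', 'System'
    ProviderName = 'VSS', 'volsnap', 'disk'
    StartTime    = $FailureTime.AddMinutes(-$WindowMinutes)
    EndTime      = $FailureTime.AddMinutes($WindowMinutes)
}

# Get-WinEvent raises a non-terminating error when nothing matches;
# treat that as an empty result instead of a failure.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$report = foreach ($e in $events) {
    # Pull the HRESULT and writer name out of the message text when present,
    # e.g. "hr = 0x80070005" and "Writer Name: System Writer".
    $hr     = if ($e.Message -match 'hr\s*=\s*(0x[0-9A-Fa-f]{8})') { $Matches[1] } else { $null }
    $writer = if ($e.Message -match 'Writer Name:\s*(.+)') { $Matches[1].Trim() } else { $null }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Log         = $e.LogName
        Source      = $e.ProviderName
        EventId     = $e.Id
        Level       = $e.LevelDisplayName
        HResult     = $hr
        Writer      = $writer
        Summary     = ($e.Message -split "`r?`n")[0]
    }
}

# Chronological view for correlating with the shadow-copy schedule,
# then a count per Source/Event ID pair to use as search terms.
$report | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
$report | Group-Object Source, EventId | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Running it on one host with Endpoint enabled and one without, over the same scheduled shadow-copy time, gives a side-by-side record of which hosts log the error.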