System State fails with error: "Data source 'System state (VSS)' is not ready for backup: VSS writer "System Writer" is missing."

Last Modified: Thu Dec 31 12:54 GMT 2020


  • System state backup fails with error: Data source 'System state (VSS)' is not ready for backup: VSS writer "System Writer" is missing. Please ensure that "Cryptographic Services" service has enough rights.


  • Cove Data Protection (Cove)


  • The VSS writers are part of the Windows environment and must be operational to perform a backup
    • Use the steps below to troubleshoot some common errors
    • If this does not resolve the issue, investigate Application and System Event logs from the device for further insight, and contact Microsoft for further support
  • Multiple troubleshooting steps are presented here
    • Perform each step in the order listed
    • Not all steps may be necessary
  • Run this command in an elevated command prompt to verify writer status:
    • vssadmin list writers
    • Check the list for errors and ensure none of the following are missing:
      • System Writer
      • ASR Writer
      • WMI Writer
    • If any of the listed writers are missing, follow these steps:
  1. Restart services:
    • Cryptographic Services—should be set to Automatic startup
    • Volume Shadow Copy—should be set to Manual startup
    • Backup Service Controller—should be set to Automatic startup
  2. If the System Writer is not visible, you can check the following Microsoft article for some steps.
  3. If the above Microsoft article doesn't help then try re-registering the VSS writers using one of the two below scripts:
  4. If the System Writer shows in the vssadmin list writers list, but the error still shows in Backup Manager, do this:
    1. Open services.msc
    2. Right-click Backup Service Controller > Properties > Log On tab
    3. Choose This user and enter an administrator user's credentials
    4. Click OK
    5. Restart service
      • Right-click Backup Service Controller > Restart
  5. Ensure there is enough shadow copy space on the device (lack of shadow copy space can cause a writer to fail to run or load correctly)
    1. Run these commands in an elevated command prompt (the first deletes all existing shadow copies on the device):
      • vssadmin delete shadows /all /quiet
        vssadmin resize shadowstorage /for=?: /on=?: /maxsize=25%

        • Where ? is the drive letter of the drive on which shadow storage space needs to be added
        • Microsoft recommends 25%, but at least 10% of the drive is needed
        • Other values can be set in terms of MB (minimum 300), GB, TB or UNBOUNDED to allow full space
      • If you receive an error when running the resize command, you can try adding space instead:
        • vssadmin add shadowstorage /for=?: /on=?: /maxsize=25%
    2. Restart services
      • Cryptographic Services
      • Volume Shadow Copy
      • Backup Service Controller
  6. Ensure writer system permissions are correct:
    1. Run these commands in an elevated command prompt to grant permissions to the writer:
      • takeown /f C:\WINDOWS\winsxs\ /a /r
        icacls C:\WINDOWS\winsxs\ /grant "NT AUTHORITY\SYSTEM:(RX)" /t /c
        icacls C:\WINDOWS\winsxs\ /grant "NT Service\trustedinstaller:(F)" /t /c
        icacls C:\WINDOWS\winsxs\ /grant BUILTIN\Users:(RX) /t /c
    2. Open regedit
      • Start > type regedit > Enter
    3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl key
    4. Change value of NT AUTHORITY\NETWORK SERVICE (REG_DWORD) to 1
    5. Restart services
      • Cryptographic Services
      • Volume Shadow Copy
      • Backup Service Controller
  7. Check temporary ASP.NET files
    • Standard location is C:\Windows\Microsoft.NET
    • Relocate temporary ASP.NET files to new location
    • Restart services
      • Cryptographic Services
      • Volume Shadow Copy
      • Backup Service Controller
  8. There is also a known issue that Microsoft has fixed via the following Microsoft hotfix
  9. (Server 2008 only) Uninstall Windows update KB4019276, reboot and see if System Writer has appeared
  10. Modify COM Security config
    1. Start > type dcomcnfg > Enter
    2. On the left pane navigate to Component Services > Computer > My Computer
    3. Right-click My Computer > Properties
    4. Select COM Security tab > Access Permissions > Edit Default
    5. Select Add... button > Add Network Service account to permission list
    6. Verify that only Local Access box is checked > OK
    7. Close Component Services
    8. Reboot device
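
A read-only way to script the writer check from the vssadmin list writers step, as an added example that is not vendor or Microsoft code: it parses the command's output and reports whether System Writer, ASR Writer and WMI Writer are present and error-free. The function names, the "healthy" rule, the English-locale output format and the sample text are assumptions made for this illustration.

```powershell
# Added example, not vendor code. Read-only: parses 'vssadmin list writers' output.
# Assumes English-locale vssadmin output; function names are hypothetical.
$RequiredWriters = 'System Writer', 'ASR Writer', 'WMI Writer'   # writers named in the article

function Get-VssWriterStatus {
    param([string[]]$Lines)          # raw lines of: vssadmin list writers
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match "^Writer name: '(.+)'") {
            if ($current) { $current }                       # emit the previous writer
            $current = [pscustomobject]@{ Name = $Matches[1]; State = $null; LastError = $null }
        }
        elseif ($current -and $line -match '^\s+State: \[\d+\] (.+?)\s*$') { $current.State = $Matches[1] }
        elseif ($current -and $line -match '^\s+Last error: (.+?)\s*$')   { $current.LastError = $Matches[1] }
    }
    if ($current) { $current }                               # emit the last writer
}

function Test-RequiredWriters {
    param([string[]]$Lines)
    $found = @(Get-VssWriterStatus -Lines $Lines)
    foreach ($name in $RequiredWriters) {
        $w = $found | Where-Object Name -eq $name | Select-Object -First 1
        [pscustomobject]@{
            Writer  = $name
            Present = [bool]$w
            # Assumption: "healthy" means state Stable and last error "No error".
            Healthy = [bool]($w -and $w.State -eq 'Stable' -and $w.LastError -eq 'No error')
            Detail  = if ($w) { "$($w.State) / $($w.LastError)" } else { 'missing' }
        }
    }
}

# Constructed sample (abbreviated output, Id lines omitted); System Writer is absent.
$sample = @'
Writer name: 'ASR Writer'
   State: [1] Stable
   Last error: No error
Writer name: 'WMI Writer'
   State: [7] Failed
   Last error: Timed out
'@ -split '\r?\n'

Test-RequiredWriters -Lines $sample | Format-Table -AutoSize
# Live use on the device, from an elevated prompt:
#   Test-RequiredWriters -Lines (vssadmin list writers)
#   Get-Service -DisplayName 'Cryptographic Services','Volume Shadow Copy','Backup Service Controller' |
#       Select-Object DisplayName, Status, StartType
```

Run it before and after each troubleshooting step to see whether a missing or failed writer has recovered without changing any system state.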