Cove Data Protection Troubleshooting
System State fails with error: "Data source 'System state (VSS)' is not ready for backup: VSS writer "System Writer" is missing."
Last Modified
Thu Dec 31 12:54 GMT 2020
Description
- System state backup fails with error: Data source 'System state (VSS)' is not ready for backup: VSS writer "System Writer" is missing. Please ensure that "Cryptographic Services" service has enough rights.
Environment
- Cove Data Protection (Cove)
Solution
- The VSS writers are part of the Windows environment and must be operational to perform a backup
- Use the steps below to troubleshoot some common errors
- If this does not resolve the issue, investigate Application and System Event logs from the device for further insight, and contact Microsoft for further support
- Multiple troubleshooting steps are presented here
- Perform each step in the order listed
- Not all steps may be necessary
- Run this command in an elevated command prompt to verify writer status:
- vssadmin list writers
- Check the list for errors and ensure none of the following are missing:
- System Writer
- ASR Writer
- WMI Writer
- If any of the listed writers are missing, follow these steps:
- Restart services:
- Cryptographic Services—should be set to Automatic startup
- Volume Shadow Copy—should be set to Manual startup
- Backup Service Controller—should be set to Automatic startup
- If the System Writer is not visible you can check the following Microsoft article for some steps.
- If the above Microsoft article doesn't help then try re-registering the VSS writers using one of the two below scripts:
- Re-register VSS Writers for Server 2008/2008 R2
- Re-register VSS Writers for Server 2012-2016
Restart the system after re-registering writers before checking writer status.
- If the System Writer shows in the vssadmin list writers list, but the error still shows in Backup Manager, do this:
- Open services.msc
- Right-click Backup Service Controller> Properties > Log On tab
- Choose This user and enter an administrator user's credentials
- Click OK
- Restart service
- Right-click Backup Service Controller > Restart
- Ensure there is enough shadow copy space on the device (lack of shadow copy space can cause a writer to fail to run or load correctly)
- Run these commands in an elevated command prompt:
vssadmin delete shadows /all /quiet
vssadmin resize shadowstorage /for=?: /on=?: /maxsize=25%- Where ? is drive letter of drive on system where shadowstorage space needs to be added
- Microsoft recommends 25%, but at least 10% of the drive is needed
- Other values can be set in terms of MB (minimum 300), GB, TB or UNBOUNDED to allow full space
- If you receive an error when running resize command, you can try adding space instead:
- vssadmin add shadowstorage /for=?: /on=?: /maxsize=25%
- Restart services
- Cryptographic Services
- Volume Shadow Copy
- Backup Service Controller
- Run these commands in an elevated command prompt:
- Ensure writer system permissions are correct:
- Run commands to grant permissions to writer:
- takeown /f C:\WINDOWS\winsxs\ /a /r
icacls C:\WINDOWS\winsxs\ /grant "NT AUTHORITY\SYSTEM:(RX)" /t /c
icacls C:\WINDOWS\winsxs\ /grant "NT Service\trustedinstaller:(F)" /t /c
icacls C:\WINDOWS\winsxs\ /grant BUILTIN\Users:(RX) /t /c
- takeown /f C:\WINDOWS\winsxs\ /a /r
- Open regedit
- Start > type regedit > Enter
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl key
- Change value of NT AUTHORITY\NETWORK SERVICE (REG_DWORD) to 1
- Restart services
- Cryptographic Services
- Volume Shadow Copy
- Backup Service Controller
- Run commands to grant permissions to writer:
- Check temporary ASP.NET files
- Standard location is C:\Windows\Microsoft.NET
- Relocate temporary ASP.NET files to new location
- Restart services
- Cryptographic Services
- Volume Shadow Copy
- Backup Service Controller
- There is also a known issue that Microsoft has fixed via the following Microsoft hotfix
- (Server 2008 only) Uninstall Windows update KB4019276, reboot and see if System Writer has appeared
- Modify COM Security config
- Start > type dcomcnfg > Enter
- On the left pane navigate to Component Services > Computer > My Computer
- Right-click My Computer > Properties
- Select COM Security tab > Access Permissions > Edit Default
- Select Add... button > Add Network Service account to permission list
- Verify that only Local Access box is checked > OK
- Close Component Services
- Reboot device