VSS System Writer is missing
System State cannot be backed up and found that the System Writer is missing after runthe command "VSSAdmin list writers". The event log is "513 CPI2 Error" with contents: "Cryptographic Dervices failed while processing the OnIdentity() call in the System Writer Object." The server is 2008 standard 64bit edition and installed Exchange 2007 standard edition with SP1. It worked fine until2 weeks ago applied some patches from Microsoft which includs .NET 3.5 SP1, Echange2007 Rollp7, and a couple of security patches fro server 2008. Is this the reason? Please advice!ThanksRoger
April 13th, 2009 12:40pm
Hello Roger,
Based on the research, the VSS System Writer runs in the context of CryptSvc service on Windows Server 2008. To make the system writer works normally, please open services console to verify that the Cryptographic Services logon as the credentials of the "Network Service" account.
The VSS system writer can be missing due to several reasons, to isolate this issue, please refer to the following steps to boot the problematic server with clean boot mode to perform the test.
Steps: Clean Boot
1. On a problematic server perform a clean boot and check if the issue still exists
2. Click Start->Run...->type msconfig and press Enter
3. Click Services tab and select Hide All Microsoft Services and Disable All third party Services.
4. Click Startup tab and Disable All startup items
5. Click OK and choose Restart
After the server reboot, please run "vssadmin list writers" to check if the "System Writer" can be displayed.
If the issue still exists, please open a CMD prompt as Run As Administrator and type the following commands to see if it the system writer will be occure.
CD c:\windows\system32
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant "BUILTIN\Users:(RX)"
Moreover, based on the experience, it has been reported that there is some permissions issue which can cause this kind of issue. Please follow the steps below and check if it can be helpful.
On domain controller
1. Open Active Directory Users and Computers
2. Click View and then "Advanced features"
3. Right Click built and click properties.
4. Click security tab.
5. Grant read permission to 'Authenticated Users'
6. Click Apply and OK.
7. Restart Cryptographic Services.
Note: By Default, it should have read permission for the system to take system state backup.
Hope this can be helpful.This posting is provided "AS IS" with no warranties, and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
April 13th, 2009 11:48pm
Thanks!If clean reboot, the System Writer shows up, what shoud I do?The server is running Server 2008 OS and Exchange 2007 and is not a domain controller, should I do the "rant permission" on any of the domain controllers?
Is there any risk doing this? Because the server is in productive.
Thanks,
Roger
April 14th, 2009 10:29am
Hi Roger,
As "System Writer" shows in the clean boot mode, can you take system state backup in the clean boot mode? If yes, I guess the issue could be caused by other third party services that is running on the problematic server. Thus, you can enable the third party services one-by-one to isolate the root cause.
It won't cause any risk to grant the 'Authenticated Users' with "Read" permission on Builtin node in Active Directory Users and Computers because with this permission all the authenticated users can only query the security objects in Builtin container. Please note: the "Certificate Service DCOM Access" security group is a security object in Builtin container.
As the permission is needed for domain users to access the domain resource, please verify it on the domain controller.
Hope it helps.
This posting is provided "AS IS" with no warranties, and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
April 15th, 2009 2:51am
David,Thank you very much for the help you provided. 2 more questions:1. CERTSVC_DCOM_ACCESS group is not in the domain system because I didn't install CA. But I am still wondering that the group CERTSVC_DCOM_ACCESS should be created by installing SP1, why our servers running 2003 R2 without the group created. Do I need to install it?
2. Twoweeks ago I installed updates from Microsoft and then the System State can not be backed up. Does this mean that the updates installation removed some granted permssions?Thanks,Roger
April 15th, 2009 4:07pm
Hi Roger,
Q: 1. CERTSVC_DCOM_ACCESS group is not in the domain system because I didn't install CA. But I am still wondering that the group CERTSVC_DCOM_ACCESS should be created by installing SP1, why our servers running 2003 R2 without the group created. Do I need to install it?
A1: Roger, could you please check if you have install Windows Server 2003 SP1 on that server? If not, I suggest that you install it on that server. Because when you upgrade to Windows Server 2003 SP1, security configuration changes are made to the global DCOM interface and to the CertSrv Request DCOM interface. These changes are made to enable certificate services to work correctly.
During Windows Server 2003 SP1 Setup, certificate services automatically updates the DCOM security and the new security group (CERTSVC_DCOM_ACCESS) will be automatically created.
Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1http://support.microsoft.com/default.aspx/kb/903220
Q2. Twoweeks ago I installed updates from Microsoft and then the System State cannot be backed up. Does this mean that the updates installation removed some granted permissions?
A: Actually, it's hard to say that. To solid isolate the root cause of the issue why the system state cannot be backed up, we may need to check the event viewer to see what the error messages are when the issue occurs.
Besides, please check the following KB article to see if the hotfix can be helpful to that issue.
You cannot perform a system state backup on a domain controller that is running Windows Server 2003 SP1
http://support.microsoft.com/kb/913642
Hope it helps.This posting is provided "AS IS" with no warranties, and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
April 16th, 2009 3:22am
The solution is refered is this post
http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/4458947a-623e-45c1-b8e4-868aad1e93b0/
the problem is related to temporary files of .net asp files created em framework directories.
July 18th, 2012 10:53am