Issue
System Writer missing
Symptoms
- System State backup fails with error “The Volume Shadow Copy service entered the stopped state”
- System Writer is missing from the “vssadmin list writers” output
Error in System Logs
Log Name: System
Source: Service Control Manager
Event ID: 7036
Task Category: None
Level: Information
Keywords: Classic
Description:
The Volume Shadow Copy service entered the stopped state.
Observation
- Start the Procmon capture

- Run “vssadmin list writers” command
- Stop Procmon capture, select Filter icon

- Filter the current Procmon traces with “Path | Contains | vss\diag | Include” and select “Apply/OK”

- Select “HKLM\System\CurrentControlSet\Services\VSS\Diag\System Writer\IDENTIFY (Enter)” -> Right Click on “PID: 1348” -> Select ‘Include 1348’

- Select “HKLM\System\CurrentControlSet\Services\VSS\Diag\System Writer\IDENTIFY (Leave)”

- Select the Filter icon, uncheck “Path -> Contains -> vss\diag” and select “Apply/OK”

- A few entries above, notice the “File Locked with only Readers” status for the following files:
43:20.8 | svchost.exe | 1348 | CreateFile | C:\Windows\inf\setupapi.ev1 | SUCCESS | Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened |
43:20.8 | svchost.exe | 1348 | QueryStandardInformationFile | C:\Windows\inf\setupapi.ev1 | SUCCESS | AllocationSize: 20,480, EndOfFile: 19,904, NumberOfLinks: 1, DeletePending: False, Directory: False |
43:20.8 | svchost.exe | 1348 | CreateFileMapping | C:\Windows\inf\setupapi.ev1 | FILE LOCKED WITH ONLY READERS | SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY |
43:20.8 | svchost.exe | 1348 | CreateFile | C:\Windows\inf\setupapi.ev2 | SUCCESS | Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened |
43:20.8 | svchost.exe | 1348 | QueryStandardInformationFile | C:\Windows\inf\setupapi.ev2 | SUCCESS | AllocationSize: 16,384, EndOfFile: 14,040, NumberOfLinks: 1, DeletePending: False, Directory: False |
43:20.8 | svchost.exe | 1348 | CreateFileMapping | C:\Windows\inf\setupapi.ev2 | FILE LOCKED WITH ONLY READERS | SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY |
43:20.8 | svchost.exe | 1348 | CreateFile | C:\Windows\inf\setupapi.ev3 | SUCCESS | Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened |
43:20.8 | svchost.exe | 1348 | QueryStandardInformationFile | C:\Windows\inf\setupapi.ev3 | SUCCESS | AllocationSize: 86,016, EndOfFile: 86,016, NumberOfLinks: 1, DeletePending: False, Directory: False |
43:20.8 | svchost.exe | 1348 | CreateFileMapping | C:\Windows\inf\setupapi.ev3 | FILE LOCKED WITH ONLY READERS | SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY |
Cause:
The System Writer metadata file contains files from the location C:\Windows\inf. If any of these files are locked or corrupt, the System Writer will not be able to compile its metadata files, so System Writer will be missing from the “vssadmin list writers” output.
Solution:
- Copy these three files from a working system (same Operating System and Build) and replace the corrupted files at location: C:\Windows\inf\
C:\Windows\inf\setupapi.ev1
C:\Windows\inf\setupapi.ev2
C:\Windows\inf\setupapi.ev3
- Verify that the “Network Service” account has ‘Read’ permissions on these files
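
One way to script the verification after the files are replaced, as an added PowerShell example (not part of the original write-up): it checks that each file opens for reading, that its ACL grants Read to Network Service, and that System Writer is listed again. The group SIDs treated as applying to Network Service are an assumption stated in the code.

```powershell
# Added example: post-fix check for the three files named on this page.
# Run elevated; vssadmin requires administrator rights.
$files = 'C:\Windows\inf\setupapi.ev1',
         'C:\Windows\inf\setupapi.ev2',
         'C:\Windows\inf\setupapi.ev3'

# Assumption: the Network Service token (S-1-5-20) also carries Everyone,
# Authenticated Users and BUILTIN\Users, so an ACE for any of them applies.
$sids = 'S-1-5-20', 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$read = [System.Security.AccessControl.FileSystemRights]::Read
$sidType = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($path in $files) {
    $row = [ordered]@{ Path = $path; Exists = $false; Opens = $false
                       ReadAllowed = $false; ReadDenied = $false }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $row.Exists = $true
        try {
            # Same open as in the trace: read access, ShareMode Read.
            # Runs as the current user, so it detects a writer lock or an
            # unreadable file, not Network Service's own access.
            $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'Read')
            $fs.Dispose()
            $row.Opens = $true
        } catch {
            Write-Warning "$path : $($_.Exception.Message)"
        }
        $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType)
        foreach ($rule in $rules) {
            if ($sids -notcontains $rule.IdentityReference.Value) { continue }
            $bits = [int]($rule.FileSystemRights -band $read)
            if ($rule.AccessControlType -eq 'Deny') {
                # Any denied read bit blocks the access.
                if ($bits -ne 0) { $row.ReadDenied = $true }
            } elseif ($bits -eq [int]$read) {
                $row.ReadAllowed = $true
            }
        }
    }
    [pscustomobject]$row
}
$report | Format-Table -AutoSize

# The writer should be listed again once its metadata can be built.
$writers = & vssadmin.exe list writers 2>&1 | Out-String
$systemWriterListed = $writers -match "Writer name: 'System Writer'"
"System Writer listed: $systemWriterListed"
```

A healthy result shows Exists, Opens and ReadAllowed as True and ReadDenied as False for all three files, followed by "System Writer listed: True".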