Agent-based backup of Windows, Linux, Mac, AIX and Solaris machines.
hpadm
Enthusiast
Posts: 51
Liked: 10 times
Joined: May 18, 2021 1:55 pm
Location: Slovakia

Event VSS 8194 access denied querying IVssWriterCallback during jobs managed by server

Post by hpadm »

I have added a backup job (managed by VBR server) to two hyper-v hosts, one also hosting the main VBR server & console. I have also switched a third database server's backup job from 'managed by agent' to 'managed by server'.

In all 3 cases, when the backup job starts, this error is logged in the application event log. However, the backup completes fine. From the text below, I am worried that the system state is not being captured properly.

Our file server is still using 'managed by agent' mode, and is not logging any VSS errors. Only those that use 'managed by server' type backup jobs are getting this. You can also see that the interacting components are the VSS "System Writer" and "CryptSvc" service.
Source: VSS
Event ID: 8194
Description:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {325f1613-7240-49af-865e-82927f406f7a}

Binary data:
- Code: WRTWRTIC 00001287
- Call: WRTWRTIC 00001241
- PID: 00003164
- TID: 00003720
- CMD: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- User: Name: NT AUTHORITY\NETWORK SERVICE, SID:S-1-5-20
I'm curious to know what the deal is here. Case #05688029 unfortunately timed out.
PetrM
Veeam Software
Posts: 3625
Liked: 608 times
Joined: Aug 28, 2013 8:23 am
Full Name: Petr Makarov
Location: Prague, Czech Republic

Re: Event VSS 8194 access denied querying IVssWriterCallback during jobs managed by server

Post by PetrM »

Hello,

You may follow the steps recommended in this KB for the diskshadow tool and probably collect and examine vsstrace output to get detailed information about VSS activity. Anyway, I suggest contacting our support once again. We provide e-mail support on a best-effort basis for customers using Free products, every single attempt to open a new case increases your chances to get in touch with our engineers.

Thanks!
Mike.Powell
Veeam Software
Posts: 11
Liked: 6 times
Joined: Jun 13, 2016 6:19 pm
Full Name: Mike Powell

Re: Event VSS 8194 access denied querying IVssWriterCallback during jobs managed by server

Post by Mike.Powell »

Good morning, as these events do not impact backup in any way, they are considered non-relevant or "red herrings" by support when presented. Microsoft documentation may be more helpful if a fully clean event viewer log is required.

They're present in almost every set of logs we see, and have never impacted a backup that I'm aware of, hope this sets the worry to rest a bit.
hpadm

Re: Event VSS 8194 access denied querying IVssWriterCallback during jobs managed by server

Post by hpadm »

My apologies, it seems I did not get subscribed to my topic when I created it.
I have run the diskshadow test. It does not reproduce the logged application error when run locally as administrator.

I am giving this more attention because it is flagged as an Error, not just a Warning. Furthermore, it happens when executing the job in server-managed mode, but not in agent-managed mode. These should work in a similar fashion and produce the same result, yet they don't. The fact that agent mode succeeds without error and server mode doesn't suggests that it's VBR's fault.

I would not dismiss this so easily, btw. For example, a similarly looking error is logged when running a VBR backup on a host with a Symantec mssql database without the proper credentials inserted into it. That causes VBR to not be able to negotiate a database freeze with the mssql vss writer, and thus unable to guarantee a consistent volume snapshot.
PetrM

Re: Event VSS 8194 access denied querying IVssWriterCallback during jobs managed by server

Post by PetrM »

Hello,

It's an interesting observation that the error occurs in server mode only, it can be very helpful for troubleshooting but still does not prove that the issue comes from our code. The backup application is the VSS-requestor and does not create or delete shadow copies. I think you should work with our support team, it does not seem to be a widely known issue and additional testing, debug logs analysis and examination of your infrastructure are needed.

Thanks!
hpadm

Re: Event VSS 8194 access denied querying IVssWriterCallback during jobs managed by server

Post by hpadm » 1 person likes this post

My original case was #05688029.
I reproduced the logged error message using the following steps:
  • Install a standalone Windows Server 2019 into a Hyper-V VM.
  • Enable file sharing (if needed).
  • Open Event Viewer, Application log.
  • Create VBR backup job, Windows computer, Managed by server. Add vm's IP as individual host. Add credentials for the vm's Administrator account. Backup mode doesn't matter (can be file-level targeting a nonexistent path, or an empty second volume).
  • Start job, wait for rescan and agent install to finish, and then watch the backup progress.
  • Observe that the error event is logged very early, before "Required backup infrastructure resources have been assigned".
Through trial and error I've narrowed it down to the "Enable application-aware processing" part. Even with "transactional logs: copy only" it still happens. If I disable application-aware processing, the error is not logged. But this did not help to locate the cause.
Using Process Monitor, I was unable to capture the place where the 'access denied' happens. There were no such events. This made me think that it is DCOM-related.

This time, instead of typing the full error message into web search, I only typed 'IVssWriterCallback', intending to check microsoft documentation on what component it belongs to. Surprisingly, the top results were all old articles describing exactly what I posted. They said that it happens with third party backup software, and that it is a dcom permission issue. Specifically, the Local Access permission for NETWORK SERVICE. The articles were sloppy and just instructed to add it to the default setting for all dcom processes, which I found excessive. However, it does work, which helps narrow things down. Note that a system reboot was always required to apply dcom permission changes, at least during my testing.

I dug deeper, and found that CallFailureLoggingLevel's default setting causes all dcom call errors to be hidden. Setting it to 1 reveals:
The machine-default permission settings do not grant Local access permission to the COM Server application C:\Program Files\Veeam\Endpoint Backup\Veeam.Endpoint.Service.exe with APPID Unavailable to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable).
Putting the two together, it seems that Veeam.Endpoint.Service.exe registers a COM callback in VSS, presumably for all the vss writers to report back. When the "System Writer" (provided by CryptSvc) tries to call back, it gets denied and the callback doesn't happen.
According to CoInitializeSecurity, a client or server application is able to declare its own custom security rules. If it doesn't, the default system-wide ones are used.

I examined the programming of all Veeam executables that reference CoInitializeSecurity, and found that every single one of them uses the lazy defaults with a NULL security descriptor. The Microsoft article Calling CoInitializeSecurity in a Secure Manner demonstrates how to declare access to builtin groups, if the Veeam devs want to do this properly, and not ask of the user to expose the entire DCOM system to Network Service. I do not know what the exact list of SIDs to declare is, but at most it's Self, System, Administrators and Network Service.

(I still do not know why running the job in Managed by Agent mode doesn't run into this error. Presumably, the agent launches its worker process with the credentials configured in the job, which in my case is a member of the Administrators group and hence already covered by the default setting.)
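
Added example, not part of the post above and not Veeam's code: a read-only PowerShell check of the two DCOM settings the post relies on, the CallFailureLoggingLevel value and whether the machine-default access ACL grants Local Access to NETWORK SERVICE (the system-wide workaround the post calls excessive). It assumes the documented value names under HKLM\SOFTWARE\Microsoft\Ole and is run on the Windows host being examined.

```powershell
# Added example: read-only audit, changes nothing on the host.
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'   # machine-wide COM/DCOM settings
$networkServiceSid = 'S-1-5-20'            # NT AUTHORITY\NETWORK SERVICE, as in the event

# COM access-right bits from the Windows SDK
$COM_RIGHTS_EXECUTE        = 0x1
$COM_RIGHTS_EXECUTE_LOCAL  = 0x2
$COM_RIGHTS_EXECUTE_REMOTE = 0x4

$ole = Get-ItemProperty -Path $oleKey

# 1. COM call-failure logging: the thread sets this to 1 to surface the denied callback.
$logLevel = $ole.CallFailureLoggingLevel
if ($null -eq $logLevel) { $logLevel = 'not set (system default)' }

# 2. Machine-default access ACL: used by any COM process that passes a NULL
#    security descriptor to CoInitializeSecurity.
$grants = @()
$aclState = 'not set (built-in default ACL applies)'
if ($null -ne $ole.DefaultAccessPermission) {
    $aclState = 'custom ACL present'
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new(
              [byte[]]$ole.DefaultAccessPermission, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        if ($ace.SecurityIdentifier.Value -ne $networkServiceSid) { continue }
        $mask = $ace.AccessMask
        # A legacy mask of exactly COM_RIGHTS_EXECUTE implies local and remote access.
        $legacy = ($mask -eq $COM_RIGHTS_EXECUTE)
        $grants += [pscustomobject]@{
            AccessMask   = '0x{0:X}' -f $mask
            LocalAccess  = $legacy -or [bool]($mask -band $COM_RIGHTS_EXECUTE_LOCAL)
            RemoteAccess = $legacy -or [bool]($mask -band $COM_RIGHTS_EXECUTE_REMOTE)
        }
    }
}

[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    CallFailureLoggingLevel = $logLevel
    DefaultAccessPermission = $aclState
    NetworkServiceInDefault = [bool]$grants.Count
    NetworkServiceAces      = $grants
}
```

A host that reports NetworkServiceInDefault as True has had the system-wide workaround applied, so every COM server that relies on the default ACL accepts calls from NETWORK SERVICE there.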
hpadm

Re: Event VSS 8194 access denied querying IVssWriterCallback during jobs managed by server

Post by hpadm » 1 person likes this post

To summarize: There is a programming mistake in Veeam.Endpoint.Service, in the component that interacts with the VSS service via COM. It sets up a callback but doesn't configure an ACL for all possible kinds of callers, and one of them ends up getting denied.

Early in the backup process, the Veeam service sends some sort of asynchronous request that involves VSS Writers (perhaps enumeration?), and provides a callback that should be used by each writer. But before that, it is supposed to set up an ACL that grants access permission to all expected DCOM callers. This step is not done properly - it just uses a default system-wide list, containing System and Administrators. This works by coincidence because most VSS writers are hosted by services that run as Local System.

However, 'System Writer' is hosted by CryptSvc and runs as Network Service, which is not in the default ACL (for obvious security reasons!). This results in Access Denied, and System Writer is unable to provide its response to the request. Depending on how COM handles errors, the overall operation may be treated as successful (with an incomplete result), or as having failed. I do not know what the consequence of this is - depends on what the operation is. I was unable to determine this, that's up to the devs.

The fix is to programmatically define the ACL using the instructions in my previous post. It might also be worth looking into why backup in agent-managed mode does not run into this error. It may reveal that it's doing something weird, is forgetting to send this VSS request, or it may turn out that it is not needed in the first place.
hpadm

Re: Event VSS 8194 access denied querying IVssWriterCallback during jobs managed by server

Post by hpadm »

I have re-submitted this with full details as case #05741172 but unfortunately it timed out without anyone reading it. If possible, I would appreciate if it was given attention at some point.
PetrM

Re: Event VSS 8194 access denied querying IVssWriterCallback during jobs managed by server

Post by PetrM »

Hello,

For some reason, I overlooked your last 2 posts on this topic so my apologies for not answering earlier. Many thanks for your very interesting technical research, your efforts are much appreciated! Without a doubt, it will be helpful for us so that our Devs can look deeper into it and fix it accordingly in one of our future releases.

Thanks!