Backup Service in Windows

Most of MSP360 (Cloudberry) Backup for Windows functionality is performed by the Backup service.

By default, this service is run under .\SYSTEM account that does not have access to many system files, user directories etc. Also, it may require to provide network credentials for connection to network shared resources (for example, CIFS resource).

In some cases, Backup service cannot act under a specific user while connecting to a network shared resource due to Windows security policies. In unusual cases, the Backup service is stopped by third-party software and/or its startup type can be changed from Automatic to Manual. Sometimes, the interaction with VSS fails by the same reason: Backup service is not granted with sufficient permissions for accessing files or their shadow copies.

Usually, these issues are resolved by running Backup service under a local or domain administrator account with providing network credentials for network shared resources (see the figure below).

It is recommended to use the local administrator's account name because the domain administrator is not always a local administrator on host machines.

To add domain administrator as a local administrator on a domain controller, open Windows command prompt and run following command:

net localgroup Administrators /add domain\user

Possible Errors

Files causing errors are encrypted

If Windows native encryption (EFS) is used, follow these recommendations. Note that Backup service account might be running under another account, not .\SYSTEM.

If a third-party encryption (for example, application internal encryption) is used, files must be decrypted first.

Reference articles:

• The Encyption File System: https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700811(v=technet.10)
• How EFS works https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc962103(v=technet.10)

Backup Service account does not have enough privileges to read files

To fix this issue, proceed as follows

1. Navigate to the parent folder of the object with an access error.
2. Right-click, then select Properties.
3. Switch to Security tab, then click Advanced.
4. Make sure the folder with an access error has an owner, even if it is not Backup service account.
5. Apply Full Control permissions for the folder with an access error for Backup service account.
6. Select Replace all child object permission entries with inheritable permission entries for this object check box.
7. Click Apply.