Eliminating VSS Error 8194 from Event Log

Situation

When you start the Backup program (in our case it's CloudBerry Backup) you may experience multiple instances of VSS Error 8194 in the Application event log. Sometimes it might be a root of the other issues that might, in its turn, cause the backup failure.

Below we will explain how to eliminate this error.

Solution

Error code 8194 is an "Access is Denied" error caused by the inability of one or more VSS system writers to communicate with the Remote Backup VSS requestor process via the "COM" calls exposed in the IVssWriterCallback interface (Microsoft programming interface to the Volume Shadow Service).

This is not a functional error in the Remote Backup program, but rather a security issue caused by select VSS writer(s) running as a service under the "Network Service" (or "Local Service") account(s) and not the Local System or Administrator account. By default, in order for a Windows service to perform a COM activation it must be running as Local System or as a member of the Administrators group.

In general, Remote Backup is not used to backup the files managed by these VSS system writers - so the errors have no impact on the success of the backup. However, Managed Service providers are typically concerned by these recurring error messages and often question whether the backups are actually running properly - since the event is listed as a serious error.

There are two ways to clear the problem:

Please note that reboot might be required

  • The first is to locate the VSS writers (Start | Run | services.msc) that are erring out and change the account they are running under from Network Service to Local System. Then, restart the service process (or reboot the computer) and the VSS Writer will run with max privileges - thereby eliminating the IVssWriter callback errors.

The possible security issue with this method is that the service will be running with a higher level of access than Microsoft intended. Should the VSS Writer process be "hacked", this could be a security weakness. But, if you're not overly concerned about that, repeat this process for each VSS Writer that generates an 8194 error and you should not experience any more error events in normal operation.

  • The second (preferred) way to work around the issue is to make an adjustment to the default COM service activation permissions - allowing Network Service (and possibly Local Service) user account(s) to activate the IVssWriter callback interface. This method has the benefit of permanently fixing the issue in one place and allowing the VSS Writer service(s) to run at the privilege level that Microsoft intended. Any COM object accessed (by a process running as Network Service) still has the ability to enforce security restrictions it so chooses.

Make this fix by doing the follow:

  • Start | Run | dcomcnfg. This brings up the Component Services application.

  • On the left pane navigate to Component Services | Computer | MyComputer.

  • Right click on MyComputer and select properties.

  • Select the COM Security tab and select the Edit Default button under Access Permissions.

  • Use the Add... button to add the "Network Service" account to the permission list.

  • Verify that ONLY the Local Access box is checked and click OK.

  • Close Component Services.

  • A reboot is then required to make the requested changes to COM Security.

Contact Us

https://git.cloudberrylab.com/egor.m/doc-help-kb.git