Discovered an issue that I can reproduce at will. Default full install of 2008 R2 build 7600, if I complete the server install and add the DHCP role, every server start results in the following Application Event Log:
event id: 8193
Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.
In addition to the startup instance of the event, it will also recur at will by doing a net stop/start of cryptsvc resulting in the same event in the application log. If DHCP is not installed, it is completely happy. Uninstalling the DHCP role does not clear the error, though an "upgrade" install of Server after removing DHCP does clear it...I miss the old repair install capability :(
This error does not prevent the functioning of DHCP or any other component of the server that I have found in my brief testing, but I am concerned about putting it into production to later find out what trouble might arise down the road.
Wednesday, August 26, 2009 8:27 PM
Perhaps my mistake was I never really asked a question...I only stated my findings. I guess my question would be does anyone know how to eliminate the error without resorting to not running DHCP, or secondarily, any thoughts on if it is a serious issue and what problems could pop up later, and/or can it perhaps be safely ignored?
Sunday, August 30, 2009 11:26 PM
Following another path...Are either of you gentlemen who are also experiencing the error seeing any impact as a result, or does the server and the DHCP service seem to be operating normally despite the event log error? Any concerns other than curiosity due to the error involving two seemingly unrelated services: DHCP and VSS?
Friday, September 04, 2009 3:07 PM
Nice find on the jcarle site, I appreciate that. I would however consider that to be more of a workaround than a fix. If you extended that solution to a ridiculous level and gave "Everyone" full control to every registry key, it would also "fix" the VSS error, but you would clearly not want to do that.
I would still be interested in knowing what the relationship between DHCP and the VSS service is, if the install of DHCP is incorrectly applying some settings or creating an association somewhere in error, and is potentially known and being worked on for a fix. I would also like to know of any potential downside to modifying those permissions in the suggested workaround, and if there is any exceptional risk to taking that path. The other possibility would be a confirmation that there is no real problem and it is fine to just live with the error in the log vs. modifying security settings unnecessarily or taking any other action at all.
Sunday, September 06, 2009 2:15 PM
It's always simple :).
When DHCP server is installed it incorrectly rewrites permissions on [...\CurrentControlSet\Services\VSS\Diag] key (and all subkeys).
Here are some details:
1) key permissions BEFORE dhcp installation (SDDL):
2) and now what happens after "DHCP Server Role" is installed (SDDL):
If you take a closer look - you'll notice that these SDs (security descriptors) are quite different. BTW, SID starting with S-1-5-80-... - this is NT SERVICE\DHCPServer.
Now let's get back to our "Access Denied" error.
On any 2008(R2) Server we always have service "Cryptographic Services" running and set to Autostart. And it runs under NetworkService account. Every time when this service is started it initializes its "VSS Writer" (VSS provider used to backup local cert stores). And this VSS provider tries to get Read/Write access to our key (...\Diag). As it does that from inside CryptSvc service - it uses NetworkService account to get this access.
But inside the second SD there is no permission for NetworkService at all! So, we have our error message in event log every time CryptSvc starts.
Now how to revert those changes to system original? I used subinacl utility from 2003 resource kit tools (you have to download an updated version v5.2.3790.1180 from MS site) like this:
subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag /sddl=O:SYG:SYD:PARAI(A;;... here goes original SD - from 1) ... GA;;;SY)
But after that you have to open REGEDIT, navigate to [...\Diag] key, open its permissions -> Advanced -> "Replace all child object permissions ...." -> Ok -> Ok.
Only after that you'll have system original permissions on that key and all subkeys.
Wednesday, February 24, 2010 4:54 AM
- Proposed as answer by AlexVD Wednesday, February 24, 2010 4:58 AM
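An added example, not part of the original post: a read-only PowerShell audit of the key discussed in the answer above. It lists which keys under VSS\Diag have no Allow ACE for NETWORK SERVICE (S-1-5-20) and which per-service SIDs (S-1-5-80-...) appear in each DACL, and it saves every key's current SDDL before anything is changed. The output file name is a hypothetical choice; the script changes no permissions.

```powershell
# Added example (not from the thread): read-only audit of VSS\Diag and subkeys.
# Run from an elevated prompt so the security descriptors can be read.
$root    = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS\Diag'
$outFile = '.\vss-diag-acl-before.csv'   # hypothetical output path
$sidType = [System.Security.Principal.SecurityIdentifier]

$keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)

$report = foreach ($key in $keys) {
    $acl   = Get-Acl -Path $key.PSPath
    # Explicit and inherited ACEs, with identities left as raw SIDs
    $rules = @($acl.GetAccessRules($true, $true, $sidType))

    # Allow ACEs for NETWORK SERVICE (S-1-5-20), the account CryptSvc runs under
    $nsAllow = @($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-20' -and
        $_.AccessControlType -eq 'Allow'
    })
    # Per-service SIDs (S-1-5-80-...), such as NT SERVICE\DHCPServer
    $svcSids = @($rules |
        Where-Object { $_.IdentityReference.Value -like 'S-1-5-80-*' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Select-Object -Unique)

    New-Object PSObject -Property @{
        Key                  = $key.Name
        NetworkServiceRights = ($nsAllow | ForEach-Object { $_.RegistryRights }) -join '; '
        ServiceSids          = $svcSids -join '; '
        Sddl                 = $acl.Sddl
    }
}

# Keys with no Allow ACE for NETWORK SERVICE match the condition described in the answer
$report | Where-Object { -not $_.NetworkServiceRights } |
    Select-Object Key, ServiceSids | Format-Table -AutoSize -Wrap

# Keep the current SDDL of every key so any later change can be reverted
$report | Select-Object Key, NetworkServiceRights, ServiceSids, Sddl |
    Export-Csv -Path $outFile -NoTypeInformation
```

Running it before and after adding the DHCP role on a test server gives two CSV files whose Sddl columns can be compared directly.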
From what I understand in the post, it wants you to allow full control to the user.
Writer Name is System Writer
From the binary dat
CMd is Windows\system32\svchost.exe -k networkservice
User Name NT AUTHORITY\NETWORK SERVICE S-1-5-20
When I navigate to the reg keys as shown in the blog, there is no user name as provided above
I am new to servers, how do I allow full control if the user provided above is not in the keys?
David
Thursday, June 24, 2010 2:57 PM