VSS System Writer is missing

    Question

  • System State cannot be backed up, and I found that the System Writer is missing after running the command "VSSAdmin list writers". The event log is "513 CAPI2 Error" with contents: "Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object." The server is 2008 Standard 64-bit edition with Exchange 2007 Standard edition SP1 installed. It worked fine until 2 weeks ago, when I applied some patches from Microsoft, which include .NET 3.5 SP1, Exchange 2007 Rollup 7, and a couple of security patches for Server 2008. Is this the reason? Please advise!
    Thanks
    Roger
    Monday, April 13, 2009 4:40 PM

Answers

  • Hello Roger,

    Based on the research, the VSS System Writer runs in the context of the CryptSvc service on Windows Server 2008. To make the system writer work normally, please open the Services console to verify that Cryptographic Services logs on with the credentials of the "Network Service" account.

    The VSS system writer can be missing for several reasons. To isolate this issue, please refer to the following steps to boot the problematic server in clean boot mode and perform the test.

    Steps: Clean Boot

    1. On the problematic server, perform a clean boot and check if the issue still exists.
    2. Click Start -> Run..., type msconfig and press Enter.
    3. Click the Services tab, select Hide All Microsoft Services and Disable All third-party services.
    4. Click the Startup tab and Disable All startup items.
    5. Click OK and choose Restart.

    After the server reboots, please run "vssadmin list writers" to check if the "System Writer" is displayed.

    If the issue still exists, please open a CMD prompt with Run As Administrator and type the following commands to see if the system writer will occur.

    CD c:\windows\system32
    Takeown /f %windir%\winsxs\filemaps\* /a
    icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
    icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
    icacls %windir%\winsxs\filemaps\*.* /grant "BUILTIN\Users:(RX)"

    Moreover, based on experience, it has been reported that a permissions issue can cause this kind of problem. Please follow the steps below and check if they help.

    On the domain controller

    1. Open Active Directory Users and Computers.
    2. Click View and then "Advanced features".
    3. Right-click Builtin and click Properties.
    4. Click the Security tab.
    5. Grant read permission to 'Authenticated Users'.
    6. Click Apply and OK.
    7. Restart Cryptographic Services.

    Note: By default, it should have read permission for the system to take a system state backup.

    Hope this can be helpful.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by David Shen Friday, April 17, 2009 10:47 AM
    Tuesday, April 14, 2009 3:48 AM
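
A read-only check of the three things the answer above points at (whether the System Writer is listed, which account CryptSvc logs on as, and the ACLs under winsxs\filemaps), plus the CAPI2 event from the question. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later in an elevated session, and the expected identity list is taken from the icacls commands in the post.

```powershell
# Read-only diagnostics for a missing VSS "System Writer".
# Assumes PowerShell 2.0+ in an elevated session; changes nothing on the system.

# 1. Is the System Writer registered? Parse the text output of vssadmin.
$writers = & vssadmin list writers |
    Select-String -Pattern "Writer name: '(.+)'" |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
"System Writer listed  : {0}" -f ($writers -contains 'System Writer')

# 2. Which account does Cryptographic Services (CryptSvc) log on as?
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='CryptSvc'"
"CryptSvc logon account: {0} (state: {1})" -f $svc.StartName, $svc.State
if ($svc.StartName -notmatch 'Network\s?Service$') {
    Write-Warning 'CryptSvc is not logging on as Network Service.'
}

# 3. Report files under winsxs\filemaps that lack an ACE for the identities named
#    in the icacls commands. Only presence of an ACE is checked, not its rights.
$expected = 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller', 'BUILTIN\Users'
Get-ChildItem -Path "$env:windir\winsxs\filemaps" | ForEach-Object {
    $file = $_
    try {
        $ids = (Get-Acl -Path $file.FullName -ErrorAction Stop).Access |
            ForEach-Object { $_.IdentityReference.Value }
        $missing = $expected | Where-Object { $ids -notcontains $_ }
        if ($missing) { "{0}: no ACE for {1}" -f $file.Name, ($missing -join ', ') }
    } catch {
        # An unreadable ACL is itself a finding worth recording.
        "{0}: cannot read ACL ({1})" -f $file.Name, $_.Exception.Message
    }
}

# 4. Most recent CAPI2 event 513 entries in the Application log.
Get-EventLog -LogName Application -Source '*CAPI2*' -EntryType Error -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 513 } |
    Select-Object -First 3 -Property TimeGenerated, Message
```

Capturing this output before running the takeown and icacls commands gives a record of the original state to compare against afterwards.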
  • Hi Roger,

    Q: 1. CERTSVC_DCOM_ACCESS group is not in the domain system because I didn't install CA. But I am still wondering that the group CERTSVC_DCOM_ACCESS should be created by installing SP1, why our servers running 2003 R2 without the group created. Do I need to install it?

    A1: Roger, could you please check if you have installed Windows Server 2003 SP1 on that server? If not, I suggest that you install it on that server, because when you upgrade to Windows Server 2003 SP1, security configuration changes are made to the global DCOM interface and to the CertSrv Request DCOM interface. These changes are made to enable certificate services to work correctly.

    During Windows Server 2003 SP1 Setup, certificate services automatically updates the DCOM security and the new security group (CERTSVC_DCOM_ACCESS) will be automatically created.

    Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1
    http://support.microsoft.com/default.aspx/kb/903220

    Q2. Two weeks ago I installed updates from Microsoft and then the System State cannot be backed up. Does this mean that the updates installation removed some granted permissions?

    A: Actually, it's hard to say that. To solidly isolate the root cause of why the system state cannot be backed up, we may need to check the event viewer to see what the error messages are when the issue occurs.

    Besides, please check the following KB article to see if the hotfix can be helpful for that issue.

    You cannot perform a system state backup on a domain controller that is running Windows Server 2003 SP1
    http://support.microsoft.com/kb/913642

    Hope it helps.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by David Shen Friday, April 17, 2009 10:47 AM
    Thursday, April 16, 2009 7:22 AM

All replies

  • Thanks!
    If the System Writer shows up after a clean reboot, what should I do?
    The server is running Server 2008 OS and Exchange 2007 and is not a domain controller. Should I do the "grant permission" on any of the domain controllers?

    Is there any risk in doing this? Because the server is in production.

    Thanks,

    Roger

    Tuesday, April 14, 2009 2:29 PM
  • Hi Roger,

    As "System Writer" shows in the clean boot mode, can you take a system state backup in the clean boot mode? If yes, I guess the issue could be caused by other third-party services that are running on the problematic server. Thus, you can enable the third-party services one by one to isolate the root cause.

    It won't cause any risk to grant the 'Authenticated Users' with "Read" permission on Builtin node in Active Directory Users and Computers because with this permission all the authenticated users can only query the security objects in Builtin container.

    Please note: the "Certificate Service DCOM Access" security group is a security object in Builtin container.

    As the permission is needed for domain users to access the domain resource, please verify it on the domain controller.

    Hope it helps.



    This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, April 15, 2009 6:51 AM
  • David,
    Thank you very much for the help you provided. 2 more questions:

    1. CERTSVC_DCOM_ACCESS group is not in the domain system because I didn't install CA. But I am still wondering that the group CERTSVC_DCOM_ACCESS should be created by installing SP1, why our servers running 2003 R2 without the group created. Do I need to install it?

    2. Two weeks ago I installed updates from Microsoft and then the System State cannot be backed up. Does this mean that the updates installation removed some granted permissions?

    Thanks,
    Roger

    Wednesday, April 15, 2009 8:07 PM
  • The solution is referred to in this post:

    http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/4458947a-623e-45c1-b8e4-868aad1e93b0/

    The problem is related to temporary files of .NET ASP files created in the framework directories.

    Wednesday, July 18, 2012 2:53 PM
  • You may also check this link for VSS issues, missing VSS system writers, a missing WMI Writer or missing IIS Metabase Writers:

    http://aikitsupport.com/fix-vss-errors-windows-server-2003/

    Regards

    Joy Banerjee

    Thursday, January 02, 2014 4:25 PM
  • This resolved the issue in my case:

    http://www.peerwisdom.org/2013/05/09/disappearing-vss-system-writer-and-asp-net/

    • Proposed as answer by tgirard33 Saturday, August 23, 2014 4:43 PM
    Sunday, March 23, 2014 4:35 AM
  • Hi,

    there is a hotfix now: http://support.microsoft.com/kb/2807849

    This helped me solve my issue 'System Writer' missing and CAPI2 error in Application logs.


    If this helped you resolve your issue, please mark it Answered, thanks! Kind regards

    Monday, June 23, 2014 11:32 AM
  • The hotfix http://support.microsoft.com/kb/2807849 solved the problem for me. (Win7 x64)
    Tried every suggestion I found (ASP.Net temp folders, folder permissions, regsvr32...) before installing this hotfix. Nothing helped to solve the problem. Finally the hotfix did! (y)
    Is there any release date for Win7 SP2 yet? ;)
    Wednesday, July 16, 2014 6:27 AM