Volume shadow copy errors

[Bill Jones]

I've been using the built-in WinXP backup app to auto backup files every
evening. The volume shadow service allows for backup of open files, so you
don't have to shut everything down to get a full backup. It has been
working fine for quite a while. Today I was looking through the event logs
and noticed that starting on 11/13, I began to get VSS errors like this:

Volume Shadow Copy Service error: Shadow Copy writer EventLogs called
routine RegQueryValueExW which failed with status 0x80070002 (converted to
0x800423f4).

Apparently, VSS has got corrupted or something.

Now this problem is happening everyday and my backups are not working
correctly because open files are being ignored. This message is in the
logfile:

Error returned while creating the volume shadow copy:800423f4
Reverting to non-shadow copy backup mode.

I wasn't able to get a hit on this in the KB. Anyone know what might be
going on and how to fix it?

 

[Adi Oltean [MSFT]]

Hi Bill,

This is a problem with the Event Log writer - you migth end up with an
invalid event log.

I have two questions:

1) Did you install/uninstall any applications right before 11/13?

2) To narrow down the problem, can you run the three commands below
and cut & paste its output in your reply?

set KEYNAME=HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
reg.exe query %KEYNAME%
reg.exe query %KEYNAME% /s /v File /t REG_EXPAND_SZ

Thanks, Adi

P.S. This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[Bill Jones]

Nobody able to offer any help on this problem?

Bill

I've been using the built-in WinXP backup app to auto backup files every
evening. The volume shadow service allows for backup of open files, so you
don't have to shut everything down to get a full backup. It has been
working fine for quite a while. Today I was looking through the event logs
and noticed that starting on 11/13, I began to get VSS errors like this:

Volume Shadow Copy Service error: Shadow Copy writer EventLogs called
routine RegQueryValueExW which failed with status 0x80070002 (converted to
0x800423f4).

Apparently, VSS has got corrupted or something.

Now this problem is happening everyday and my backups are not working
correctly because open files are being ignored. This message is in the
logfile:

Error returned while creating the volume shadow copy:800423f4
Reverting to non-shadow copy backup mode.

I wasn't able to get a hit on this in the KB. Anyone know what might be
going on and how to fix it?

 

[Doug]

Try reinstalling the backup app
: Nobody able to offer any help on this problem?
:
: Bill
:
: : I've been using the built-in WinXP backup app to auto backup files
every
: evening. The volume shadow service allows for backup of open files,
so you
: don't have to shut everything down to get a full backup. It has been
: working fine for quite a while. Today I was looking through the event
logs
: and noticed that starting on 11/13, I began to get VSS errors like
this:
:
: Volume Shadow Copy Service error: Shadow Copy writer EventLogs called
: routine RegQueryValueExW which failed with status 0x80070002
(converted to
: 0x800423f4).
:
: Apparently, VSS has got corrupted or something.
:
: Now this problem is happening everyday and my backups are not working
: correctly because open files are being ignored. This message is in
the
: logfile:
:
: Error returned while creating the volume shadow copy:800423f4
: Reverting to non-shadow copy backup mode.
:
: I wasn't able to get a hit on this in the KB. Anyone know what might
be
: going on and how to fix it?
:

 

[=?Windows-1252?B?1L/UIE13cw==?=]

Search your registry for this entry in:
HKLM\System\CurrentControlSet\Services\COMSysApp\ImagePath

C:\WINDOWS\System32\dllhost.exe
/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

Morris

 

[=?iso-8859-1?B?1L/UIE13cw==?=]

Check for this entry in your registry at this section:
HKLM\System\CurrentControlSet\Services\COMSysApp\ImagePath =

C:\WINDOWS\System32\dllhost.exe
/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}


Morris

 

[Bill Jones]

Yes, that entry is there.

Bill

Check for this entry in your registry at this section:
HKLM\System\CurrentControlSet\Services\COMSysApp\ImagePath =

C:\WINDOWS\System32\dllhost.exe
/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}


Morris

 

[Bill Jones]

What is the backup app name? There's nothing named "backup.ex_" in I386 on
the CD.

Bill

Try reinstalling the backup app
: Nobody able to offer any help on this problem?
:
: Bill
:
: : I've been using the built-in WinXP backup app to auto backup files
every
: evening. The volume shadow service allows for backup of open files,
so you
: don't have to shut everything down to get a full backup. It has been
: working fine for quite a while. Today I was looking through the event
logs
: and noticed that starting on 11/13, I began to get VSS errors like
this:
:
: Volume Shadow Copy Service error: Shadow Copy writer EventLogs called
: routine RegQueryValueExW which failed with status 0x80070002
(converted to
: 0x800423f4).
:
: Apparently, VSS has got corrupted or something.
:
: Now this problem is happening everyday and my backups are not working
: correctly because open files are being ignored. This message is in
the
: logfile:
:
: Error returned while creating the volume shadow copy:800423f4
: Reverting to non-shadow copy backup mode.
:
: I wasn't able to get a hit on this in the KB. Anyone know what might
be
: going on and how to fix it?
:

 

[David Candy]

NTBackup.

 

[David Candy]

On home has to be installed seperately from the valueadd folder. Installed auto on pro. Type ntbackup in Start Run to see if installed or not..

 

[Adi Oltean [MSFT]]

[Reposting...]
called: routine RegQueryValueExW which failed with status 0x80070002
(converted to 0x800423f4).

This is a problem with the registry keys of the Event Log - namely
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog. The VSS error that
you are getting will appear whenever you have an invalid Event Log
type.

To determine which is the invalid event log key (and how to fix it),
can you run the three commands below and cut & paste its output in
your reply?

set KEYNAME=HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
reg.exe query %KEYNAME%
reg.exe query %KEYNAME% /s /v File /t REG_EXPAND_SZ


Thanks, Adi

P.S. This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[=?iso-8859-1?B?1L/UIE13cw==?=]

How about this key:

HKLM\System\CurrentControlSet\Services\SwPrv\ImagePath =
C:\WINDOWS\System32\dllhost.exe
/Processid:{D07C7E60-AA73-4F72-82F1-52841400616F}

 

[Bill Jones]

Yes, it's there also. But I have a different processid:
C:\WINDOWS\System32\dllhost.exe
/Processid:{97DA727E-0422-4627-9849-35A8825C09C0}

How about this key:

HKLM\System\CurrentControlSet\Services\SwPrv\ImagePath =
C:\WINDOWS\System32\dllhost.exe
/Processid:{D07C7E60-AA73-4F72-82F1-52841400616F}

 

[Bill Jones]

A problem with Eventlog? Are you sure? It seems like Eventlog is just
reporting the error that occurs in VSS (and open files not getting copied by
VSS).

Here is the output you requested. The last command didn't work. Since I
wasn't sure what you are looking for, I didn't try to make any changes to
it.
*******************************************
C:\>set KEYNAME=HKLM\SYSTEM\CurrentControlSet\Services\Eventlog

C:\>reg.exe query %KEYNAME%

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
Description REG_SZ Enables event log messages issued by Windows-based
programs and components to be viewed in Event Viewer. This service cannot be
stopped.

DisplayName REG_SZ Event Log
ErrorControl REG_DWORD 0x1
Group REG_SZ Event log
ImagePath REG_EXPAND_SZ %SystemRoot%\system32\services.exe
ObjectName REG_SZ LocalSystem
PlugPlayServiceType REG_DWORD 0x3
Start REG_DWORD 0x2
Type REG_DWORD 0x20
ComputerName REG_SZ ABCDEF

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

C:\>reg.exe query %KEYNAME% /s /v File /t REG_EXPAND_SZ

Error: Too many command-line parameters

C:\>
**************************************************

[Reposting...]
called: routine RegQueryValueExW which failed with status 0x80070002
(converted to 0x800423f4).

This is a problem with the registry keys of the Event Log - namely
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog. The VSS error that
you are getting will appear whenever you have an invalid Event Log
type.

To determine which is the invalid event log key (and how to fix it),
can you run the three commands below and cut & paste its output in
your reply?

set KEYNAME=HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
reg.exe query %KEYNAME%
reg.exe query %KEYNAME% /s /v File /t REG_EXPAND_SZ

Thanks, Adi

P.S. This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[Bill Jones]

Yes, NTBackup is installed. It works and runs every day. It is only the
VSS part of the system that appears not to be working for some reason.

On home has to be installed seperately from the valueadd folder. Installed
auto on pro. Type ntbackup in Start Run to see if installed or not..

 

[Adi Oltean [MSFT]]

Hi Bill,

Yes, this is a potential corruption of the Event Log registry keys.
My suspicion is the that the key
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus
is the problematic one.

To double-check, just list the key contents. If you do not see a
"File" registry value under this key, or if the "File" registry value
points to an invalid file, then you will have this VSS error.

Please you run this command and cut & paste the output in your reply:

REG.EXE QUERY HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus
/s


Thanks,
Adi

 

[Bill Jones]

Adi - Looks like you hit the bullseye!

On Nov. 12th, I installed Avast AV. The problem started on Nov 13th at the
next run of my backups. If this is an event log error, then are the backup
files correct (i.e were the open files actually backed up)? Is this
repairable by adding the file registry value? Can you tell me what that
value should be?

Here is the command output:
*****************************************
C:\>REG.EXE QUERY HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus
Sources REG_MULTI_SZ avast!\0Antivirus\0\0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus\avas
t!

C:\>
*****************************************
Bill

Hi Bill,

Yes, this is a potential corruption of the Event Log registry keys.
My suspicion is the that the key
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus
is the problematic one.

To double-check, just list the key contents. If you do not see a
"File" registry value under this key, or if the "File" registry value
points to an invalid file, then you will have this VSS error.

Please you run this command and cut & paste the output in your reply:

REG.EXE QUERY HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus
/s


Thanks,
Adi

 

[Adi Oltean [MSFT]]

Hi Bill,

One workaround would be to delete the Antivirus key completely, and
then retry the backup.

REG.EXE DELETE HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus


Thanks, Adi

P.S. This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[Bill Jones]

I unistalled Avast and the problem has been cleared up. No more error
messages in the logs. I checked the registry and the Antivirus key is gone.
I had other problems with Avast such as spikes in CPU use and slow shutdowns
that have also gone away since uninstall.

Thanks for your help!

Bill

Hi Bill,

One workaround would be to delete the Antivirus key completely, and
then retry the backup.

REG.EXE DELETE HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Antivirus


Thanks, Adi

P.S. This posting is provided "AS IS" with no warranties, and confers
no rights.