System State backup not working – CAPI2 Event ID 513

Today we present a case that is rarely encountered, but very interesting!

- Windows Server 2008 SSB (System State Backup) cannot be completed successfully
- The command 'vssadmin list writers' does not list the System Writer
- In the Application event log we see that the CAPI2 error is logged every time a backup operation is attempted
- If we run 'vssadmin list writers' in a CMD window, the CAPI2 error is logged again.

Log Name: Application
Source: Microsoft-Windows-Backup
Date: 1/19/2009 9:22:40 AM
Event ID: 517
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: example.ro
Description:
Backup started at '1/19/2009 7:22:20 AM' failed with following error code '2155348226' (System writer is not found in the backup.). Please rerun backup once issue is resolved.

Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: 1/19/2009 9:22:39 AM
Event ID: 513
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: example.ro
Description:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddCoreCsiFiles : BeginFileEnumeration() failed.

Additional information

In a Procmon trace we can see an ACCESS DENIED when accessing C:\Windows\winsxs\FileMaps:

6:00:00.4414783 PM svchost.exe 1100 IRP_MJ_CREATE C:\Windows\winsxs\FileMaps SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
6:00:00.4416639 PM svchost.exe 1100 IRP_MJ_DIRECTORY_CONTROL C:\Windows\winsxs\FileMaps SUCCESS Type: QueryDirectory, 1: .
6:00:00.4417860 PM svchost.exe 1100 IRP_MJ_DIRECTORY_CONTROL C:\Windows\winsxs\FileMaps SUCCESS Type: QueryDirectory, 1: ..
6:00:00.4418619 PM svchost.exe 1100 IRP_MJ_DIRECTORY_CONTROL C:\Windows\winsxs\FileMaps SUCCESS Type: QueryDirectory, 1: $$.cdf-ms
>> 6:00:00.4421635 PM svchost.exe 1100 IRP_MJ_CREATE C:\Windows\winsxs\FileMaps\$$.cdf-ms ACCESS DENIED Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
-> svchost.exe (PID 1100) is the process hosting the 'Cryptographic Service' service and runs in the Network Service context; Network Service has no access => the CAPI2 error (cryptographic service error) is logged
6:00:00.4423713 PM svchost.exe 1100 IRP_MJ_CLEANUP C:\Windows\winsxs\FileMaps SUCCESS
6:00:00.4424520 PM svchost.exe 1100 IRP_MJ_CLOSE C:\Windows\winsxs\FileMaps SUCCESS
6:00:00.4427127 PM svchost.exe 1100 Thread Create SUCCESS Thread ID: 6112
6:00:00.4447237 PM svchost.exe 212 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
6:00:00.4448050 PM svchost.exe 212 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Services\eventlog\Application\Microsoft-Windows-CAPI2 REPARSE Desired Access: Query Value
6:00:00.4448784 PM svchost.exe 212 RegOpenKey HKLM\System\CurrentControlSet\Services\eventlog\Application\Microsoft-Windows-CAPI2 SUCCESS Desired Access: Query Value
6:00:00.4449652 PM svchost.exe 212 RegCloseKey HKLM SUCCESS
6:00:00.4454629 PM lsass.exe 584 RegOpenKey HKLM\SECURITY\Policy SUCCESS Desired Access: Read/Write
6:00:00.4455197 PM svchost.exe 212 RegQueryValue HKLM\System\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-CAPI2\ProviderGuid SUCCESS Type: REG_SZ, Length: 78, Data: {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
6:00:00.4455348 PM lsass.exe 584 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Desired Access: Read
6:00:00.4456024 PM lsass.exe 584 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW Length: 12
6:00:00.4456184 PM svchost.exe 212 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
6:00:00.4456615 PM lsass.exe 584 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
6:00:00.4456896 PM svchost.exe 212 RegOpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb} SUCCESS Desired Access: Read

In an IDNA trace of the Cryptographic Services service we see that, while the System Writer is being queried, FileMaps is accessed, and 'vssadmin list writers' or the backup itself fails with Access Denied:

0210ea80 73d36efb sfc_os!CFilemapEnumerationLookupContext::OpenRelativeFile+0x49
0210eab0 73d372f2 sfc_os!CCiFileMapEnumContext::MoveToNextFileMapFile+0xa4
0210eae8 73d3699c sfc_os!BeginFileMapEnumerationInternal+0xae
0210eaf8 732916f3 sfc_os!BeginFileMapEnumeration+0x2b
0210eb4c 73293224 cryptsvc!CSystemWriter::AddCoreCsiFiles+0xf5
0210eb70 73293350 cryptsvc!CSystemWriter::AddCoreFiles+0x33
0210eb88 74fc5f45 cryptsvc!CSystemWriter::OnIdentify+0x7e
0210ebc8 74fce400 vssapi!CVssWriterImpl::OnIdentifyGuard+0x24
0210ecfc 74fd32cb vssapi!CVssWriterImpl::RequestWriterInfoInternal+0x8ff
0210ed44 76d631eb vssapi!CVssWriterImpl::RequestWriterInfo+0x3a
0210ed6c 76dd184f rpcrt4!Invoke+0x2a
0210f198 76dd2006 rpcrt4!NdrStubCall2+0x27b
0210f1e8 76a427f7 rpcrt4!CStdStubBuffer_Invoke+0xa0
0210f20c 77479759 oleaut32!CUnivStubWrapper::Invoke+0xc7
0210f254 774796f3 ole32!SyncStubInvoke+0x3c
0210f2a0 77399d67 ole32!StubInvoke+0xb9
0210f37c 77399c5c ole32!CCtxComChnl::ContextInvoke+0xfa
0210f398 774787a4 ole32!MTAInvoke+0x1a
0210f3c8 77479498 ole32!AppInvoke+0xaa
0210f4a4 77478780 ole32!ComInvokeWithLockAndIPID+0x32c

Solution

The permissions on FileMaps got corrupted one way or another... to reset them, the simplest option is to force inheritance:

takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\* /inheritance:e
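To confirm the diagnosis before touching anything, and to verify that the takeown/icacls fix actually took effect, the following PowerShell script is an added example (not part of the original post and not a Microsoft-provided tool). It assumes the Cryptographic Services host runs as NT AUTHORITY\NETWORK SERVICE (as described in the Procmon notes above), that $env:windir is the Windows directory, and that it is run from an elevated PowerShell window so that vssadmin and Get-Acl on the winsxs tree succeed. It checks three things: whether CAPI2 Event ID 513 is present in the Application log, whether vssadmin currently lists the System Writer, and whether inheritance is enabled and NETWORK SERVICE holds read access on the FileMaps directory and each file in it (only files that still fail the check are printed).

```powershell
# Added diagnostic example for the CAPI2 513 / missing System Writer symptom.
# Assumptions (not from the original post): the identity that must read
# FileMaps is NT AUTHORITY\NETWORK SERVICE; run elevated.

$fileMaps = Join-Path $env:windir 'winsxs\FileMaps'
$account  = 'NT AUTHORITY\NETWORK SERVICE'

# 1. Recent CAPI2 Event ID 513 entries in the Application log (the symptom).
$capi2 = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 513
} -MaxEvents 5 -ErrorAction SilentlyContinue)
if ($capi2.Count -gt 0) {
    Write-Host "CAPI2 513 found $($capi2.Count) time(s); most recent: $($capi2[0].TimeCreated)"
} else {
    Write-Host 'No CAPI2 513 events found in the Application log.'
}

# 2. Is the System Writer registered with VSS right now?
#    (Running vssadmin also triggers a fresh CAPI2 513 if the problem persists.)
$writers = & vssadmin list writers 2>&1 | Out-String
$systemWriterPresent = $writers -match "Writer name: 'System Writer'"
Write-Host "System Writer listed by vssadmin: $systemWriterPresent"

# 3. ACL state: is inheritance enabled, and does the service identity hold
#    at least ReadData on the path? After 'icacls /inheritance:e' both should
#    be true for the directory and for every file under it.
function Test-FileMapsAccess {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    $inheritanceEnabled = -not $acl.AreAccessRulesProtected
    $readRule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    New-Object PSObject -Property @{
        Path               = $Path
        InheritanceEnabled = $inheritanceEnabled
        IdentityCanRead    = [bool]$readRule
    }
}

Write-Host "ACL check on $fileMaps for $account"
Test-FileMapsAccess -Path $fileMaps -Identity $account | Format-List

# Files inside FileMaps that still deny the identity read access or have
# inheritance disabled (e.g. $$.cdf-ms from the Procmon trace above).
Get-ChildItem -Path $fileMaps -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Test-FileMapsAccess -Path $_.FullName -Identity $account } |
    Where-Object { -not $_.InheritanceEnabled -or -not $_.IdentityCanRead } |
    Format-Table Path, InheritanceEnabled, IdentityCanRead -AutoSize
```

Run the script once before the fix (expect CAPI2 513 entries, no System Writer, and files listed in the last table) and once after takeown/icacls (expect the System Writer to be listed and the last table to be empty); if files are still reported, the inherited ACE from the parent directory itself does not grant NETWORK SERVICE read access and the parent's permissions need the same treatment.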

Oni Sandru
- Support Engineer / Enterprise Platforms Support (Core)