Today we present a case that is rarely encountered, but very interesting!

- A Windows Server 2008 SSB (System State Backup) cannot be completed successfully
- The command 'vssadmin list writers' does not list the System Writer
- In the Application event log we see a CAPI2 error logged every time a backup operation is attempted
- If we run 'vssadmin list writers' in a CMD, the CAPI2 error is logged again.


Log Name:      Application
Source:        Microsoft-Windows-Backup
Date:          1/19/2009 9:22:40 AM
Event ID:      517
Task Category: None
Level:         Error
Keywords:     
User:          SYSTEM
Computer:      example.ro
Description:
Backup started at '1/19/2009 7:22:20 AM' failed with following error code '2155348226' (System writer is not found in the backup.). Please rerun backup once issue is resolved.


Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          1/19/2009 9:22:39 AM
Event ID:      513
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      example.ro
Description:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddCoreCsiFiles : BeginFileEnumeration() failed.


Additional information

In a Procmon trace an ACCESS DENIED can be seen when C:\Windows\winsxs\FileMaps is accessed:

6:00:00.4414783 PM          svchost.exe         1100      IRP_MJ_CREATE    C:\Windows\winsxs\FileMaps           SUCCESS           Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
6:00:00.4416639 PM          svchost.exe         1100      IRP_MJ_DIRECTORY_CONTROL         C:\Windows\winsxs\FileMaps           SUCCESS            Type: QueryDirectory, 1: .
6:00:00.4417860 PM          svchost.exe         1100      IRP_MJ_DIRECTORY_CONTROL         C:\Windows\winsxs\FileMaps           SUCCESS            Type: QueryDirectory, 1: ..
6:00:00.4418619 PM          svchost.exe         1100      IRP_MJ_DIRECTORY_CONTROL         C:\Windows\winsxs\FileMaps           SUCCESS            Type: QueryDirectory, 1: $$.cdf-ms
>> 6:00:00.4421635 PM          svchost.exe         1100      IRP_MJ_CREATE    C:\Windows\winsxs\FileMaps\$$.cdf-ms         ACCESS DENIED            Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
-> svchost.exe (PID 1100) is the process hosting the 'Cryptographic Service' service and runs in the Network Service context; Network Service does not have access -> the CAPI2 error (cryptographic service error) is logged
6:00:00.4423713 PM          svchost.exe         1100      IRP_MJ_CLEANUP  C:\Windows\winsxs\FileMaps           SUCCESS           
6:00:00.4424520 PM          svchost.exe         1100      IRP_MJ_CLOSE     C:\Windows\winsxs\FileMaps           SUCCESS
6:00:00.4427127 PM          svchost.exe         1100      Thread Create                  SUCCESS            Thread ID: 6112
6:00:00.4447237 PM          svchost.exe         212        RegOpenKey        HKLM     SUCCESS            Desired Access: Maximum Allowed, Granted Access: Read
6:00:00.4448050 PM          svchost.exe         212        RegOpenKey            HKLM\SYSTEM\CurrentControlSet\Services\eventlog\Application\Microsoft-Windows-CAPI2      REPARSE Desired Access: Query Value
6:00:00.4448784 PM          svchost.exe         212        RegOpenKey            HKLM\System\CurrentControlSet\Services\eventlog\Application\Microsoft-Windows-CAPI2      SUCCESS            Desired Access: Query Value
6:00:00.4449652 PM          svchost.exe         212        RegCloseKey        HKLM     SUCCESS
6:00:00.4454629 PM          lsass.exe 584        RegOpenKey        HKLM\SECURITY\Policy       SUCCESS            Desired Access: Read/Write
6:00:00.4455197 PM          svchost.exe         212        RegQueryValue            HKLM\System\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-CAPI2\ProviderGuid            SUCCESS            Type: REG_SZ, Length: 78, Data: {5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}
6:00:00.4455348 PM          lsass.exe 584        RegOpenKey        HKLM\SECURITY\Policy\SecDesc       SUCCESS            Desired Access: Read
6:00:00.4456024 PM          lsass.exe 584        RegQueryValue     HKLM\SECURITY\Policy\SecDesc\(Default)      BUFFER OVERFLOW            Length: 12
6:00:00.4456184 PM          svchost.exe         212        RegOpenKey        HKLM     SUCCESS            Desired Access: Maximum Allowed, Granted Access: Read
6:00:00.4456615 PM          lsass.exe 584        RegCloseKey        HKLM\SECURITY\Policy\SecDesc       SUCCESS
6:00:00.4456896 PM          svchost.exe         212        RegOpenKey            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}        SUCCESS            Desired Access: Read

In an iDNA trace of the cryptographic service we can see that, while enumerating the System Writer, FileMaps is accessed, and 'vssadmin list writers' or the backup itself fails with Access Denied:

0210ea80 73d36efb sfc_os!CFilemapEnumerationLookupContext::OpenRelativeFile+0x49
0210eab0 73d372f2 sfc_os!CCiFileMapEnumContext::MoveToNextFileMapFile+0xa4
0210eae8 73d3699c sfc_os!BeginFileMapEnumerationInternal+0xae
0210eaf8 732916f3 sfc_os!BeginFileMapEnumeration+0x2b
0210eb4c 73293224 cryptsvc!CSystemWriter::AddCoreCsiFiles+0xf5
0210eb70 73293350 cryptsvc!CSystemWriter::AddCoreFiles+0x33
0210eb88 74fc5f45 cryptsvc!CSystemWriter::OnIdentify+0x7e         
0210ebc8 74fce400 vssapi!CVssWriterImpl::OnIdentifyGuard+0x24
0210ecfc 74fd32cb vssapi!CVssWriterImpl::RequestWriterInfoInternal+0x8ff
0210ed44 76d631eb vssapi!CVssWriterImpl::RequestWriterInfo+0x3a
0210ed6c 76dd184f rpcrt4!Invoke+0x2a
0210f198 76dd2006 rpcrt4!NdrStubCall2+0x27b
0210f1e8 76a427f7 rpcrt4!CStdStubBuffer_Invoke+0xa0
0210f20c 77479759 oleaut32!CUnivStubWrapper::Invoke+0xc7
0210f254 774796f3 ole32!SyncStubInvoke+0x3c
0210f2a0 77399d67 ole32!StubInvoke+0xb9
0210f37c 77399c5c ole32!CCtxComChnl::ContextInvoke+0xfa
0210f398 774787a4 ole32!MTAInvoke+0x1a
0210f3c8 77479498 ole32!AppInvoke+0xaa
0210f4a4 77478780 ole32!ComInvokeWithLockAndIPID+0x32c

Solution

The permissions on FileMaps were corrupted one way or another... to reset them, the simplest option is to force inheritance:

takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\* /inheritance:e
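The following PowerShell script is an added example and is not part of the original post; it turns the diagnosis above into a repeatable check. It inspects the ACLs on %windir%\winsxs\FileMaps for the conditions that produce the trace above (inheritance disabled, or no read access for NT AUTHORITY\NETWORK SERVICE or a group it belongs to), checks whether 'vssadmin list writers' reports the System Writer, counts recent CAPI2 event 513 entries, and, only when run with -Repair, executes the same takeown/icacls commands as the post. The parameter names, function names and the list of group identities treated as equivalent to NETWORK SERVICE are assumptions of this example.

```powershell
# Added example (not the original post's code). Run from an elevated PowerShell
# on the affected server. Without -Repair it only reports; with -Repair it runs
# the takeown/icacls reset from the post and re-checks.
param(
    [string]$FileMaps = (Join-Path $env:windir 'winsxs\FileMaps'),
    [switch]$Repair
)

# cryptsvc runs as NETWORK SERVICE; these are the identities through which it
# normally receives read access on files under %windir% (assumption: Deny ACEs
# for any of them are treated as a problem, explicit Allow for any as sufficient).
$svcIdentities = @(
    'NT AUTHORITY\NETWORK SERVICE',
    'NT AUTHORITY\SERVICE',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)

function Test-FileMapsAcl {
    param([string]$Path)
    $problems = @()
    foreach ($item in Get-ChildItem -Path $Path -Force) {
        $acl = Get-Acl -Path $item.FullName
        # Inheritance switched off is exactly what 'icacls /inheritance:e' reverts.
        if ($acl.AreAccessRulesProtected) {
            $problems += "$($item.Name): inheritance is disabled"
        }
        $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
        $allow = $false
        $deny  = $false
        foreach ($ace in $acl.Access) {
            if (-not ($svcIdentities -contains $ace.IdentityReference.Value)) { continue }
            if (($ace.FileSystemRights -band $readData) -eq 0) { continue }
            if ($ace.AccessControlType -eq 'Allow') { $allow = $true }
            if ($ace.AccessControlType -eq 'Deny')  { $deny  = $true }
        }
        if ($deny)       { $problems += "$($item.Name): explicit Deny of ReadData for a service identity" }
        if (-not $allow) { $problems += "$($item.Name): no ReadData grant reachable by NETWORK SERVICE" }
    }
    return $problems
}

function Test-SystemWriter {
    # vssadmin prints one "Writer name: '<name>'" block per registered writer.
    $output = & vssadmin list writers 2>&1 | Out-String
    return ($output -match "Writer name: 'System Writer'")
}

function Get-Capi2Errors {
    param([int]$Hours = 24)
    # Event 513 from Microsoft-Windows-CAPI2 is the error shown in the post.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CAPI2'
        Id           = 513
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

function Show-Status {
    $issues = @(Test-FileMapsAcl -Path $FileMaps)
    if ($issues.Count -eq 0) {
        Write-Output "FileMaps ACLs: OK for NETWORK SERVICE ($FileMaps)"
    } else {
        $issues | ForEach-Object { Write-Output "FileMaps ACL problem: $_" }
    }
    if (Test-SystemWriter) { Write-Output "System Writer: listed by vssadmin" }
    else                   { Write-Output "System Writer: NOT listed by vssadmin" }
    $count = @(Get-Capi2Errors).Count
    Write-Output "CAPI2 event 513 entries in the last 24h: $count"
}

Show-Status

if ($Repair) {
    # The two commands from the post: ownership to Administrators, then
    # re-enable inheritance so the parent's ACEs flow back onto the files.
    & takeown /f "$FileMaps\*" /a | Out-Null
    & icacls "$FileMaps\*" /inheritance:e | Out-Null
    Write-Output "Repair applied; re-checking:"
    Show-Status
}
```

Run it once without -Repair to confirm the ACL findings line up with the Procmon and event log evidence before changing anything; note that 'takeown /a' transfers ownership of the files to the Administrators group, so the ownership shown in the re-check will differ from the original TrustedInstaller ownership even though the effective read access is restored through inheritance. Re-running 'vssadmin list writers' afterwards should show the System Writer and stop producing new CAPI2 513 events.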

Oni Sandru
- Support Engineer / Enterprise Platforms Support (Core)