Personal computing discussed

 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Who is opening Volume Shadow Copies?!

Sun Mar 13, 2016 1:55 pm

Okay, this is driving me insane.

Something in my system is opening Volume Shadow Copies (disk snapshots) and not releasing them for days on end. The snapshots are opened at random times during the day—they don't match up any scheduled tasks.

I've downloaded several utilities and even went as far as making a custom Powershell script to try and track down the culprit, but apparently you can get all sorts of information about a disk snapshot, except what the f*** opened it. So the question is, how do I do this? Is there any way at all?

Some of you may be thinking "just let it be," but that don't work. Disk space slowly goes down, and the other day I had a very "fun" crash. I was firing up some VMs for updates, so the PC started paging a little. With the disk snapshots going on, the pagefile suddenly couldn't grow, so I ran out of disk and RAM at the same time. I saw error messages and behaviors that would have been funny if they weren't so scary. Luckily my system survived.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
Dposcorp
Minister of Gerbil Affairs
Posts: 2771
Joined: Thu Dec 27, 2001 7:00 pm
Location: Detroit, Michigan

Re: Who is opening Volume Shadow Copies?!

Sun Mar 13, 2016 2:30 pm

What OS is it and what hardware?

I found a lot of info on the net of people having errors with various tools and solutions.
Seems like a lot of different software can hook in and use the volume shadow service, so it may be a piece of non-MS software.
I am sure you searched as well, but just in case you missed it, these look like good links to look at.

http://kb.macrium.com/knowledgebasearticle50010.aspx

https://support.software.dell.com/kb/117647

https://www.storagecraft.com/support/kb/article/32

http://support.wdc.com/KnowledgeBase/an ... x?ID=10039

http://auapps.american.edu/jpnolan/www/ ... oblem.html
 
Deanjo
Graphmaster Gerbil
Posts: 1212
Joined: Tue Mar 03, 2009 11:31 am

Re: Who is opening Volume Shadow Copies?!

Sun Mar 13, 2016 2:39 pm

Could be a backup program, your VM software or Windows own file history.
Last edited by Deanjo on Sun Mar 13, 2016 2:42 pm, edited 1 time in total.
 
DancinJack
Maximum Gerbil
Posts: 4494
Joined: Sat Nov 25, 2006 3:21 pm
Location: Kansas

Re: Who is opening Volume Shadow Copies?!

Sun Mar 13, 2016 2:41 pm

Before I even opened this thread i thought it was VM related.
i7 6700K - Z170 - 16GiB DDR4 - GTX 1080 - 512GB SSD - 256GB SSD - 500GB SSD - 3TB HDD- 27" IPS G-sync - Win10 Pro x64 - Ubuntu/Mint x64 :: 2015 13" rMBP Sierra :: Canon EOS 80D/Sony RX100
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Who is opening Volume Shadow Copies?!

Sun Mar 13, 2016 8:04 pm

Dposcorp wrote:
What OS is it and what hardware?

Windows 10, regular hardware. SATA SSD (840 EVO), Core i5-2500K, 16GB RAM, GTX 970.

Deanjo wrote:
Could be a backup program, your VM software or Windows own file history.

1) Backup program = I have FBackup and Macrium Reflect, both set to trigger at around 6-7am. Unfortunately, the snapshots open at random times of the day.

2) As for VM software, I'm currently using VMWare Workstation, but it's off until I bring it up specifically. I don't keep VMs running in the background except for the odd occasion.

3) Windows' own file history - I have a gut feeling this may be related to System Restore just deciding it can't finish its operations for some reason, but that sends me back to square one: what opened the snapshot in the first place?


I'd already checked out most of Dposcorp's links, but one of them mentioned a "vshadow.exe" utility that's contained in the Windows SDK. I'm installing it as we speak, perhaps that may shed some more light on the subject.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Who is opening Volume Shadow Copies?!

Sun Mar 13, 2016 8:07 pm

Addendum: the shadow copy provider is "Microsoft Shadow Copy Service", which tells me nothing either :s
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
MarkG509
Gerbil Elite
Posts: 744
Joined: Thu Feb 21, 2013 6:51 pm

Re: Who is opening Volume Shadow Copies?!

Sun Mar 13, 2016 8:15 pm

Have you tried: Sysinternals File and Disk Utilities? Particularly: AccessChk, AccessEnum, PsFile and especially Handle.
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Who is opening Volume Shadow Copies?!

Sun Mar 13, 2016 8:20 pm

MarkG509 wrote:
Have you tried: Sysinternals File and Disk Utilities? Particularly: AccessChk, AccessEnum, PsFile and especially Handle.

I've tried Process Explorer (which is the GUI version of Handle), but as far as I know it doesn't have any section meant to deal with VSCs specifically. Or does the VSC service create some file on disk that refers to an existing shadow copy, that I can then inspect to see who owns it?

In the meantime, I used vshadow.exe to list all VSC writers' states. I disabled Windows Search and will see if that's the culprit. If it is, then it'll show that ever since Windows XP, MS could never get that thing working right.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Who is opening Volume Shadow Copies?!

Thu Mar 17, 2016 5:20 pm

Alas, it was not Windows Search.

Crap. Don't know how to deal with this.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: Who is opening Volume Shadow Copies?!

Sat Mar 19, 2016 11:35 am

All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: Who is opening Volume Shadow Copies?!

Sat Mar 19, 2016 12:04 pm

 
BIF
Minister of Gerbil Affairs
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Re: Who is opening Volume Shadow Copies?!

Sun Mar 20, 2016 6:23 pm

I'd be interested to learn if it happens with all accounts or your everyday account. Can you log on with a new Admin account and see if the behavior still happens? Try again with a new Standard User account and see if the behavior still happens.

This alternative is tongue-in-cheek. A little bit.

0. Backup everything.
1. Protect the VSS services or assets as needed from EVERYTHING and EVERYBODY except for your admin id.
2. See who crashes.
3. If you get bluescreens, restore from backup in 0 above.
 
DragonDaddyBear
Gerbil Elite
Posts: 985
Joined: Fri Jan 30, 2009 8:01 am

Re: Who is opening Volume Shadow Copies?!

Sun Mar 20, 2016 6:36 pm

Crank up auditing for user activity and check Event Viewer Security logs.
 
MarkG509
Gerbil Elite
Posts: 744
Joined: Thu Feb 21, 2013 6:51 pm

Re: Who is opening Volume Shadow Copies?!

Sun Mar 20, 2016 6:48 pm

Losergamer04 wrote:
Crank up auditing for user activity and check Event Viewer Security logs.
Have things like malware scanning for personal/exploitable info been excluded? Hooking VSS would be a rather sophisticated vector, but if it goes that far, hiding its own tracks wouldn't be out of the question.
 
BIF
Minister of Gerbil Affairs
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Re: Who is opening Volume Shadow Copies?!

Sun Mar 20, 2016 6:52 pm

MarkG509 wrote:
Losergamer04 wrote:
Crank up auditing for user activity and check Event Viewer Security logs.
Have things like malware scanning for personal/exploitable info been excluded? Hooking VSS would be a rather sophisticated vector, but if it goes that far, hiding its own tracks wouldn't be out of the question.


This! I was just thinking that.

I still vote for hard physical punishment for viruseers.
 
MarkG509
Gerbil Elite
Posts: 744
Joined: Thu Feb 21, 2013 6:51 pm

Re: Who is opening Volume Shadow Copies?!

Sun Mar 20, 2016 7:12 pm

BIF wrote:
I still vote for hard physical punishment for viruseers.
No O/S should make it this hard to completely understand what's going on and why, especially in this age of malware.
[I was about to get graphic/disgusting in support of the physical-punishment comment, but thought better.]
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Who is opening Volume Shadow Copies?!

Sun Mar 20, 2016 7:17 pm

MarkG509 wrote:
No O/S should make it this hard to completely understand what's going on and why, especially in this age of malware.

Unfortunately, all modern OSes are complicated enough that having a hard time understanding what's going on when strange things happen is a fact of life.
Nostalgia isn't what it used to be.
 
DragonDaddyBear
Gerbil Elite
Posts: 985
Joined: Fri Jan 30, 2009 8:01 am

Re: Who is opening Volume Shadow Copies?!

Mon Mar 21, 2016 7:15 am

MarkG509 wrote:
Losergamer04 wrote:
Crank up auditing for user activity and check Event Viewer Security logs.
Have things like malware scanning for personal/exploitable info been excluded? Hooking VSS would be a rather sophisticated vector, but if it goes that far, hiding its own tracks wouldn't be out of the question.


I didn't want to sound alarmist and suggest malware. It's possible, but I don't think it's likely. It's true that malware can use shadow copies. I've used it to get by my own AV to get to the .dit and sam files for offline password cracking. To the point, though, if it were malware sophisticated enough to cover its tracks so well then it wouldn't give itself away so easily and fill up the disk.
 
Deanjo
Graphmaster Gerbil
Posts: 1212
Joined: Tue Mar 03, 2009 11:31 am

Re: Who is opening Volume Shadow Copies?!

Mon Mar 21, 2016 8:18 am

just brew it! wrote:
MarkG509 wrote:
No O/S should make it this hard to completely understand what's going on and why, especially in this age of malware.

Unfortunately, all modern OSes are complicated enough that having a hard time understanding what's going on when strange things happen is a fact of life.


Not really, pretty dang easy to get an idea what is going on in *nix land (linux, OS X, BSD, etc) with the logs they provide. Windows logging just sucks with cryptic and ambiguous messages.
 
SuperSpy
Minister of Gerbil Affairs
Posts: 2403
Joined: Thu Sep 12, 2002 9:34 pm
Location: TR Forums

Re: Who is opening Volume Shadow Copies?!

Mon Mar 21, 2016 8:28 am

Deanjo wrote:
just brew it! wrote:
MarkG509 wrote:
No O/S should make it this hard to completely understand what's going on and why, especially in this age of malware.

Unfortunately, all modern OSes are complicated enough that having a hard time understanding what's going on when strange things happen is a fact of life.


Not really, pretty dang easy to get an idea what is going on in *nix land (linux, OS X, BSD, etc) with the logs they provide. Windows logging just sucks with cryptic and ambiguous messages.

I don't know what you guys are talking about. HRESULT = 0x80131047 is all I need to figure out the answer to anything.
Desktop: i7-4790K @4.8 GHz | 32 GB | EVGA Gefore 1060 | Windows 10 x64
Laptop: MacBook Pro 2017 2.9GHz | 16 GB | Radeon Pro 560
 
Dposcorp
Minister of Gerbil Affairs
Posts: 2771
Joined: Thu Dec 27, 2001 7:00 pm
Location: Detroit, Michigan

Re: Who is opening Volume Shadow Copies?!

Mon Mar 21, 2016 10:21 am

Keep us updated on this........I am kinda curious in case this happens to me.
 
ThatStupidCat
Gerbil Team Leader
Posts: 272
Joined: Wed Jul 03, 2013 11:18 am
Location: your litterbox

Re: Who is opening Volume Shadow Copies?!

Mon Mar 21, 2016 11:05 am

You can test it by turning off System Protect/System Restore if you're comfortable with that and see what happens. But before doing that maybe check and see if OneDrive (SkyDrive) is active. I'm not familiar with the exact workings of Windows 10 (yet) so this is the best I can offer. Anyway, I had a Win 7 that kept grinding the hard drive and the system restore would grow 3-5 gigs within 2 hours. Turned system restore off and it stopped. Of course yours can be something else but just sharing what happened on my end.
I'm clueless about computers.
Smoking catnip in the litterbox.
 
MarkG509
Gerbil Elite
Posts: 744
Joined: Thu Feb 21, 2013 6:51 pm

Re: Who is opening Volume Shadow Copies?!

Tue Mar 22, 2016 12:49 am

From gHacks: Find out what happened recently on your Windows PC. Perhaps the first 2 may be of interest. I have not used/tried any of these myself, but have used other NirSoft stuff in the past.
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Who is opening Volume Shadow Copies?!

Wed Mar 23, 2016 8:23 pm

MarkG509, "LastActivityView" was a real good tip. :) It let me find the problem indirectly, because no matter which tools I used, "who is holding a VSC open" doesn't have an answer that I could find.

Here's what I found, after noticing another open disk snapshot: https://www.dropbox.com/s/h79kh6f6qt6tm ... g.png?dl=0

And now the culprit is more or less found, but I'm still looking for a motive. It seems to be a software installation (vcredist.exe) in this exact case, which triggers System Restore. Two questions now.

1) Who is exactly starting this whole deal? Windows Update would be my immediate guess. According to WU itself, last check was at 23:36, roughly five minutes before the restore point was created and a VSC was opened.
2) Why isn't the VSC closed after use?
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
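An added example, not a script from this thread or from morphine: Windows does not record which process holds a shadow copy open, but the System Restore and Windows Update events logged just before a snapshot was created usually identify the trigger (the restore-point event names the requesting process in its message). This PowerShell script lists every shadow copy with its age and drive and prints those nearby events; `$windowMinutes` is an assumed, tunable value and the provider-name pattern is an assumption chosen to match both "System Restore" and "SystemRestore".

```powershell
# Added example (not from the thread): correlate each Volume Shadow Copy with the
# System Restore, VSS and Windows Update events logged shortly before its creation.
# Run from an elevated PowerShell prompt on Windows 10.
$windowMinutes = 10   # assumption: how far back to look before each snapshot

# Map \\?\Volume{GUID}\ device paths to drive letters for readable output.
$driveByDevice = @{}
Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter } |
    ForEach-Object { $driveByDevice[$_.DeviceID] = $_.DriveLetter }

$now = Get-Date
$report = foreach ($sc in Get-CimInstance -ClassName Win32_ShadowCopy) {
    $created = $sc.InstallDate      # Get-CimInstance already converts the CIM datetime
    $start   = $created.AddMinutes(-$windowMinutes)

    # Pull only events inside the window, then keep the providers that matter here.
    # Provider-name regex is an assumption covering "System Restore"/"SystemRestore".
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = @('Application', 'System')
                  StartTime = $start
                  EndTime   = $created.AddMinutes(1)
              } -ErrorAction SilentlyContinue |
              Where-Object { $_.ProviderName -match 'System ?Restore|^VSS$|WindowsUpdateClient' } |
              Sort-Object TimeCreated

    [pscustomobject]@{
        Created    = $created
        AgeDays    = [math]::Round(($now - $created).TotalDays, 1)
        Drive      = $driveByDevice[$sc.VolumeName]
        ShadowID   = $sc.ID
        Persistent = $sc.Persistent
        # One line per event: time, source, event id, first line of the message
        Events     = $events | ForEach-Object {
            '{0:HH:mm:ss} {1} #{2}: {3}' -f $_.TimeCreated, $_.ProviderName, $_.Id,
                ($_.Message -split "`r?`n")[0]
        }
    }
}

# Snapshots that are days old and were created next to a restore-point or
# Windows Update event, rather than a backup job, are the ones to investigate.
$report | Sort-Object Created | ForEach-Object {
    '{0}  {1}  age {2} d  {3}' -f $_.Created, $_.Drive, $_.AgeDays, $_.ShadowID
    $_.Events | ForEach-Object { '    ' + $_ }
}
```

Compare the printed creation times against the scheduled backup windows (6-7am here) to separate backup-job snapshots from the stray ones.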
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Who is opening Volume Shadow Copies?!

Wed Mar 23, 2016 8:37 pm

morphine wrote:
...
2) Why isn't the VSC closed after use?

Because Windows Update?

WU seems to be the very definition of "software train wreck".
Nostalgia isn't what it used to be.
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Who is opening Volume Shadow Copies?!

Wed Mar 23, 2016 8:44 pm

just brew it! wrote:
Because Windows Update?

Well yeah, but bear with me. Windows Update pulls whatever installer. Since installing software in Windows automatically triggers the creation of a restore point (and well it should), SR kicks in and snapshots the disk. Why doesn't it ever end (apparently)?
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: Who is opening Volume Shadow Copies?!

Wed Mar 23, 2016 8:49 pm

vcredist is the Visual Studio Redistributable.

While Windows Update can apply security updates to vcredist, the only reason it would keep doing it over and over again would presumably be a failed update.

Steam also would try to run VCRedist during the install of a game. If you run a game, get a UAC prompt, and then hit no, that might be cancelling a vcredist install.

Whole thing is weird. Based on the picture, it's VC 2012. Both the package cache and something in the softwaredist\downloads is kicking off.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
MarkG509
Gerbil Elite
Posts: 744
Joined: Thu Feb 21, 2013 6:51 pm

Re: Who is opening Volume Shadow Copies?!

Thu Mar 24, 2016 7:51 am

morphine wrote:
2) Why isn't the VSC closed after use?
Glad it helped! I may grab all those tools for future reference.
Oh, and Phew that it's not malware (unless you consider Windows itself to be malware, or more like not-as-good-as-it-used-to-be-ware :evil: ).

So, is WU leaking file handles when stuff like VCRedist updates fail? I wonder for how many years MSFT will ignore that bug?
Just thinking out loud (volume due to the mechanical keyboard), I wonder if turning off "Update other products from MSFT" in WU would reduce/eliminate the leak. Maybe try that temporarily?!?!
 
MarkG509
Gerbil Elite
Posts: 744
Joined: Thu Feb 21, 2013 6:51 pm

Re: Who is opening Volume Shadow Copies?!

Thu Mar 24, 2016 8:05 am

Ryu Connor wrote:
Based on the picture, it's VC 2012. Both the package cache and something in the softwaredist\downloads is kicking off.
I'm sure I'll never find it (perhaps you know off the top of your head), but there's a magic command line thing that can be run from an Admin command prompt that scans for broken or out-of-date installations and/or broken updates, clears some cache, and tries to decide if it wasn't really a problem anyway. I have had to run this in the past when WU was throwing cryptic error codes. As I recall, it took a long time (~15mins) to run, but worked (at least in so far as I stopped getting the annoying error codes and WU seemed less unhappy).

Edit: Maybe I was thinking about SFC /SCANNOW?
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: Who is opening Volume Shadow Copies?!

Thu Mar 24, 2016 9:34 am

-You might also be thinking of the Readiness Tool.

https://support.microsoft.com/en-us/kb/947821

-As for a busted installer, couple of places to purge to clean out the installation files.

x:\users\<username>\local\appdata\temp
x:\windows\temp
x:\windows\softwaredistribution\downloads
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.