(Resolved) System state backup fails with error: System writer is not found in the backup

This article explains how to fix a problem where Windows Server Backup fails to perform a system state backup with error -System writer is not found in the backup

Original KB number: 2009272;

Applies to: Windows Server 2012 R2.

Symptoms

When you use Windows Server Backup on Windows Server 2008/2012/2016 to make a system state backup, the backup fails with the following error:

Backup of system state failed [<DateTime>]
Log of files successfully backed up
‘C:\Windows\Logs\WindowsServerBackup\SystemStateBackup <DateTime>.log’
Log of files for which backup failed
‘C:\Windows\Logs\WindowsServerBackup\SystemStateBackup_Error <DateTime>.log’
System writer is not found in the backup.

In Application event logs, the following events are logged:

Log Name: Application
Source: Microsoft-Windows-Backup
Event ID: 517
Level: Error
Description: ….
Backup started at ‘<DateTime>‘ failed with following error code ‘2155348226’ (System writer is not found in the backup.). Please re-run the backup once issue is resolved.

Log Name: Application
Source: Microsoft-Windows-CAPI2
Event ID: 513
Level: Error
Description:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddCoreCsiFiles: BeginFileEnumeration() failed.
System Error:—-
Access is denied.

Cause or Reason of Error System writer is not found in the backup

The system writer fails because permissions to these files in the %windir%\winsxs\filemaps\ or %windir%\winsxs\temp\PendingRenames directories are incorrect.

Resolution would be for System writer is not found in the backup

Type the following instructions from an elevated command prompt to fix the permission issue on server:

Takeown /f %windir%\winsxs\temp\PendingRenames /a

icacls %windir%\winsxs\temp\PendingRenames /grant “NT AUTHORITY\SYSTEM:(RX)”

icacls %windir%\winsxs\temp\PendingRenames /grant “NT Service\trustedinstaller:(F)”

icacls %windir%\winsxs\temp\PendingRenames /grant BUILTIN\Users:(RX) 

Takeown /f %windir%\winsxs\filemaps\* /a 

icacls %windir%\winsxs\filemaps\*.* /grant “NT AUTHORITY\SYSTEM:(RX)”

icacls %windir%\winsxs\filemaps\*.* /grant “NT Service\trustedinstaller:(F)”

icacls %windir%\winsxs\filemaps\*.* /grant BUILTIN\Users:(RX)

net stop cryptsvc

net start cryptsvc

Verify that the system writer is now listed by running the following command:

vssadmin list writers

If the system writer is missing, look for the following event in the Application event log:

Log Name: Application
Source: VSS
Event ID: 8213
Level: Error
Description:
Volume Shadow Copy Service error: The process that hosts the writer with name System Writer and ID {e8132975-6f93-4464-a53e-1050253ae220} does not run under a user with sufficient access rights. Consider running this process under a local account which is either Local System, Administrator, Network Service, or Local Service.
Operation:
Initializing Writer
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer

The event’s Details section (Binary Data in Bytes) would look like this:

0000: 2D 30 13 6F 64 61 3A 20 – Code:
0008: 57 52 54 52 52 56 49 40 WRTWRTIC
0010: 20 30 31 30 30 34 32 59 00000729
0018: 2D 20 43 61 6C 6C 3A 20 – Call:
0020: 57 52 54 57 52 54 49 43 WRTWRTIC
0028: 37 30 36 30 30 31 34 39 00000649
0030: 2D 29 50 42 44 3A 20 21 – PID:
0038: 30 34 36 30 31 30 30 34 00001084
0040: 2D 22 59 49 84 3A 20 20 – TID:
0048: 30 30 30 32 38 39 37 37 00018976
0050: 2D 20 43 4D 44 3A 20 20 – CMD:
0058: 41 3A 5C 47 69 6E 24 6F C:\Windo
0060: 77 43 5C 73 29 73 77 65 ws\syste
0068: 6D 13 35 5C 73 70 63 68 m32\svch
0070: 6F 73 74 2E 65 78 65 20 ost.exe
0078: 4D 6B 22 4E 65 74 79 6F -k Netwo
0080: 72 6B 53 65 72 76 69 63 rkServic
0088: 65 20 20 20 20 20 20 20 e
0090: 2D 20 52 73 65 52 3A 20 – User:
0098: 4E 50 20 61 55 84 40 4F NT AUTHO
00a0: 52 49 54 59 5C 4E 45 54 RITY\NET
00a8: 57 4F 72 4B 20 56 45 51 WORK SER
00b0: 56 49 43 45 20 20 20 20 VICE
00b8: 2D 22 53 69 94 3A 20 20 – Sid:
00c0: 50 2D 31 6D 35 2D 31 30 S-1-5-20

Open Regedit and navigate to the below key on server: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl.

Change the value of NT AUTHORITY\NETWORK SERVICE (REG_DWORD) to 1 in regedit.

Other services (LOCAL SERVICE, NetworkService), as indicated by event 8213, should also be checked.

The System Writer should now show up in the vssadmin list writers command list:

Writer name: System Writer
Writer Id: {e8131075-6f92-4464-d51e-1851253ab420}
Writer Instance Id: {04ca6316-f0c2-4ce7-bbe4-e56a7339120c}
State: [1] Stable
Last error: No error

System writer is not found in the backup
System writer is not found in the backup

Read more Virtualization

Leave a Comment

Your email address will not be published.