VSS Error 8194 in Event Log when using Advanced Open File Support

When using VSS, you may encounter multiple instances of the VSS error 8194 being logged into the Application Event Log. These errors do not have an impact on the ability of SureSync to perform an open file copy of a file using VSS. However, these messages will often trigger questions from systems administrators due to the error being logged in the Event Viewer.

The 8194 events can be generated by the following services: System Write (Cryptographic) service, NPS VSS Writer Server, TS Gatway Writer service and (Windows) SP Search VSS Writer. This error can occur from other services.

The error produced will look similar to the error below (taken from a Windows 2008 R2 server):

Log Name: Application
Source: VSS
Date: 4/23/2014 4:38:55 AM
Event ID: 8194
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: server.domain.com
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.

Gathering Writer Data

Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {4075e894-0cbd-4627-bb82-552b457d9ecd}

The error code 8194 "Access denied" is caused by the inability of one or more VSS system writers to communicate with the Software Pursuits VSS Manager (v6 and older) or Software Pursuits Communications Agent service process via the "COM" calls exposed in the IVssWriterCallback interface. This is the programming interface Microsoft provides for the Volume Shadow Service.

This is not a functional error in SureSync but rather is a security issue caused by select VSS writer(s) running as a service under the "Network Service" or "Local Service" accounts instead of the Local System or Administrator account. By default, in order for a Windows service to perform a COM activation it must be running as Local System or as a member of the Administrators group.

There are three different methods of addressing this problem:

  1. Locate the VSS writers using the Services MMC (services.msc) that are erring out and change the account they are running under from Network Service to Local System. Then, restart the service(s) or reboot the machine. This will cause the VSS writer to run with max privileges and will eliminate the IVssWriter callback errors. The possible security issue with this method is that the service will be running with a higher level of access than Microsoft intended. Should the VSS writer process in question be "hacked," this could be a security weakness. But if you’re not overly concerned about that issue, repeat this process for each VSS writer that generates a 8194 error and the errors should stop being logged in normal operation.
  2. You can ignore the errors because they are not harmful.
  3. The final (and preferred) way to work around this issue is to make an adjustment to the default COM service activation permissions. This allows the Network Service (and possibly Local Service) user accounts permission to activate the IVssWriter callback interface. This method allows you to permanently fix the issue by making a single change that allows the VSS Writer service(s) to run at the privilege level that Microsoft intended. Any COM object access by a process running as Network Service still has the ability to enforce security restrictions if it so chooses. To make this change, go to a Run dialog box and enter dcomcnfg. This will launch the Component Services application. On the left pane, go to Component Services | Computer | My Computer. Right click on My Computer and select Properties. Select the COM Security tab and select the Edit Default button under Access Permissions. Use the "Add..." button to add the "Network Service" account to the permissions list. Verify that only the "Local Access" box is checked and click OK. Close Component Services and reboot the machine to make the COM security change.