Event ID: 12289 Source: VSS

Volume Shadow Copy Service error: <error>.
This event can be recorded under various conditions that are not always related to each other. The relevant information is the description of the error included in the event and the error code recorded there. The error code itself may narrow down the problem (e.g. error code 0x80070005 means "Access denied", so one can start looking for permission problems related to the various volumes used by VSS).
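
The decoding step described above, as an added example that is not part of the original page: it pulls the failing call and the `hr` value out of a 12289 description, splits the HRESULT into facility and Win32 code, and counts events per cause. The function names are illustrative, and the sample descriptions are constructed from the errors quoted on this page.

```python
import re
from collections import Counter

# Win32 code -> (meaning, first check), both taken from this page's text.
WIN32 = {
    0x0005: ("Access denied", "permissions of the backup account on the named object"),
    0x0015: ("Device is not ready", "state of the disk or volume VSS is querying"),
    0x0057: ("Parameter is incorrect", "vendor hotfixes; usually a software bug"),
}

# Matches "Unexpected error <Call>(...). hr = 0x........"; some variants put a
# space between the call name and the parenthesis ("OpenService (...)").
EVENT_RE = re.compile(
    r"Unexpected error\s+(?P<call>[A-Za-z_]\w*)\s*\(.*?hr\s*=\s*(?P<hr>0x[0-9A-Fa-f]{8})", re.DOTALL)

def decode_hresult(hr):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    return bool(hr >> 31), (hr >> 16) & 0x7FF, hr & 0xFFFF

def triage(message):
    """Return call, hr, meaning and first check for one description, or None."""
    m = EVENT_RE.search(message)
    if m is None:
        return None  # variants such as "Cannot find diff areas" carry no hr
    hr = int(m.group("hr"), 16)
    failed, facility, code = decode_hresult(hr)
    if failed and facility == 7:  # FACILITY_WIN32: code is a Win32 error number
        meaning, check = WIN32.get(code, ("Win32 error %d" % code, "look up the code"))
    else:
        meaning, check = "non-Win32 HRESULT", "look up the full value"
    return {"call": m.group("call"), "hr": hr, "meaning": meaning, "check": check}

def summarize(messages):
    """Count events per (failing call, meaning) so recurring causes stand out."""
    hits = (triage(m) for m in messages)
    return Counter((h["call"], h["meaning"]) for h in hits if h)

# Constructed sample descriptions, modelled on the errors quoted on this page.
SAMPLES = [
    r'Unexpected error RegOpenKeyExW(-2147483646, SYSTEM\CurrentControlSet\Services\VSS\Diag, ...).  hr = 0x80070005.',
    r'Unexpected error OpenService (shSCManager, "VSS", SERVICE_QUERY_STATUS). hr = 0x80070005',
    r'Unexpected error IOCTL_DISK_GET_DRIVE_LAYOUT_EX(\\\scsi#disk...) - BuildLunInfoForDrive.  hr = 0x80070015.',
    r'Unexpected error NetGroupGetUsers(). hr = 0x80070005',
    'Cannot find diff areas for creating shadow copies.',
]

if __name__ == "__main__":
    for (call, meaning), n in summarize(SAMPLES).items():
        print(f"{n}x {call}: {meaning}")
```

Grouping by failing call as well as by code matters here because the same 0x80070005 points at a registry key, a service object or a group lookup depending on which call returned it.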

- Error: "Unexpected error GetInterfaceFromGlobal({da9f41d4-1a5d-41d0-a614-6dfd78df5d05}, 256). hr = 0x80070057" - See ME910260 for a hotfix applicable to Microsoft Windows Server 2003. Error code 0x80070057 (Parameter is incorrect) usually indicates a bug in the software.
- Error: Unexpected error DeviceIoControl(\\?\Volume{aaaa0d20-019c-11e0-9a6d-806e6f6e6963} - 000000000000013C, 0x0053c008, 000000000027C060, 0, 000000000027D070, 4096, [0]).  hr = 0x80070057, The parameter is incorrect. - I had this problem when I tried to do a backup with the Windows 2008 built-in backup program. Fixed this by disabling and enabling the Shadow Copy on the volume that I wanted to back up. Note that all the old shadow copies will be deleted.
Since installing Carbonite (an online backup software), I have been plagued with Event ID 12289 from VSS. Running the Windows MOUNTVOL command shows two mount points as "The system cannot find the file specified." This is because these mount points belong to two TrueCrypt disks that I do not have mounted all of the time. Mounting the disks, or disabling Carbonite, prevents these VSS errors from occurring. I wish there was a solution to this situation.
- Error: Unexpected error IOCTL_DISK_GET_DRIVE_LAYOUT_EX(\\\scsi#disk...) - BuildLunInfoForDrive.  hr = 0x80070015. - This may indicate a hardware problem as the Error code 0x80070015 means "Device is not ready". However, there can be other factors affecting the perceived readiness of the devices used by VSS.
I was getting VSS errors on my ntbackups whether I selected system state or not. "Unexpected error DeviceIoControl" followed by Event ID 1 Source VolSnap errors.

NTBACKUP would not even start copying files, just stick on the contacting Volume Shadow Copy service message, then exit, having stopped the vss service too. Whenever I ran "vssadmin list writers" the results were fine.

The server (2003 std R2) had SharePoint and Desktop Search 4 installed. I suspected it was one of these causing it. When I uninstalled Desktop Search the backups started to work again. Whether this was causing it or not I don't know, but my server only had 3 GB of free space on the system drive, and uninstalling Desktop Search took it to 7 GB, so maybe it was Desktop Search, maybe it was the lack of free disk space.

Error: "Unexpected error RegOpenKeyExW(-2147483646, SYSTEM\CurrentControlSet\Services\VSS\Diag, ...).  hr = 0x80070005."

Error code 0x80070005 means access denied so this seemed to be a permission error after seeing that the RegOpenKeyExW call failed and HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag did exist in the registry.

After I gave full permission to the WSS Search Service account and the Farm Search Service account, the VSS error went away.
- Error: "Unexpected error OpenService (shSCManager, "VSS", SERVICE_QUERY_STATUS). hr = 0x80070005" - I got this error while doing system state backup with NTBackup in the security context of a user from the Backup Operators group. This happened because the Backup Operators group cannot read information about the VSS service. Assign the Backup Operators group read permission to the VSS service through GPO (or any other way).
I got this error while doing a backup with ntbackup.exe. The backup was configured to run in the context of a user from the Backup Operators group. Adding this user to Administrators fixed the problem.
- Error: "Unexpected error OpenService (shSCManager, "VSS", SERVICE_QUERY_STATUS). hr = 0x80070005" - This is a bug with VSS and the SCM changes that are in SP1. This error is benign and it indicates no actual issues. The backups should work as expected without any problems. This may be fixed in SP2. But till then you can update your VSS using Hotfix ME891957. This update fixes various Volume Shadow Copy Service issues in Windows Server 2003.
- Error: "Unexpected error DeviceIoControl" - In one case, on Windows XP SP2, this Event ID appeared with Event ID 1 Source VolSnap immediately after a NTBACKUP of the System State data was started. NTBACKUP finished normally. The computer was restarted, NTBACKUP was run again and this Event ID did not appear again.
- Error: "Unexpected error NetGroupGetUsers(Administrators). hr = 0x80070005" or "Unexpected error NetGroupGetUsers(). hr = 0x80070005" – This behavior is most likely caused by a "hidden group membership", typically of the "Administrators" group. To resolve this issue, open Active Directory Users and Computers, find the Administrators group (or the group in question), select Exchange Tasks, then select Unhide Membership. Give this action a few minutes to make sure this replication takes place or force replication in Active Directory Sites and Services. To test, open a command prompt and type "vssadmin list writers". Hope this helps.
Make sure that VSS shadow copies are enabled for each of the drives that you are trying to back up. Go to My Computer, right click on the drive(s) you are backing up from and choose Properties. Click the Shadow Copies tab and check that for each of the drives you want to back up from, shadow copy is enabled. If it is not, select the drive in the Shadow Copies tab and click the Enable button.
- Error: "Cannot find diff areas for creating shadow copies. Please add at least one NTFS drive to the system with enough free space.  The free space needed is at least 100 Mb for each volume to be shadow copied" - See "Veritas Support Document ID: 259326" to fix this problem.

From a newsgroup post: "This issue may appear if the capacity of the tape is too small to store the backup files. So, please check if the tape has enough space to hold the backup file. For more information, please refer to ME840754".

- Error: "Unexpected error NetGroupGetUsers(Administrators). hr = 0x80070005" - This error means "Access denied" - see Error code 0x80070005 for more information.
From newsgroup posts, this error seems to be related to BackupExec.
