Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 8193 Source: VSS

Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = <error code>.
After installing DHCP on Windows Server 2008 R2, you may start to see the following error message in the event logs :

Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646, SYSTEM\CurrentControlSet\Services\VSS\Diag, …). hr = 0×80070005, Access is denied.

Inspection of the detailed tab of the event log entry will show information about the process that generated the error. Take note of the user mentioned after the “- User: Name:” portion of the bytes. To resolve this error, simply give that user full permission to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS registry key.
In my case, this was caused because the Backup Exec 2010 remote agent user account was a member of the Backup Operators group but not of the Administrators group. Adding the Backup Exec service account to the local Administrators group resolved the issues. See also this discussion thread - EV100239 (Odd VSS errors on Windows Server 2008 R2).
In my case (Windows 2008 SP2) the recommended checks were all ok and just the Microsoft Shadow Copy provider installed. Other symptomps: event was preceeded by VSS Event Id:13, 12292 and 34.  hr = 0x80040154.

Solved by recreating the entire shadow copy space. Run the following commands:

vssadmin list shadowstorage
vssadmin Delete ShadowStorage /For=C: /On=D:
vssadmin Add ShadowStorage /For=C: /On=D: /MaxSize=1024MB

These commands will lists your current settings, delete the current shadow copy storage space (you'll loose all snapshots so modify the paramters to your needs!) and recreate the shadow copy space.
I ran into this problem on several different machines. Two were running Server 2003, and the other one running XP Professional. I finally came across something related to this for Server 2008 that finally led me in the right direction to finding a solution.

ME2009533 talks about recreating the "TypeLib" registry value (note that in Server 2008, this value is of type REG_EXPAND_SZ while in Server 2003 and XP it is REG_SZ).

After comparing the registry values on the machines that were having problems with the registry values of machines that were working fine, I found that the values were wrong for a couple of the registry keys. Also, there were a couple of extra unneeded keys that I could get rid of.

Basically, it is under the following section of the registry:


The values for OwnerSID and TypeLib are probably wrong.

Correct values are as follows:

OwnerSID (REG_SZ):  S-1-5-18

After you set these values as shown, you will need to reboot the system before VSS will work properly again.

- Error code 0x80070422 - This event can occur (with this error code) if the Volume Shadow Copy service has been disabled. In our case, it occurred with Event ID 11 from source VSS.
Re-registering the Shadow Copy dlls may help - see EV100108 ("Volume Shadow Copy Service and DLLs").
I was getting this error, alongside with others bound to COM+ subsystems, on a DC (W2K3 stand-alone), and even reinstalling COM+ did not help. The case became clear after checking the permissions on the %systemroot%\registration directory. Setting permissions to Administrators : Full and System : Full and re-registering COM+ set all the things right.
I was getting this error in conjunction with event IDs 7001, 7023, 10010, 12292, and 5013. All events were due to COM+ applications not being available. I followed the instructions in ME301919 to resolve the problem. When reinstalling COM+ I had to obtain es.dll from a similar machine and place it in C:\Windows\System32.
See Veritas Support Document ID: 272814 if VERITAS software is installed.
I fixed this problem by installing MSXML 3.0 and MSXML 4.0.
- Error code 0x8007043C - From a newsgroup post: "These events are benign and you can ignore them, unfortunately, they will always appear whenever you reboot the machine in Safe Mode. We plan to fix this bug for future versions of Windows (it is already fixed in Windows Server 2003)".
- Error code 0x80040154 - From a newsgroup post: "This error means that the COM+ Admin catalog was not installed correctly on your machine. This problem is unrelated with VSS. The only way to fix this would be either to re-register the COM+ infrastructure, or to re-run the Windows Setup. ME246499 mentions a method for re-registering COM+ on your machine. This is for Windows 2000".
- Error code 0x800700ea - See ME833167.
- Error code 0x80070057 - See ME833167.

As per Microsoft: "This informational event is logged when the system starts in Safe Mode on a computer running Windows XP because COM+ is not enabled in Safe Mode or, occasionally, when antivirus and indexing programs open temporary files used by backup programs during backup. This message also appears if there is a problem in the COM+ infrastructure, such as when the COM+ services are disabled or not registered correctly, or when a program such as FORMAT, CHKDSK, or Logical Disk Management opens a volume with an exclusive lock and the Volume Shadow Copy service cannot create a shadow copy". See MSW2KDB for more details.

From a newsgroup post: "It appears that the COM+ subsystem is not correctly installed on your machine. This causes failures in VSS. You might try the steps in ME315296 to reinstall COM+. Please do not disable the COM+ Event System or Volume Shadow Copy Service; this will not fix the real problem".
From a Microsoft support person (from a newsgroup post): "If the events occurred on a machine that was running in Safe Mode, these events are benign and you can ignore them - unfortunately they will always appear whenever you reboot the machine in Safe Mode. We plan to fix this bug for future versions of Windows (it is already fixed in Windows Server 2003)."

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.