This project has moved and is read-only. For the latest updates, please go here.

veracrypt causing multiple VSS errors in Event Viewer???

Topics: Technical Issues
Apr 21, 2015 at 6:49 PM
I just converted my Truecrypt volume to Veracrypt and have noticed hundreds of VSS errors happening each day now.
As a quick test, if I do not mount the container, I am not seeing the VSS errors in Event Viewer, but once the container is decrypted, (it shows up as Drive J:) I am seeing many VSS errors in event viewer throughout the day.
It may be a coincidence but has anyone else see the error below:

Volume Shadow Copy Service error: Error calling a routine on a Shadow Copy Provider {b5946137-7b9f-4925-af80-51abd60b20d5}. Routine details Cannot ask provider {b5946137-7b9f-4925-af80-51abd60b20d5} if volume is supported. [0x8000ffff] [hr = 0x8000ffff, Catastrophic failure
].

Operation:
Check If Volume Is Supported by Provider
Add a Volume to a Shadow Copy Set

Context:
Execution Context: Coordinator
Provider ID: {00000000-0000-0000-0000-000000000000}
Volume Name: \?\Volume{46efd553-e2a0-11e4-b156-f46d04484749}\
Execution Context: Coordinator
Apr 22, 2015 at 11:36 PM
This is documented in this page: https://veracrypt.codeplex.com/wikipage?title=Issues%20and%20Limitations

This issue has existed since TrueCrypt: http://www.techrepublic.com/blog/data-center/resolving-truecrypt-and-volume-shadow-copy-conflicts/
You can follow the recommendation of this link to see if it helps


Apr 23, 2015 at 3:06 AM
Idrassi:
I read your link but it applies to Servers. I do not have the Shadow Copy tab (shown in the article) on my Win 7 Ultimate 64bit machine and when I mount my container, I usually leave it on all day till I turn the computer off at night.
Although this issue may have existed in Truecrypt, I have never seen this error in all the years that I have used Truecrypt.
Now that I am using Veracrypt it is happening repeatedly hundreds of times, all day long, as long as Veracrypt is mounted.
Could it be that all that is needed is another VSS provider entry be added to the VSS list in HKEY local machine\system\currentcontrolset\services\vss\provider list that points to Veracrypt?
And if so, what would the parameters be?
Apr 27, 2015 at 6:13 PM
I think I found a solution and want confirmation that this is OK.
When I mount my encrypted Veracrypt drive, if I first change my preference to have the drive volume mounted as a removable media, then the VSS error messages go away.
Apparently VSS doesn't play nice with encrypted volumes that are considered a hard drive.
Do you see any reason why mounting the volume (container) this way might be detrimental?
Is there a way to make this option permanent each time I go to mount the volume?
Jul 14, 2015 at 12:05 PM
Any updates on this?

bigdawg1, can you confirm exactly what is working? Can you use VSS to create temporary copies of files on the VeraCrypt drive to make backups of open files, for example?

My concern with marking the drive as external is that VSS will store the shadow copies on some other drive, which may not be encrypted. With BitLocker drives the system knows not to do that, but I don't think VeraCrypt communicates that information because the API is undocumented. So there is a possibility of data leakage.
Jul 14, 2015 at 3:06 PM
mojo_chan:
Since switching VeraCrypt to mount as a removable media, there have been no further issues. When I make my daily backup image of Drive C:\, there appears to be no problem with my backup program making a backup of the container file saved in the Veracrypt directory in C:\program files\Veracrypt, even when the container file is decrypted to Drive J:\
As far as VSS making shadow copies on other drives, I am not aware of that. How would I check?
Thanks,
BD1
Jul 14, 2015 at 3:32 PM
Hi bigdawg1.

Thanks for the update. What I really meant was can you back up files on the mounted Veracrypt drive (J:) with VSS? For me it always fails, but it's okay with a Bitlocker drive.

You can check what VSS is up to with the vssadmin tool. Open an administrator command prompt and type vssadmin list shadowstorage
Jul 14, 2015 at 7:25 PM
Yes I can backup the files on my J: drive to my cloud backup program with no apparent issues.
As far as checking what VSS is doing. I just typed in vssadmin list shadowstorage and goT info that I have no idea what it is trying to tell me.
This is what it said:

Shadow copy storage association:
For volume: (C:)\?\volume {a long string of numbers and letters}\
Shadow Copy Storage volume: (C:)\?\Volume{the same long string of numbers and letters}
Used Shadow Copy Storage space: 0 B (0%)
Allocated Shadow Copy Storage space: 0 B (0%)
Maximum Shadow Copy Storage space: UNBOUNDED (100%)
Jul 15, 2015 at 10:35 AM
That looks good. Permanent shadow copies are available on drive C: only. Your encrypted drive can have temporary shadow copies, and doesn't ever store data on other non-encrypted drives. It looks like you have found a working solution. I'll give it a try now.
Jul 15, 2015 at 10:45 AM
Confirmed, mounting as an external volume makes VSS work.

I'm still worried though... My understanding is that the shadow copies are stored on the "external" drive, but I'm not 100% sure of that. I don't know if switching to BitLocker would be a better option, as Windows understands that it needs to enforce secure storage of temporary shadow copies with BL drives.
Jul 15, 2015 at 1:56 PM
I'm glad that Veracrypt is working with my work around. If you find out anything that makes this option not secure, please let me know. In addition, even though I was told earlier that this was a Trucrypt issue, (I never had a problem till moving to Veracrypt) I hope that the Veracrypt programers can solve this VSS error issue so that we don't have to select "mount as a removable drive" and run the risk that you have concerns about.
Jul 15, 2015 at 2:56 PM
Well, it kinda works. When I tried it I was unable to backup open files on the drive. There was no VSS error, but the application was unable to make a shadow copy.

I tried the same thing on a BitLocker drive and it was able to make a shadow copy without any problem. I would be great if VeraCrypt could fix this, but since the API is apparently undocumented I'm not sure it is possible.