Windows 7 VSS errors [Resolved]

For some while I have had many many VSS related errors reported in the events viewer.

The bug/issue

  1. What you did: It can be triggered by creating a restore point.
  2. What actually happened or you actually saw:
    The event viewer shows a string of errors. The first report is this:

Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x000001bc,(null),0,REG_BINARY,0000000000D5CD50.72). hr = 0x80070005, Access is denied.
Operation: Gathering Writer Data
Context:
Writer Class Id: {542da469-d3e1-473c-9f4f-7847f01fc64f}
Writer Name: COM+ REGDB Writer
Writer Instance ID: {7c3768e2-575e-478b-ae16-f7b46d808476}

Many other errors of a similar nature follow with “Access is denied”.
The restore point is created though and I haven’t found anything not actually working.
  3. What you expected to happen or see: no errors
  4. How you tried to fix it & what happened:

I have discovered that if I put COMODO DEFENCE+ into disabled mode then I do not get the errors.
If I put it into training mode then VSS errors result. There is no COMODO warning message.
I then unticked the box in Monitoring Settings/Protected Registry Keys and again there were no errors.

C:\windows\system\vssvc.exe is listed as a trusted file and set to custom policy. Other policy settings are greyed out.

  1. Details (exact version) of any software involved with download link: windows 7 & CIS
  2. Any other information (eg your guess regarding the cause, with reasons): A bug or a bad setting in Comodo

Files appended
2. Screenshots of related event logs or the active processes list: … Event Viewer Report.xml attached
3. A CIS config. report or file: CIS config.xml Appended
Your set-up

  1. CIS version, AV database version & configuration used: … 5.0.163652.1142, Proactive security
  2. Whether you imported a configuration: I updated from the previous version of COMODO CIS. I did not import a config.
  3. Defense+ and Sandbox OR Firewall security level: Defenseplus=training mode, Sandbox=enabled
  4. OS version, service pack, bits, UAC setting, & account type: Windows 7 home premium, 64 bit, UAC default, all updates have been installed, normal user account
  5. Other security and utility software running: Windows Defender
  6. Virtual machine used: Not applicable

Is that OK?

Thanks

We would very much appreciate it if you would edit your first post to create an issue report in line with the bug forum guidelines and format here. You can copy and paste the format from this topic.

To understand the reasons why we ask you to follow these guidelines please see below.

WHY WE ASK YOU TO FOLLOW THESE GUIDELINES
Bugs/issues can be impossible or very time consuming to fix if developers don’t have enough information to reproduce them. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, if an issue is not described in the format below, your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Best wishes and many thanks in anticipation

Dennis

Do you see the blocking in View Defense + Events? If so can you post a screenshot?

The View Defense + Events screenshot is attached.

Please note you should not run in Training mode, only for short periods.

Dennis

Yes but training mode should correct this type of problem.

Anyway…

As no-one else seems to be having this problem and there were no suggestions as to what might be happening, I started looking further into the settings.

The exe that seems to be causing the problem is: C:\Windows\system32\VSSVC.exe

Which is (may be) trying to write to the registry at one or more of these locations:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\VSS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS

Under Comodo/Defence+/Computer Security Policy there is a protected registry key:

HKLM\SYSTEM\ControlSet???\Services*

As you can see the first two locations are protected and this I believe is what is causing the errors.

So Defence+ is working as it should and all Win7 users should be getting the same errors.

If this is correct then the question is now whether this registry key SHOULD be protected.

Maybe someone can comment on this analysis.
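
The wildcard reasoning in the post above, as an added example (not code from the thread or from Comodo): it assumes that in a protected-key pattern `?` matches one character and `*` any run of characters, and that HKLM\SYSTEM\Select\Current is 1. CurrentControlSet is a registry link to one of the numbered control sets, so the code reports both the literal match and the match after resolving that link.

```python
import re

# Hive abbreviations used in policy lists (set chosen for this example).
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def normalize(path):
    """Expand a leading hive abbreviation and upper-case the whole path."""
    hive, sep, rest = path.partition("\\")
    return (HIVE_ALIASES.get(hive.upper(), hive) + sep + rest).upper()


def pattern_to_regex(pattern):
    """Assumed wildcard semantics: '?' is one character, '*' is any run."""
    parts = []
    for ch in normalize(pattern):
        if ch == "?":
            parts.append(r"[^\\]")  # one character that is not a separator
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z")


def resolve_current(path, current=1):
    """Rewrite CurrentControlSet to the numbered set it links to.
    `current` stands for HKLM\\SYSTEM\\Select\\Current (1 is assumed here)."""
    return re.sub(r"(?i)(\\SYSTEM\\)CurrentControlSet(?=\\|\Z)",
                  lambda m: "%sControlSet%03d" % (m.group(1), current), path)


def coverage(pattern, paths, current=1):
    """Map each path to (literal match, match after link resolution)."""
    rx = pattern_to_regex(pattern)
    return {p: (bool(rx.match(normalize(p))),
                bool(rx.match(normalize(resolve_current(p, current)))))
            for p in paths}


# Pattern and paths exactly as quoted in the post above.
PATTERN = r"HKLM\SYSTEM\ControlSet???\Services*"
PATHS = [r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS",
         r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\VSS",
         r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS"]

if __name__ == "__main__":
    for path, (literal, resolved) in coverage(PATTERN, PATHS).items():
        print(f"literal={literal!s:5} resolved={resolved!s:5} {path}")
```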

I have moved it to Verified, but I would suggest a clean install; possible problems with upgrade.

I run in Paranoid Mode and do not receive alerts for VSSVC.exe as it is part of Windows System Applications in CIS so you should not have any entries in the log for this.

Could you please post a screenshot of Defense+ \ Computer Security Policy or check if you have an entry for Windows System Applications.

Will post screenshot example. (I have included all default rules, with one change: Explorer.exe should be Trusted for default rules.)

Dennis

Yes VSSVC.exe is in the list with “custom policy”. When I try to edit it there is no other policy setting (predefined option is greyed out).

Screenshot of Defense+ \ Computer Security Policy\Rules is attached.

Screenshot of Defense+ \ Computer Security Policy\Protected registry keys is attached.

I will now try a manual uninstall / reinstall

I tried to add that my screenshot is completely different to yours.

There are no subfolders.

Predefined Policy is empty.

I’m also having trouble finding this thread on the forum. I had to use the back button. Has it disappeared?

I have now done a manual uninstall/reinstall and I can now create a restore point without errors.

Also my screenshot of Defense+ \ Computer Security Policy\Rules is now very similar to yours.

Apparently something went wrong with the automatic update.

Are config settings reused from earlier? Maybe that’s where the problem came from.

Yes, configurations are used from the previous version so problems like this can occur.

I have seen a few others like disappearing rules after making them Trusted Applications, that are solved by doing a clean install.

Of posts reported, about 50/50; as most members do not report a no-problem upgrade, I should think about 2% to 5% of members are having problems with the upgrade.

Thank you for reporting that a clean install has worked for you 🙂

Some members have had to also use a registry cleaner to achieve this.

Thank you

Dennis

I had this problem in the earlier version of CIS. Not sure at what point the problem started, though.

The registry entries (listed above) have changed since June 2010 (quite a few new keys). Maybe Microsoft did something in an update that triggered the original problem.

I did use a registry cleaner after this uninstall but it found nothing related to Comodo.

Thanks for your help.