fix: Windows VSS Event ID 8194 (#5170)

Snshadow 2025-01-27 00:25:38 +09:00 committed by GitHub
parent ed3922ac82
commit 6301250d83
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 41 additions and 0 deletions


@ -0,0 +1,21 @@
Bugfix: Prevent Windows VSS event log 8194 warnings for backup with fs snapshot
When running `restic backup` with `--use-fs-snapshot` flag in Windows with admin rights, event logs like
```
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {54b151ac-d27d-4628-9cb0-2bc40959f50f}
```
are created several times(the backup itself succeeds). Prevent this from occurring.
https://github.com/restic/restic/issues/5169
https://github.com/restic/restic/pull/5170
https://forum.restic.net/t/windows-shadow-copy-snapshot-vss-unexpected-provider-error/3674/2


@ -810,6 +810,26 @@ func initializeVssCOMInterface() (*ole.IUnknown, error) {
}
}
// initialize COM security for VSS, this can't be called more then once
// Allowing all processes to perform incoming COM calls is not necessarily a security weakness.
// A requester acting as a COM server, like all other COM servers, always retains the option to authorize its clients on every COM method implemented in its process.
//
// Note that internal COM callbacks implemented by VSS are secured by default.
// Reference: https://learn.microsoft.com/en-us/windows/win32/vss/security-considerations-for-requestors#:~:text=Allowing%20all%20processes,secured%20by%20default.
if err = ole.CoInitializeSecurity(
-1, // Default COM authentication service
6, // RPC_C_AUTHN_LEVEL_PKT_PRIVACY
3, // RPC_C_IMP_LEVEL_IMPERSONATE
0x20, // EOAC_STATIC_CLOAKING
); err != nil {
// TODO warn for expected event logs for VSS IVssWriterCallback failure
return nil, newVssError(
"Failed to initialize security for VSS request",
HRESULT(err.(*ole.OleError).Code()))
}
var oleIUnknown *ole.IUnknown
result, _, _ := vssInstance.Call(uintptr(unsafe.Pointer(&oleIUnknown)))
hresult := HRESULT(result)
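Review bot: The comment above the new `ole.CoInitializeSecurity` call says it cannot be called more than once, yet nothing in the hunk prevents a second call. If `initializeVssCOMInterface` runs more than once in the same process (its callers are outside the hunk, so this is inferred), a later call would be expected to fail with RPC_E_TOO_LATE, and the function would return an error even though process-wide COM security is already in place. Guarding the call with a package-level `sync.Once`, or treating that one HRESULT as success, would enforce the once-only requirement in code. The assertion `err.(*ole.OleError)` in the error branch is also unchecked and panics if the error ever has another type; `oleErr, ok := err.(*ole.OleError)` with a fallback is safer. The function body starts before the hunk and continues after it.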