Endpoint Standard: Shadow Copy Service Hangs During Backup Process

Article ID: 288681

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

When the Shadow Copy service is running, it may hang during backup.

Environment

  • Carbon Black Cloud Sensor: Version 3.6.0.1897 and higher
  • Microsoft Windows: All Supported Versions
    • Shadow Copy Service

Cause

  • Sensor is hooking into VSS

Resolution

  • 3.6 fix released in sensor version 3.6.0.2127
  • The 3.7 version of the fix is in sensor version 3.7.0.1411

Additional Information

Workaround until sensor upgrade is possible:
  1. Open C:\Windows\System32
  2. Copy svchost.exe and paste it into the same folder, then rename the copy to svchostswprv.exe
  3. Open regedit.exe (Registry Editor)
  4. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swprv
  5. Edit the value of ImagePath to "%SystemRoot%\System32\svchostswprv.exe -k swprv"
  6. Log into the Carbon Black Cloud Console
  7. Navigate to the Policy in place for the affected Devices
  8. Add a Permission Rule with the following values
    Process/Applications at Path: **\System32\svchostswprv.exe
    Operation Attempt: Performs any API operation
    Action: Bypass
  9. Reboot the Device and run the backup process to confirm that it completes
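
Steps 1 to 5 of the workaround above, scripted in PowerShell so the file copy and registry change can be applied and checked consistently. This is an added example, not part of the original article or Carbon Black's own tooling; the backup file location and variable names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts steps 1-5 of the workaround. Run from an elevated 64-bit session.
$ErrorActionPreference = 'Stop'

# A 32-bit host on 64-bit Windows is redirected from System32 to SysWOW64,
# which would copy the wrong svchost.exe.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    throw 'Run this from a 64-bit PowerShell session.'
}

$sys32    = Join-Path $env:SystemRoot 'System32'
$source   = Join-Path $sys32 'svchost.exe'
$copy     = Join-Path $sys32 'svchostswprv.exe'
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\swprv'
$newImage = '%SystemRoot%\System32\svchostswprv.exe -k swprv'
$backup   = Join-Path $env:ProgramData 'swprv-ImagePath.bak.txt'   # assumed location

# Steps 1-2: copy svchost.exe and confirm the copy is byte-identical to the original.
Copy-Item -LiteralPath $source -Destination $copy -Force
$srcHash  = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
$copyHash = (Get-FileHash -LiteralPath $copy   -Algorithm SHA256).Hash
if ($srcHash -ne $copyHash) { throw "Hash mismatch: $copy differs from $source" }

# Steps 3-5: read the current ImagePath without expanding %SystemRoot%,
# save it once so it can be restored later, then write the new value.
$raw = (Get-Item -Path $key).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
if ($raw -ne $newImage) {
    if (-not (Test-Path -LiteralPath $backup)) { Set-Content -LiteralPath $backup -Value $raw }
    # Service ImagePath values are REG_EXPAND_SZ; keep that type so %SystemRoot% expands.
    Set-ItemProperty -Path $key -Name ImagePath -Value $newImage -Type ExpandString
}

# Report the result so it can be reviewed before the reboot in step 9.
[pscustomobject]@{
    Copy          = $copy
    SHA256        = $copyHash
    PreviousImage = $raw
    CurrentImage  = (Get-Item -Path $key).GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
}
```

Steps 6 to 8 (the Bypass permission rule for `**\System32\svchostswprv.exe`) are still done in the Carbon Black Cloud Console.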