LonchikB
Guest
Hi,
I've been trying to figure this one out for over a couple of months, and can't seem to nail it.
I have a scheduled Windows Backup [a.k.a. Backup and Restore (Windows 7)], configured as backing up to a NAS (Synology), with specified areas to back up (instead of Win's let-me-choose option) consisting of some users' subdirectories like pictures and documents, as well as a couple of folders outside the users directory. It's configured not to include a system image of drives, EFI/C:/WRE. I had it since Win8 and it was working fine, and then it stopped working. I had upgraded to Win10 hoping it would kick it and recover it, but it hasn't.
It fails with the generic 0x80070005 "Access is denied." error, but nowhere can I find what target/object it was denied access to. It varies when it happens, but typically seems to be a little over 3 hours from the time the backup starts. It also seems to vary how much of the backup gets written before it fails, ranging from around 250GB to 450GB, with the full backup size being around 630GB.
EventViewer seems very skimpy, and here's everything that I found related to it:
Start of scheduled backup record
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Windows Backup" />
<EventID Qualifiers="0">4097</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-12-07T07:00:01.9329878Z" />
<EventRecordID>11667</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Garbage</Computer>
<Security />
</System>
<EventData>
<Data>\\B-NAS\Backups\Garbage\</Data>
<Binary>00000000B80500006C08000000000000420ED1665C2BEE174B64529CB14610EA71000000</Binary>
</EventData>
</Event>
.... then a bit over 3 hours later:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Windows Backup" />
<EventID Qualifiers="0">4104</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-12-07T10:16:07.2099937Z" />
<EventRecordID>11677</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Garbage</Computer>
<Security />
</System>
<EventData>
<Data>Access is denied. (0x80070005)</Data>
<Binary>05000780E20500004409000060090000420ED1665C2BEE174B64529CB14610EA71000000</Binary>
</EventData>
</Event>
... then, 9 seconds later final entry:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Windows Error Reporting" />
<EventID Qualifiers="0">1001</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-12-07T10:16:16.2447111Z" />
<EventRecordID>11678</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Garbage</Computer>
<Security />
</System>
<EventData>
<Data>1898156943779859625</Data>
<Data>5</Data>
<Data>WindowsBackupFailure</Data>
<Data>Not available</Data>
<Data>0</Data>
<Data>Backup</Data>
<Data>10.0.19041</Data>
<Data>0x80070005</Data>
<Data>7</Data>
<Data />
<Data />
<Data />
<Data />
<Data />
<Data />
<Data>\\?\C:\WINDOWS\Logs\WindowsBackup\WindowsBackup.1.etl \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF208.tmp.WERInternalMetadata.xml \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF238.tmp.xml \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF38E.tmp.csv \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF43B.tmp.txt</Data>
<Data>\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Backup_c948e1cf249df9246f13cdb22976ef84ffd52a25_00000000_3411c23f-f173-4789-a63d-33cf620ecb4e</Data>
<Data />
<Data>0</Data>
<Data>3411c23f-f173-4789-a63d-33cf620ecb4e</Data>
<Data>268435456</Data>
<Data>7c8397aa17a3f01d7a579baef9f08ca9</Data>
<Data>0</Data>
</EventData>
</Event>
And for this one I'll post with formatted text:
Fault bucket 1898156943779859625, type 5
Event Name: WindowsBackupFailure
Response: Not available
Cab Id: 0
Problem signature:
P1: Backup
P2: 10.0.19041
P3: 0x80070005
P4: 7
P5:
P6:
P7:
P8:
P9:
P10:
Attached files:
\\?\C:\WINDOWS\Logs\WindowsBackup\WindowsBackup.1.etl
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF208.tmp.WERInternalMetadata.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF238.tmp.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF38E.tmp.csv
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF43B.tmp.txt
These files may be available here:
\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_Backup_c948e1cf249df9246f13cdb22976ef84ffd52a25_00000000_3411c23f-f173-4789-a63d-33cf620ecb4e
Analysis symbol:
Rechecking for solution: 0
Report Id: 3411c23f-f173-4789-a63d-33cf620ecb4e
Report Status: 268435456
Hashed bucket: 7c8397aa17a3f01d7a579baef9f08ca9
Cab Guid: 0
Needless to say, referenced files in "WER\Temp" directory are long gone by the time I get to examine the failure. There is, however, Report.wer in that NonCritical_Backup_.... directory which contains the following:
Version=1
EventType=WindowsBackupFailure
EventTime=132518097745565158
Consent=1
UploadTime=132518097752129230
ReportStatus=268435456
ReportIdentifier=3411c23f-f173-4789-a63d-33cf620ecb4e
Wow64Host=34404
OriginalFilename=RUNDLL32.EXE
AppSessionGuid=00000ea4-0000-0013-e8a7-4b9566ccd601
TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!000084ddb2b3d1158485b2b66867ca9452930a258edd!rundll32.exe
TargetAppVer=2031//05//02:06:41:35!12386!rundll32.exe
BootId=4294967295
TargetAsId=425
IsFatal=4294967295
EtwNonCollectReason=1
Response.BucketId=7c8397aa17a3f01d7a579baef9f08ca9
Response.BucketTable=5
Response.LegacyBucketId=1898156943779859625
Response.type=4
Sig[0].Name=Operation
Sig[0].Value=Backup
Sig[1].Name=AppVer
Sig[1].Value=10.0.19041
Sig[2].Name=HRESULT
Sig[2].Value=0x80070005
Sig[3].Name=TargetType
Sig[3].Value=7
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.19042.2.0.0.256.48
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
State[0].Key=Transport.DoneStage1
State[0].Value=1
OsInfo[0].Key=vermaj
OsInfo[0].Value=10
OsInfo[1].Key=vermin
OsInfo[1].Value=0
OsInfo[2].Key=verbld
OsInfo[2].Value=19042
OsInfo[3].Key=ubr
OsInfo[3].Value=630
OsInfo[4].Key=versp
OsInfo[4].Value=0
OsInfo[5].Key=arch
OsInfo[5].Value=9
OsInfo[6].Key=lcid
OsInfo[6].Value=1033
OsInfo[7].Key=geoid
OsInfo[7].Value=244
OsInfo[8].Key=sku
OsInfo[8].Value=48
OsInfo[9].Key=domain
OsInfo[9].Value=0
OsInfo[10].Key=prodsuite
OsInfo[10].Value=256
OsInfo[11].Key=ntprodtype
OsInfo[11].Value=1
OsInfo[12].Key=platid
OsInfo[12].Value=10
OsInfo[13].Key=sr
OsInfo[13].Value=0
OsInfo[14].Key=tmsi
OsInfo[14].Value=220860817
OsInfo[15].Key=osinsty
OsInfo[15].Value=3
OsInfo[16].Key=iever
OsInfo[16].Value=11.630.19041.0-11.0.220
OsInfo[17].Key=portos
OsInfo[17].Value=0
OsInfo[18].Key=ram
OsInfo[18].Value=12248
OsInfo[19].Key=svolsz
OsInfo[19].Value=918
OsInfo[20].Key=wimbt
OsInfo[20].Value=0
OsInfo[21].Key=blddt
OsInfo[21].Value=191206
OsInfo[22].Key=bldtm
OsInfo[22].Value=1406
OsInfo[23].Key=bldbrch
OsInfo[23].Value=vb_release
OsInfo[24].Key=bldchk
OsInfo[24].Value=0
OsInfo[25].Key=wpvermaj
OsInfo[25].Value=0
OsInfo[26].Key=wpvermin
OsInfo[26].Value=0
OsInfo[27].Key=wpbuildmaj
OsInfo[27].Value=0
OsInfo[28].Key=wpbuildmin
OsInfo[28].Value=0
OsInfo[29].Key=osver
OsInfo[29].Value=10.0.19041.630.amd64fre.vb_release.191206-1406
OsInfo[30].Key=buildflightid
OsInfo[30].Value=f39c5c3f-90fd-40de-9171-e7fd8b92049d
OsInfo[31].Key=edition
OsInfo[31].Value=Professional
OsInfo[32].Key=ring
OsInfo[32].Value=Retail
OsInfo[33].Key=expid
OsInfo[33].Value=FX:1183210E,FX:19E26AD
OsInfo[34].Key=fconid
OsInfo[35].Key=containerid
OsInfo[36].Key=containertype
OsInfo[37].Key=edu
OsInfo[37].Value=0
FriendlyEventName=WindowsBackupFailure
ConsentKey=WindowsBackupFailure
AppName=Windows host process (Rundll32)
AppPath=C:\Windows\System32\rundll32.exe
ReportDescription=Windows Backup failure
ApplicationIdentity=00000000000000000000000000000000
MetadataHash=601300682
I believe from the above you can find the exact Windows version.
At this point I'm lost as to how to troubleshoot it. I can't even tell if the access is denied in reading source files, or writing backup files? Or is it something in the registry? Or something else??? Help would be much appreciated.