Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Filtering VSS snapshot devices question

Jamey_KirbyJamey_Kirby Member - All Emails Posts: 429

Each time a VSS snapshot device is created, I attach a filter to that device object. When VSS snapshot is deleted, the remove device is called, and I am able to teardown my filter.

Now, if I enable System Recovery snapshots on a volume (C: for example), I see some strange behavior. I do not know if this is normal, or I need to address the issue. When our softwares VSS snapshot is created, everything seems to work as expected. However, after the IOCTL_VOLSNAP_DELETE_SNAPSHOT is detected, i never see the remove device for the snapshot device. I see the IOCTL_VOLUME_OFFLINE sent to the snapshot device, but the remove device is never recieved. Eventually, I can have hundreds of these device objects being filtered. What is even more strange, let's say I have 200 filters attached on a volumes snapshot chain because they are not deleted, when the system is rebooted, these 200 filter device objects are once again created and I attache. If I use various VSS tools after boot to peek into VSS via the APIs, I only see the snapshot created by System Recovery, so there are not 200 snapshots, only the two. But my filter attached to 200 device objects.

If I delete the system recovery snapshot, I will see all 200 device objects get their remove device calls.

Has anyone encounter this? I know there is a default of 512 snapshots. My may run up to the 512 and see what happens.

-- Jamey

Comments

  • Jamey_KirbyJamey_Kirby Member - All Emails Posts: 429
    edited February 9

    Ooops. Should have been IOCTL_VOLUME_DELETE_SNAPSHOT in my post, not IOCTL_VOLSNAP_DELETE_SNAPSHOT.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 7,258

    I’ll hope @Scott_Noone_(OSR) answers, because he’s the definitive VOLSNAP guy.

    But... don’t those intermediate snapshots need to hang around, though they are inaccessible, because the form the basis for the following snapshots?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Jamey_KirbyJamey_Kirby Member - All Emails Posts: 429

    But... don’t those intermediate snapshots need to hang around, though they are inaccessible, because the form the basis for the following snapshots?

    I guess that depends on how the volsnap driver is implemented. If I am the last snapshot in the chain, you would think it could delete. We take a snapshot, do some stuff with the snapshot, and then delete the snapshot. If a snapshot came after us, then I can imagine a scenario where it could need to keep the data store.

    What happens when VSS reaches the 512 limit (I have a test in progress now)? Suppose I take a snapshot every hour for the next six months? Do the device objects just keep stacking up? Maybe there is a bug in my filter? Guess what I am doing this weekend?

  • Anand_AAnand_A Member - All Emails Posts: 66

    Some questions :
    1) OS Version ? Non-server edition ?
    2) Do you see the non-deleted ones in vssadmin list shadows ?
    3) Any difference in the attributes between the snapshot volumes created with a System Restore Point being there before the VSS snapshot is taken vs when its not there ? https://docs.microsoft.com/en-us/windows/desktop/api/vss/ne-vss-_vss_volume_snapshot_attributes
    4) You have a Volume and Snapshot Volume Class Filter ?

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,135

    I'd check to see if you get the same behavior without your filters. Even if the utilities don't show the device objects then the debugger will.

    Answers to Anand's questions would also be good (e.g. persistent snapshots survive reboots so that would explain why you see them on subsequent reboots).

    -scott
    OSR

  • Jamey_KirbyJamey_Kirby Member - All Emails Posts: 429
    via Email
    I'll answer more later (after dinner), but for sure we do not create
    persistent snapshots. Just long enough to do a "backup" and then delete.


    On Wed, Feb 13, 2019 at 4:38 PM Scott_Noone_(OSR)
    wrote:

    > OSR https://community.osr.com/
    > Scott_Noone_(OSR) commented on Filtering VSS snapshot devices question
    >
    > I'd check to see if you get the same behavior without your filters. Even
    > if the utilities don't show the device objects then the debugger will.
    >
    > Answers to Anand's questions would also be good (e.g. persistent
    > snapshots survive reboots so that would explain why you see them on
    > subsequent reboots).
    >
    > --
    > Reply to this email directly or follow the link below to check it out:
    > https://community.osr.com/discussion/comment/292543#Comment_292543
    >
    > Check it out:
    > https://community.osr.com/discussion/comment/292543#Comment_292543
    >
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA