VSS EventID 8193 is logged when you restart the Cryptographic Services service after you install the DHCP role on a computer that is running Windows Server 2008 R2

Applies to: Windows Server 2008 R2 StandardWindows Server 2008 R2 EnterpriseWindows Server 2012 Standard More

Symptoms

You install the DHCP role on a computer that is running Windows Server 2008 R2. When you restart the Cryptographic Services service, the following event is logged in the Application log:

Log Name: Application
Source: VSS
Date: x/x/xxxx x:x:x
Event ID: 8193
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: xxxxx
Description:
Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.

Operation:
Initializing Writer

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {7bb41431-3960-44bc-a29c-3b42d2301fc3}

Note Although this event is recorded, Volume Shadow Copy and DHCP Server continue to function as expected. Although this event is logged as an error, the event should not be considered a critical failure that affects the correct functioning of VSS. The registry key is mentioned for diagnostic purposes.

Cause

When the DHCP server role is installed, the permissions of the following registry key (and all subkeys) are overwritten when the DHCP Service account is added:
HKLM\CurrentControlSet\Services\VSS\Diag
When this occurs, the Network Service account is removed.

Every time that the Cryptographic Services service is started, it initializes "System Writer" under the Network Service account and verifies read/write permission for the following registry key:
HKLM\CurrentControlSet\Services\VSS\Diag
Because the Network Service account is used to obtain access to this key, there is no permission for the Network Service. Therefore, VSS logs an "Access denied" event.

Resolution

To resolve this issue, follow these steps:
  1. Download the SubInACL.exe tool from the following Microsoft website:

    http://www.microsoft.com/downloads/en/confirmation.aspx?familyId=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displayLang=en
  2. Restore the old permissions together with permissions for the DHCP Server:

    Windows Server 2008 
    C:\subinacl.exe /Subkeyreg System\CurrentControlSet\Services\VSS\Diag /sddl=O:SYG:SYD:PAI(A;;KA;;;BA)(A;;KA;;;SY)(A;;SDGRGW;;;BO)(A;;SDGRGW;;;LS)(A;;SDGRGW;;;NS)(A;CIIO;RC;;;S-1-3-4)(A;;KR;;;BU)(A;CIIO;GR;;;BU)(A;CIIO;GA;;;BA)(A;CIIO;GA;;;BO)(A;CIIO;GA;;;LS)(A;CIIO;GA;;;NS)(A;CIIO;GA;;;SY)(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)
    Note DHCP Server sddl: 
    (A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)
    Windows Server 2012
      
    C:\subinacl.exe /Subkeyreg System\CurrentControlSet\Services\VSS\Diag /sddl=D:PAI(A;;KA;;;BA)(A;;KA;;;SY)(A;;CCDCLCSWRPSDRC;;;BO)(A;;CCDCLCSWRPSDRC;;;LS)(A;;CCDCLCSWRPSDRC;;;NS)(A;CIIO;RC;;;OW)(A;;KR;;;BU)(A;CIIO;GR;;;BU)(A;CIIO;GA;;;BA)(A;CIIO;GA;;;BO)(A;CIIO;GA;;;LS)(A;CIIO;GA;;;NS)(A;CIIO;GA;;;SY)(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)S:ARAI

More Information

The following is the original SDDL[{17944DF6-4CA9-4C98-98D7-03952B59E82C}:
O:SYG:SYD:PAI(A;;KA;;;BA)(A;;KA;;;SY)(A;;SDGRGW;;;BO)(A;;SDGRGW;;;LS)(A;;SDGRGW;;;NS)(A;CIIO;RC;;;S-1-3-4)(A;;KR;;;BU)(A;CIIO;GR;;;BU)(A;CIIO;GA;;;BA)(A;CIIO;GA;;;BO)(A;CIIO;GA;;;LS)(A;CIIO;GA;;;NS)(A;CIIO;GA;;;SY)

The following is the DHCP Server ACL for the existing registry key SDDL=D:

(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)