We help IT Professionals succeed at work.

Have A Strange Volume Listed What Is It?

Siv
Siv asked
on
Hi,
I have a server running SBS 2008 and if I right click properties of the system drive C: and look at the "Shadow Copies" tab, there is a volume listed as:

\\?\Volume{d15ab5d8-7906-11de-a7d0-0024e851c5d5}\

If I look at the Details of this volume it says it is using 69,252 MB with free disk space of 1,243 MB and a total disk space of 152,607 MB.

These facts lead me to believe it is the external USB drive we use for backup. In the settings dialog it says that the storage area has "No limit" and in the shedule section there are two schedules at 07:00 and 12:00 each day of the working week.

In the Shadow Copies tab of the local disk C: properties dialog it says the "Next Run Time" is disabled. If that is the case why is the used space set to 69,252 MB. I have checked the backup and that produces no where near that amount of data.

If I look at the disk in "Share and Storage Management" which appears as "ThursdayBackup" it says its capacity is 149 GB and it has 1.21 GB free. So it smells to me like VSS is using teh drive for shadow copies. Also (and this is what kicked off this detective work) every day in teh logs at the time the end user ejects the backup drive and puts the next one in I get this entry in the event logs:

Ntfs      137      10/06/2010 08:28:34      1
Event Details:    
The default transaction resource manager on volume \\?\Volume{d15ab5be-7906-11de-a7d0-0024e851c5d5} encountered a non-retryable error and could not start. The data contains the error code.
volsnap      16      10/06/2010 08:28:07      1
Event Details:    
The shadow copies of volume \\?...06-11de-a7d0-0024e851c5d5} were aborted because volume \\?...06-11de-a7d0-0024e851c5d5}, which contains shadow copy storage for this shadow copy, was force dismounted.

Can anyone tell me how to stop this happening and whatever shadow copies is doing to swallow the disk space on the backup drive as I have to peridically format the backkup drives to recover the space as it fails the backup due to insufficient space.

Siv
Comment
Watch Question

Cris HannaSr IT Support Engineer

Commented:
If you remove your usb drive and check again is it still there?
Siv

Author

Commented:
Cris,
No when I remove teh disk teh entry disappears from teh shadow copies tab of C: Properties.
Cris HannaSr IT Support Engineer

Commented:
I have a USB drive plugged into mine..doesn't show up under shadow copies...that's odd.
Can you disable shadow copies on it or is it greyed out?
Does this drive show up as a drive letter?
Siv

Author

Commented:
Cris,
Got the end user to plug it back in again and it's there again.
Siv
Cris HannaSr IT Support Engineer

Commented:
Does this drive show up as Drive Letter in Windows Explorer?
 
Siv

Author

Commented:
Cris,
In fact it always has been marked as disabled when it's plugged in yet for some unknown reason a large swathe of it's capacity has disappeared and I can only assume it's because somehow either now or in the past the drive has been used for shadow copies.  

I have had to format a couple of these disks in the past to make enough room for the normal backups which are about 23 GB and I have the SBS backup program to allow 2 backups per disk and no more so the max it would be using is around 50GB and the disk is a 250GB 2.5" Toshiba USB drive. All 5 drives are the same make and model.

??
Siv
Cris HannaSr IT Support Engineer

Commented:
You might try this (of course you'd have to reset the backup destinations, etc. (and you losse any previous backups) so it's up to you
Put the drive in, go to Administrative Tools, Computer Management > Disk Management
Click on the portable drive > R Click and delete volumne
Don't do anything then, just run the backup wizard and add this "new" destination.
Does it still show up?
noxchoIT Product Manager
Top Expert 2009

Commented:
Start regedit via Start - run - regedit - enter.
There look in HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices for the given volume.
Remove all external devices and then clear up the device from registry which refers to your strange message.
Then reconnect your external HDD drive. See if you get this error again.
Siv

Author

Commented:
Cris,
This is the process I have done in the past when the drive has started failing the backups due to insufficient space, but inevitably it goes for a few months OK then the same problem occurs again when the (presumably) shadow copies build up again.
Siv
Siv

Author

Commented:
noxcho,
I can't do your procedure right now as the end users have left the office for teh day and I will need one of them to remove the drive for me. So I will give this a go in the morning and report back.
I am UK based so it's around 17:08 over here.

Siv
Siv

Author

Commented:
Noxcho,
I had a look at the registry key this morning and get this list:

I also took another screen grab of the individual item selected so you can see what the binary text represents:

MountedDevicesRegKey.png
BunaryValue.png
Siv

Author

Commented:
Noxcho,
Looking at the items with the very large stings of binary characters they are things like the CD ROM drive and the floppy drive.

What is the implication, if I remove all the keys that begin" \??\..." and "#{d15a..."?

Do these map to the 5 USB backup devices that the client uses?
Siv
noxchoIT Product Manager
Top Expert 2009

Commented:
You can delete them all except those that have drive letters in path like \DosDevices\C:
Reboot the machine and necessary once will be recreated again automatically.
Also backup the registry hive before deleting.
BTW, do you have any card reader device connected to machine?
Siv

Author

Commented:
Noxcho,
No there are no card readers attached to the server.
Will delete all the entries except the \Dos\Devices\C: after backing up the Registry.
Siv
noxchoIT Product Manager
Top Expert 2009

Commented:
By \Dos\Devices\C: I meant example. You have several of them with drive letter.
\Dos\Devices\A:
\Dos\Devices\C:
\Dos\Devices\D:
\Dos\Devices\E:
\Dos\Devices\F:
\Dos\Devices\G:
So leave these intact.
noxchoIT Product Manager
Top Expert 2009

Commented:
Also press Start - search field type cmd - enter - there type mountvol and see to which drive letter your guid in error message is referring.
Siv

Author

Commented:
Noxcho,
OK the following picture shows the state of the key after backing up and deleting the unnecessary stuff:

MountedDevicesNow.png
Siv

Author

Commented:
Noxcho,

Ran the MountVol command and get this:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Siv>mountvol
Creates, deletes, or lists a volume mount point.

MOUNTVOL [drive:]path VolumeName
MOUNTVOL [drive:]path /D
MOUNTVOL [drive:]path /L
MOUNTVOL [drive:]path /P
MOUNTVOL /R
MOUNTVOL /N
MOUNTVOL /E

    path        Specifies the existing NTFS directory where the mount
                point will reside.
    VolumeName  Specifies the volume name that is the target of the mount
                point.
    /D          Removes the volume mount point from the specified directory.
    /L          Lists the mounted volume name for the specified directory.
    /P          Removes the volume mount point from the specified directory,
                dismounts the volume, and makes the volume not mountable.
                You can make the volume mountable again by creating a volume
                mount point.
    /R          Removes volume mount point directories and registry settings
                for volumes that are no longer in the system.
    /N          Disables automatic mounting of new volumes.
    /E          Re-enables automatic mounting of new volumes.

Possible values for VolumeName along with current mount points are:

    \\?\Volume{6557999e-7896-11de-b9dc-806e6f6e6963}\
        D:\

    \\?\Volume{6557999f-7896-11de-b9dc-806e6f6e6963}\
        E:\

    \\?\Volume{655799a0-7896-11de-b9dc-806e6f6e6963}\
        C:\

    \\?\Volume{655799a1-7896-11de-b9dc-806e6f6e6963}\
        F:\

    \\?\Volume{655799a4-7896-11de-b9dc-806e6f6e6963}\
        G:\

    \\?\Volume{655799a5-7896-11de-b9dc-806e6f6e6963}\
        A:\

    \\?\Volume{d15ab5f5-7906-11de-a7d0-0024e851c5d5}\
        *** NO MOUNT POINTS ***
noxchoIT Product Manager
Top Expert 2009

Commented:
Ok did you restart it already? There is no volume referring to one that is reported in event log viewer. Possibly it is USB drive that was removed from system before the Volume Snapshot took place.
Connect the USB drives and then again run mountvol command to see where the guid is referring to. I mean guid in your error.
Siv

Author

Commented:
Noxcho,
In the logs this morning it's appearing as:


Ntfs      137      11/06/2010 08:30:07      1
Event Details:    
The default transaction resource manager on volume \\?\Volume{d15ab5d8-7906-11de-a7d0-0024e851c5d5} encountered a non-retryable error and could not start. The data contains the error code.
volsnap      16      11/06/2010 08:29:13      1
Event Details:    
The shadow copies of volume \\?...06-11de-a7d0-0024e851c5d5} were aborted because volume \\?...06-11de-a7d0-0024e851c5d5}, which contains shadow copy storage for this shadow copy, was force dismounted.

This is the USB drive that was in yesterday and has since been ejected and replaced with the Friday drive. The end user removes the drive at 08:30 when she comes in first thing.

Siv
noxchoIT Product Manager
Top Expert 2009

Commented:
Looks like shadow copying is going on at the moment of removal. Does she remove it via safe removal?
Also you can disable the shadow copies for this very time so to avoid the errors.

The shadow copies of volume \\?...06-11de-a7d0-0024e851c5d5} were aborted because volume
\\?...06-11de-a7d0-0024e851c5d5}, which contains shadow copy storage for this shadow copy, was force dismounted.

As for the size things:
1,243 MB = 1.21 GB free. It is the same. If you count the volume in megabytes it seems to be a bit bigger. In Gigabytes it looks a bit smaller.
Your external HDD is 152,000 MB which is 149GB. And used space on C: is 69GB. At the moment you have only 1.2GB free space left on external HDD. Time to get bigger drive and control the time of shadow copying work.
Siv

Author

Commented:
Noxcho,
That is really the nub of what  this question is all about. I know that the drive is a 160GB drive (I cocked up yesterday and said in one of my posts above that the drive capacity was 250GB in fact they are 160GB Toshiba 2.5" portable USB drives that use a Y socket to get all their juice from the USB ports) and after formatting has about 152GB available.

The backups (Windows Backup is set to put a max of two backups on the drive and no more) are about 23GB, so to my way of thinking I should have about 50GB used and about 100GB free at all times.  Particularly as to my knowledge I have never set the shadow copies to run on that drive?

When I looked at the device yesterday when it was in the drive it says there is 69GB used so to me there should be more than 1.21GB free?? I also checked id Shadow copies were enabled on that drive and it is definitely marked as "Disabled".

To be 100% sure I just contacted my client in the office and she has checked out the drives and confirmed they are all 160GB Toshiba 2.5" drives. She is also just about to restart the server so I will be able to see whether the registry changes you suggested have made any difference.

Siv
Siv

Author

Commented:
Noxcho,
She does always remove the drives using the safe removal mechanism.

I noticed yesterday that the drive is set up in "Quick Removal" mode so there should be no caching going on even if she did remove it with out using "Safely Remove".

Siv
noxchoIT Product Manager
Top Expert 2009

Commented:
Can she check when the drive is connected - how much free space is left on the drive?
Also can you reschedule the backup to earlier time so it could not be interrupted with removal? According to the errors message your system is still trying to make shadow copy to this drive when it is removed.
Siv

Author

Commented:
Noxcho,
Why is it doing any shadow copies to the drive, that's what bugs me I have shadow copies disabled for the drive letter associated with the backup drives (H:)??

As far as I am concerned the system should NOT be using this drive for shadow copies:

HdriveShadowCopiesStatus.png
HDrivePrevIousVersions.png
HdriveVolumes.png
Siv

Author

Commented:
Is there any way I can tell the system to stop using the H: drives as shadow copies destinations?
Siv

Author

Commented:
As you can see there is only 1.09GB free yet there should be 100GB !???!??!??!??
HDriveFreeSpace.png
IT Product Manager
Top Expert 2009
Commented:
Hmm, I think we lost the way here. Shadow copies are not taken off the external drive. One of your partitions are storing its shadow copies on this drive. Look the error message again:
"The shadow copies of volume \\?...06-11de-a7d0-0024e851c5d5} were aborted because volume \\?...06-11de-a7d0-0024e851c5d5}, which contains shadow copy storage for this shadow copy, was force dismounted."

!!!because volume \\?...06-11de-a7d0-0024e851c5d5}, which contains shadow copy storage for this shadow copy, was force dismounted!!!
noxchoIT Product Manager
Top Expert 2009

Commented:
Use Windirtstat to scan the drive. It will show how much space is left there.
Siv

Author

Commented:
Noxcho,

I know that and I can work out that clearly one of the other drives is using this device as its storage for shadow copies.  What I don't get is that if I say that shadow copies are disabled on this drive to me that should also mean I DO NOT WANT THIS DRIVE TO BE SHADOW COPIED ITSELF OR USED FOR SHADOW COPIES FOR ANY OTHER DRIVE.


Or are you telling me that disabling the drive for shadow copies only stops the system making shadow copies of the data on this drive and it is still available to all other drives as a storage target for their shadow copies.  

If that's the case I have misunderstood what Disabling shadow copies does, I thought it stopped the drive from taking part in shadow copying for itself and as a target for shadow copies of other drives!?

If that isn't so how do I stop it being used for shadow copies for any drives!??

Siv
Siv

Author

Commented:
Noxcho,
I don't seem to have a Windirstat or Windirtstat command?
I get this when I try it?

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\Siv>windirstat /?
'windirstat' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Siv>windirtstat /?
'windirtstat' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Siv>
noxchoIT Product Manager
Top Expert 2009

Commented:
that disabling the drive for shadow copies only stops the system making shadow copies of the data on this drive and it is still available to all other drives as a storage target for their shadow copies.  - Yes. Exactly. One of other drives are using this very one to store the shadow copies on. And this could explain why the free space is so small. Shadow copies from other drives took your space. IMHO.

As for Windirstat, sorry, this is third party tool for checking the used space: http://windirstat.info/
Siv

Author

Commented:
Noxcho,
OK then how do I tell the system to stop using this drive as a target for shadow copies, there must be something in the registry that can barr these drives from being used? I do not want to turn off all shadow copies. I have 4 HDDs in the server that have 232GB of space on each one so why does it use the bloody backup drive??

I frankly find this a ridiculous situation that the system would use a backup drive as a target for shadow copies thus using up its space and stopping it from doing its job!? And the system does know it's a backup drive because it's configured in the SBS backup wizard.

Madness!

Siv
noxchoIT Product Manager
Top Expert 2009

Commented:
Click Start. In the search box type cmd and press Ctrl+Shift+Enter to run command as an administrator. At the command prompt type: vssadmin /? to see the options.
vssadmin list shadowstorage - this command will show you what volume is associated with your external drive.
noxchoIT Product Manager
Top Expert 2009

Commented:
Siv

Author

Commented:
Re the vssadmin question:
C:\Users\Siv>vssadmin /?
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

---- Commands Supported ----

Add ShadowStorage     - Add a new volume shadow copy storage association
Create Shadow         - Create a new volume shadow copy
Delete Shadows        - Delete volume shadow copies
Delete ShadowStorage  - Delete volume shadow copy storage associations
List Providers        - List registered volume shadow copy providers
List Shadows          - List existing volume shadow copies
List ShadowStorage    - List volume shadow copy storage associations
List Volumes          - List volumes eligible for shadow copies
List Writers          - List subscribed volume shadow copy writers
Resize ShadowStorage  - Resize a volume shadow copy storage association
Revert Shadow         - Revert a volume to a shadow copy
Query Reverts         - Query the progress of in-progress revert operations.

C:\Users\Siv>vssadmin list shadowstorage
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Shadow Copy Storage association
   For volume: (D:)\\?\Volume{6f7705f6-7551-11df-931a-806e6f6e6963}\
   Shadow Copy Storage volume: (D:)\\?\Volume{6f7705f6-7551-11df-931a-806e6f6e6963}\
   Used Shadow Copy Storage space: 1.152 GB
   Allocated Shadow Copy Storage space: 1.831 GB
   Maximum Shadow Copy Storage space: 23.279 GB

Shadow Copy Storage association
   For volume: (E:)\\?\Volume{6f7705f7-7551-11df-931a-806e6f6e6963}\
   Shadow Copy Storage volume: (E:)\\?\Volume{6f7705f7-7551-11df-931a-806e6f6e6963}\
   Used Shadow Copy Storage space: 12.859 MB
   Allocated Shadow Copy Storage space: 700 MB
   Maximum Shadow Copy Storage space: 23.283 GB

Shadow Copy Storage association
   For volume: (C:)\\?\Volume{6f7705f8-7551-11df-931a-806e6f6e6963}\
   Shadow Copy Storage volume: (C:)\\?\Volume{6f7705f8-7551-11df-931a-806e6f6e6963}\
   Used Shadow Copy Storage space: 22.531 GB
   Allocated Shadow Copy Storage space: 23.24 GB
   Maximum Shadow Copy Storage space: 23.283 GB

Shadow Copy Storage association
   For volume: (F:)\\?\Volume{6f7705f9-7551-11df-931a-806e6f6e6963}\
   Shadow Copy Storage volume: (F:)\\?\Volume{6f7705f9-7551-11df-931a-806e6f6e6963}\
   Used Shadow Copy Storage space: 212.906 MB
   Allocated Shadow Copy Storage space: 0.977 GB
   Maximum Shadow Copy Storage space: 23.283 GB

Shadow Copy Storage association
   For volume: (H:)\\?\Volume{6f770605-7551-11df-931a-806e6f6e6963}\
   Shadow Copy Storage volume: (H:)\\?\Volume{6f770605-7551-11df-931a-806e6f6e6963}\
   Used Shadow Copy Storage space: 66.99 GB
   Allocated Shadow Copy Storage space: 67.28 GB
   Maximum Shadow Copy Storage space: UNBOUNDED
noxchoIT Product Manager
Top Expert 2009

Commented:
Interesting. Either you have glitch in work of VSS or some of the drives are missing here. Is the external HDD connected at the moment when you run this command?
Siv

Author

Commented:
The H: drive is the Friday Backup drive, the one that was the cause of the original question was taken out and replaced with the Friday backup drive. This then gives the same errors but with a different volume name like this:

Ntfs      137      11/06/2010 08:30:07      1
Event Details:    
The default transaction resource manager on volume \\?\Volume{d15ab5d8-7906-11de-a7d0-0024e851c5d5} encountered a non-retryable error and could not start. The data contains the error code.
volsnap      16      11/06/2010 08:29:13      1
Event Details:    
The shadow copies of volume \\?...06-11de-a7d0-0024e851c5d5} were aborted because volume \\?...06-11de-a7d0-0024e851c5d5}, which contains shadow copy storage for this shadow copy, was force dismounted.
noxchoIT Product Manager
Top Expert 2009

Commented:
Is there any external drive connected at this time 08:29:13?? If not then why does your shadows run at this time?
Siv

Author

Commented:
noxcho,
The drives are always connected except at around 08:30 when the end user ejects the previous night's disk and puts on the next night's disk.  She does this at around 08:30 every day. When she does that I get the two errors in the logs at whatever time she swaps the disks round.

Looking at the results from the vssadmin command it would appear that the shadow copy on the H: drive is a shadow copy of the H: drive. Which begs the question, why is it doing that when I have shown you from the screen dumps that shadow copies are disabled on the H: drive!?

The only thing I can think of is that somehow the system treats each of the 5 USB HDDs as being separate disks that are all shadow copying to each other (even though I have told the system that shadow copying on H: is disabled) and the one going out is trying to shadow copy itself to another one that isn't currently plugged in?

Which sounds to me like a bug in Windows??

What do you think?
Siv

Author

Commented:
I am now turning  in for the evening as my head hurts! :)
Also, up to 20% of the drive may be used up by indexing.  I noticed on the properties page of post 32969917 that at the very bottom indexing is checked.  If this "FridayBackup" removable drive is just copies of content you already maintain on the main drive then you'd hardly need have it be indexed.  Turn that off and wait a little while for the indexes to update and hopefully that will free up unaccounted for space..
noxchoIT Product Manager
Top Expert 2009

Commented:
Yes, sounds like a bug or does every drive you connect have the same guid and drive letter?
Siv

Author

Commented:
ocanda
Good point about indexing, certaily worth removing that option whenever they are plugged in.
Siv
Siv

Author

Commented:
noxcho,
Each drive gets a different GUID but the same drive letter, there is noithing else using USB that is regularly plugged into the server that would alter the drive letters.

I just can't believe there is no built in part of the system where you can say "do not allow shadow copies to be made on this drive".

Also as I have said earlier I find it completely mad that MS would allow something that is designated a backup drive be used for shadow copies at all.

Siv
Siv

Author

Commented:
ocanda
This is the status of the drive now that indexing has been turned off:

FridayBackupAfterIndexingStopped.png
Siv

Author

Commented:
I then decided to drop the shadow copies setting to 300MB (it wouldn't let me set it to 0:

FridayBackupSCStorageSettings.png
FridayBackupDroppedto300MB.png
FridayBackupAfterShadowCopiesDro.png
Siv

Author

Commented:
I am now getting nearer to what I expect, the used space is about 30GB higher than I would expect but I may be wrong on my figure of 23GB per backup it may now be as high as 40GB, it's difficult to know.

I think at this point I am clear thanks to noxcho and ocanada techguy so I will alolocate the points accordingly. Thanks particualrly to noxcho for spending so much time getting me to a fix on this I really appreciate your efforts.

Siv
Siv

Author

Commented:
Although noxcho  led me to a solution that I am happy with as an explanation of why I am getting the error message in the logs relating to a force dismount, ocanada_techguy also answered the other part of my issue as to why the drive's capacity was being reported as much less than you'd expect and this was down to the indexing service swallowing a lot of its capacity.

The main learning I take away from this is from noxcho which is the fact that although I have marked a drive as disabled in Shadow Copies that only means the drive itself is not shadow copied, it can still be being used as the storage for other shadow copies.

Thanks to noxcho for that insite.
noxchoIT Product Manager
Top Expert 2009

Commented:
Thanks for feedbacl Siv,
Have a nice weekend
Nox
Siv

Author

Commented:
Nox,
Thanks for your help, I am a lot wiser thanks to you in relation to how Shadow Copies works.
All the best,
Siv