asked on

Does Volume Shadow Copy need Admin Rights (Win7 onwards) ?

Is it true that Volume Shadow Copy needs Admin Rights (Win7 onwards).
Several of my customers have given Standard Rights to their users and I have a backup package to which I have just added VSS feature (VSCSC.exe).
Is there a way to perform shadow copy without daily UAC Prompts.
I have created Exe with 'Manifest' but then it prompts always at startup.
Ideally the Passwords should only be asked during Application Setup.

Regards
Allan

Rich Rumble

You can mess with UAC settings, but depending on how you call the VSS service, you don't need admin rights if you make some changes: You can add them to the backup operators and I believe they get the rights they need. Shadow Copies however should not be restricted to the users OWN files... but if they have to enable the service, and they are not admins, then they won't be able to use the VSS.

http://technet.microsoft.com/en-us/library/cc875808.aspx

Backup Permissions

Certain permissions and user rights are required to back up files and folders. As part of scheduling backups, you will be asked for information about who is running the backup. If you are a member of the Administrators or Backup Operators group on the local computer, you can back up any file and folder on the local computer to which the local group applies. Likewise, if you are a member of the Administrators or Backup Operators group on a domain controller, you can back up any file and folder locally on any computer in the domain with which you have a two-way trust relationship. However, if you are not a member of either the Administrator or Backup Operators group for the domain, and you want to back up files, then you must be the owner of the files and folders that you want to back up, or you must have one or more of the following permissions for the files and folders you want to back up: Read, Read & Execute, Modify, or Full Control.

-rich

Allan_Fernandes

ASKER

I have started the Service yet I get below message for Standard User.

(Option: Create shadow copy set)
ERROR: COM call "CreateVssBackupComponents(&m_pVssObject)" failed.
- Returned HRESULT = 0x80070005
- Error text: Access is denied.

Rich Rumble

This error occurs when you try to start the service? It may not need to be running, but just make sure it is not disabled. Again you should be able to make copies of the files inside the User's profile and most folders that are owned or created by that same user. Other files/folders will be off limits. If that fails, perhaps move the User to the backup operators and see?
-rich

Allan_Fernandes

ASKER

>> make sure it is not disabled.

When I load Services.msc and right click on any line 'Stop/Start/Pause/Resume/Restart' all are disabled. Does this mean the standard user does not have access to any of the services ? This is in my personal PC Win 7. Is there a way I can enable the service ? Via Admin login all is fine.

Rich Rumble

Try this command in a CMD window
sc query vss
It should look something like this:

SERVICE_NAME: vss
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

STOPPED is OK, DISABLED is not OK. If it's disabled then no one should be able to take any snapshot's using the shadow copy service.
-rich

Allan_Fernandes

ASKER

This is the output

SERVICE_NAME: vss
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

ASKER CERTIFIED SOLUTION

Rich Rumble

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Allan_Fernandes

ASKER

I use
VSCSC c:
or
VShadow c:

Vssadmin create shadow /For=c:

gives 'Error: Invalid command.