Vssvc.exe
You might know that I regularly check all running processes as part of a cleanup process. It is also important from a security point of view. I spotted the file vssvc.exe today running on my computer and I was pretty sure that it was not running last time I checked. A quick check reveled that it was related to the Volume Shadow Copy Service in Windows XP.
This service is used by several backup applications to create backups of files that are currently in use, on the fly backups so to say. I knew that I did install two backup applications in the last week, Cobian Backup and MozyHome and I suspect that one of these was responsible for the change.
The real question however is if I need this service at all. It was using a little bit more than six Megabytes of RAM without any real benefit. I decided to stop the service and run a backup to see if it would go through and backup all the files selected. Since I'm not backing up any Windows system files I suspected that it would not make a difference.
I stopped the Volume Shadow Copy Service and the file vssvc.exe disappeared from the list of open processes. The backup completed without errors afterwards. Vssvc.exe has been set to disabled in Services.msc so that it does not get started accidentally if set to manually.
It would be different if you would backup system files regularly in Windows. Those files can't be processed if they are in use at the moment of the backup if the Volume Shadow Copy Service is not running in the background.
Advertisement
So someone above decided to get into a philosophical discussion about 6 MB of RAM.
VSSVC.exe was far worse on my PC. Under 64-bit windows 7 I am running VMWare and finishing up deployment testing in a clean VM. My sluggish but very usable computer started to develop multi-minute full stalls. Looking around in performance manager I found that VSSVC.exe was doubling all disk IO and just thrashing the hell out of my hard drive.
I have no idea if it is needed but I know that I can’t do my job with with it. I have a feeling I will only be able to take snapshots of powered down machines but that is OK with me or this is some interaction of a backup software with VMWare that I really don’t care about.
I forgot one more thing…….If you want to find out about what services can be turned off safely, and which ones are required, you should go check out a website called http://www.blackviper.com, and on the home page scroll down to “Popular Content,” then choose the “Service Configuration” that best suits your needs.
Ciao,
Michael C
I too was wondering about Vssvc.exe, and what I found out is, if you go into services and right click on the “Volume Shadow Copy” service, then click properties, you will open a dialogue with 4 tabs, one of which is “Dependencies.” Click on that tab and it shows that “vssvc.exe” is dependent upon “Remote Procedure Call,” but nothing is dependent upon vssvc.exe, and like me, I have disabled my “System Restore” on all drives because I use Symantec’s Norton Ghost for my recovery points. I disabled the “Volume Shadow Copy,” and I have no problems at all with my OS.
Hope this helps.
Ciao,
Michael C
Volume Shadow copy, while a good idea, has piss poor implementation. The fact is, it’s not only consuming 6mb of ram (must not have been running long) but it also eats up HUGE chunks of harddrive space. After researching a bit, i found almost 200gb of HDD space where this thing had made copies of some very very large applications / games that i use frequently.
On a business system, where the average application is 400mb or smaller, VSS isn’t a problem. Implementing it on a consumer user’s Desktop is quite possibly the most resource wasting scheme microsoft has come out with to date.
If you don’t use it, it is QUITE safe to disable VSS. The main thing to remember, is while this is supposed to be a ” backup ” scheme, it doesn’t actually back up your settings of files, it just clones installed applications into the windows folder.
My VSSVC.exe suddenly decided to contact the internet but was stopped by ZoneAlarm. I notice that all over the internet that whenever somebody identifies one of these odd little resource hogs with very mysterious functions (like VSSVC.exe) and he says “just turn it off, it doesn’t help” that suddenly he is hit with a bunch of trolls who tell him that it is vitally important and that he needs to keep it running. This strangely reminds me of the teams of trolls who show up whenever somebody questions 9/11 or asks why Obama has a fraudulent birth certificate. Why is that?
Just a little note on this service. It is set to manual as a default and it would be suggested to keep it this way. If you modify system files that require updates but cannot process them unless a reboot is performed, the OS uses this service in conjunction with. In other words, if your system is set to manual already and it’s running and using up memory: REBOOT
Alternatively, perhaps one thing that can be done is disable the programs that also run a dependency on this that you do not want to have running. (ex, Backup applications)
I spend 5 days trying to figure out why my PC was so slow.
Its been off for 9 days while i was away, and i get back, and my 4 year old C2D 1.8ghz laptop was twice as fast as this DV7 core i7.
Would lag videos, take about 25 sec to load task manager.
about 60 seconds to load computer manager.
This is windows 7 HP 64 bit.
After stopping every service, running every rootkit scanner i can find, running 3 diff virus and malware scans, finally i notice VSSVC.exe. and i killed the process and immediately pc went back to normal.
What lead me to this discovery was watching the CPU going from 25%-70% and the HDD light flashing constantly on idle.
Hope this saves someone else 5 days, just stop VSSVC, i dont even use system restore, so VSS is not required. Im old school, id rather repair the problem than just jump back to before the problem started.
Hope it helps
The fewer services running the smaller the attack surface for any system FYI, and I don’t think anyone even wanted to talk about is the fact that VSS compromises security in a number of ways.
What are the security implications of Volume Shadow Copy?
Suppose you decide to protect one of your documents from prying eyes. First, you create an encrypted copy using an encryption application. Then, you “wipe†(or “secure-deleteâ€) the original document, which consists of overwriting it several times and deleting it. (This is necessary, because if you just deleted the document without overwriting it, all the data that was in the file would physically remain on the disk until it got overwritten by other data. See question above for an explanation of how file deletion works.)
Ordinarily, this would render the original, unencrypted document irretrievable. However, if the original file was stored on a volume protected by the Volume Shadow Copy service and it was there when a restore point was created, the original file will be retrievable using Previous versions. All you need to do is right-click the containing folder, click Restore previous versions, open a snapshot, and, lo and behold, you’ll see the original file that you tried so hard to delete!
The reason wiping the file doesn’t help, of course, is that before the file’s blocks get overwritten, VSC will save them to the shadow copy. It doesn’t matter how many times you overwrite the file, the shadow copy will still be there, safely stored on a hidden volume.
Is there a way to securely delete a file on a volume protected by VSC?
No. Shadow copies are read-only, so there is no way to delete a file from all the shadow copies.
A partial solution is to delete all the shadow copies (by choosing Control Panel | System | System protection | Configure | Delete) before you wipe the file. This prevents VSC from making a copy of the file right before you overwrite it. However, it is quite possible that one of the shadow copies you just deleted already contained a copy of the file (for example, because it had recently been modified). Since deleting the shadow copies does not wipe the disk space that was occupied by them, the contents of the shadowed file will still be there on the disk.
So, if you really wanted to be secure, you would also have to wipe the blocks that used to contain the shadow copies. This would be very hard to do, as there is no direct access to that area of the disk.
Some other solutions to consider:
* You could make sure you never save any sensitive data on a volume that’s protected by VSC. Of course, you would need a separate VSC-free volume for such data.
* system_protectionYou could disable VSC altogether. (After disabling VSC, you may want to wipe the free space on your drive to overwrite the blocks previously occupied by VSC, which could contain shadow copies of your sensitive data.) However, if you disable VSC, you also lose System Restore functionality. Curiously, Windows offers no option to enable VSC only for system files. If you want to protect your system, you also have to enable Previous versions (see screenshot to the right).
* The most secure approach is to use an encrypted system volume. That way, no matter what temporary files, shadow copies, etc. Windows creates, it will all be encrypted.
Notice that VSC only VSC only lets you recover files that existed when a restore point was created. So if the sequence of events is as follows:
create file → create restore point → make encrypted copy → overwrite original file
the original file will be recoverable. But if the sequence is:
create restore point → create file → make encrypted copy → overwrite original file
you are safe. If you make sure to encrypt and wipe files as soon as you create them, so that no restore point gets created after they are saved on disk in unencrypted form, there will be no way to recover them with VSC. However, it is not easy to control when Windows creates a restore point; for example, it can do it at any time, just because your computer happens to be idle.
Can I prevent VSC from keeping snapshots of certain files and folders?
Yes, but you have to edit the registry to do that. Here are detailed instructions from MSDN.
What happens when VSC runs out of space?
Most of the time, most of the data on your disk stays unchanged. However, suppose you uninstall a 5 GB game and then install another 5 GB game in its place. This means that 5 GB worth of blocks got overwritten and had to be backed up by VSC.
In such “high-churn†scenarios, VSC can run out of space pretty quickly. What happens then? VSC deletes as many previous shadow copies as necessary, starting from the oldest, until it has enough space for the latest copy. In the rare event that there isn’t enough space even for the one most recent copy, all the shadow copies will be deleted. There are no partial copies.
I am also a stickler for having the least processes running I can get away with when I bring up taskmgr, however my experience of VSSVC.exe is that it only runs when Windows needs it(like when creating a restore point), it does not run all the time and is indeed needed for creating and restoring restore Points. It is set to Manual in Services and I think it’s best to leave it well enough alone, certaintly do not turn it off completly.
To Mary Jo: your restore points may be absent if you had set it to be off to begin with. Check your “Control Panel” “Systems” “Advanced system settings” “System Protection” tab. Some people set it to be off as it takes up a chunk of harddrive space – especially on laptops.
I do note that on multi-core CPUs that there is no performance hit on processing time in regards to Volume Shadow Copy Service.
All…
I am experiencing problems similar to Joe’s, system hanging up, running slow, especially when I open a new browser window and like Joe, found VSSVC.exe suspect. So I googled it, ended up on this thread, and now am really confused. Dante’s comment that the absence of restore points was a direct result of disabling VSSVC.exe is perplexing. I have discovered this same absence, yet VSSVC.exe is not now, nor has it ever been, disabled on my machine.
So, gentlemen, though I am very late to this discussion, any suggestions, I will appreciate greatly..
All,
The problem isn’t so much the lousy 6MB of memory it takes up, it’s the 35% of CPU processing it takes up at various times. I went to open an IE window, noticed something was hanging up my system making it run slow, and I noticed my CPU usage spike. So looked at the processes, and there was VSVX.exe running and causing my CPU to spike, which I DID notice and was a pain.
So, I googled it, and this is the thread I found.
So another major problem, which jojo mentioned earlier, is that Microsoft said what it does about the file…. but why the hell couldn’t they just have SAID it’s required for restore points?? MS either is lazy OR there is something else that caused the lack of restore points for the other person who posted.
That being said, what MS did say about the VSSVC.EXE process, you’ll notice is a canned description they give to a LOT of processes. I noticed this a while back when I decided to cull my start up processes and researched each one. What jojo quoted from MS about the VSSVC,exe is what they say about almost all their processes. It’s irresponsible and lazy of them. They should at least mention one or two major features that are dependent on it.. on second thought, they should mention every feature that is dependent on it.
“…and there was VSVX.exe running and causing my CPU to spike”
Typo… that should of course read “VSSVC.exe”.
Martin, you are very poor at making a meaningful point laddy! VSSVC.EXE is very important and disabling the service saves you nothing at all. As stated prior a major issue is the loss of Restore Points, bad indeed. Concentrate on something less obsessive compulsive in the future.
Just a late follow up to this. I’ve disabled Volume Shadow Copy service in Visata for a while now. Than today, I wanted to create a Restore Point before installing a driver. And guess what, I had no prior Restore Points. Apparently, Volume Shadow Copy service needs to be running in order to create Restore Points. Oh well, it’s now back on Automatic Startup.
Jojo, I think you fail to understand the power of stacking, 6MB here and 6MB there adds up to a lot of needless MB’s!
You can gain massive performance by culling out the needless processes but if you just “shrug” and shy away from it you will never realize those gains. Careful examination and removal of those tiny little leaches can save you a lot of memory, especially on an OS like Vista that sucks up so much already.
Kill it if you don’t need it.
IMO, the performance gain from disabling VSS is imperceptible, and it is better to leave it on. If I am not wrong, the ‘previous version’ option on Vista Business also works only if VSS is enabled
Also, when defragmenting VSS enabled volumes, the use of a VSS-compatible defragmenter can help preserve shadow copies. VSS incompatible defrag may be slightly faster, but can mess with the disk space and/or shadow copies. I know that Diskeeper 2008 has the VSS defrag option; don’t know if there are any others.
I understand your viewpoint Martin. But you are not doing a good job of explaining WHY you feel wasting time on things like this is important or useful for the average person who may be reading your blog.
In order to do so, you would have to quantify gains that you received or anticipate receiving. And I don’t think that you have done this or could show that you have actually gained anything from your efforts [shrug].
It might be meaningless for you but not for me and a lot of other users. If you want to waste resources do it, I prefer to save them for more important matters.
i think that is a perfectly fine reason–i do all i can to minimize background chatter when i can, as my cpu has some overheating problems and will shut off if used too heavily, which is a pain when playing high-performance games
–when i had xp on my old machine, you could even kill the main parts, like windows explorer, to the point were you could focus almost all of your cpu into one task (except for a few of those nosey ones that like to muddle in other processes stuff, in which your forced to leave, but don’t generally take all that much compared to what was already stripped down).
And WHY is that a benefit Martin?
I can tell you from much experience, turning stuff off that you THINK you don’t need will come back to bite you. Particularly Windows system programs.
This stuff does not matter when you are running Win/XP SP2 or Vista. Let Windows do the management and focus on more productive work that will provide a return on investment of time. Saving 6MB is meaningless.
Well the main benefit besides the 6 Megabytes of RAM is that you do not have something running in the background that you do not need.
The problem with mucking around with services is that a lot of services are dependent on others. Sometimes, disabling a service may cause other services not to work. And you will probably waste hours of time trying to figure out WHY the service you want to work is not doing so.
This is what MS says about the VSS service:
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
I fail to see why you are worried about a lousy 6MB of memory usage. Was this REAL memory that it was occupying or VIRTUAL (swapped out on the paging file)? Did you notice any increase in performance when you disabled this file? Show us what you gained.