60611: Acronis Cyber Protect Cloud: Event 513 in Windows Application Log during backup


Last update: Fri, 2020-05-01 06:16

Symptoms

While a backup runs, the following error is written to the Windows Application Event Log:

Event ID 513

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.

Cause

During backup, a VSS process running under the NETWORK_SERVICE account calls cryptcatsvc!CSystemWriter::AddLegacyDriverFiles(), which enumerates all the driver records in the Service Control Manager database and tries to open each one of them. The MSLLDP record cannot be opened, because the security permissions of the MSLLDP driver do not allow a service account to access the driver record.

Solution

1. Download AccessChk from microsoft.com.

2. Open the Command Prompt as administrator: Start -> in search, type cmd -> right-click cmd.exe and select Run as administrator.

3. Issue:
accesschk.exe -c mslldp

The output is similar to the following:
mslldp
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW S-1-5-32-549
  R  NT SERVICE\NlaSvc

NETWORK_SERVICE is not listed, meaning the service account is not allowed to access the MSLLDP driver.

4. Get the security descriptor for MSLLDP by issuing:
sc sdshow MSLLDP

The output is similar to the following:
D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

5. Copy this output to an editor, for example, Notepad.

6. Issue:
sc sdshow MUP

The output is similar to the following:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

7. From the output of step 6, copy the entry ending with SU:
(A;;CCLCSWLOCRRC;;;SU)

The first letter "A" stands for "Allow". Each pair of letters that follows represents a specific permission. The last two letters define the security principal that is granted these permissions (a SID or a well-known alias): SU means Service logon user. Taken together, this entry holds the permissions the service account needs.

8. Paste this entry into the output of step 4, at the end of the D: section, immediately before S:
D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

9. Now you can set the new security descriptor (containing the service account entry) for MSLLDP. Issue:
sc sdset MSLLDP D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

10. Verify the result:
accesschk.exe -c mslldp

Now the output contains the service account:
mslldp
  RW NT AUTHORITY\SYSTEM
  RW BUILTIN\Administrators
  RW S-1-5-32-549
  R  NT SERVICE\NlaSvc
  R  NT AUTHORITY\SERVICE
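
The manual edit above can be checked before `sc sdset` is run. The following Python sketch is an added example, not Acronis code: it decodes the ACEs in a service security descriptor, reports whether a trustee such as SU has an Allow entry, and inserts an ACE at the end of the D: section. The two constants are copied from this article; the function names are illustrative, and the right names are the standard Windows service access rights.

```python
import re

# Two-letter SDDL rights as they apply to a service object.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_RE = re.compile(r"\(([^()]*)\)")

# Copied from the article: the step 4 output and the ACE taken from MUP.
MSLLDP_SDDL = "D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
SU_ACE = "(A;;CCLCSWLOCRRC;;;SU)"


def split_sddl(sddl):
    """Return (everything up to the end of the DACL, SACL from 'S:' or '')."""
    end = sddl.find("S:", sddl.index("D:"))
    return (sddl, "") if end < 0 else (sddl[:end], sddl[end:])


def parse_dacl(sddl):
    """Return [(ace_type, [right names], trustee)] for each ACE in the DACL."""
    aces = []
    for body in ACE_RE.findall(split_sddl(sddl)[0]):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        codes = re.findall("..", fields[2])  # assumes two-letter codes, as sc prints
        aces.append((fields[0], [SERVICE_RIGHTS.get(c, c) for c in codes], fields[5]))
    return aces


def has_allow_ace(sddl, trustee):
    """True if an Allow ACE names the trustee (alias such as SU, or a SID string)."""
    return any(kind == "A" and who == trustee for kind, _, who in parse_dacl(sddl))


def add_ace(sddl, ace):
    """Insert ace at the end of the DACL, before 'S:'; unchanged if already there."""
    if not ACE_RE.fullmatch(ace) or ace.count(";") != 5:
        raise ValueError("expected a single ACE such as (A;;CCLC;;;SU)")
    dacl, sacl = split_sddl(sddl)
    return sddl if ace in dacl else dacl + ace + sacl


if __name__ == "__main__":
    for kind, rights, who in parse_dacl(add_ace(MSLLDP_SDDL, SU_ACE)):
        print(kind, who, ",".join(rights))
```

Running it on the `sc sdshow` output before and after the change shows that only the SU entry was added and that the existing Deny entry for BG and the S: audit section are untouched.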