SentinelOne Blocks VSS Shadow Deletion – Access is Denied

I had a Windows 10 to 11 upgrade fail today. SetupDiag makes it sound like the problem was removing System Restore (VSS) checkpoints:

<FailureData>
0xc1900101-0x20017 Error: SetupDiag reports rollback failure found.
Last Phase = Finalize
Last Operation = Remove System Restore checkpoints
Error = 0xC1900101-0x20017
</FailureData>

System Restore was not active on any drive; vssadmin list shadowstorage shows 5GB in use on C:. I tried vssadmin resize shadowstorage /on=C: /for=C: /maxsize=1% to delete the drive C: shadow storage. That returned this message: “Error: The shadow copy provider had an error. Please see the system and application event logs for more information.” The Application event log explained that it was an Access is Denied issue:

Log Name:      Application
Source:        VSS
Date:          11/6/2024 1:35:40 PM
Event ID:      12289
Level:         Error
Keywords:      Classic
User:          N/A
Description:
Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{1b5b594a-760b-435d-a67b-5bc358eedd82} - 00000000000002AC,0x0053c028,0000018FC9B1A340,0,0000018FC9B17040,4096,[0]).  hr = 0x80070005, Access is denied.

Operation:
Changing diff-area maximum size

Context:
Volume Name: C:\
Diff-area volume: C:\
Diff-area maximum size: 1073741783

SentinelOne Is Blocking the Shadow Storage

I think I saw this recently. Sure enough, one of the purple (visited) links in my Google results took me to this Reddit post explaining how to “unlock” SentinelOne’s VSS block before deleting the shadows. My slightly edited instructions:

In the SentinelOne dashboard, open Sentinels and the machine in question. Actions > Agent Actions > Show Passphrase. Copy the passphrase to the clipboard and paste in for “passphrase” below.

Start an administrative command prompt.
cd /d C:\Program Files\SentinelOne\Sentinel Agent <your version>
sentinelctl.exe unprotect -k "passphrase"
sentinelctl.exe unload -slam -k "passphrase"
vssadmin resize ShadowStorage /For=C: /On=C: /MaxSize=320MB [320MB is the minimum]
sentinelctl load -slam
sentinelctl.exe protect

This time, the resize showed success, and vssadmin list shadowstorage shows C: has 0 bytes of allocated shadow storage space.

After that, the Windows 11 upgrade got further before it failed for another reason.

P.S. If you want to use Shadow Copies, re-extend the available space either in the U.I. or through the command line, e.g.

vssadmin resize ShadowStorage /For=C: /On=C: /MaxSize=10%
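
The unprotect, resize, re-protect sequence above, wrapped in PowerShell so the agent is reloaded and re-protected even when the resize fails. This is an added example, not part of the original post or SentinelOne's own tooling; the agent folder lookup, the Invoke-Native helper and the reliance on exit codes are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: the post's steps, with re-protection guaranteed by try/finally.
$ErrorActionPreference = 'Stop'

# Passphrase comes from the console (Actions > Agent Actions > Show Passphrase).
# It is prompted for so it never lands in the script file.
$passphrase = Read-Host -Prompt 'SentinelOne agent passphrase'

# Resolve the versioned folder (the post's "Sentinel Agent <your version>").
$agentDir = Get-ChildItem -Path 'C:\Program Files\SentinelOne' -Directory -Filter 'Sentinel Agent *' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $agentDir) { throw 'SentinelOne agent folder not found.' }
$sentinelctl = Join-Path $agentDir.FullName 'sentinelctl.exe'

function Invoke-Native {
    # Hypothetical helper: run a native command and throw on a non-zero exit code.
    # Assumption: sentinelctl and vssadmin report failure through the exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

try {
    Invoke-Native $sentinelctl @('unprotect', '-k', $passphrase)
    Invoke-Native $sentinelctl @('unload', '-slam', '-k', $passphrase)
    Invoke-Native 'vssadmin.exe' @('resize', 'ShadowStorage', '/For=C:', '/On=C:', '/MaxSize=320MB')
}
finally {
    # Runs even if the resize threw, so the unprotected window stays short.
    # Each step is attempted on its own and a failure is reported loudly.
    foreach ($step in @(@('load', '-slam'), @('protect'))) {
        & $sentinelctl @step
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "sentinelctl $($step -join ' ') failed; re-protect this agent manually."
        }
    }
    Remove-Variable passphrase
}

# Confirm the result described in the post: 0 bytes allocated on C:.
& vssadmin.exe list shadowstorage
```

Check the agent's status in the SentinelOne dashboard afterwards rather than trusting the script output alone.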
