Microsoft Windows 10 comes with a backup program that will allow you to create a system image for backups. You can get to it by right-clicking on the Windows Start button and choosing "Settings" then "Backup," which is under "Update & Security," and then selecting "Go to Backup and Restore (Windows 7)." That program was being used to back up a Windows 10 system every weekend, but when I checked the status of backups for the system, I saw a message stating "The last backup did not complete successfully."
I clicked on the "More information" button and saw a "Check your backup" message stating that the "Operation did not complete successfully because the file contains a virus or potentially unwanted software."
When I clicked on "Show Details," I saw the time of the failed backup and "Error code: 0x800700E1."
The system was running Microsoft Windows Defender as the antivirus software, so I opened that program by typing Windows Security in the "Type here to search" field at the bottom of the screen and then selecting the Windows Security app when it was shown as a result.
I then selected "Virus & threat protection." Under "Current threats," it showed "no current threats" from the last quick scan 5 days ago.
When I clicked on "Protection history," I saw a "Remediation incomplete" entry for 2/9/200 at 2:29 AM, which would have been the time of the last backup attempt.
When I clicked on the downward-pointing arrowhead next to that entry, I saw the location of the file that had been detected. The threat detected was listed as TrojanDownloader:Java/OpenStream.BD with the category for the threat listed as "Trojan Downloader."
It was in a Shadow Copy, since the file listed under "affected items" was the following:
file: \Device\HarddiskVolumeShadowCopy28\Users\Jeanne.mayberry\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\762b846-171d6daa
The only action I could select under "Actions," though, was "Allow," which I didn't want to do. There was a "Remediation incomplete" entry for the prior week's backup as well. The only difference was that it showed a different shadow copy, i.e., "HarddiskVolumeShadowCopy25," instead of "HarddiskVolumeShadowCopy28."
You can see a list of the shadow copies for a drive by opening a command prompt window with administrator privileges as explained at Obtaining a command prompt in Windows 10. When you have opened the command prompt window with administrator privileges, issue the command vssadmin list shadows. You can see a list of the options for the vssadmin command by issuing the command vssadmin /?.
    C:\WINDOWS\system32>vssadmin /?
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.

    ---- Commands Supported ----

    Delete Shadows        - Delete volume shadow copies
    List Providers        - List registered volume shadow copy providers
    List Shadows          - List existing volume shadow copies
    List ShadowStorage    - List volume shadow copy storage associations
    List Volumes          - List volumes eligible for shadow copies
    List Writers          - List subscribed volume shadow copy writers
    Resize ShadowStorage  - Resize a volume shadow copy storage association

    C:\WINDOWS\system32>
There were quite a few shadow copies shown when I listed them. The earliest was dated November 11, 2019. Since I didn't know when the problem first appeared, but the backups had started failing before that date as the last backup date shown in the Windows 7 Backup utility was August 25, 2019, I suspected that all of the shadow copies had the same issue, so I attempted to delete all of them with the command vssadmin delete shadows /all.
    C:\WINDOWS\system32>vssadmin delete shadows /all
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.

    Do you really want to delete 3 shadow copies (Y/N): [N]? y

    Successfully deleted 3 shadow copies.

    C:\WINDOWS\system32>
The command result was "Successfully deleted 3 shadow copies," but I had seen more than 3 copies when I issued the vssadmin list shadows command previously and when I issued it again, I saw all of the shadow copies that had been listed when I previously issued the command to list them.
    C:\WINDOWS\system32>vssadmin list shadows
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.

    Contents of shadow copy set ID: {b0a9a6d4-cc8c-47a0-ada1-62382a83ce19}
       Contained 1 shadow copies at creation time: 11/11/2019 12:39:01 AM
          Shadow Copy ID: {5d80606d-f075-4ffb-811b-c44ad52d423c}
             Original Volume: (K:)\\?\Volume{fa3e93ea-0000-0000-0000-500600000000}\
             Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8
             Originating Machine: THELMA-LOU.mayberry.lan
             Service Machine: THELMA-LOU.mayberry.lan
             Provider: 'Microsoft Software Shadow Copy provider 1.0'
             Type: DataVolumeRollback
             Attributes: Persistent, No auto release, No writers, Differential

    Contents of shadow copy set ID: {e4b63b9f-6714-4d38-bd3e-8ce4f8bf151b}
       Contained 1 shadow copies at creation time: 11/17/2019 3:19:34 AM
          Shadow Copy ID: {52306fb4-3441-49e1-bd79-09fa1fc2c3ca}
             Original Volume: (K:)\\?\Volume{fa3e93ea-0000-0000-0000-500600000000}\
             Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy9
             Originating Machine: THELMA-LOU.mayberry.lan
             Service Machine: THELMA-LOU.mayberry.lan
             Provider: 'Microsoft Software Shadow Copy provider 1.0'
             Type: DataVolumeRollback
             Attributes: Persistent, No auto release, No writers, Differential

    Contents of shadow copy set ID: {a9f593b4-7d8d-426f-abce-5117c406b961}
       Contained 1 shadow copies at creation time: 11/24/2019 11:09:08 PM
          Shadow Copy ID: {00e0db7b-3224-407d-8f92-ebced426508a}
             Original Volume: (K:)\\?\Volume{fa3e93ea-0000-0000-0000-500600000000}\
             Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy10
             Originating Machine: THELMA-LOU.mayberry.lan
             Service Machine: THELMA-LOU.mayberry.lan
             Provider: 'Microsoft Software Shadow Copy provider 1.0'
             Type: DataVolumeRollback
             Attributes: Persistent, No auto release, No writers, Differential

    <text snipped>

    Contents of shadow copy set ID: {4729db17-6293-4ed5-ae8d-1c33397eb955}
       Contained 1 shadow copies at creation time: 1/26/2020 3:03:42 AM
          Shadow Copy ID: {2dbf78fe-eaa9-41bd-a128-9ca6b0022881}
             Original Volume: (K:)\\?\Volume{fa3e93ea-0000-0000-0000-500600000000}\
             Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy23
             Originating Machine: THELMA-LOU.mayberry.lan
             Service Machine: THELMA-LOU.mayberry.lan
             Provider: 'Microsoft Software Shadow Copy provider 1.0'
             Type: DataVolumeRollback
             Attributes: Persistent, No auto release, No writers, Differential

    Contents of shadow copy set ID: {4d81e742-906b-4bc0-8f50-a774a8ca2129}
       Contained 1 shadow copies at creation time: 2/2/2020 6:57:15 AM
          Shadow Copy ID: {99887758-3567-4435-87cf-5613d97136b6}
             Original Volume: (K:)\\?\Volume{fa3e93ea-0000-0000-0000-500600000000}\
             Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy26
             Originating Machine: THELMA-LOU.mayberry.lan
             Service Machine: THELMA-LOU.mayberry.lan
             Provider: 'Microsoft Software Shadow Copy provider 1.0'
             Type: DataVolumeRollback
             Attributes: Persistent, No auto release, No writers, Differential

    Contents of shadow copy set ID: {25acf9be-3962-4047-9dae-d4ce04318c0d}
       Contained 1 shadow copies at creation time: 2/9/2020 3:14:02 AM
          Shadow Copy ID: {2e76592d-eb1e-4064-8ffc-f55a660c0978}
             Original Volume: (K:)\\?\Volume{fa3e93ea-0000-0000-0000-500600000000}\
             Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy29
             Originating Machine: THELMA-LOU.mayberry.lan
             Service Machine: THELMA-LOU.mayberry.lan
             Provider: 'Microsoft Software Shadow Copy provider 1.0'
             Type: DataVolumeRollback
             Attributes: Persistent, No auto release, No writers, Differential

    C:\WINDOWS\system32>
When I tried the delete command again, I saw the following message:
    C:\WINDOWS\system32>vssadmin delete shadows /all
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.

    Error: Snapshots were found, but they were outside of your allowed context.
    Try removing them with the backup application which created them.

    C:\WINDOWS\system32>
To deal with that issue, I followed the instructions I found at Obtaining a command prompt in Windows 10. The first step was to inform the Volume Snapshot Service (VSS) to limit the storage size for shadow copies to 401 MB.
    C:\WINDOWS\system32>vssadmin resize shadowstorage /for=K: /on=K: /maxsize=401MB
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.

    Successfully resized the shadow copy storage association

    C:\WINDOWS\system32>
I used the drive letter of "K:" for the /for and /on options because that was the drive letter shown for "Original Volume" in the output of the vssadmin list shadows command - you would need to use the relevant drive letter for your system. In this case, drive K: is the external USB hard disk drive (HDD) where the Windows 7 backup program stores the backups. With a successful result for the above step, I could then increase the storage limit again to the recommended "unbounded" setting (the instructions I found stated you can set it to a specific limit value if you are using shadow copies for other purposes). Again, you would replace K: in the /for and /on options with the appropriate drive letter for your system.
    C:\WINDOWS\system32>vssadmin resize shadowstorage /for=K: /on=K: /maxsize=unbounded
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.

    Successfully resized the shadow copy storage association

    C:\WINDOWS\system32>
Then, when I issued the vssadmin list shadows command, I did not see any shadow copies listed.
    C:\WINDOWS\system32>vssadmin list shadows
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.

    No items found that satisfy the query.

    C:\WINDOWS\system32>
I then returned to the Windows 7 Backup application "Windows Backup: Troubleshooting Options" window and clicked on "Try to run backup again" to produce a good current backup.
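The PowerShell below is an added example, not part of the original post: it parses vssadmin list shadows text and looks up the shadow copy device named in a Defender "affected items" path, so you can tell which listed snapshot, if any, holds the detected file. The function names are hypothetical; the sample input is two entries excerpted and trimmed from the listing on this page, plus the affected-item path shown earlier.

```powershell
# Added example: map a Defender "affected item" path to a vssadmin shadow copy entry.
function ConvertFrom-VssadminList {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            'creation time:\s*(.+)$' { $current = [ordered]@{ Created = $Matches[1].Trim() } }
            'Shadow Copy ID:\s*(\{[0-9a-f-]+\})' { if ($current) { $current.Id = $Matches[1] } }
            'Original Volume:\s*\((\w:)\)' { if ($current) { $current.Drive = $Matches[1] } }
            'Shadow Copy Volume:\s*(\S+)' {
                if ($current) {
                    # Drop the \\?\GLOBALROOT prefix so the value matches Defender's \Device\... form.
                    $current.Device = $Matches[1] -replace '^\\\\\?\\GLOBALROOT', ''
                    [pscustomobject]$current
                }
                $current = $null
            }
        }
    }
}

function Find-DetectionShadow {
    param([string]$AffectedItem, [object[]]$Shadows)
    # No shadow copy device in the path means the detection is on a live volume.
    if ($AffectedItem -notmatch '(\\Device\\HarddiskVolumeShadowCopy\d+)(\\.*)$') { return $null }
    $device, $relative = $Matches[1], $Matches[2]
    $hit = $Shadows | Where-Object { $_.Device -eq $device }
    [pscustomobject]@{
        Device       = $device
        RelativePath = $relative
        Listed       = [bool]$hit   # False: the snapshot is not in the listing supplied
        ShadowId     = $hit.Id
        Created      = $hit.Created
    }
}

# Sample input: two entries from this page's listing, trimmed to the fields the parser reads.
$sample = @'
   Contained 1 shadow copies at creation time: 2/2/2020 6:57:15 AM
      Shadow Copy ID: {99887758-3567-4435-87cf-5613d97136b6}
         Original Volume: (K:)\\?\Volume{fa3e93ea-0000-0000-0000-500600000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy26
   Contained 1 shadow copies at creation time: 2/9/2020 3:14:02 AM
      Shadow Copy ID: {2e76592d-eb1e-4064-8ffc-f55a660c0978}
         Original Volume: (K:)\\?\Volume{fa3e93ea-0000-0000-0000-500600000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy29
'@ -split "`r?`n"

$shadows = ConvertFrom-VssadminList -Lines $sample
$item = 'file: \Device\HarddiskVolumeShadowCopy28\Users\Jeanne.mayberry\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\762b846-171d6daa'
Find-DetectionShadow -AffectedItem $item -Shadows $shadows
```

With this sample the result has Listed set to False, because HarddiskVolumeShadowCopy28 is not among the entries supplied. On a live system, pass real output from an elevated prompt with ConvertFrom-VssadminList -Lines (vssadmin list shadows).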