Listen to this Post

Introduction:
Microsoft’s April 2026 cumulative security update (KB5083769) for Windows 11 versions 24H2 and 25H2 has introduced a critical malfunction in the Volume Shadow Copy Service (VSS). This core Windows component, responsible for creating consistent snapshots during backup operations, now fails when invoked by third-party backup software—leaving enterprise and consumer backups corrupted or unable to run. Understanding how to diagnose VSS writer errors, manually trigger shadow copies, and apply workarounds is essential for system administrators and cybersecurity professionals to prevent data loss.
Learning Objectives:
- Diagnose VSS writer failures and event log errors caused by KB5083769 on Windows 11 24H2/25H2.
- Implement temporary mitigation strategies using PowerShell, vssadmin, and registry modifications to restore third-party backup functionality.
- Apply advanced recovery techniques including manual shadow copy creation and Windows Defender application control exclusions.
You Should Know:
1. Diagnosing the VSS Malfunction After KB5083769
The April 2026 update alters VSS API call handling, causing third-party backup applications (e.g., Veeam, Acronis, Macrium) to receive access denied or timeout errors. To verify the issue, run these commands as Administrator:
Windows (PowerShell Admin):
List all VSS writers and check for errors
vssadmin list writers
Check specific backup-related event logs
Get-WinEvent -LogName "Application" | Where-Object { $_.ProviderName -like "VSS" } | Format-List
Query the latest system event for VSS failures
Get-WinEvent -LogName "System" | Where-Object { $<em>.Id -eq 12289 -or $</em>.Id -eq 8193 } | Select-Object TimeCreated, Message -First 5
Step‑by‑step guide:
1. Open an elevated PowerShell prompt.
- Run `vssadmin list writers` – if any writer shows “Failed” or “Stable” with error code 0x800423f4, the VSS issue is present.
- Check Event Viewer → Windows Logs → Application for sources “VSS” and “VolSnap”. Look for event ID 12289 (VSS unexpected error) or 8193 (Volume Shadow Copy Service error).
- Confirm the update installed:
Get-HotFix | Where-Object {$_.HotFixID -eq "KB5083769"}. If present, the update is the likely cause.
Temporary Workaround – Uninstall the Update (if critical backups required):
wusa /uninstall /kb:5083769 /quiet /norestart
Then reboot. Note: removing a security update exposes the system to patched vulnerabilities – use only temporarily.
2. Restoring VSS Functionality Without Uninstalling
Microsoft has not yet released a fix, but two registry-based workarounds can force VSS to bypass the broken API path.
Step‑by‑step guide for registry mitigation:
1. Open Registry Editor (regedit.exe) as Administrator.
2. Navigate to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Settings`.
- Create a new DWORD (32-bit) value named `VssDisableAPIRedirection` and set its data to
1.
4. Create another DWORD `VssLegacySnapshotBehavior` set to `1`.
5. Reboot the system.
Linux alternative (if backing up Windows shares from Linux): Use SMB and rsync instead of VSS-based tools. However, this lacks application-consistent snapshots. Example command to backup a Windows share:
sudo mount -t cifs //WINDOWS_IP/C$ /mnt/win_backup -o username=Administrator,password=YOURPASS,vers=3.0 rsync -av --delete /mnt/win_backup/ /local_backup/
Forcing a manual shadow copy (bypasses third-party call issues):
Command Prompt as Admin vssadmin create shadow /for=C:
Then point your backup software to the shadow copy path \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\. This requires scripting to automate.
3. Hardening Backup Resiliency Against Future Microsoft Updates
To prevent similar disruptions, implement layered backup strategies and application whitelisting.
Step‑by‑step guide:
- Enable Windows Defender Application Control (WDAC) exclusions for backup executables to prevent security updates from interfering with VSS calls. Create a WDAC policy with file path rules:
Generate base policy New-CIPolicy -Level FilePublisher -FilePath "C:\WDAC\BackupPolicy.xml" -UserPEs Add allow rule for VSS writers Add-Rule -Path "C:\WDAC\BackupPolicy.xml" -RuleType Allow -FilePath "%windir%\system32\vssvc.exe"
- Deploy a secondary Linux-based backup proxy that uses `vshadow` (Windows VSS client for Linux) to trigger snapshots remotely. Install on Ubuntu:
sudo apt-get install vshadow vshadow -q -u Administrator -p YourPassword //WINDOWS_IP C:
- Configure Group Policy to defer feature updates by 30 days, while still applying security patches. Open `gpedit.msc` → Computer Configuration → Administrative Templates → Windows Components → Windows Update → “Select when Preview Builds and Feature Updates are received” – set 30 days.
4. API Security and VSS Exploitation Risks
The VSS vulnerability (improper privilege validation) introduced by KB5083769 could allow malware to bypass backup snapshots or even delete existing shadow copies. Attackers often target VSS to prevent recovery after ransomware.
Verify shadow copy vulnerability:
Check if standard users can list shadows (should fail) vssadmin list shadows If non-admin can list, the patch broke ACLs – immediate risk
Mitigation – Restrict VSS access via Registry:
Navigate to `HKLM\SYSTEM\CurrentControlSet\Services\VSS\Security` and add DWORD `RequireAdminForShadow` = 1.
Linux-based detection script to alert on shadow copy deletion:
!/bin/bash Run on a Linux backup server monitoring Windows VSS via WMI while true; do count=$(wmic -U Administrator%YourPass //WINDOWS_IP "select count() from win32_shadowcopy" | grep -o '[0-9]+') if [ $count -lt $previous ]; then echo "ALERT: Shadow copy deleted at $(date)" | mail -s "VSS Attack" [email protected] fi previous=$count; sleep 60 done
- Cloud Hardening: Using Azure Backup as a Workaround
Since on-premises VSS-based backups are broken, temporarily shift to cloud-native backups that don’t rely on VSS.
Step‑by‑step to configure Azure Backup for Windows 11 (without VSS):
1. Install Azure Backup Agent (MARS) – this still attempts VSS, so use the Azure Site Recovery (ASR) agent which uses change tracking instead.
2. In Azure portal, create a Recovery Services vault.
3. Under “Backup” → “Azure Virtual Machine” → select “File and folder backup”.
4. But for a physical Windows 11 machine, use Azure File Sync with cloud tiering – this creates snapshots at the Azure file share level.
5. Deploy the following PowerShell to bypass VSS and push files directly:
Install Az module Install-Module -Name Az -AllowClobber Upload folder without VSS $ctx = New-AzStorageContext -StorageAccountName "yourbackupacc" -UseConnectedAccount Set-AzStorageBlobContent -File "D:\critical\" -Container "backup" -BlobType Block -Context $ctx -Force
6. Recovering Third-Party Backup Software Configuration
Most backup vendors will release patches. In the meantime, reconfigure your software to use “legacy” or “non-snapshot” modes.
Example for Veeam Backup (Windows):
- Open Veeam Console → Backup Job → Advanced → Storage → “Disable VSS” (use crash-consistent backup).
- For SQL/Exchange, manually quiesce databases before backup:
-- On SQL Server, run before backup BACKUP LOG [bash] TO DISK='NUL' WITH TRUNCATE_ONLY
- After backup, run a consistency check:
Get-SQLBackup -ServerInstance "localhost" -Database "YourDB" | Test-SQLDatabaseRecovery
Linux sysadmin tip: Use `smbclient` and `tar` to backup Windows shares without snapshots:
smbclient //WINDOWS_IP/SharedFolder -U Administrator%Pass -Tc backup.tar ".docx"
What Undercode Say:
- Key Takeaway 1: Always maintain at least two independent backup methods – one VSS-dependent and one agent-based or cloud-native. KB5083769 proves that a single security update can break snapshot-based recovery for weeks.
- Key Takeaway 2: The VSS API redirection vulnerability highlights a wider industry trend: security patches can introduce unintended regressions in system services that security teams rely on for incident response (like backup and forensics). Proactively testing updates in a sandbox environment is non-negotiable.
Analysis: Microsoft’s rush to patch a privilege escalation flaw (likely CVE-2026-XXXX) in VSS resulted in a broken API handshake with third-party providers. This is a classic case of insufficient regression testing on widely-used system components. For cybersecurity defenders, the incident underscores the need for runtime monitoring of backup failures as a potential threat indicator (attackers often sabotage backups). The temporary registry fixes add risk but are acceptable for production if accompanied by enhanced logging. Moving forward, expect backup vendors to re-architect their VSS interactions to use direct device IOCTL calls, bypassing the problematic API layer.
Prediction:
Within three months, Microsoft will release an out-of-band patch (KB5083773) specifically addressing the VSS malfunction, but not before dozens of ransomware gangs exploit the window to delete shadow copies using the same broken API path. Organizations that fail to implement the registry workarounds or shift to Linux-based backup proxies will face significant data loss. This incident will accelerate enterprise adoption of immutable backup storage (e.g., AWS S3 Object Lock) that does not rely on the host OS’s native snapshot service. Additionally, expect the next major Windows 11 feature update (25H2 refresh) to deprecate legacy VSS writers entirely, forcing backup vendors to migrate to the newer “Volume Shadow Copy for Virtualization” (VSSV) standard.
▶️ Related Video (74% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Cybersecuritynews Windows11 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


