My remote management software was alerting me that a client’s SBS 2003 server was experiencing 100% CPU utilization and would randomly stop responding to input and even showing offline. I was eventually able to RDP in and started to look for a cause of the issue. Event viewer would not open and most input was not providing any results, I was able to open task manger though and found that 4 processes were consuming all CPU utilization between them. Canceling Svchost.exe did not free up any cycles and the other processes which are protected and just went up higher in utilization.

After waiting 20 minutes for the server to respond to a force reboot command and looking through the event log I found the likely culprit. Shortly after the backup started I noticed errors like “lsass (432) Shadow copy 371 time-out (70000 ms).” For the lsass.exe, ntfrs.exe and tcpsvcs.exe processes. This is due to some VSS issues in sever 2003, to be safe I reset the VSS writers using a batch file with the following commands:

cd /d %windir%\system32

Net stop vss

Net stop swprv

regsvr32 ole32.dll

regsvr32 oleaut32.dll

regsvr32 vss_ps.dll

vssvc /register

regsvr32 /i swprv.dll

regsvr32 /i eventcls.dll

regsvr32 es.dll

regsvr32 stdprov.dll

regsvr32 vssui.dll

regsvr32 msxml.dll

regsvr32 msxml3.dll

regsvr32 msxml4.dll

Net start vss

Net start swprv

After looking further into the issue there is a KB article http://support.microsoft.com/kb/826936 which provides a hotfix for time-out issues of essential services during VSS copies. Remember to make sure you have a good backup before installing any hotfixes as they are not always well tested. If you can try the hotfix in a test environment first to be safe.