Mystery Solved — 103 Devices, 5 Volumes

This looked just plain weird to me. When I checked Reliability Monitor and the installation of the generic volume shadow copy devices I couldn’t make out a pattern even though it was there to be found. I even posted queries about this to vistaforums.com, techsupportforum.com, and to Microsoft Tech Support, but it took a Facebook email to one of the demiurges in the Windows pantheon–namely, Mark Russinovich–to get to the bottom of the matter (more on this to follow at the end of this story).

Thinking that forensics might help to enlighten me, I dug into the Reliability Monitor and recorded the following driver install pattern, starting on August 7, the day I reinstalled Vista Ultimate SP1 on my production PC. For compactness, I initialize Generic volume shadow copy as Gvsc and Generic storage volume as Gv below, and omit dates where neither driver was installed.

 

    Gvsc        Gv
Date    Installs    Installs

  8/07         42         2
  8/11          2         0
  8/12          0         1
  8/15          3         0
  8/16          2         0
  8/17          2         0
  8/18          2         0
  8/21         13         0
  8/26          5         2
  8/28          0         2
  9/07          1         0
  9/08          2         0
  9/09          4         0
  9/10          1         0
  9/11          1         0
  9/12          2         0
  9/13          2         0
  9/14          2         0
  9/15          2         0

On 9/16 I uninstalled all of them, then ran the “Scan for hardware changes” Activity in Device Manager. After that, I wound up with 97 Generic Volume Shadow Copy device instances, where I’d had 98 before conducting this remove/regenerate sequence. Today (9/18/2008) I’m up to 103 instances. The total of all installs from the preceding table data is 88. You’d think this would at least add up so that what’s in Device Manager matches the number of installs in the Reliability Monitor trace. But right now, this does not appear to be the case. Nor does the number of Generic Volume installs from the table (7) match the number in Device Manager, either (5). Also the total number Generic Volume Shady Copy device instances in Device Manager seems too high to me, based on what I see in Reliability Monitor, while the number of Generic storage volume instances seems too low. But of course this being Windows Vista, it is what it is…

In fact, I couldn’t really see any kind of meaningful pattern to this behavior. I was flabbergasted that the initial number of such devices installed was 42: shades of Douglas Adams to be sure, but why so many? I also didn’t understand why that number spiked to 5 and 13 on 8/21 and 8/26, either. With at most two USB Flash drives in my system on any given day, plus an occasional CF card reader (which probably registers as another such device), three would seem to be the natural limit on any given day to me, but it’s not! That’s because it turns out not to be flash drive related, after all.

According to Russinovich (and confirmed by the Vista help files) there’s an entry for each snapshot that the Volume Shadow Copy Service (VSS) takes at least daily to retain access to previous versions of files. The reason why the number doesn’t track the number of driver installations over time is that this is part of Restore Point activity where disk space allocations for Restore Points are capped. Once that storage cap is hit (usually 15% of total space), older snapshots get deleted as new ones are made. Sometimes, a big new snapshot might cause several smaller older ones to get deleted at once: there’s no one-for-one guarantee here by any means.

The large number of snapshots on “install day” reflects the number of security and other updates applied to the system immediately following install, many of usually include capturing a restore point as part of their installation processes. Other spikes in the count correspond to installations or updates performed on the system for which a restore point was taken. Thus, the total number of devices corresponds to the number of snapshots that VSS currently knows about: nothing more, nothing less. The number of generic volume entries in the Storage Volumes item in Device Manager corresponds to the number of unique storage volumes for which snapshots might be taken at one time or another as the system is up and running, including all direct- and USB-attached hard disks. On this system, in fact, that number is indeed 5.

Mystery solved. Case closed! Thanks to Mark Russinovich for his quick and accurate answer, and to colleague and partner in grime Rebekkah Hilgraves for observing this potential correspondence before Mark confirmed the cause.

facebookgoogle_pluslinkedin
facebookgoogle_pluslinkedin
This entry was posted in ViztaView.com Archive and tagged , by Ed Tittel. Bookmark the permalink.

About Ed Tittel

Full-time freelance writer, researcher and occasional expert witness, I specialize in Windows operating systems, information security, markup languages, and Web development tools and environments. I blog for numerous Websites, still write (or revise) the occasional book, and write lots of articles, white papers, tech briefs, and so forth.

Comments

Mystery Solved — 103 Devices, 5 Volumes — 1 Comment

  1. Pingback: Windows Server 2016 – DeviceSetupManager Event ID 121 | audministrator

Leave a Reply

Your email address will not be published. Required fields are marked *