NetWorker: Windows Client System BugCheck Event Causes System Reboot During Backup

Summary: Windows client machine gets rebooted whenever file system backup is initiated. Custer environment. Both the nodes having same problem.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

A NetWorker file system backup of a Windows host fails. 
There are no obvious errors indicating cause in the NetWorker logs:

181407:save: Step (1 of 5) for PID-10948: Save has been started on the client '<client-name>'.
174412:save: Step (2 of 5) for PID-10948: Running the backup on the client '<client-name>' for the save set 'pseudo_saveset'.
174424:save: Step (3 of 5) for PID-10948: Creating the snapshot for the selected save sets.
--- Job Indications ---
<client-name>:pseudo_saveset: retried 1 times.
184008 08/16/2023 02:30:58 AM  1 5 0 999192384 50244 0 <NetWorker-Server> savegrp NSR notice Client '<client-name>' is being skipped because no savesets of this client have been backed up as part of the backup action.
148758 08/16/2023 02:31:03 AM  1 5 0 999192384 50244 0 <NetWorker-Server> savegrp NSR notice Action backup traditional 'Backup' with job id 33079478 is exiting with status 'failed', exit code 1

On the Windows client, the System Event Logs show a BugCheck event occurred simultaneously when a backup is scheduled. That event caused the client machine to reboot.
BugCheck event in event viewer 

This only appears during Volume Shadow copy Service (VSS) enabled backups (default). If the Windows client is configured in NetWorker with save operations VSS:*=off, the backup succeeds.

NOTE: Performing a Windows client backup without VSS is not advised. The host's file system is still protected; however, it would be impossible to perform a Bare Metal Recovery (BMR) of the host.

Cause

During VSS snapshot creation, kernel-mode file system filter drivers from multiple security products can stack together (for example, Antivirus (AV), HIPS, DLP, disk encryption, EDR). Concurrent real-time filters from two AV products increase kernel stack usage during complex I/O paths. This can exhaust the stack and trigger a BugCheck.

NOTE: Kernel stack size is fixed; the only practical mitigation is reducing simultaneous driver depth or complexity during high-filter I/O operations (like VSS snapshot creation). This typically surfaces when VSS touches large or complex volumes, many writers, or heavy real-time scanning hooks. 

Resolution

Diagnostic Checklist (Collect before choosing a resolution path)

  1. Capture BugCheck details:

Event Viewer → System → Event ID 1001 (BugCheck). Record the STOP code and faulting the driver (for example, xxx.sys) if available.
Collect minidumps (%SystemRoot%\Minidump).

NOTE: Engage with Microsoft Support for analysis of the BuckCheck and minidump. This article can be referenced while engaging with Microsoft support.

 

  1. VSS health:

vssadmin list writers (look for Stable with No error)
vssadmin list providers
Check Event Viewer → Application for VSS (IDs 8193, 12293), VolSnap (for example, 25), and defender/mcafee operational logs at the incident time.

For more details, see: NetWorker: Troubleshooting Backup Failures Due to VSS Issues

 

  1. Filter driver stack inventory:

fltmc (list file system filter drivers and order)

NOTE: Identify any additional filters (DLP, HIPS, encryption, endpoint agents).

 

  1. Repro control: Confirm that backup completes consistently with VSS:*=Off (establishes that the crash is VSS-path-specific).

example of VSS OFF settings

NOTE: This should only be used as a diagnostic step. NetWorker does not recommend Windows backups without VSS. Use this only when no alternative exists or when protecting host file data exclusively. Without VSS, the DISASTER_RECOVERY:\ save set is not backed up. A backup without VSS would not be BMR consistent.

Resolution (Tiered—prefer minimal disruption)

NOTE: The solutions outlined in this article are not within the NetWorker product. They involve potential actions within the client host's operating system and security tools. Any changes required must be discussed with the host's system administrator and security team. An agreement must be made on the most appropriate course of action. Any changes required must be performed by the site's system or administration teams.

A. Make VSS and NetWorker "AV-friendly" (recommended first)

  • Real-time scanning exclusions (both AV products):
    • Processes:
      nsrexecd.exe, save.exe, savefs.exe, nsrsvc.exe (if present), and any NetWorker helper binaries under
      C:\Program Files\EMC NetWorker\nsr\bin\ (or your install path).
    • Folders:
      C:\Program Files\EMC NetWorker\ (entire nsr tree), NetWorker temporary, and cache paths if customized.
    • VSS artifacts:
      Exclude access to \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy* and VSS staging locations to avoid deep inspection of snapshot volumes during creation.
  • Defender: Prefer Passive mode when a third‑party AV manages real‑time protection (using policy or Defender configuration). This keeps EDR visibility while avoiding dual real-time filter contention.
  • McAfee: Apply NetWorker/VSS recommended exclusions; ensure that HIPS or DLP policies do not inspect shadow copies or block volsnap/vssvc.

Result: Reduces filter activity during VSS operations and lowers kernel stack pressure without removing AV.

B. Reduce driver and filter depth during VSS.

  • Temporarily disable nonessential endpoint modules (HIPS, DLP, device control) during backup windows by policy if your security team approves.
  • Update AV drivers or definitions and Windows VSS/VolSnap cumulative updates—outdated drivers contribute to stack usage inefficiencies.
  • If a third‑party VSS provider is present, force Microsoft Software Shadow Copy provider (test impact):
    • Service checks: Ensure Volume Shadow Copy service is healthy.
    • Disable or untangle non-Microsoft providers if they are known to conflict (in coordination with the platform or security team).

C. Scheduling and load mitigation

  • Run backups outside peak activity (heavy I/O, scans, or endpoint tasks).
  • Stagger jobs so fewer clients trigger VSS snapshot simultaneously if central policies cause synchronized scans.

D. Last resort (avoid unless mandated)

  • Choose one real-time AV product. If the policy permits, set Defender to passive/EDR-only mode or fully disable real-time when McAfee is the primary AV.
    Uninstalling an AV should be a final step, not the default recommendation.

E. Operational workaround (if business needs override)

  • Continue backups with VSS:*=Off temporarily if consistency risk is acceptable for the affected workload. Document that VSS-level application consistency (writers) may be reduced (for example, open files). Use for noncritical datasets only while remediation proceeds.

Verification

  • After applying exclusions and driver optimizations, run:
    • vssadmin list writers → confirm Stable
    • Test a manual snapshot: wmic shadowcopy call create Volume='C:\' (monitor events for bugchecks)
    • Run a NetWorker file system backup on a single volume; then scale up.
    • Confirm no BugCheck and the job completes with VSS enabled.

Affected Products

NetWorker
Article Properties
Article Number: 000218472
Article Type: Solution
Last Modified: 07 Jan 2026
Version:  1
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.