Avamar: VSS Disabling User Profile Collection for Windows Clients

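Summary: The Windows Security log shows that avtar.exe is accessing every user profile on the client, including "active", "disabled", "expired", and "deleted/removed/missing" profiles. This user profile information is stored in the ".system_info/userinfo.xml" file at the end of the backup. This user profile collection is on by default for all Windows client backups, but as described below, it can cause performance degradation in some circumstances. ...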


Symptoms

The Windows Security log shows that avtar.exe is accessing every user profile on the client.

  • For active user profiles, the entries look like this:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/27/2017 4:00:07 PM
Event ID:      4648
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      CNCSD1C.corp.emc.com
Description:
A logon was attempted using explicit credentials.

Subject:
Security ID: SYSTEM
Account Name: CNCSD1C$
Account Domain: CORP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: testuser
Account Domain: CORP
Logon GUID: {1d662ff0-b57a-9c60-620c-b7f5c70ad1df}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x1544
Process Name: C:\Program Files\avs\bin\avtar.exe 

-----

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/27/2017 4:00:07 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      CNCSD1C.corp.emc.com
Description:
An account was successfully logged on.
 
Subject:
Security ID: SYSTEM
Account Name: CNCSD1C$
Account Domain: CORP
Logon ID: 0x3e7
 
Logon Type: 3
 
New Logon:
Security ID: CORP\testuser
Account Name: testuser
Account Domain: CORP
Logon ID: 0x8150fc1
Logon GUID: {cac983ee-8bf7-3789-896f-c9be1e852ead}
 
Process Information:
Process ID: 0x1334
Process Name: C:\Program Files\avs\bin\avtar.exe
  • For expired user profiles, it looks like this:
     
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/27/2017 12:51:58 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      CNCSD1C.corp.emc.com
Description:
An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: W8001DB03$
Account Domain: INTERNAL
Logon ID: 0x3e7
 
Logon Type: 3
 
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:                     
Account Domain:                 
 
Failure Information:
Failure Reason: The specified user account has expired.
Status: 0xc0000193
Sub Status: 0xc0000193
 
Process Information:
Caller Process ID:  0xe7c
Caller Process Name: C:\Program Files\avs\bin\avtar.exe
  • For disabled user profiles, it looks like this:
     
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/27/2017 12:51:58 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      CNCSD1C.corp.emc.com
Description:
An account failed to log on. 

Subject:
Security ID: SYSTEM
Account Name: W8001DB03$
Account Domain:  INTERNAL
 Logon ID:  0x3e7
 
Logon Type: 3
 
Account For Which Logon Failed:
Security ID:  NULL SID
Account Name:                     
Account Domain:                 
 
Failure Information:
Failure Reason:  Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072
 
Process Information:
Caller Process ID:  0xe7c
Caller Process Name: C:\Program Files\avs\bin\avtar.exe
  • Entries such as the following can also be seen:
     
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/27/2017 12:51:58 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      CNCSD1C.corp.emc.com
Description:
An account failed to log on. 

Subject:
Security ID: 
Account Name: testuser
Account Domain: CORP
Logon ID: 0x3e7

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name:        
Account Domain:        

Failure Information:
Failure Reason:  Error occured during Logon.
Status: 0xc000018b
Sub Status: 0x0

Process Information:
Caller Process ID: 0x1544
Caller Process Name: C:\Program Files\avs\bin\avtar.exe
  • The following is a list of common statuses that may be encountered:
     
     
    Status Code	Description
    0XC000005E	There are currently no logon servers available to service the logon request.
    0xC0000064	User logon with misspelled or bad user account
    0xC000006A	User logon with misspelled or bad password
    0XC000006D	This is either due to a bad username or authentication information
    0XC000006E	Unknown user name or bad password.
    0xC000006F	User logon outside authorized hours
    0xC0000070	User logon from unauthorized workstation
    0xC0000071	User logon with expired password
    0xC0000072	User logon to account disabled by administrator
    0XC00000DC	Indicates the Sam Server was in the wrong state to perform the desired operation.
    0XC0000133	Clocks between DC and other computer too far out of sync
    0XC000015B	The user has not been granted the requested logon type (aka logon right) at this machine
    0XC000018C	The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
    0XC0000192	An attempt was made to logon, but the Netlogon service was not started.
    0xC0000193	User logon with expired account
    0XC0000224	User is required to change password at next logon
    0XC0000225	Evidently a bug in Windows and not a risk
    0xC0000234	User logon with account locked
    0XC00002EE	Failure Reason: An Error occurred during Logon
    0XC0000413	Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
    
    

For a complete list, see the error codes in ntstatus.h.
These entries are found in the Security log for every user profile on the client machine each time a backup runs.
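
To confirm that a burst of these events comes from the backup rather than from another source, the entries can be grouped by the calling process. The following PowerShell is an added example, not part of the original article or of Avamar tooling; the one-day look-back window is an assumption, and the status descriptions are a subset copied from the table above.

```powershell
# Added example. Run elevated on the backup client; reads the local Security log.
$avtarPath = 'C:\Program Files\avs\bin\avtar.exe'   # process path shown in the events above
$since     = (Get-Date).AddDays(-1)                 # look-back window (assumption)

# Descriptions copied from the status table above (subset).
$statusText = @{
    '0xC000006A' = 'User logon with misspelled or bad password'
    '0xC0000072' = 'User logon to account disabled by administrator'
    '0xC0000193' = 'User logon with expired account'
    '0xC0000234' = 'User logon with account locked'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4648; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Index the EventData fields by their Name attribute.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    # Prefer the more specific SubStatus when the table above describes it.
    $code = @($data['SubStatus'], $data['Status']) |
        Where-Object { $_ -and $statusText.ContainsKey($_) } | Select-Object -First 1
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Status    = $data['Status']
        SubStatus = $data['SubStatus']
        Meaning   = if ($code) { $statusText[$code] } else { '' }
        Process   = $data['ProcessName']
        FromAvtar = ($data['ProcessName'] -ieq $avtarPath)
    }
}

# Backup-generated entries, summarised per event ID and failure status.
$rows | Where-Object { $_.FromAvtar } |
    Group-Object Id, Status, SubStatus, Meaning |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Failed logons that did not come from avtar.exe still need normal review.
$rows | Where-Object { $_.Id -eq 4625 -and -not $_.FromAvtar } |
    Sort-Object Time |
    Format-Table Time, Account, Status, SubStatus, Process -AutoSize
```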

Cause

At the end of each backup, the avtar process spawned by the plug-in collects information about every user profile on the client.

  • In the avtar log, the following lines can be found (note that the number varies with the number of profiles):
avtar Info <11035>: Reading 14 user profiles
avtar Info <11036>: Done reading user profiles
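  • This profile collection occurs at the end of every avtar session on a Windows machine. It happens not only at the end of a Windows file system backup (avtar), but also every time a different plug-in such as avexvss (Exchange), avsql (SQL), or avvss (VSS) spawns an avtar.exe process.
  • If a Windows VSS backup spawns three avtar processes to back up different volumes, the profiles are collected three times, adding overhead time.
  • Although collecting user profiles should be a quick process, in some rare cases, such as orphaned security identifier (SID) entries, it takes long enough to affect Avamar performance. An example of such log entries: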
2017-05-25 04:34:18 avtar Info : Reading 37 user profiles

 

More than two hours later, it is followed by:

2017-05-25 06:50:34 avtar Info : Done reading user profiles
  • Profile collection at the end of the backup can even fail when invoking "AuthzInitializeContextFromSid":
2023-10-13 09:51:21 avtar Warning <16147>: AuthzInitializeContextFromSid failed: 2
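
The gap between the "Reading" and "Done reading" lines shows whether a client is affected. The following PowerShell is an added example, not Avamar's own tooling; the sample lines are constructed in the formats shown above, the five-minute threshold is an assumption, and it assumes one avtar session per log.

```powershell
# Constructed sample lines; in practice replace the here-string with
# Get-Content on the avtar log of the backup job.
$log = @'
2017-05-25 04:34:18 avtar Info <11035>: Reading 37 user profiles
2017-05-25 06:50:34 avtar Info <11036>: Done reading user profiles
2023-10-13 09:51:20 avtar Info : Reading 14 user profiles
2023-10-13 09:51:21 avtar Warning <16147>: AuthzInitializeContextFromSid failed: 2
2023-10-13 09:51:22 avtar Info : Done reading user profiles
'@ -split "`r?`n"

$threshold = [timespan]::FromMinutes(5)   # assumed limit for "too slow"
# Timestamp, severity, optional <message code>, then the message text.
$stamp = '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) avtar \w+ (?:<\d+>)?: (?<msg>.*)$'
$start = $null; $count = 0; $authzFail = 0

$result = foreach ($line in $log) {
    if ($line -match $stamp) {
        $ts  = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss',
                                      [cultureinfo]::InvariantCulture)
        $msg = $Matches.msg
        if ($msg -match '^Reading (\d+) user profiles') {
            $start = $ts; $count = [int]$Matches[1]; $authzFail = 0
        } elseif ($start -and $msg -match '^AuthzInitializeContextFromSid failed') {
            $authzFail++                      # failures seen during collection
        } elseif ($start -and $msg -match '^Done reading user profiles') {
            $elapsed = $ts - $start
            [pscustomobject]@{
                Started       = $start
                Profiles      = $count
                Elapsed       = $elapsed
                AuthzFailures = $authzFail
                Slow          = ($elapsed -gt $threshold)
            }
            $start = $null
        }
    }
}
$result | Format-Table -AutoSize
```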

 

For more details on the AuthzInitializeContextFromSid API used in profile collection, see:

https://learn.microsoft.com/en-us/troubleshoot/sql/reporting-services/call-authzinitializecontextfromsid-api-fails

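In this situation, some SIDs are missing their corresponding user name entries, and avtar stalls or fails to process these orphaned SIDs. This can happen when a user account is deleted but the corresponding user home directory is not.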
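
One way to list profiles whose SID no longer resolves to an account, as an added example that is not part of the original article. It assumes the profiles in question are the ones registered under the standard Windows ProfileList registry key, which the article does not state; it only reports and changes nothing.

```powershell
# Added example. Assumption: profiles are registered under the standard ProfileList key.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$report = foreach ($key in Get-ChildItem -Path $profileList) {
    $sidText = $key.PSChildName
    $path    = $key.GetValue('ProfileImagePath')
    $account = $null
    $detail  = $null
    try {
        $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # The SID cannot be mapped (deleted account, unreachable domain) or the
        # key name is not a valid SID (for example a leftover "<SID>.bak" key).
        $detail = $_.Exception.GetBaseException().Message
    }
    [pscustomobject]@{
        Sid         = $sidText
        Account     = $account
        ProfilePath = $path
        PathExists  = [bool]($path -and (Test-Path -LiteralPath $path))
        Orphaned    = (-not $account)
        Detail      = $detail
    }
}

# Orphaned entries first: a SID with no account but an existing profile folder
# matches the deleted-account case described above.
$report | Sort-Object Orphaned -Descending | Format-Table -AutoSize -Wrap
```

A SID can also fail to resolve while a domain controller is unreachable, so check the Detail column before treating an entry as orphaned.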

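This profile collection is on by default, but it is used only for Desktop/Laptop (DTLT) restores. For each user profile, avtar retrieves all the groups the user belongs to in order to determine whether the user is a local administrator. This information is used to decide which files the logged-in user can view and restore through the DTLT web interface.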

Resolution

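Although these security entries can be safely ignored, profile collection can be disabled on Windows Server clients. This feature should not be disabled on desktops or laptops if the DTLT web interface is used. To disable user profile collection, add the following avtar flag to the avtar.cmd file on the client or to the associated dataset.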

--x05=65536 

Disabling profile collection can be handled in two ways.

  1. For a single client:
    1. Create a text file named avtar.cmd in C:\Program Files\avs\var
    2. In the avtar.cmd file, add the following flag:
    3. --x05=65536
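    4. This affects all backups on the client, because avtar uses it every time it starts.
  2. For multiple clients using a dataset:
    1. In the dataset, go to the Options tab
    2. Select the appropriate plug-in type from the drop-down list
    3. Click the "More" button.
      1. For Windows file system backups:
        1. Under "Enter Attribute", enter x05
        2. Under "Enter Attribute Value", enter 65536
        3. Then click the + button
      2. For all other Windows plug-ins:
        1. Under "Enter Attribute", enter [avtar]x05
        2. Under "Enter Attribute Value", enter 65536
        3. Then click the + button
    4. This must be done for each plug-in type that is part of the dataset, and for each dataset assigned to the groups the client belongs to.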
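
The single-client steps above, scripted as an added example (not Dell's own script). The workstation check reflects the DTLT caveat in this article; rewriting the file as ASCII text and refusing to touch an existing, different x05 value are assumptions.

```powershell
# Added example. Run elevated on the Windows Server client.
$varDir  = 'C:\Program Files\avs\var'   # location given in the steps above
$cmdFile = Join-Path $varDir 'avtar.cmd'
$flag    = '--x05=65536'

# ProductType 1 = workstation. Profile collection should stay on for
# desktops and laptops that use the DTLT web interface.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 1) {
    throw "Workstation OS detected ($($os.Caption)); not disabling profile collection."
}
if (-not (Test-Path -LiteralPath $varDir -PathType Container)) {
    throw "Avamar var directory not found: $varDir"
}

# Read any existing flags so the change is idempotent.
$lines = @()
if (Test-Path -LiteralPath $cmdFile) { $lines = @(Get-Content -LiteralPath $cmdFile) }
$existing = @($lines | Where-Object { $_.Trim() -match '^--x05=' })

if ($existing.Count -eq 0) {
    # Rewrite the whole file so the flag always lands on its own line,
    # even when the old file did not end with a newline.
    Set-Content -LiteralPath $cmdFile -Value ($lines + $flag) -Encoding Ascii
    "Added $flag to $cmdFile"
} elseif ($existing | Where-Object { $_.Trim() -eq $flag }) {
    "$flag already present in $cmdFile; nothing changed"
} else {
    Write-Warning "x05 is already set ($($existing -join ', ')); file left unchanged, review manually."
}

# Show the resulting file for the change record.
Get-Content -LiteralPath $cmdFile
```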

Affected Products

Avamar Client, Avamar Plug-in

Products

Avamar
Article Properties
Article Number: 000054866
Article Type: Solution
Last Modified: 05 Sep 2025
Version:  5