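Avamar: VSS: Disabling User Profile Collection for Windows Clients

Summary: The Windows Security log shows avtar.exe accessing every user profile on the client, including active, disabled, expired, and deleted/removed/missing profiles. This user profile information is saved at the end of the backup in the ".system_info/userinfo.xml" file. By default, this user profile collection is on for all Windows client backups, but as described below, it can degrade performance in some cases. ...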


Symptoms

The Windows Security log shows avtar.exe accessing every user profile on the client.

  • For active user profiles, the entries look like this:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/27/2017 4:00:07 PM
Event ID:      4648
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      CNCSD1C.corp.emc.com
Description:
A logon was attempted using explicit credentials.

Subject:
Security ID: SYSTEM
Account Name: CNCSD1C$
Account Domain: CORP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: testuser
Account Domain: CORP
Logon GUID: {1d662ff0-b57a-9c60-620c-b7f5c70ad1df}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x1544
Process Name: C:\Program Files\avs\bin\avtar.exe 

-----

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/27/2017 4:00:07 PM
Event ID:      4624
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      CNCSD1C.corp.emc.com
Description:
An account was successfully logged on.
 
Subject:
Security ID: SYSTEM
Account Name: CNCSD1C$
Account Domain: CORP
Logon ID: 0x3e7
 
Logon Type: 3
 
New Logon:
Security ID: CORP\testuser
Account Name: testuser
Account Domain: CORP
Logon ID: 0x8150fc1
Logon GUID: {cac983ee-8bf7-3789-896f-c9be1e852ead}
 
Process Information:
Process ID: 0x1334
Process Name: C:\Program Files\avs\bin\avtar.exe
  • For expired user profiles, the entries look like this:
     
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/27/2017 12:51:58 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      CNCSD1C.corp.emc.com
Description:
An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: W8001DB03$
Account Domain: INTERNAL
Logon ID: 0x3e7
 
Logon Type: 3
 
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:                     
Account Domain:                 
 
Failure Information:
Failure Reason: The specified user account has expired.
Status: 0xc0000193
Sub Status: 0xc0000193
 
Process Information:
Caller Process ID:  0xe7c
Caller Process Name: C:\Program Files\avs\bin\avtar.exe
  • For disabled user profiles, the entries look like this:
     
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/27/2017 12:51:58 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      CNCSD1C.corp.emc.com
Description:
An account failed to log on. 

Subject:
Security ID: SYSTEM
Account Name: W8001DB03$
Account Domain:  INTERNAL
 Logon ID:  0x3e7
 
Logon Type: 3
 
Account For Which Logon Failed:
Security ID:  NULL SID
Account Name:                     
Account Domain:                 
 
Failure Information:
Failure Reason:  Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072
 
Process Information:
Caller Process ID:  0xe7c
Caller Process Name: C:\Program Files\avs\bin\avtar.exe
  • Entries such as the following may also be seen:
     
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/27/2017 12:51:58 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      CNCSD1C.corp.emc.com
Description:
An account failed to log on. 

Subject:
Security ID: 
Account Name: testuser
Account Domain: CORP
Logon ID: 0x3e7

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name:        
Account Domain:        

Failure Information:
Failure Reason:  Error occured during Logon.
Status: 0xc000018b
Sub Status: 0x0

Process Information:
Caller Process ID: 0x1544
Caller Process Name: C:\Program Files\avs\bin\avtar.exe
  • The following is a list of common status codes that may be encountered:
     
     
    Status Code	Description
    0XC000005E	There are currently no logon servers available to service the logon request.
    0xC0000064	User logon with misspelled or bad user account
    0xC000006A	User logon with misspelled or bad password
    0XC000006D	This is either due to a bad username or authentication information
    0XC000006E	Unknown user name or bad password.
    0xC000006F	User logon outside authorized hours
    0xC0000070	User logon from unauthorized workstation
    0xC0000071	User logon with expired password
    0xC0000072	User logon to account disabled by administrator
    0XC00000DC	Indicates the Sam Server was in the wrong state to perform the desired operation.
    0XC0000133	Clocks between DC and other computer too far out of sync
    0XC000015B	The user has not been granted the requested logon type (aka logon right) at this machine
    0XC000018C	The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
    0XC0000192	An attempt was made to logon, but the Netlogon service was not started.
    0xC0000193	User logon with expired account
    0XC0000224	User is required to change password at next logon
    0XC0000225	Evidently a bug in Windows and not a risk
    0xC0000234	User logon with account locked
    0XC00002EE	Failure Reason: An Error occurred during Logon
    0XC0000413	Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
    
    

For the complete list, see Error code ntstatus.h (external link).
Each time a backup runs, these entries appear in the Security log for every user profile on the client machine.
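When reviewing an exported Security log, it helps to separate the logon events raised by the backup process from everything else. The following is an added example, not Dell code: it parses the text layout shown above, attributes events to the avtar.exe path taken from those entries, and labels failures using a subset of the status table. The sample events and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Descriptions copied from the status table above (subset).
STATUS = {"0xc0000072": "User logon to account disabled by administrator",
          "0xc0000193": "User logon with expired account",
          "0xc000006a": "User logon with misspelled or bad password"}

# Constructed sample in the export layout shown above; not real log data.
SAMPLE = """\
Log Name:      Security
Event ID:      4625
Failure Reason: The specified user account has expired.
Status: 0xc0000193
Sub Status: 0xc0000193
Caller Process Name: C:\\Program Files\\avs\\bin\\avtar.exe
Log Name:      Security
Event ID:      4624
Logon Type: 3
Process Name: C:\\Program Files\\avs\\bin\\avtar.exe
Log Name:      Security
Event ID:      4625
Status: 0xc000006d
Sub Status: 0xc000006a
Caller Process Name: C:\\Windows\\System32\\svchost.exe
"""

def field(record, name):
    """Return the value of 'name: value' on its own line, or None if empty/absent."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(\S.*?)[ \t]*$", record, re.M)
    return m.group(1) if m else None

def triage(text, backup_path=r"C:\Program Files\avs\bin\avtar.exe"):
    """Tally events raised by the backup process; return the rest for review."""
    from_backup, other = Counter(), []
    for rec in re.split(r"(?m)^(?=Log Name:)", text):
        event_id = field(rec, "Event ID")
        if event_id is None:
            continue
        proc = field(rec, "Caller Process Name") or field(rec, "Process Name") or ""
        sub, status = field(rec, "Sub Status"), field(rec, "Status")
        # Sub Status carries the specific reason on 4625; fall back when it is 0x0.
        code = (sub if sub and sub.lower() != "0x0" else status or "").lower()
        reason = STATUS.get(code, code)
        # Compare the full path from the events above, not just the file name.
        if proc.lower() == backup_path.lower():
            from_backup[(event_id, reason)] += 1
        else:
            other.append((event_id, reason, proc))
    return from_backup, other
```

Events returned in the second list did not originate from the backup process and still need normal review.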

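Cause

At the end of each backup, the avtar process spawned by the plug-in collects information about every user profile on the client.

  • In the avtar log, the following lines can be found (note that the number varies with the number of profiles):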
avtar Info <11035>: Reading 14 user profiles
avtar Info <11036>: Done reading user profiles
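  • This profile collection happens at the end of every avtar session on a Windows machine. It occurs not only at the end of a Windows File System backup (avtar), but also each time another plug-in such as avexvss (Exchange), avsql (SQL), or avvss (VSS) spawns an avtar.exe process.
  • If a Windows VSS backup spawns three avtar processes to back up different volumes, the profiles are collected three times, which adds overhead time.
  • Although user profile collection should be fast, in some rare cases (such as orphaned security identifier (SID) entries) it takes long enough to affect Avamar performance. Example of such log entries: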
2017-05-25 04:34:18 avtar Info : Reading 37 user profiles

 

followed more than two hours later by:

2017-05-25 06:50:34 avtar Info : Done reading user profiles
  • The profile collection at the end of the backup can even fail when calling "AuthzInitializeContextFromSid":
2023-10-13 09:51:21 avtar Warning <16147>: AuthzInitializeContextFromSid failed: 2

 

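For more details about the use of this API in profile collection, see:

https://learn.microsoft.com/en-us/troubleshoot/sql/reporting-services/call-authzinitializecontextfromsid-api-fails

In these cases, some SIDs have no corresponding user name entry, and avtar stalls or fails while processing these orphaned SIDs. This can happen when a user account is deleted but the corresponding user home directory is not.

This profile collection is on by default, but it is only used for Desktop/Laptop (DTLT) restores. For each user profile, avtar obtains all the groups the user belongs to in order to determine whether the user is a local administrator. This information is used to determine which files the logged-in user can view and restore through the DTLT web interface.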
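To check whether a client is affected, the avtar log can be scanned for the two profile-collection markers and the time between them. The following is an added example, not Dell code: the sample lines are constructed from the log lines quoted above, and the five-minute threshold, the function name, and the assumption that the AuthzInitializeContextFromSid warning appears between the two markers are illustrative.

```python
import re
from datetime import datetime, timedelta

# Constructed sample built from the avtar log lines quoted above.
SAMPLE = """\
2017-05-25 04:34:18 avtar Info : Reading 37 user profiles
2017-05-25 06:50:34 avtar Info : Done reading user profiles
2023-10-13 09:51:20 avtar Info <11035>: Reading 14 user profiles
2023-10-13 09:51:21 avtar Warning <16147>: AuthzInitializeContextFromSid failed: 2
2023-10-13 09:51:22 avtar Info <11036>: Done reading user profiles
"""

# Timestamp, severity, optional <message id>, then the message text.
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) avtar (\w+)\s*(?:<\d+>)?\s*: (.*)$")

def profile_collection_runs(log_text, slow_after=timedelta(minutes=5)):
    """Pair 'Reading N user profiles' with 'Done reading user profiles'."""
    runs, current = [], None
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        start = re.match(r"Reading (\d+) user profiles", msg)
        if start:
            current = {"start": when, "profiles": int(start.group(1)),
                       "authz_failures": 0}
        elif current and msg.startswith("AuthzInitializeContextFromSid failed"):
            current["authz_failures"] += 1
        elif current and msg.startswith("Done reading user profiles"):
            current["elapsed"] = when - current["start"]
            current["slow"] = current["elapsed"] > slow_after
            runs.append(current)
            current = None
    if current:
        # Collection started but no end marker: stalled, or the log was cut off.
        current.update(elapsed=None, slow=True)
        runs.append(current)
    return runs
```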

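Resolution

Although these security entries can be safely ignored, profile collection can be disabled on Windows server clients. If the DTLT web interface is in use, it should not be disabled on desktops or laptops. To disable user profile collection, add the following avtar flag to the avtar.cmd file on the client or to the associated dataset.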

--x05=65536 

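Disabling profile collection can be handled in two ways.

  1. For a single client:
    1. Create a text file named avtar.cmd in C:\Program Files\avs\var
    2. In the avtar.cmd file, add the following flag: --x05=65536
    3. This affects all backups on the client, because avtar uses it every time it starts.
  2. For multiple clients using a dataset:
    1. In the dataset, go to the "Options" tab
    2. Select the appropriate plug-in type from the drop-down list
    3. Click the "More" button.
      1. For Windows File System backups:
        1. Under "Enter Attribute", enter x05
        2. Under "Enter Attribute Value", enter 65536
        3. Then click the + button
      2. For all other Windows plug-ins:
        1. Under "Enter Attribute", enter [avtar]x05
        2. Under "Enter Attribute Value", enter 65536
        3. Then click the + button
    4. This must be done for every plug-in type that is part of the dataset, and for every dataset assigned to the groups the client belongs to.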

Affected Products

Avamar Client, Avamar Plug-in

Products

Avamar
Article Properties
Article Number: 000054866
Article Type: Solution
Last Modified: 14 Jan 2026
Version: 7