Access denied on many files (Win 11)

Hi everyone!
I want to switch from Veeam to Restic.
In Veeam I used to backup the whole system to be able to do a bare metal recovery. It already saved my ass a few times when I had some hardware issues.

Anyway… trying to replicate this in restic, I run backup C:.
Looking at the results afterwards I realized that there are many “The file cannot be accessed by the system” and a few “access denied” errors. Some of the files seem to be just log files and other temp files but some of them are executables and other somehow important stuff. At least important enough to possibly prevent a seamless full recovery.

What can I do circumvent that? Since I need that to create a shadow copy backup, I’m running restic as admin and wouldn’t expect any permission issues.

I’m not clear if you’re already using them or not (you mentioned creating a shadow copy backup), but if not, VSS snapshots would seem to be the most straightforward solution to backing up files locked by another process on a Windows machine.

Restic can handle the VSS snapshot management for you, but you need to pass the --use-fs-snapshot flag as part of your backup command for it to do this, otherwise it defaults to not using VSS snapshots.

Sorry for being unclear.

The whole command looks like that:
restic backup -r D:\test C:\ –use-fs-snapshot --no-scan --pack-size 64 --exclude [some excludes]
It runs as administrator, restic is whitelisted in Windows Defender.

The output (some lines):

error: open \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\Users.…\AppData\Local\Microsoft\WindowsApps\SnippingTool.exe: The file cannot be accessed by the system.

error: open \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\Users.…\AppData\Local\Microsoft\WindowsApps\Spotify.exe: The file cannot be accessed by the system.

error: open \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\Users.…\AppData\Local\Microsoft\WindowsApps\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify.exe: The file cannot be accessed by the system.

error: open \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\ProgramData\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\S-1-5-21-4024458782-2530143891-2336270728-1002\SystemAppData\Helium\Cache\2bd14e1c612a254e.dat: Access is denied.

error: open \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\ProgramData\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\S-1-5-21-4024458782-2530143891-2336270728-1002\SystemAppData\Helium\Cache\2bd14e1c612a254e_COM15.dat: Access is denied.

error: open \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\ProgramData\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\S-1-5-21-4024458782-2530143891-2336270728-1002\SystemAppData\Helium\Cache\2bd14e1c612a254e_COM15.dat.LOG1: Access is denied.

error: open \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\ProgramData\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\S-1-5-21-4024458782-2530143891-2336270728-1002\SystemAppData\Helium\Cache\2bd14e1c612a254e_COM15.dat.LOG2: Access is denied.

Most of the files, if not all, aren’t necessary if I would reinstall the OS by hand and then restore the user folders, but they are probably critical if I want to do a bare metal restore without any more steps to do.

To be honest - I don’t know if these files were included in the Veeam backup. Veeam never complained about access problems and the restore was successful.
Unfortunately I’m not able to run a test restore, because I don’t have a spare machine that I could use without risking to ruin the OS.

Update:
After investigating a bit more. I realized that the files which are responsible for the “cannot be accessed by the system.” are actually links. The dir command shows -a—l as mode for these files.

The “access denied” files seem to be files and directories that belong to the SYSTEM user and I don’t have any rights on them.

I suppose, that they don’t need to be in the backup, but I’m not sure.

The question now ould be: Is there a way to automatically exclude files that don’t belong in the backup because they are links, protected system files or cloud - only online files without manually adding them to the exclude list?

The other question would be how to find out if the files really don’t belong in to a backup, but I think this is not the right place for such a question.

Neither of them look like your data files, and some of them are even just cache files or program files.

Generally, when I back up a Windows system, I only include the paths containing data, rather than including everything and excluding stuff. But each to their own

I do it on purpose to be able to do a bare metal restore.
When I only backup data, I have to install Windows and all software on my own.

I used Veeam several times for that and saved hours of time because the restore only took ~2 hours and everything was like it was before. After that I fell in love for that backup strategy.

I’m sorry, but how often do you really need to restore your entire system from scratch?

I totally stopped bothering with that type of backup, because even with many tens of clients, I had that need maybe once per ten years. I therefore deemed it completely pointless to spend time and complicate things to have full system restore. If shit truly hits the fan, reinstalling a system does not take that long, and in the end you get a nice and clean and fully updated system at the same time. I simply consider it a non-issue, not worth the effort.

I know it’s pretty unusual, but I had to do it ~6 times in the last 12 months.
I had to give my PC away for repair and another one had some weird driver issues that went away after simply restoring the system, but they reoccured after a few months. Probably some Windows update solved that issue completely and the issues didn’t come back yet.
In both cases it wasn’t really a catastrophic situation where I would have made a fresh install anyway.

The point is that making a full backup or a partial backup made no difference beside the needed space and time for the initial backup. It just worked. If I didn’t knew the Veeam full backup feature I would probably not bother with it too, but since I know it, i’m eager to replicate that behaviour with restic.

I will hit the microsoft forum and try to find out if they have some guideline to achieve a full backup of Windows without risking to get a non working system and without getting tons of errors. Maybe I come back with a generic exclude list that could help others.

Edit:
Two questions may belong here:
It seems that all of the “The file cannot be accessed by the system” errors are triggered by 0 Byte large files that are actually links. Looking into the Veeam backup, it seems that they are part of the backup.

• Is there a way to include them correctly in the Restic backup too?

Digging deeper into the docs, I found the following sentence:

Note that restic does not back up some metadata associated with files. Of particular note are:
file ownership and ACLs on Windows.

Am I understanding that correctly that if there are multiple users on a Windows system and I make a restore, I have to manually restore the ownerships of all files (e.g. program files belong to admins, user files belong to the particular user)?
That would mean that the effort to backup the whole system wouldn’t make sense anyway because of the lost metadata.

A cursory google search suggests the files/folder you’re having difficulty with holds data related to UWP apps, aka apps installed from the Microsoft store.
It also suggests that the data might not be usable on a new system, even if you were able to back it up.
Most advice seems to be to exclude the failing files/folders.

FWIW, the restic wrapper I used to backup my windows user dir has the following excludes, which I believe originate with Duplicati, I think some of what you were having errors with would be excluded by this list:
https://github.com/kmwoley/restic-windows-backup/blob/main/windows.exclude

As for the file ownership, I’ve not used restic with windows in quite a while, but your reading of the docs seems accurate - I would expect restic would restore the files with the ownership of the user that ran restic.

Some additional links related to how other backup programs handle backing up/excluding from backup the UWP dirs:
https://help.axcient.com/163545-obm-faqs/360033615354-Backup-for-Files-AppData-and-OBM
https://forum.duplicati.com/t/app-execution-aliases/12626

If you want to do a full disk backup consider reading this article:
https://www.tomshardware.com/how-to/image-backup-windows
My personal list of excluded files is at excluded file list but I do not expect to ever do a full disk restore.