Windows Backup on EC2: Introduction to Volume Shadow Copy Service (VSS)

When backing up Windows Servers in EC2, one would naturally want to utilize the power of EBS snapshots. While EBS snapshots are crash consistent by nature, creating an application-consistent backup typically requires the backup software to interact directly with applications, be it databases or other.  And that’s where Volume Shadow Copy Service (VSS) comes in.

Windows applications are more integrated than Unix/Linux applications. Volume Shadow Copy Service (VSS) is a backup infrastructure for Window servers. It allows applications to integrate to it on one end, and backup software and storage hardware on the other. VSS creates “shadow copies” which are consistent copies of volumes that can be stored on the file system or in specialized storage devices and repositories.

Introduced in Windows server 2003, VSS is the standard way to make consistent backup of Windows servers. All Microsoft applications, like Exchange, SQL Server and SharePoint support VSS and other Windows components make sure backup is consistent by utilizing VSS: Active Directory, Windows Registry and the file system itself. Additionally, some non-Microsoft applications, such as Oracle, support VSS as well.

The three main components of VSS are requestors, writers and providers:

  • Requestors – Applications that request for a backup or “shadow copy” to be created, like backup applications.
  • Writers – Applications that write data to volumes and support backing up their persistent data using VSS. Writers include: SQL Server writer, Oracle writer, NTFS writer etc… Writers make sure shadow copies are consistent from the application’s perspective.

  • Providers – Components that know how to create and maintain shadow copies (or backups). Windows comes with a system provider capable of storing the backup data into regular Windows volumes. Storage Arrays sometimes come with hardware providers that know how to store shadow copies.
vss diagram EC2 backup EBS
image taken this page on Microsoft’s site

VSS supports two methods for shadow copies:

  • Clone: A complete clone of a volume usually provided by software or hardware mirroring. Storage hardware providers typically support this type.
  • Differential:  Changed data blocks from the original volume are copied to the shadow copy, to provide a consistent image for a certain point-in-time. This method is also called “copy-on-write.” With this method, the shadow copy consists of blocks in the volumes which were changed after the shadow copy was taken. This means that the amount of data is small at the beginning and grows over time.

Writers register with the Windows infrastructure the specific volumes they write to. For instance, a database that stores data of volume D: and logs in volume E:, will notify VSS that this application writes to these volumes. When a provider asks to create a shadow copy on a certain volume or volumes (e.g. D:), the infrastructure signals all the writers writing to that volume to make sure the persistent data on the volume is consistent. This can be done by closing transactions, flushing queues, closing files etc… Once the provider receives indications that all writers are in a consistent state, it creates the actual shadow copy. Any errors from writers result in an error. In addition, if a writer doesn’t respond in a timely fashion, the process will time out and fail.

While the shadow copy exists, backup software can use the frozen and consistent image of the volume to copy the data out as a valid backup. Once the backup operation completes, the requestor notifies the VSS infrastructure that backup is completed and VSS notifies all relevant writers that backup was successful. Applications can automatically perform operations depending on a successful completion of backup, like logs truncation.

VSS on EC2 and EBS Volumes:

When running production Windows Servers on EC2 with EBS volumes for persistent data, the power of VSS can be leveraged. It is possible to implement a general-purpose file level backup solution that supports VSS in EC2. While such a solution will result in consistent backups, all the advantages of EBS snapshots will be missed out. To take consistent backups of Windows applications and still benefit from the powerful capabilities of EBS snapshots, such as fast incremental backup and rapid recovery, a backup solution utilizing VSS with EBS snapshots is required. Such a solution will enjoy all worlds in terms of backup and recovery times as well as consistency of Windows applications.


Cloud Protection Manager (CPM) is an enterprise-class backup solution for EC2 based on EBS & RDS snapshots. It supports VSS using a thin backup agent that is installed in seconds on the Windows instances. Consistent backup based on VSS is supported automatically. CPM is sold on AWS Marketplace with prices ranging from $62.5/month to $500/month. See pricing or try it for free.

Share this post →

You might also like: