diff --git a/changelog/unreleased/pull-5170 b/changelog/unreleased/pull-5170
new file mode 100644
index 000000000..312eb14a5
--- /dev/null
+++ b/changelog/unreleased/pull-5170
@@ -0,0 +1,21 @@
+Bugfix: Prevent Windows VSS event log 8194 warnings for backup with fs snapshot
+
+When running `restic backup` with `--use-fs-snapshot` flag in Windows with admin rights, event logs like
+```
+Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
+. This is often caused by incorrect security settings in either the writer or requestor process. 
+
+Operation:
+   Gathering Writer Data
+
+Context:
+   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
+   Writer Name: System Writer
+   Writer Instance ID: {54b151ac-d27d-4628-9cb0-2bc40959f50f}
+```
+are created several times(the backup itself succeeds). Prevent this from occurring.
+
+
+https://github.com/restic/restic/issues/5169
+https://github.com/restic/restic/pull/5170
+https://forum.restic.net/t/windows-shadow-copy-snapshot-vss-unexpected-provider-error/3674/2
diff --git a/internal/fs/vss_windows.go b/internal/fs/vss_windows.go
index 840e97107..1cbaf82f8 100644
--- a/internal/fs/vss_windows.go
+++ b/internal/fs/vss_windows.go
@@ -810,6 +810,26 @@ func initializeVssCOMInterface() (*ole.IUnknown, error) {
 		}
 	}
 
+	// initialize COM security for VSS, this can't be called more then once
+
+	// Allowing all processes to perform incoming COM calls is not necessarily a security weakness.
+	// A requester acting as a COM server, like all other COM servers, always retains the option to authorize its clients on every COM method implemented in its process.
+	//
+	// Note that internal COM callbacks implemented by VSS are secured by default.
+	// Reference: https://learn.microsoft.com/en-us/windows/win32/vss/security-considerations-for-requestors#:~:text=Allowing%20all%20processes,secured%20by%20default.
+
+	if err = ole.CoInitializeSecurity(
+		-1,   // Default COM authentication service
+		6,    // RPC_C_AUTHN_LEVEL_PKT_PRIVACY
+		3,    // RPC_C_IMP_LEVEL_IMPERSONATE
+		0x20, // EOAC_STATIC_CLOAKING
+	); err != nil {
+		// TODO warn for expected event logs for VSS IVssWriterCallback failure
+		return nil, newVssError(
+			"Failed to initialize security for VSS request",
+			HRESULT(err.(*ole.OleError).Code()))
+	}
+
 	var oleIUnknown *ole.IUnknown
 	result, _, _ := vssInstance.Call(uintptr(unsafe.Pointer(&oleIUnknown)))
 	hresult := HRESULT(result)