Windows 2019 Server Microsoft Updates Failing

[scjohnson]

Updates did not take, it went to 95% complete and then stated "We couldn't complete the updates. Undoing changes. Don't turn off your computer."

Updated CBS logs attached. Thank you in advance!

 

[Maxstar]

Hi,

2025-03-10 17:29:41, Error                 CSI    000005b8@2025/3/10:22:29:41.102 (F) internal\onecorebase\inc\auto_hive.h(358): Error STATUS_CANNOT_DELETE originated in function Windows::Rtl::AutoHive::Unload expression: UnloadStatus
[gle=0x80004005]
2025-03-10 17:29:41, Info                  CBS    Could not get active session for current session file logging [HRESULT = 0x80004003 - E_POINTER]
2025-03-10 17:29:41, Info                  CBS    Could not get file name for current session file logging [HRESULT = 0x80004003 - E_POINTER]
2025-03-10 17:29:41, Info                  CSI    000005b9 Failed unloading hive file: \??\C:\Users\admin-fj\NTUSER.DAT, key: \Registry\User\S-1-5-21-1960408961-1897051121-682003330-27690, with flags: 0, NTSTATUS: -1073741535

This SID does nox exist in the profile list, could you please the profile folder?

 

[scjohnson]

Maxstar, same results as before. I attached the updated logs.

 

[Maxstar]

Are you able to clone this server into another environment like Hyper-V? You can use Sysinternals Disk2vhd to create an VHDx image from a physical server. Looking at the CBS logs, all the accounts with the fdeploy subkey are causing issues.

 

[scjohnson]

I was able to clone the virtual server and replicate the update results. I will remove the other users and attempt it again. I'll keep you updated on any progress.

 

[Maxstar]

Great let me know the result.

 

[scjohnson]

I was able to get the updates to go in my test environment by deleting the following entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20

I am restoring my snapshot to see if I can do it without deleting all of these, I am not sure what complications might arise with having these removed.

 

[Maxstar]

Hmm, deleting those profiles is not a good idea, as these are the built-in system profiles:

S-1-5-18 = System
S-1-5-19 = LocalService
S-1-5-20 = NetworkService

Please remove only (roaming / user) profiles not the built-in and admin profiles. You can run the following command in an elevated prompt to check the SID's and profile names.

wmic useraccount get name,sid >> "%userprofile%\desktop\ProfileList.txt"

 

[scjohnson]

Since it is a test environment, I removed all of the profiles (except for my admin one), left S-1-18, S-1-19, S-1-20, and it failed again at 94%.

 

[scjohnson]

Attached the updated CBS logs.

 

[Maxstar]

2025-03-11 10:23:10, Info                  CSI    000005ac Shutting down pending transaction queue.
2025-03-11 10:23:10, Info                  CSI    000005ad Failed unloading hive file: \??\C:\Users\admin-sj\NTUSER.DAT, key: \Registry\User\S-1-5-21-1960408961-1897051121-682003330-23451, with flags: 0, NTSTATUS: -1073741535

2025-03-11 10:23:10, Error                 CSI    000005ae@2025/3/11:15:23:10.508 (F) internal\onecorebase\inc\auto_hive.h(358): Error STATUS_CANNOT_DELETE originated in function Windows::Rtl::AutoHive::Unload expression: UnloadStatus

This profile is the remaining issue now on this clone.

 

[scjohnson]

That is my profile, I will log in as local admin and delete it to see if it updates.

 

[Maxstar]

Okay let me know the result. It seems all the profiles with an fdeploy subkey are causing issues, so I would definitely check the policies and why those subkeys are created.

 

[scjohnson]

That did not resolve the issue and it is currently restoring/rebooting.

If it is helpful information, we have 15 of these BG servers, all on Windows Server 2019 and they all contain the same registry keys (including the fdeploy). This is the only one that has had updating problems.

 

[Maxstar]

When the clone is rebuild to a previous state, please attempt to update again with Process Monitor running.

Capture Process Monitor BootLog
1. Download and run Process Monitor. Leave this running while you perform the next steps.
2. Select the Options....Enable Boot Logging option. A Enable Boot Logging dialog will come up. Just click OK.
3. Create a folder on your desktop named BootLog.
4. Attempt to install the update just like you have in the past. Let the machine reboot and revert just like it has in the past.
5. After the machine has rebooted and come back up to the desktop, open Process Monitor again. A message box will come up telling you that a log of boot-time activity was created and ask if you wish to save it. Click Yes and save to the BootLog folder on your desktop.
6. This may take some time as it converts the boot-time data. Allow it to finish.
7. Zip up the entire BootLog folder on your desktop and upload to a file sharing service like: WeTransfer | Send Large Files Fast
8. Upload also the latest CBS log for the time stamps.

 

[scjohnson]

Here are the requested files:

New Server Uploads

 

[Maxstar]

Unfortunately, the bootlog is corrupted so please do the following.

Capture Process Monitor BootLog from the command line

• Download Process Monitor.
• Create a folder on your systemdrive called "C:\Tools" and copy ProcMon.exe into this directory.
• Open an elevated command prompt and navigate to C:\Tools with the command cd C:\Tools.
• Copy and paste the following command into the prompt and press enter.
  

  ProcMon.exe /accepteula /quiet /EnableBootLogging

• Attempt to install the update just like you have in the past. Let the machine reboot and revert just like it has in the past.
• After the machine has rebooted and come back up to the desktop, open an elevated command prompt and navigate to C:\tools.
• Copy and paste the following command to create the Bootlog Trace file.
  

  ProcMon.exe /ConvertBootLog C:\Tools\bootlog.pml

• Now the following window will appear and the bootlog will be created, wait for it to complete.
  
  
• Zip up the Bootlog.pml file as well as your CBS.log and upload it to a file sharing service like: WeTransfer - Send Large Files & Share Photos Online - Up to 2GB Free

 

[scjohnson]

Hopefully this works:

BootLog CBS

 

[Maxstar]

Hi,

2025-03-11 13:50:09, Info                  CSI    0000053b Performing HKCU for sid: S-1-5-21-1960408961-1897051121-682003330-15048
2025-03-11 13:50:09, Error                 CSI    0000053c (F) STATUS_OBJECT_NAME_NOT_FOUND #122656# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(flg = (AllowAccessDenied), key = {provider=NULL, handle=0, name= ("null")}, da = (KEY_READ|KEY_WOW64_64KEY), oa = @0x67459fb9d8->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[61]'\Registry\USER\S-1-5-21-1960408961-1897051121-682003330-15048'; a:(OBJ_CASE_INSENSITIVE)}, disp = Unmapped disposition: 1168095160)[gle=0xd0000034]
2025-03-11 13:50:09, Error                 CSI    0000053d@2025/3/11:18:50:09.460 (F) onecore\base\wcp\sil\ntsystem.cpp(5348): Error STATUS_OBJECT_NAME_NOT_FOUND originated in function Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey expression: (null)
[gle=0x80004005]

3/11/2025 7:50:09 PM    TiWorker.exe    RegOpenKey    HKU\S-1-5-21-1960408961-1897051121-682003330-15048    NAME NOT FOUND    Desired Access: Read

Now there is an issue with the highlighted SID, this was one of the profiles without the subkey fdeploy and does not exist under the HKU hive.

 

[scjohnson]

I am looking through the logs, but still having problems. I removed EMAR and it still failed. I have also attempted to install this update with all local and roaming profiles removed and it is still failing. Attached is the CBS after removing EMAR.