[SOLVED] Server 2019 fails nearly all CUs with 0x800f0922 or 0x80246007

rhonda

Hello,
I've run some of the cmds based on other posts I've read here. This is a 2019 standard vm that has been failing nearly all updates for the last year. It gets to 30% updated, reboots, gets to 90% and rolls back updates.
What I've tried:

DISM /Online /Cleanup-Image /RestoreHealth
(CBS log attached)

dir /s /a %systemroot%\WinSxS\msil_microsoft.identitys..r.service.resources_31bf3856ad364e35_10.0.17763.1432_ko-kr_99d60db3c722e4c6
C:\Users\Administrator>dir /s /a %systemroot%\WinSxS\msil_microsoft.identitys..r.service.resources_31bf3856ad364e35_10.0.17763.1432_ko-kr_99d60db3c722e4c6
Volume in drive C has no label.
Volume Serial Number is 747A-B6EE
File Not Found

certutil -hashfile %systemroot%\WinSxS\Manifests\msil_microsoft.identitys..r.service.resources_31bf3856ad364e35_10.0.17763.1432_ko-kr_99d60db3c722e4c6.manifest SHA256
bf3856ad364e35_10.0.17763.1432_ko-kr_99d60db3c722e4c6.manifest SHA256
CertUtil: -hashfile command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

Thanks in advance for your assistance,
Rhonda
 


Hi and welcome to Sysnative,

Please provide all the previous CBS logs as well.

Upload a copy of the CBS folder
  • Open Windows Explorer and browse to the C:\Windows\Logs folder.
  • Right-click on the CBS folder and choose Send to > Compressed (zipped) folder.
  • Now the message will appear, "Windows cannot create the Compressed (zipped) Folder here. Do you want it to be placed on the desktop instead?"
  • Click on the Yes button here.

  • Attach the file CBS.zip to your next reply. If the file is too large to attach, upload the CBS.zip file to www.wetransfer.com and post the link in your next reply.
 
Hello, thanks so much. I ran sfc /scannow a few days ago and reran DISM before running the attached.
 


Hi,

Open an elevated command prompt, run the following command and attach Services.txt to your next post.
Code:
WMIC SERVICE GET caption, name, startmode, state > "%userprofile%\desktop\services.txt"
 
Hi,

Please open an elevated command prompt, run the following commands and copy and paste the result in your next post.
Code:
sc qc http
sc config http start= auto
 
C:\Users\Administrator>sc qc http
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: http
TYPE : 1 KERNEL_DRIVER
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\drivers\HTTP.sys
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP Service
DEPENDENCIES : WinQuic
SERVICE_START_NAME :

C:\Users\Administrator>sc config http start= auto
[SC] ChangeServiceConfig SUCCESS
 
Great, please run the following commands and post the result.
Code:
sc start http
sc qc http
sc query http
 
C:\Users\Administrator>sc start http
[SC] StartService FAILED 1009:

The configuration registry database is corrupt.


C:\Users\Administrator>sc qc http
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: http
TYPE : 1 KERNEL_DRIVER
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\drivers\HTTP.sys
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP Service
DEPENDENCIES : WinQuic
SERVICE_START_NAME :

C:\Users\Administrator>sc query http

SERVICE_NAME: http
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1009 (0x3f1)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
 
Please run the following command and post the HTTP.txt file.
Code:
reg query HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo > "%userprofile%\Desktop\HTTP.txt"

Edit:
Please also run the following command and post the result:
Code:
netsh show ssl cert
 
C:\Users\Administrator>netsh show ssl cert
The following command was not found: show ssl cert.
 


Hmm, do you recognize the following entry under this key, which shouldn't be there?
Rich (BB code):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443

If not, delete that entry and run the following command again.
Code:
netsh http show sslcert
 
Let me back it all up and I'll check on it. I will be away for a few hours but will update after that. I appreciate the help.
 
Update: I was able to reproduce this issue, but could you provide an export of this key to look at?

Export registry key as hive file.
  • Open the Start menu of Windows and type CMD.
  • When you see Command Prompt on the list, select the option Run as administrator.
  • Copy and paste the following command into the command prompt and press enter.
Code:
reg save "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo" "%userprofile%\Desktop\SslBindingInfo.hiv"
  • Once done, a file will appear on your desktop, called SslBindingInfo.hiv.
  • ZIP this file and attach it to your next reply.
 
Hello, so sorry about the lag. I'm hesitant to remove the 0.0.0.0:443 reg but attached is what you just requested. It looks to be empty.
 


Hi,

Yes, this key is empty and seems to be the issue. So please run the following command; I expect you will see the message: The configuration registry database is corrupt or The handle is invalid.
Code:
netsh http show sslcert
See also this article about IIS / Certificate Mapping.
 
Yes, you're right. I got this:
The handle is invalid.

I reviewed the article and am wondering what the repercussions are for enabling this on a public-facing DMZ server. This is not AD domain joined. Thank you :)
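
The condition diagnosed in this thread (an ip:port subkey under SslBindingInfo that holds no values while the HTTP driver stops with exit code 1009) can be checked read-only before anything is deleted. The script below is an added example, not part of the original thread or any poster's code; it assumes "empty" means the subkey has zero registry values, and the function and variable names are hypothetical.

```powershell
# Added example (not from the thread): read-only audit of HTTP.sys SSL binding keys.
# Run in an elevated PowerShell session on the affected server.
$SslBindingRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo'

function Get-SslBindingKeyReport {
    # Hypothetical helper: one object per ip:port subkey, flagging keys with no values.
    param([string]$Path = $SslBindingRoot)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }
    Get-ChildItem -LiteralPath $Path -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Binding    = $_.PSChildName                      # e.g. 0.0.0.0:443
            ValueCount = $_.ValueCount
            ValueNames = ($_.GetValueNames() -join ', ')
            IsEmpty    = ($_.ValueCount -eq 0)               # assumption: empty = no values
        }
    }
}

# State of the HTTP kernel driver, the same facts 'sc query http' reports.
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'" |
    Select-Object Name, State, StartMode, ExitCode |
    Format-List

$report = @(Get-SslBindingKeyReport)
$report | Format-Table -AutoSize

$empty = @($report | Where-Object IsEmpty)
if ($empty.Count -gt 0) {
    # Nothing is deleted here: list the suspect keys and remind about the backup.
    Write-Warning ("Empty binding key(s): " + ($empty.Binding -join ', '))
    Write-Host 'Back up the parent key first, e.g. with the reg save command used in the thread.'
} else {
    Write-Host 'No empty SslBindingInfo subkeys found.'
}
```

A healthy binding shows a non-zero ValueCount with its value names listed, so the empty entry stands out next to any bindings that IIS or another service registered correctly.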
 
