[SOLVED] Server 2019 - SFC Windows Resource Protection could not perform the requested operation.

[dafunk]

Hello,

I have 6 Server 2019 instances, one on bare metal, the rest are VMs. All are fully patched. On 5 of the 6 instances, SFC /SCANNOW fails around 70% with the message "Windows Resource Protection could not perform the requested operation."

When I started troubleshooting, dism /online /cleanup-image /restorehealth would not complete. I ran the Windows disk cleanup tool & cleaned up Windows Updates, Defender Files, & Temp files. In hindsight I'm wondering if this was a bad move.

After the disk cleanup completed dism online /cleanup-image /restorehealth completes without issue.

I reboot & run SFC /SCANNOW. This fails around 70% with the message "Windows Resource Protection could not perform the requested operation."

The CBS.log shows duplicate ownership for a variety of files & directories. It also shows hash mismatch for several Windows Defender / Powershell files. These appear to be a known issue that should have been fixed by a Windows Defender update back in 2019.

Logs attached.

Thank you in advance for your assistance.

 

[Maxstar]

Hi and welcome to Sysnative,

Step 1. Download

SFCFix and save it to your desktop.

Warning: This fix was written specifically for this system. Do not run this fix on another system.

• Save any work you have open, and close all programs.
• Download the attachment SFCFix.zip and save it to your desktop.
• Drag the SFCFix.zip file over the SFCFix.exe executable and release it.

• SFCFix will launch, let it complete.
• Once done, a file will appear on your desktop, called SFCFix.txt.
• Post the logfile (SFCFix.txt) as attachment in your next reply.

Step 2. Run the System File Checker and post the result. If it fails attach a new copy of the CBS log.

SFC /Scannow

 

[dafunk]

Hello @Maxstar & thank you for your assistance.

After running the SFCFix, sfc /scannow fails at 71% with the message "Windows Resource Protection could not perform the requested operation."

Results of SFCFix.txt & new CBS.log attached.

 

[Maxstar]

Hi,

Please run the System File Checker again with Process Monitor running.

Step#1 - Capture Process Monitor Trace
1. Download and run Process Monitor. Leave this running while you perform the next steps.
2. Run the System File Checker just like you have in the past.
3. When SFC failes wait a minute and then stop the Process Monitor trace. You can simply do this by clicking the capture icon (CTRL +E) on the toolbar as shown below.

4. Select the File menu...Save... and save the file to your desktop. This is likely the default location. The name (unless changed) will be LogFile.PML. This is fine.
5. Zip up the LogFile.PML and upload it to WeTransfer - Send Large Files & Share Photos Online - Up to 2GB Free and provide the link.
6. Attach also a new copy of the CBS log for the time stamps.


Upload your COMPONENTS hive.

• Navigate to C:\Windows\System32\Config and locate the COMPONENTS file.
• Please copy this file to your desktop.
• Note: If you receive an error that this file is in-use, simply reboot your computer and try again.
• Right-click on this file on your desktop and select Send To > Compressed (zipped) folder. This will create a file named COMPONENTS.ZIP on your desktop.
• If the file is too large to upload here, upload the file to www.wetransfer.com and post the link in your next reply.

 

[dafunk]

Thank you! The requested steps have been taken & files attached.

 

[Maxstar]

It seems Process Monitor is stopped too early, it's just 50MB?

 

[dafunk]

I would like to request help for 4 other Windows 2019 servers which have no DISM errors but the same SFC /scannow now failure. Much of the CBS log appears the same as this machine.

Would it be best to create a new thread for each machine?

 

[dafunk]

It seems Process Monitor is stopped too early, it's just 50MB?

I will try again & post the results shortly.

 

[Maxstar]

Please stop the Process Monitor trace a minute after the System File Checker failed.

 

[dafunk]

Please stop the Process Monitor trace a minute after the System File Checker failed.

Understood. You may find the 3 updated files at SFC Troubleshooting Round 3. The Process Monitor log is almost 4GB when uncompressed so hopefully I've captured the necessary info. Thank you!

 

[Maxstar]

Warning: This fix was written specifically for this system. Do not run this fix on another system.

• Save any work you have open, and close all programs.
• Download the attachment SFCFixScript.txt and save it to your desktop.
• Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.

• SFCFix will launch, let it complete.
• Once done, a file will appear on your desktop, called SFCFix.txt.
• Post the logfile (SFCFix.txt) as attachment in your next reply.

 

[dafunk]

SFCFix results attached.

 

[Maxstar]

Unfortunately, the fix failed! Please try the following.

Open an elevated command prompt, run the the following command to load the COMPONENTS hive.

reg load HKLM\COMPONENTS C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS

1. Then import the RegFix.reg from the attached RegFix.zip file manually into the registry.
2. Run the following command and copy and paste the result in your next post.

reg query HKLM\COMPONENTS\DerivedData\Components\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.5830_none_311d57717347d139

 

[dafunk]

The registry import indicated it was successful.

Results of the reg query are:

HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.5830_none_311d57717347d139
    S256H    REG_BINARY    01D156F2C10286677CFD50C69CD4F705CC948EC70833D83C4068B692C1BED5CA
    identity    REG_BINARY    57696E646F77732D446566656E6465722D4D616E6167656D656E742D506F7765727368656C6C2C2043756C747572653D6E65757472616C2C2056657273696F6E3D31302E302E31373736332E353833302C205075626C69634B6579546F6B656E3D333162663338353661643336346533352C2050726F636573736F724172636869746563747572653D616D6436342C2076657273696F6E53636F70653D4E6F6E537853
    f!msft_mpthreatcatalog.cdxm_fa3800d54a854129    REG_DWORD    0x1
    f!defender.psd1    REG_DWORD    0x1
    f!msft_mpwdoscan.cdxml_a0349ca355f79443    REG_DWORD    0x1
    f!msft_mpsignature.cdxml_17413cb6c77c7834    REG_DWORD    0x1
    f!msft_mpthreat.cdxml_480974b3d925ddfc    REG_DWORD    0x1
    f!msft_mpcomputerstatus.cdx_8c431b39dfd4b87f    REG_DWORD    0x1
    f!msft_mpscan.cdxml_4571001ee28f5ead    REG_DWORD    0x1
    f!msft_mpthreatdetection.cd_e79d9594e2ec5083    REG_DWORD    0x1
    f!msft_mppreference.cdxml_24c6c7a4f947a643    REG_DWORD    0x1
    c!deployment-..7b879c560d5_31bf3856ad364e35_10.0.17763.5830_1008d14ed85ec289    REG_BINARY
    CF    REG_DWORD    0x80

 

[Maxstar]

Great, please run the System File Checker again with Process Monitor running. Post the new trace file and the CBS log when it fails.

 

[dafunk]

SFC /scannow completed successfully & did not find any integrity violations. I ran it twice as well as a dism /online /cleanup-image /scanhealth & everything looks good.

Thank you very much for your help!

I have 4 other Windows 2019 machines with the same windows defender power shell errors. I think they all got into the same state, the same way. Would it be advisable to to run the fixes you've provided in this thread on those machines? If not, is it proper etiquette to post 1 thread for each machine or can I post the info in this, or a new thread for all 4 machines? I know you guys volunteer your time & do not want to waste it.

Thanks again, you've saved me many hours of reinstalling the OS & software.

 

[Maxstar]

You're welcome. Glad to hear this server is fixed.

Please provide the CBS logs of the other servers in your next post, then I can take a look if you can use the same fix...

 

[dafunk]

I appreciate you taking a look at these. 4 CBS.log files attached. It's well past my bedtime but I will check this thread ASAP.

 

[Maxstar]

No problem and take your time. But the issue is exactly the same on all the other servers, so you can use the same fix.

1. Run SFCFix with the SFCFix.zip file in post #2.
2. Check the SFCFix.txt result, when you'll see the following, run the manual RegFix in post #13.

RegistryScript::
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.5830_none_311d57717347d139.

Failed to import registry key HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.5830_none_311d57717347d139.

Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.5830_none_311d57717347d139.
RegistryScript:: directive failed to complete successfully.

3. Run the System File Checker.

 

[dafunk]

Everything went smoothly & all is working as expected on the 4 additional machines. Thank you again for all your help. Made a donation to sysnative.

Best regards