[SOLVED] SFC found corrupt files that it can't fix

The lack of a log file is rather unusual.

Please zip and upload the entire C:\Windows\Logs\CBS\ folder, then include the link here.
 
Yes I agree, especially when booting in the RE. Any idea where else to look for it? I haven't found a way to tell sfc to place it somewhere else. Do you think there might be a way to do that? The CBS file only seems to get touched when booting back into normal mode. I don't think its touched in safe mode.

Along a different path, I'm looking into the permissions of registry key:

8F5DF053-3013-4DD8-B5F4-88214E81C0CF

It's the key for SFP Repair Class as shown for its default data. Right now only TrustedInstaller has full control, and it also is the current owner. The SYSTEM, Administrator and Users accounts only have Read access. I might try giving SYSTEM and Administrators full access and see if that helps. I'll probably need to take ownership of the key in order to do that.

Just so you know, the BSOD folks advised me to remove all traces of Roxio (including Sonic Solutions) from my system so that I could get back into this stage of repair. I couldn't boot into safe mode, BSOD while loading safe mode drivers. The last thing I did was to surgically remove the Roxio hard disk drivers, and now there are only Microsoft drivers controlling the drives. Hopefully there isn't something still lurking around.

Your thought and advice are truly appreciated!

Tom
 
I found something interesting here:

Windows Modules Installer Error:126 - Microsoft Community

While the issue doesn't seem to be directly related to mine, there is an interesting response/solution there saying:

I was missing the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version.

To fix it:
1. Navigate to C:\Windows\Servicing\Version and read the name of a subfolder. It will be named something like 6.1.7600.16385. That is your {TrustedInstaller ID}. Copy the name of that folder to the clipboard (and paste it in Notepad for safe keeping).

2. Find a subfolder in C:\Windows\WinSxS whose name starts with:

x86_microsoft-windows-servicingstack_31bf3856ad364e35_{TrustedInstaller ID} (32bit Windows)

amd64_microsoft-windows-servicingstack_31bf3856ad364e35_{TrustedInstaller ID} (64bit Windows)

Copy the name of that folder to the clipboard (and paste it in Notepad for safe keeping).

3. Create subkey "HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version". You will need to take ownership of "Component Based Servicing" then give yourself full access permissions before you can create the key.

4. In the new Version key, create an "expandable value" using the TrustedInstaller ID as its name and the complete path of the folder you identified in WinSxS as its value. Properly you should use %SystemRoot%\WinSxS\whatever instead of C:\Windows\WinSxS\whatever.



In my case, the (only) similar folder filename is:

x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7601.17514_none_93149d6fab68cf06


While I do have the registry entry, mine is:

Keyname: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version\
Value name: 6.1.7601.23505
Type: REG_EXPAND_SZ
Type #: 00000002
Size: 222
Value: x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.23505_none_0bfc08bf3ea166ba

Your thoughts?

 
tjsepka said:
I found something interesting here:

Windows Modules Installer Error:126 - Microsoft Community

While the issue doesn't seem to be directly related to mine, there is an interesting response/solution there saying:
I was missing the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version.

To fix it:
1. Navigate to C:\Windows\Servicing\Version and read the name of a subfolder. It will be named something like 6.1.7600.16385. That is your {TrustedInstaller ID}. Copy the name of that folder to the clipboard (and paste it in Notepad for safe keeping).

2. Find a subfolder in C:\Windows\WinSxS whose name starts with:

x86_microsoft-windows-servicingstack_31bf3856ad364e35_{TrustedInstaller ID} (32bit Windows)

amd64_microsoft-windows-servicingstack_31bf3856ad364e35_{TrustedInstaller ID} (64bit Windows)

Copy the name of that folder to the clipboard (and paste it in Notepad for safe keeping).

3. Create subkey "HKLM\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version". You will need to take ownership of "Component Based Servicing" then give yourself full access permissions before you can create the key.

4. In the new Version key, create an "expandable value" using the TrustedInstaller ID as its name and the complete path of the folder you identified in WinSxS as its value. Properly you should use %SystemRoot%\WinSxS\whatever instead of C:\Windows\WinSxS\whatever.



In my case, the (only) similar folder filename is:

x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7601.17514_none_93149d6fab68cf06


While I do have the registry entry, mine is:

Keyname: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version\
Value name: 6.1.7601.23505
Type: REG_EXPAND_SZ
Type #: 00000002
Size: 222
Value: x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.23505_none_0bfc08bf3ea166ba

Your thoughts?

Click to expand...

After reviewing more closely, I found that my system is actually ok. Additionally, further into the thread, I found the information there came from here:

https://support.microsoft.com/en-us/kb/959077
 
I did a little looking, it turns out that the CBS log will be hidden in the recovery environment so it will not be displayed when using DIR at the command prompt.

Please try running the SFC scan as usual in the recovery environment, then when it completes run the following command:

notepad %windir%\logs\cbs\cbs.log

If that doesn't work, try notepad x:\Windows\Logs\CBS\CBS.log

Once the log is open, save it somewhere convenient (like C:\temp) so that you can zip and attach it on the next boot into Windows.
 
I booted 3 times into the recovery environment (RE) and never found a cbs.log file. Before doing this I renamed my current cbs.log file in order to generate a new one from scratch. I used attrib "cbs.log -H" in numerous directories on both the C and X drives and didn't find the file. As best as I can tell, one was never generated even though sfc /scannow /offbootdir=c:\ /offwindir=c:\windows ran for about 9 minutes before returning "Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log.".

Here are some notes on other things I did or noted (sorry, I didn't keep exact track of the order in which I tried various things - my bad):
1.) I used GetBackData for NTFS to scan the C drive to see if the cbs.log file was generated but somehow got deleted when booting into normal mode. I didn't see any trace of it. I've used this method to recover chkdsk log files in the RE that fail to transfer with error code 50.
2.) A 0 byte cbs.log file was generated after booting into safe mode subsequent to booting and running sfc in the RE;
3.) A cbs.log file was generated after booting into normal mode. It's attached and shows the 3 normal mode boots;
4.) I've attached the output running the "set" command to display the environment variables when booted to a command prompt in the RE.
5.) The cbs.log file generated and appended to from booting into normal mode is attached;
6.) I ran cleanmgr to get rid of older stuff hanging around hoping to get a new baseline to run further tests from.

I guess we've gotten back to the point of being able to run sfc where it wouldn't before (my earlier post #9). Note that vssadmin list writers still does not show the SYSTEM writer.

I'm not sure what to try next. Maybe a new procmon capture of sfc run in safe and normal modes? Did my earlier uploads of the PML files reveal anything? I threw out an idea that maybe there was a permissions problem, but after further thought, I would have expected to see an "ACCESS DENIED" in the result column if that were the case - I didn't see one.

In summary, the checkpoint we're at is:
1.) "Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log.";
2.) I believe the sxs errors have been corrected, but I haven't rerun CheckSUR again. I didn't want to go further ahead without documenting this checkpoint.
3.) "vssadmin list writers" does not show the SYSTEM writer object. I don't know if or how this might be relevant to the sfc problem.

My specific reasons for wanting to get this resolved are because all of the troubleshooting I've done to fix Windows Media Player, IE, and other more important things that I can't recall right now, all end up with using sfc as the only thing left to try prior to attempting an in-place upgrade again. A clean install is out of the question!

I thought the procmon captures would give the most powerful insight to what's going wrong. Your thoughts on what to try next would be appreciated!
 

Attachments

Would you mind if we continue troubleshooting the System Writer problem a little further?
One of the instructors here has seen something similar, so I'd like to see if his solution might apply to your case.
 
Yes, continuing troubleshooting the system writer problem is fine with me. I'll wait for your suggestions and advise before attempting to do anything further on my own.
 
Please copy the following text:

Code: 
@echo off
ECHO processing...
for /f "tokens=*" %%G in ('dir /s "C:\Windows\WinSxS\FileMaps\" /a:-d /b') do (
(find /c /i "PcmH" "%%G">NUL) || (ECHO BAD: "%%G")
)
ECHO Done! Please note corrupt files.
pause

Paste the text into notepad, then save the file as checkfilemap.bat somewhere convenient (like the desktop).
Once complete, double click on the batch file to run it. This should result in a list of one (or more) files.
Move the files listed in the command window from the C:\Windows\WinSxS\FileMaps\ folder to somewhere convenient, like C:\temp\BadFileMaps\
Once complete, try the VSSAdmin List Writers command again and verify if the System Writer is present.
 
Something appears to be wrong in the code - here's its output:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

Thu 12/29/2016 13:11:39.16 C:\Windows\system32>@echo off
ECHO processing...
processing...
for /f "tokens=*" %%G in ('dir /s "C:\Windows\WinSxS\FileMaps" /a:-d /b') do (
%%G was unexpected at this time.
(find /c /i "PcmH" "%%G">NUL) || (ECHO BAD: "%%G")
File not found - %%G
BAD: "%%G"
)
ECHO Done! Please note corrupt files.
Done! Please note corrupt files.
pause
 
Copying and pasting the batch commands into a command window will not work.

Please copy and paste the text into notepad and save it as a batch file (.bat) as stated in the instructions in post #52 :)
 
System Writer has returned! Here's what is says:

Writer name: 'System Writer'
Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Instance Id: {43a2409f-8656-4c48-954c-301ae8bc8851}
State: [1] Stable
Last error: No error

Next step?
 
Excellent :) Which file was reported as corrupt? I'll see if it requires replacement or if something else needs to be done.
 
Here's the list of bad files:

BAD: "C:\Windows\WinSxS\FileMaps\$$_cursors_bff8b8b245707919.cdf-ms"
BAD: "C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_postmigres_web_base_images_0e64dea9756e1d4c.cdf-ms"
BAD: "C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-international-core_05a14960964e6af4.cdf-ms"
BAD: "C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-windows-audio-mmecore-other_5137bedd30b4e5d8.cdf-ms"
BAD: "C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-windows-ndis_b44547c729f73574.cdf-ms"
BAD: "C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-windows-terminalservices-appserver-licensing_10d3d9d862990d9c.cdf-ms"
BAD: "C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_microsoft-windows-terminalservices-licenseserver_cff2bf5f876a8fcd.cdf-ms"
BAD: "C:\Windows\WinSxS\FileMaps\$$_system32_migwiz_replacementmanifests_windowssearchengine_145004789b880a4a.cdf-ms"
BAD: "C:\Windows\WinSxS\FileMaps\$$_system32_mui_dispspec_d93de566344a36d0.cdf-ms"
BAD: "C:\Windows\WinSxS\FileMaps\$$_system32_networklist_029a48465a9cac56.cdf-ms"
 
You must log in or register to reply here.
Back
Top