SFC unable to repair Server 2019 Datacenter Terminal Server

Interesting, there don't appear to be any events in the event log which indicate that the file has been overwritten. Could you please follow the below steps? I just want to ensure that we capture what process is overwriting that file because that appears to be the reason why the hashes are mismatched.

If not, could you please run the SFCFix .zip file from post #49 and then reboot the system once it has successfully copied over the files to your WinSxS folder. After rebooting the server, please provide the event log as you did before.
 
Code:
SFCFix version 3.0.2.1 by niemiro.
Start time: 2022-03-22 08:24:53.219
Microsoft Windows Server 10 Build 17763 - amd64
Using .zip script file at C:\Users\adm-david\Desktop\SFCFix.zip [1]




PowerCopy::
Successfully took permissions for file or folder C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
Successfully took permissions for file or folder C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml

WARNING: File C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml was not backed up as that would replace the current backup.
Successfully copied file C:\Users\adm-david\AppData\Local\niemiro\Archive\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml to C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml.
WARNING: File C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml was not backed up as that would replace the current backup.
Successfully copied file C:\Users\adm-david\AppData\Local\niemiro\Archive\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml to C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml.

Successfully restored ownership for C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
Successfully restored permissions on C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-tlsbrand_31bf3856ad364e35_10.0.17763.1075_none_9c481b71554a77d4\tls_branding_config.xml
Successfully restored ownership for C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml
Successfully restored permissions on C:\windows\WinSxS\amd64_microsoft-windows-t..enseserver-lrwizdll_31bf3856ad364e35_10.0.17763.1_none_f5101f628983b202\LServer_PKConfig.xml
PowerCopy:: directive completed successfully.




Successfully processed all directives.
SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 3 datablocks.
Finish time: 2022-03-22 08:24:53.641
Script hash: pRJjp3ChLjr0HeOJD06K8JwaBy2c2dAbsxKzguLDT6Q=
----------------------EOF-----------------------
 


Thanks, I can see that SFCFix has amended the file, which it should do. Have you rebooted since?
 
I installed Sysmon and rebooted, then I ran SFCFix and rebooted, then I sent the event log. The only thing I haven't done is run sfc /scannow post-reboot.
 
Okay, could you please run SFC /scannow and then provide the event log if it fails?
 
It doesn't look like any additional records were added to the Sysmon log.

Code:
C:\windows\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files but was unable to fix some of them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

C:\windows\system32>wevtutil epl Microsoft-Windows-Sysmon/Operational %userprofile%\Desktop\Sysmon.evtx

C:\windows\system32>
 

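As an added example (not part of any post in this thread, and not Sysnative's or Sysmon's own code): one way to check the exported Sysmon.evtx for writes to the two files SFCFix repaired. It assumes the active Sysmon configuration logs FileCreate events (event ID 11) for paths under WinSxS; the variable names are illustrative.

```powershell
# Added example: list Sysmon FileCreate events (ID 11) that touched the two
# files SFCFix repaired, using the log exported with wevtutil above.
# Assumption: the active Sysmon configuration records FileCreate events for
# C:\Windows\WinSxS; if it does not, no events will be returned.
$evtx    = Join-Path $env:USERPROFILE 'Desktop\Sysmon.evtx'
$targets = 'tls_branding_config.xml', 'LServer_PKConfig.xml'

$events = Get-WinEvent -FilterHashtable @{ Path = $evtx; Id = 11 } -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Sysmon stores its fields as <Data Name="..."> elements under EventData.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $leaf = Split-Path -Path $data['TargetFilename'] -Leaf
    if ($targets -contains $leaf) {
        # Image is the full path of the process that created or overwrote the file.
        [pscustomobject]@{
            UtcTime        = $data['UtcTime']
            Image          = $data['Image']
            ProcessId      = $data['ProcessId']
            TargetFilename = $data['TargetFilename']
        }
    }
}

if ($hits) {
    $hits | Sort-Object UtcTime | Format-Table -AutoSize -Wrap
} else {
    'No FileCreate events for the target files were found in the exported log.'
}
```

An empty result only rules out a writer if the Sysmon configuration includes a FileCreate rule that covers those paths.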

So, it would seem that no given process is directly writing to those files then and the issue appears to be isolated to Windows Update from what we can tell. Hmm, not sure if the Windows Update logs will contain anything useful, but there is no harm in checking them.

Could you please open a PowerShell window and then enter the following command:

Code:
Get-WindowsUpdateLog
 
Could you please repair the files using SFCFix again and then attempt the update, but with ProcMon running too?

Step#1 - Capture Process Monitor Trace
1. Download and run Process Monitor. Leave this running while you perform the next steps.
2. Try updating the system just like you have in the past.
3. Stop Process Monitor as soon as it fails. You can simply do this by clicking the square icon on the toolbar.

4. Select the File menu...Save... and save the file to your desktop. This is likely the default location. The name (unless changed) will be LogFile.PML. This is fine.
5. Zip up and provide the link to the LogFile.PML file as well as your CBS.log. Examples of services to upload to are Dropbox or OneDrive or WeTransfer.
 
Are there no updates available to install? There was a cumulative update released at the beginning of this month. If there are, could you please run SFCFix using the fix script we used to repair the corrupted files and then run ProcMon while attempting to install an update. I'm wondering if this issue was addressed by Microsoft unknowingly in an update.
 
FRST Registry Search
1. Click your Start button and type in cmd.
2. After you find the Command Prompt, right click on it and select Run as Administrator.
3. Copy and paste the following into the Command Prompt:

reg load HKLM\COMPONENTS C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS

4. Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the 64-bit Version so please ensure you download that one.
5. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
6. Copy and paste KB5011503 into the Search box and click the Search Registry button.
7. When the scan is complete a notepad window will open with the results. Please attach this to your next reply. It is saved on your desktop named SearchReg.txt.
 
