[SOLVED] [W11 PRO x64] DISM Error: 1009 - The configuration registry database is corrupt.

[xilolee]

Windows Logs > double-click on Application.
(On the right) Filter current log.
In the entry where it is written "all event ids", put 26226 and confirm (click ok or Filter).
Then double-click the latest event 26226 and the chkdsk report should appear.
Click Copy and paste the content here.

If you still can't find it, read the tutorial: Find Check Disk (CHKDSK) results

 

[Caliopus]

This is the only one that came up for 26226


Chkdsk was executed in scan mode on a volume snapshot.

Checking file system on \Device\HarddiskVolume3

Stage 1: Examining basic file system structure ...
1059584 file records processed. File verification completed.
Phase duration (File record verification): 9.21 seconds.
5544 large file records processed. Phase duration (Orphan file record recovery): 1.54 milliseconds.
0 bad file records processed. Phase duration (Bad file record checking): 0.00 milliseconds.

Stage 2: Examining file name linkage ...
135 reparse records processed. 1179654 index entries processed. Index verification completed.
Phase duration (Index verification): 11.14 seconds.

Phase duration (Orphan reconnection): 652.92 milliseconds.

Phase duration (Orphan recovery to lost and found): 0.03 milliseconds.
135 reparse records processed. Phase duration (Reparse point and Object ID verification): 2.50 milliseconds.

Stage 3: Examining security descriptors ...
Security descriptor verification completed.
Phase duration (Security descriptor verification): 190.98 milliseconds.
60036 data files processed. Phase duration (Data attribute verification): 0.00 milliseconds.
CHKDSK is verifying Usn Journal...
37940904 USN bytes processed. Usn Journal verification completed.
Phase duration (USN journal verification): 381.10 milliseconds.
Windows has found problems that must be fixed offline.
Please run "chkdsk /f" to fix the issues.

487567359 KB total disk space.
101017908 KB in 247871 files.
159116 KB in 60037 indexes.
1187299 KB in use by the system.
65536 KB occupied by the log file.
385203036 KB available on disk.

4096 bytes in each allocation unit.
121891839 total allocation units on disk.
96300759 allocation units available on disk.
Total duration: 21.59 seconds (21590 ms).

----------------------------------------------------------------------


Stage 1: Examining basic file system structure ...

Stage 2: Examining file name linkage ...

Stage 3: Examining security descriptors ...

 

[xilolee]

This was on January 31st, which is why I asked you to use chkdsk...

 

[Caliopus]

Yes. I was puzzled by that, but couldn't see anything else with the 26226 designation. Went back to the notepad file and going by date found the 8449 report. attached. Sorry about my misstep.

------< Log generate on 2/27/2025 8:55:26 AM >------
Category: 0
Computer Name: Rosenberg
Event Code: 1001
Record Number: 8449
Source Name: Microsoft-Windows-Wininit
Time Written: 02-26-2025 @ 18:09:10
Event Type: Information
User:
Message:

Checking file system on C:
The type of the file system is NTFS.


A disk check has been scheduled.
Windows will now check the disk.

Stage 1: Examining basic file system structure ...
1059584 file records processed.

File verification completed.
Phase duration (File record verification): 10.31 seconds.
13807 large file records processed.

Phase duration (Orphan file record recovery): 4.29 milliseconds.
0 bad file records processed.

Phase duration (Bad file record checking): 1.87 milliseconds.

Stage 2: Examining file name linkage ...
245 reparse records processed.

1273972 index entries processed.

Index verification completed.
Phase duration (Index verification): 15.16 seconds.
0 unindexed files scanned.

Phase duration (Orphan reconnection): 850.69 milliseconds.
0 unindexed files recovered to lost and found.

Phase duration (Orphan recovery to lost and found): 379.61 milliseconds.
245 reparse records processed.

Phase duration (Reparse point and Object ID verification): 6.45 milliseconds.

Stage 3: Examining security descriptors ...
Cleaning up 4528 unused index entries from index $SII of file 0x9.
Cleaning up 4528 unused index entries from index $SDH of file 0x9.
Cleaning up 4528 unused security descriptors.
Security descriptor verification completed.
Phase duration (Security descriptor verification): 70.97 milliseconds.
107195 data files processed.

Phase duration (Data attribute verification): 2.13 milliseconds.
CHKDSK is verifying Usn Journal...
37869112 USN bytes processed.

Usn Journal verification completed.
Phase duration (USN journal verification): 246.11 milliseconds.

Windows has scanned the file system and found no problems.
No further action is required.

487567359 KB total disk space.
117815792 KB in 546617 files.
348096 KB in 107196 indexes.
0 KB in bad sectors.
1187863 KB in use by the system.
65536 KB occupied by the log file.
368215608 KB available on disk.

4096 bytes in each allocation unit.
121891839 total allocation units on disk.
92053902 allocation units available on disk.
Total duration: 27.18 seconds (27186 ms).

Internal Info:
00 2b 10 00 fa f9 09 00 cd 5b 11 00 00 00 00 00 .+.......[......
64 00 00 00 91 00 00 00 00 00 00 00 00 00 00 00 d...............

 

[Maxstar]

Please run the following tool as well.

Download the

Farbar Recovery Scan Tool and save it to your Desktop:

Download the 64 bit version: - Farbar Recovery Scan Tool Link

• Note: Your antivirus program may report FRST incorrectly as an infection. If so, disable the real-time protection when downloading and running FRST.
• Right-click to run the tool as administrator. When the tool opens click Yes to disclaimer.
• Note: Ensure that the Addition.txt check box is checked at the bottom of the form within the Optional Scan area.
• Press the Scan button.
• Please wait for the tool to finish. It will produce two logfiles called FRST.txt and Addition.txt in the same directory the tool is run from (which should be the desktop)
• Post the logfiles FRST.txt and Addition.txt as attachment in your next reply.

 

[Caliopus]

attached

 

[Maxstar]

Hi,

1. Please uninstall Bitdefender Total Security and the VPN part using the official removal tool. -> Uninstall Consumer Paid
2. The latest dumps listed are:

2025-02-25 16:00 - 2025-02-25 16:00 - 002883356 _____ C:\Windows\Minidump\022525-8609-01.dmp
2025-02-25 13:41 - 2025-02-25 13:41 - 003171060 _____ C:\Windows\Minidump\022525-11031-01.dmp
2025-02-20 16:00 - 2025-02-20 16:01 - 002767380 _____ C:\Windows\Minidump\022025-9140-01.dmp

When BitDifender is uninstalled, run the following tool again and provide the SysnativeFileCollectionApp.zip file in your next post.

Download the

Sysnative BSOD Dump + System File Collection App to your desktop.

• Right-click on SysnativeBSODCollectionApp.exe and select "Run as administrator".
• When the tool is ready, it will open the directory: C:\Users\<username>\Documents.
• Post the zipfile: SysnativeFileCollectionApp.zip as attachment in your next reply.
• The textfile 'BSODPostingsInstructions' you may close.

 

[Caliopus]

The last 2 reports (services & tracert) took too long to generate and were indicated in yellow font as skipped. File attached.

 

[Maxstar]

KERNEL_MODE_HEAP_CORRUPTION (13a) was triggered by vlflt.sys (Bitdefender) as it seems. And another dump shows MEMORY_MANAGEMENT (1a), which could be related!

MODULE_NAME: vlflt
IMAGE_NAME:  vlflt.sys
STACK_COMMAND:  .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET:  13e496
FAILURE_BUCKET_ID:  0x139_1d_INVALID_BALANCED_TREE_vlflt!unknown_function

@xilolee can you tell us more about this, dump files are not my area to analyse! Thanks!

 

[Maxstar]

Please do also the following.

Follow the instructions below to run Memtest. (It's recommended to run it for 8 passes (2 runs of 4 passes).

1. Download Download MemTest86 Free to your desktop and extract this file.
2. Right click imageUSB.exe and select the option "Run as Administrator".
3. Select the USB-stick to place a checkmark.
4. Warning! When you perform the following steps it will overwrite all your data on this USB-stick!
5. Then click Write to copy the ISO file "memtest86-usb.iso" to the USB-stick.
6. When you get the message: "You have chosen to write an image to the following USB-drive, click Yes.
7. Then a final warning will appear, click Yes to create the USB-stick with the Memtest ISO file...
8. Boot the system from this stick and run MemTest for the first 4 passes.
9. If no errors have been found after the four passes of the 13 different tests that the free version does, then restart Memtest86 and do another four passes.

 

[Caliopus]

Memtest86 failed on the first run of the first set of 4: "Test has aborted due to too many errors." number on error counter = 10k

Memtest86-report-20250227-142656_753588.html saved

 

[Maxstar]

Manufacturer     Part Number     Serial Number     Speed     Capacity     Bank Label     DIMM     Form Factor     Data Width
Corsair     CMK16GX4M2E3200C16     00000000     2133 MHz     8 GB     BANK 0     Controller0-ChannelA-DIMM0     8     64
Corsair     CMK16GX4M2E3200C16     00000000     2133 MHz     8 GB     BANK 0     Controller0-ChannelA-DIMM1     8     64
Corsair     CMK16GX4M2E3200C16     00000000     2133 MHz     8 GB     BANK 1     Controller0-ChannelB-DIMM0     8     64
Corsair     CMK16GX4M2E3200C16     00000000     2133 MHz     8 GB     BANK 1     Controller0-ChannelB-DIMM1     8     64

You can try to run Memtest again with just one RAM module to find the bad one(s), than you can decide to replace the faulty module with a new one (same model) or a complete new set of RAM.

 

[Caliopus]

The memory stick in the A2 channel was the bad one. The other 3 checked out OK through the full 4 runs each.

Memtest86 report
20250228-095134_026536,html
20250228-122326_330245.html
20250228-145306_799605.html

 

[Maxstar]

Hi,

Okay, please try to update again using the Update Assistant with only the healthy RAM.

 

[Caliopus]

Success!! Update finally worked with A1 B1 installed (replacement RAM on order for A2 B2) and was on pins and needles from 79% installed until the reboot. Winver says 24H2! Thank you so much. You guys can't comprehend how grateful I am to you for your help (and patience with me). I've had PCs since 5 months after IBM first came out with theirs (64K ram), built my first one toward the end of the PS2 era, and this has far and away been the biggest, most frustrating problem I've ever run into with a computer. Know that you've made one guy's life a lot more pleasant with what you're doing here. And yes, I will show my appreciation in a more material way also.

Just out of curiosity, once you have some time you're just looking to kill, can you please explain to me what went wrong (no hurry at all). I understand that a RAM stick can just randomly crap out for no good reason (luck of the draw), but as I understand what's played out tracking down the problem, there was another problem that required chkdsk /f to fix. What's your best theory as to how, if any way, they may have been related (2 simultaneous independent problems strike me as a very low probability event, no?).

In any case, thanks again.

 

[Maxstar]

Great, glad to hear the issue has been resolved and this system is up-to-date now...

Just out of curiosity, once you have some time you're just looking to kill, can you please explain to me what went wrong (no hurry at all). I understand that a RAM stick can just randomly crap out for no good reason (luck of the draw), but as I understand what's played out tracking down the problem, there was another problem that required chkdsk /f to fix.

Faulty RAM can lead to various issues such as; BSOD's, system hangs or crashes, file corruptions and also incorrect data written to the registry. See also this blogpost with an detailed explanation. His video is also interesting to watch:

 

[Caliopus]

Thanks for indulging my curiosity. The video is mostly over my head, but I do now understand how the problems were related and rooted in the bad ram. That leads me to another question. Back when I first noticed the failure to update in December, I followed the troubleshooting guide to follow in cases of update failures and checked if all my hardware was working properly. It showed everything as OK. Why didn't the bad ram stick get flagged by that command back then? Too basic and resolution not fine enough? My failure to read the results properly (always a possibility for me - I know enough to get into trouble and not enough to get out of it)?

 

[Maxstar]

Why didn't the bad ram stick get flagged by that command back then?

Which command do you mean? CHKDSK will not detect RAM issues and only file system (metadata) issues BAD sectors etc. But in this case I don't think the HDD/SSD was an issue only the RAM issue which resulted in corrupt system files. But you can always check your current drives with the following tool:

Drive c: () (Fixed) (Total:464.98 GB) (Free:347.37 GB) (Model: CT500MX500SSD1) NTFS
Drive d: (New Volume) (Fixed) (Total:1863 GB) (Free:1852.67 GB) (Model: ST2000DM008-2UB102) NTFS

Follow the instructions below to check your SMART status with GSmartControl

Download

GSmartControl to your desktop.

• Extract the zip file to your Desktop. Open the folder gsmartcontrol-1.1.4-win64 which should be located on your Desktop and double-click gsmartcontrol.exe to launch the program.
• Identify your drive in the list (if recognized by the tool), and hover your mouse over it.
• Please note: If the SMART Status reads: Unsupported, stop and let me know.

• Otherwise: > double-click on the (problematic) drive you want to test.
• Open the Self-Tests tab, then select Extended Self-test in the Test type drop-down list and click on Execute (this test can take a few hours to complete).
• Open the Attributes tab and if you have any entries highlighted in red or pink, take a screenshot of the GSmartControl window and attach it in your next reply;

 

[Caliopus]

I don't recall many specifics, besides that I checked device manager and used google to direct me to some number of apps, mostly through start-settings, and couldn't find the performance monitor, so I'm betting I just didn't dig deep enough. Have a folder now labeled 2025 diagnostics with all the downloads you guys pointed me at (and bookmarked this thread to keep the instructions available) and I'm adding GSmartControl to the set.

Thanks again for everything. The weather here today is a very nice taste of Spring. I wish the same for you, if not today then at least soon.

 

[xilolee]

KERNEL_MODE_HEAP_CORRUPTION (13a) was triggered by vlflt.sys (Bitdefender) as it seems. And another dump shows MEMORY_MANAGEMENT (1a), which could be related!

MODULE_NAME: vlflt
IMAGE_NAME:  vlflt.sys
STACK_COMMAND:  .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET:  13e496
FAILURE_BUCKET_ID:  0x139_1d_INVALID_BALANCED_TREE_vlflt!unknown_function

@xilolee can you tell us more about this, dump files are not my area to analyse! Thanks!

Hey good job!

I already knew that it was bitdefender that was blocking the bsodcollectionapp, but I didn't have the heart to have caliopus uninstall it.
This is what windbg says:

20/02/2025 22:01:02 (likely, converted to my time)
0x13a (0x12, 0xffffe780cce00140, 0xffffe7821ff05000, 0)
KERNEL_MODE_HEAP_CORRUPTION
The kernel mode heap manager has detected corruption in a heap.
Type of corruption detected hex 0x12 (=decimal 18, the first parameter): The heap detected invalid internal state during the current operation. This is usually the result of a buffer overflow.

25/02/2025 19:41:52 (likely, converted to my time)
0x139 (0x1d, 0xfffff5089834e060, 0xfffff5089834dfb8, 0)
KERNEL_SECURITY_CHECK_FAILURE
A kernel component has corrupted a critical data structure.
The corruption could potentially allow a malicious user to gain control of this machine.
Decimal 29 on microsoft.com (0x139 explanation) = hex 0x1d (the first parameter): an RTL_BALANCED_NODE RBTree entry has been corrupted.
.exr 0xfffff5089834dfb8
ExceptionAddress: fffff80461ab7f5b (nt!RtlRbRemoveNode+0x00000000001bac0b)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000001d
Subcode: 0x1d FAST_FAIL_INVALID_BALANCED_TREE