[SOLVED] Windows server 2016 cumulative updates install but rollback after reboot

mmh... I am not totally confident in posting all SIDs from the domain (this is a domain joined machine) as this could cause security issues.. can you please tell me what specific information you need?
 
These SID's are listed in the previous log as well, but I want to compare some things. This is because the issue seems related to one of the accounts and causing this rollback issue.
 
mmh, I am not fully confident to upload the list of SIDs of all my domain (this is a domain joined machine). can you please tell me what information you are looking for and I will try to extract them and post?

sorry about that

Sorry posted two times, thought it had gone in timeout...sorry
 
These SID's are listed in the previous log as well, but I want to compare some things. This is because the issue seems related to one of the accounts and causing this rollback issue.
the previous one had less sids, only those who entered or interacted with the server (that is ok) but the new one gets full list of all domain accounts and sids (not so much ok, hope you agree)

I had a deeper look after you explained what you were looking for... some of the users (at least 2 admin-*) are no more in the active directory and therefore in the "wmic useraccount get name,sid" they do not appear.

do you think this could be causing all this headache?

I can remove those profiles from the server, no need to have them hanging there if needed
 
(...) some of the users (at least 2 admin-*) are no more in the active directory (...) do you think this could be causing all this headache?
Yes, this is a common issue with rollbacks, so I would remove the remnants of the 'orphaned' accounts (SID's) first, as well as from the following key:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
 
Yes, this is a common issue with rollbacks, so I would remove the remnants of the 'orphaned' accounts (SID's) first, as well as from the following key:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
ok, did some cleanup... 3 accounts were 100% orphaned, deleted profiles from the user profiles console, this deleted also from the ProfileList registry the related entries. I now launched the update, will post the CBS once done, fingers crossed
 
It's still an issue with one of the profiles, so please do the following.

Step#1 - Capture Process Monitor Trace
1. Download and run Process Monitor. Leave this running while you perform the next steps.
2. Try updating the system just like you have in the past.
3. Stop Process Monitor as soon as it fails. You can simply do this by clicking the capture icon (CTRL+E) on the toolbar as shown below.

Process-Monitor.png


4. Select the File menu...Save... and save the file to your desktop. This is likely the default location. The name (unless changed) will be LogFile.PML. This is fine.
5. Zip up the LogFile.PML and upload it to WeTransfer and provide the link.
6. Attach also a new copy of the CBS logs for the time stamps to set some filters.
 
the fact is that it fails during reboot, first part goes until the update is installed and just needs reboot... but during reboot after reaching 99% it rolls back
 
Sorry, I posted the wrong 'canned speech' for Process Monitor..

Capture Process Monitor BootLog
1. Download and run Process Monitor. Leave this running while you perform the next steps.
2. Select the Options....Enable Boot Logging option. An Enable Boot Logging dialog will come up. Just click OK.
3. Create a folder on your desktop named BootLog.
4. Attempt to install the update just like you have in the past. Let the machine reboot and revert just like it has in the past.
5. After the machine has rebooted and come back up to the desktop, open Process Monitor again. A message box will come up telling you that a log of boot-time activity was created and ask if you wish to save it. Click Yes and save to the BootLog folder on your desktop.
6. This may take some time as it converts the boot-time data. Allow it to finish.
7. Zip up the entire BootLog folder on your desktop and upload to a file sharing service like WeTransfer.
8. Attach also a new copy of the CBS logs for the time stamps to set some filters.
 
Unfortunately, the file 'C:\Users\<...>\Desktop\Bootlog.pml' was not closed cleanly during capture and is corrupt.

It seems the server is still running out of free space, so please free up more space at least 25 ~ 30GB just to be sure there's enough space for the update as well as ProcMon trace.

Rich (BB code):
2024-06-24 16:29:35, Info                  CBS    Failed to write data to session file. [HRESULT = 0x80070070 - ERROR_DISK_FULL]

Then, please run Process Monitor again using the following instructions while updating.

Capture Process Monitor BootLog from the command line
  • Download Process Monitor.
  • Create a folder on your system drive called "C:\Tools" and copy ProcMon.exe into this directory.
  • Open an elevated command prompt and navigate to C:\Tools with the command cd C:\Tools.
  • Copy and paste the following command into the prompt and press enter.
    Code:
    ProcMon.exe /accepteula /quiet /EnableBootLogging
  • Attempt to install the update just like you have in the past. Let the machine reboot and revert just like it has in the past.
  • After the machine has rebooted and come back up to the desktop, open an elevated command prompt and navigate to C:\tools.
  • Copy and paste the following command to create the Bootlog Trace file.
    Code:
    ProcMon.exe /ConvertBootLog C:\Tools\bootlog.pml
  • Now the following window will appear and the bootlog will be created, wait for it to complete.
    procmon-bootlog.png
  • Zip up the Bootlog.pml file as well as your CBS.log and upload it to a file sharing service like WeTransfer.
Attach also a new copy of the CBS logs.
 
hello,

did again and here are the WeTransfer link and the cbs zipped folder

the logs were huge! at the end of the reboot after having freed 19 giga, only 2 were free :eek:
after saving the logs now I am back to 17,5 free space

procmon logs: bootlog.zip

L
 


Hi,

Sorry, but the files are still corrupted. So I would definitely free up more disk space.
 
I am trying to find a solution, meanwhile, can you please tell me which (orphaned) SID you suspect to be causing the issue?

thanks

L.
 
That's the problem, this is the latest excerpt of the CBS log. What is the purpose of the following account?

Rich (BB code):
2024-06-24 19:04:55, Info                  CSI    00000797 Failed unloading hive file: \??\C:\Users\ITIS-NUBE-Connector\NTUSER.DAT, key: \Registry\User\S-1-5-21-2507177388-3982217149-145561031-4115, with flags: 0, NTSTATUS: 0
2024-06-24 19:04:55, Error                 CBS    Startup: Failed to process advanced operation queue, startupPhase: 0.  A rollback transaction will be created. [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]
2024-06-24 19:04:55, Info                  CBS    Setting ExecuteState key to: CbsExecuteStateInitiateRollback | CbsExecuteStateFlagAdvancedInstallersFailed
2024-06-24 19:04:55, Info                  CBS    SetProgressMessage: progressMessageStage: -1, ExecuteState: CbsExecuteStateInitiateRollback | CbsExecuteStateFlagAdvancedInstallersFailed, SubStage: 0
2024-06-24 19:04:55, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Rollback.
2024-06-24 19:04:55, Info                  CBS    Setting original failure status: 0x800f0922, last forward execute state: CbsExecuteStateResolvePending

Please check also the following.

  • Open the start menu and type Task Scheduler and hit enter.
  • Navigate to Task Scheduler Library > Microsoft > Windows > PI
  • Take a screenshot of this window and post it into your next post.
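
The orphaned-SID check and the CBS excerpt discussed above, combined in one added example that is not part of the thread: it pulls the SIDs that CBS.log names in "Failed unloading hive file" lines, notes whether a rollback is announced right after, and tests each SID against account resolution and the ProfileList key, so only SIDs already present in the log are printed rather than the domain's full account list. The default log path and the five-line look-ahead window are assumptions; the fallback sample lines are copied from the excerpt in this thread.

```powershell
# Added example, not from the thread. Run elevated in Windows PowerShell 5.1.
param([string]$CbsLog = "$env:windir\Logs\CBS\CBS.log")   # assumed default path

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Fallback input: two lines copied from the CBS excerpt quoted in this thread.
$sample = @(
    '2024-06-24 19:04:55, Info                  CSI    00000797 Failed unloading hive file: \??\C:\Users\ITIS-NUBE-Connector\NTUSER.DAT, key: \Registry\User\S-1-5-21-2507177388-3982217149-145561031-4115, with flags: 0, NTSTATUS: 0'
    '2024-06-24 19:04:55, Error                 CBS    Startup: Failed to process advanced operation queue, startupPhase: 0.  A rollback transaction will be created. [HRESULT = 0x800f0922 - CBS_E_INSTALLERS_FAILED]'
)
$lines = @(if (Test-Path -LiteralPath $CbsLog) { Get-Content -LiteralPath $CbsLog } else { $sample })

$hiveRx = 'Failed unloading hive file: (?<hive>.+?), key: \\Registry\\User\\(?<sid>S-1-[0-9-]+)'
$seen = @{}

$report = for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -notmatch $hiveRx) { continue }
    $sid, $hive = $Matches['sid'], $Matches['hive']
    if ($seen.ContainsKey($sid)) { continue }   # report each SID once
    $seen[$sid] = $true

    # Does CBS announce the rollback within the next few lines? (window is an assumption)
    $last = [Math]::Min($i + 5, $lines.Count - 1)
    $rollback = [bool](@($lines[$i..$last]) -match 'rollback transaction will be created')

    # Translate() throws when no account maps to the SID. That is what an
    # orphaned profile looks like, but an unreachable domain controller can
    # give the same result, so confirm in AD before deleting anything.
    try {
        $sidObj  = [System.Security.Principal.SecurityIdentifier]::new($sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $account = $null }

    [pscustomobject]@{
        Sid             = $sid
        Hive            = $hive
        RollbackFollows = $rollback
        Account         = $account
        Resolves        = [bool]$account
        InProfileList   = Test-Path -LiteralPath "$profileList\$sid"
    }
}
$report | Format-List
```

A SID with `Resolves = False` and `InProfileList = True` is a candidate for the cleanup described earlier in the thread; the output is short enough to review before sharing.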
 
ha! that was the last "ghost account" that I was unsure to remove, will investigate and try to remove it (it is a service account, maybe no more in use)

meanwhile here is the requested screenshot

1719307198557.png
 
Great, please check also the following location: C:\Windows\System32\Tasks\Microsoft\Windows\PI - does the file Secure-Boot-Update exist?
 
So, removed the last ghost user, tried to install aaannnd... rollback.. attached the new cbs files... are you aware of any Mandatory windows server 2016 update that MUST be installed from a certain date and that may cause newer updates to fail/rollback?
Great, please check also the following location: C:\Windows\System32\Tasks\Microsoft\Windows\PI - does the file Secure-Boot-Update exist?
the file exists
 


Hmm, it seems this is a combination of issues. So please run the following commands first and attach tasklist.txt to your next post.
Code:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache" /s > "%userprofile%\desktop\tasklist.txt"
dir "%systemroot%\System32\Tasks\Microsoft\Windows\PI" /s >> "%userprofile%\desktop\tasklist.txt"

Please run also the following tool, if it contains sensitive data please send me the logs in a Private Message.

Download the Farbar Recovery Scan Tool and save it to your Desktop:

Download the 64 bit version: - Farbar Recovery Scan Tool Link
  • Note: Your antivirus program may report FRST incorrectly as an infection. If so, disable the real-time protection when downloading and running FRST.
  • Right-click to run the tool as administrator. When the tool opens click Yes to disclaimer.
  • Note: Ensure that the Addition.txt check box is checked at the bottom of the form within the Optional Scan area.
  • Press the Scan button.
  • Please wait for the tool to finish. It will produce two logfiles called FRST.txt and Addition.txt in the same directory the tool is run from (which should be the desktop)
  • Post the logfiles FRST.txt and Addition.txt as attachment in your next reply.
 