[SOLVED] SFC found corrupt files that it can't fix

T

tjsepka

Contributor
Joined
Apr 6, 2016
Posts
169
Location
Crystal Lake, Illinois
I know it's been a while, but I've worked past my BSOD while trying to boot into safe mode. I posted my finding in another forum that was helping me find its root cause.

Coming back to this issue, I have cleared up all problems related to my damaged sxs files, but I still have a SFC problem. I still get the "Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log." error.

I ran Tweaking.com - Windows Repair as outlined in post #55. I've attached its log files, the SFCFix log file, and my current cbs.log file.

Interestingly, the cbs.log was not generated when when I ran sfc, so the message "Details are included in the CBS.Log windir\Logs\CBS\CBS.log" was not helpful.

Any thought on how to resolve this problem? Is it appropriate to continue in this forum, or should I start a new thread in a more appropriate forum? Thanks!
 

Attachments

I haven't heard anything back on this yet, but I'd like to add a couple of things:
1.) I've been having problems getting Windows Media Player version 12.0.7601.23517 to launch and have exhausted all suggestions on how to fix it. The only thing left is sfc /scannow which has the issue outlined in my post #1 of this thread.
2.) I'm having problems with Windows Defender, but it might be because I'm using AVG 2016 Antivirus Free, but then again, maybe not. I would hope that they can coexist, even if there might be some overlap. Again, have exhausted all suggestions on how to fix it and I'm back to my sfc /scannow problem. Here's what I got from Computer Management Windows Application Logs:

Faulting application name: svchost.exe_WinDefend, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: mpsvc.dll, version: 6.1.7601.18170, time stamp: 0x51a2e7c9
Exception code: 0xc0000005
Fault offset: 0x000339ef
Faulting process id: 0x1630
Faulting application start time: 0x01d244e475ff9567
Faulting application path: C:\Windows\System32\svchost.exe
Faulting module path: c:\program files\windows defender\mpsvc.dll
Report Id: b3b83e0d-b0d7-11e6-95dd-1078d284ca82

Here's what I got from NirSoft AppCrashView:
Version=1
EventType=APPCRASH
EventTime=131243087790197620
ReportType=2
Consent=1
UploadTime=131243087794447863
ReportIdentifier=d898c8ea-b0d7-11e6-95dd-1078d284ca82
IntegratorReportIdentifier=d898c8e9-b0d7-11e6-95dd-1078d284ca82
Response.BucketId=4029157968
Response.BucketTable=1
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=svchost.exe_WinDefend
Sig[1].Name=Application Version
Sig[1].Value=6.1.7600.16385
Sig[2].Name=Application Timestamp
Sig[2].Value=4a5bc100
Sig[3].Name=Fault Module Name
Sig[3].Value=mpsvc.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.1.7601.18170
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=51a2e7c9
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=000339ef
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=0a9e
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=0a9e372d3b4ad19135b953a78882e789
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=0a9e
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=0a9e372d3b4ad19135b953a78882e789
UI[2]=C:\Windows\System32\svchost.exe
UI[3]=Windows Defender has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Windows Defender stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
LoadedModule[0]=C:\Windows\System32\svchost.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Program Files\AVG\Av\avghookx.dll
LoadedModule[3]=C:\Windows\system32\kernel32.dll
LoadedModule[4]=C:\Windows\system32\KERNELBASE.dll
LoadedModule[5]=C:\Windows\system32\msvcrt.dll
LoadedModule[6]=C:\Windows\SYSTEM32\sechost.dll
LoadedModule[7]=C:\Windows\system32\RPCRT4.dll
LoadedModule[8]=c:\program files\windows defender\mpsvc.dll
LoadedModule[9]=C:\Windows\system32\ADVAPI32.dll
LoadedModule[10]=C:\Windows\system32\ole32.dll
LoadedModule[11]=C:\Windows\system32\GDI32.dll
LoadedModule[12]=C:\Windows\system32\USER32.dll
LoadedModule[13]=C:\Windows\system32\LPK.dll
LoadedModule[14]=C:\Windows\system32\USP10.dll
LoadedModule[15]=C:\Windows\system32\WTSAPI32.dll
LoadedModule[16]=C:\Windows\system32\sfc.dll
LoadedModule[17]=C:\Windows\System32\sfc_os.DLL
LoadedModule[18]=c:\program files\windows defender\MpClient.dll
LoadedModule[19]=C:\Windows\system32\OLEAUT32.dll
LoadedModule[20]=C:\Windows\system32\USERENV.dll
LoadedModule[21]=C:\Windows\system32\profapi.dll
LoadedModule[22]=C:\Windows\system32\WINTRUST.dll
LoadedModule[23]=C:\Windows\system32\CRYPT32.dll
LoadedModule[24]=C:\Windows\system32\MSASN1.dll
LoadedModule[25]=C:\Windows\system32\VERSION.dll
LoadedModule[26]=C:\Windows\system32\SHELL32.dll
LoadedModule[27]=C:\Windows\system32\SHLWAPI.dll
LoadedModule[28]=C:\Windows\system32\IMM32.DLL
LoadedModule[29]=C:\Windows\system32\MSCTF.dll
LoadedModule[30]=C:\Windows\System32\GPAPI.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
State[1].Key=DataRequest
State[1].Value=Bucket=-265809328/nBucketTable=1/nResponse=1/n
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Windows Defender
AppPath=C:\Windows\System32\svchost.exe
 
Update: I was able to clear the uploaded file Services_Set_Permissions_Error_Log.txt from Tweaking.com - Windows Repair by installing the latest version v3.9.17. I did not help in getting sfc to get any further in its repair process. Anyone have any ideas on how to move forward?
 
Hi there tjspeka,

I don't see the results of the SFC scan in the attached log.

SFC Scan

  1. Click on the Start
    Start%20Orb.jpg
    button and in the search box, type Command Prompt
  2. When you see Command Prompt on the list, right-click on it and select Run as administrator
  3. When command prompt opens, copy and paste the following commands into it, press enter after each

    sfc /scannow

    Wait for this to finish before you continue

    copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt

  4. This will create a file, cbs.txt on your Desktop. Please zip and attach this to your next post.
 
The cbs.log was attached to the first post in this thread. I'm guessing it and the other files I attached also were purged due to inactivity. I've attached a re-post of the files to this post. Note that I was able to correct the Services_Set_Permissions_Error_Log.txt file as I described earlier in this thread.

The only way I can get sfc to run is through booting through a Windows installation disk to a command prompt. I haven't been able to run sfc in either safe or normal mode. I use this command to run sfc from the command prompt:

sfc /scannow /offbootdir=c:\windows /offwindir=c:\windows

The original thread from which moderator Aura split this thread from is here:

https://www.sysnative.com/forums/wi...-help-repair-damaged-files-sxs-directory.html

Please let me know if there's anything else you need from me.

Tom
 

Attachments

I see, thanks for the additional information.

The CBS.log file I will need is the one from the X: drive after running SFC in the windows recovery environment.

You will have to copy the X:\Windows\Logs\CBS\CBS.log file to your C: drive or removable media, then upload it here.
 
I'm not sure what happened, but I'm now getting "Windows resource protection could not perform the requested operation" when I run:

sfc /scannow /offwindir=c:\windows /offbootdir=c:\

from a command prompt via the Windows installation disk. I'm not sure what I might have done to cause this (:huh:). Previously I got "Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log". Before I go back to a restore point, I'd like your feedback on the current cbs.log that I have attached file for this current condition .
 

Attachments

I'm now to a point where I get the message "Windows resource protection could not perform the requested operation" in safe mode, normal mode and also when I boot from a Windows installation CD. Unfortunately, I no longer get a cbs.log file in x:\windows\logs\cbs\ when booted from the CD. I've attached my current cbs.log file from booting into normal mode. Any thoughts on how to proceed? I have a restore point that might date back to before things started getting worse, but I don't want to try going back until all other avenues have been looked into.
 

Attachments

Let's make sure the filesystem is healthy.

chkdsk /f

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

  1. Click on the Start
    Start%20Orb.jpg
    button and in the search box, type Command Prompt
  2. When you see Command Prompt on the list, right-click on it and select Run as administrator
  3. When command prompt opens, copy and paste the following commands into it, press enter after each

    chkdsk /f

  4. Reboot
  5. Download ListChkdskResult.exe (by SleepyDude) from the link below:

    https://dl.dropboxusercontent.com/u/12354842/My Tools/ListChkdskResult.exe
  6. Double click on it to run it. It will take a few seconds to scan, then it will open a Notepad window with the log. Copy and paste the contents of this into your next post please!
 
Yes, I ran chkdsk /f back on 12/01/2016. The utility above didn't find it because it did not get transferred to the log file. I have a way to recover the chkdsk output when this occurs and here's its output:


Checking file system on C:
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process. Chkdsk may run if this volume is dismounted first.
ALL OPENED HANDLES TO THIS VOLUME WOULD THEN BE INVALID.
Would you like to force a dismount on this volume? (Y/N) Volume dismounted. All opened handles to this volume are now invalid.
Volume label is Local Disk C:.

CHKDSK is verifying files (stage 1 of 5)...
525312 file records processed.

File verification completed.
1073 large file records processed.

0 bad file records processed.

0 EA records processed.

95 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 5)...
616360 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 5)...
525312 file SDs/SIDs processed.

Cleaning up 13 unused index entries from index $SII of file 0x9.
Cleaning up 13 unused index entries from index $SDH of file 0x9.
Cleaning up 13 unused security descriptors.
Security descriptor verification completed.
45525 data files processed.

CHKDSK is verifying Usn Journal...
36045768 USN bytes processed.

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
525296 files processed.

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
182343757 free clusters processed.

Free space verification is complete.
Windows has checked the file system and found no problems.

976567295 KB total disk space.
246423484 KB in 266324 files.
168176 KB in 45526 indexes.
0 KB in bad sectors.
600607 KB in use by the system.
4096 KB occupied by the log file.
729375028 KB available on disk.

4096 bytes in each allocation unit.
244141823 total allocation units on disk.
182343757 allocation units available on disk.
 
I'd like to take a look at the event logs.

Event Log Collection

  • Download VEW by Vino Rosso here: VEW.EXE
  • Right click the file and select Run as administrator and click Continue or Allow at the User Account Control Prompt.
  • Click the check boxes next to Application and System located under Select log to query on the upper left.
  • Under Select type to list on the right click the boxes next to Error, Warning and Critical (not XP).
  • Under Number or date of events select Number of events and type 20 in the box next to 1 to 20 and click Run.
  • Once it finishes it will display a log file in notepad.
  • Copy and paste its entire contents into your next reply.
 
Looks like there may be a problem with the Cryptographic services.

I'd like to check if the Volume Shadow Copy Services are working correctly.

Please try the following:

Command Prompt

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

  1. Click on the Start
    Start%20Orb.jpg
    button and in the search box, type Command Prompt
  2. When you see Command Prompt on the list, right-click on it and select Run as administrator
  3. When command prompt opens, copy and paste the following commands into it, press enter after each

    vssadmin list writers > %UserProfile%\Desktop\result.txt

  4. This will create a text file called result.txt on your Desktop. Please attach this file to your next post.

Read More:
 
Maybe the attached might help. It's a Sysinternals pml log file from Process Monitor. It's filtered on the sfc process. I ran sfc /scannow in an administrative command prompt window with Windows running in normal mode. The output said " Windows Resource Protection could not start the repair process.". Hope this helps.
 

Attachments

It didn't seem to help. The utility found an issue with COM+ (I think it said it was by Paragon Software) possibly not being installed or configured properly, so I let it go ahead and fix it. I rebooted after running the utility. A file output from vssadmin list writers is attached.
 

Attachments

I ran vssfix again and this time there was no message regarding COM+. However, the following appeared in the event log after I ran it:

Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddCoreCsiFiles : GetNextFileMapContent() failed.

System Error:
The parameter is incorrect.
.
 
You must log in or register to reply here.
Back
Top