Can't get Windows Update to scan for updates 8024402F

GGILLEY (Member, joined Dec 16, 2019, 22 posts)
Hi there! First off, I would like to thank you all for your service here; this site seems to be the best opportunity I've found at getting these fixed, and I've already spent many hours troubleshooting. I'm a senior engineer at an MSP and have a client with 3 Windows Server 2012 R2 physical machines that are all having issues with scanning for Windows Updates. I'm not sure of the history of these machines, but they are pretty basic in what's set up on them: 2 are domain controllers and one is a regular server, all the same OS. It's possible that these things could have been offline for a LONG LONG time, but I'm not sure of that. Within about 5 seconds of scanning, it errors with 8024402F. I've done all sorts of things to try to fix this, including steps you have such as running the sfcfix tool. A lot of your posts indicate that you're providing them with some custom script to run with a tool, so I think it may likely be something I'll need here. For the purposes of this fix, we will just work with one of these servers.

Since we are an MSP, we have software, Kaseya, that can manage patches, but at this point we've removed the stuff associated with patching, though it's possible a registry entry or something could still be incorrect. At one point I had renamed the components store, and I think that caused even more issues as it created a 256 KB temp one, which I have since removed and replaced with the original, which is like 75 MB. In the attached WindowsUpdate.log file, you can see it's failing all over the place towards the end. Here are a few of the logs, but keep in mind you should read them bottom up, as some of the stuff up top has to do with tests when I had things removed like the components store, but the last test on these logs should be accurate.

At one point, I thought I had pinpointed this to a certain download that wasn't working... but it seems that the .cab contains only a single .txt file. One of the errors was this:

http://download.windowsupdate.com/c..._d30dfd7354a1fd4f7f8869d2355a0abbe5cc8bbd.cab with error 0x80072efe

That .cab file only has a single .txt, and the error I saw was something about missing a manifest... Seeing as this is also a 2013-dated folder in the download path, I thought something could be a problem with that.

Anyways, here are the logs! Thanks in advance.
 


Hello and welcome!

If your COMPONENTS hive is really 256KB, that's bad. Let's check:

Retrieve Components Hive
1. Navigate to C:\Windows\System32\Config and locate the COMPONENTS file.
2. Please copy this file to your desktop.
Note: If you receive an error that this file is in-use, simply reboot your computer and try again.
3. Right-click on this file on your desktop and select Send To...Compressed (zipped) folder. This will create a file named COMPONENTS.ZIP on your desktop.
4. The file will likely be too large to upload here so please upload to a file sharing service. Examples of services to upload to are Dropbox or OneDrive or SendSpace and then just provide the link in your reply.
 
It's currently pointing to the primary DC, running DNS server; however, I changed the primary to 8.8.8.8 temporarily, ran ipconfig /flushdns and tried again, and got the same error, over and over.
 
Changed them both to Google's 2 DNS servers, made sure no third DNS existed, flushed DNS, restarted the WU service, same thing.
 
Thanks.

Step#1 - FRST Scan

1. Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the 64-bit Version so please ensure you download that one.
2. Right-click FRST64.exe and click Run as Administrator to run it as administrator. When the tool opens, click Yes to disclaimer.
3. Please ensure you place a check mark in the Addition.txt check box at the bottom of the form before running (if not already checked).
4. Press Scan button.
5. It will produce a log called FRST.txt in the same directory the tool is run from (which should now be the desktop)
6. Please attach the log back here.
7. Another log (Addition.txt - also located in the same directory as FRST64.exe) will be generated. Please also attach that along with the FRST.txt in your reply.
 
Hello! I looked through these files and the big thing that stuck out to me was this:

Error: (12/19/2019 09:36:12 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.

Over and over, every time I tried running the scan in WU, I see that log. So that led me back to Google, and I noticed the first time I tried to go to that URL in Chrome, I got a name error mismatch warning. The original site error says "This server could not prove that it is ctldl.windowsupdate.com; its security certificate is from *.ssl.hwcdn.net" - I thought it was odd that it didn't seem to be from M$ - potentially a driver manufacturer's site or something? I don't know. Google led me to believe this may be a certificate problem based on that error, so I followed the steps here, Updating List of Trusted Root Certificates in Windows 10/8.1/7 | Windows OS Hub, to attempt to get all of the certificates up to date. I found something odd here: when I try to run the command "certutil -generatesstfromwu roots.sst", I get an error on the server saying:

c:\temp>certutil -generatesstfromwu roots.sst
The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA) -- authrootstl.cab
CertUtil: -generateSSTFromWU command FAILED: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
CertUtil: The data is invalid.


I ran the same command on my workstation and it worked, so I proceeded to move the file over to the server and then ran the PowerShell portion to add the certs in, which seemed to run successfully. Now when I try to go to the same site, I see that it's no longer showing the *.ssl.hwcdn.net cert, but now it's an Akamai one, which I'm familiar with being a content delivery provider for Microsoft. I thought maybe I was headed in the right direction, but even after doing things like clearing some caches, certutil -urlcache * delete, and then restarting the WU service and flushing DNS, no improvement. Now I have run the FRST tool and here are the files you requested. I'm pulling my hair out trying to figure out what's going on here.
 

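An added example, not part of the original thread or any poster's script: the post above reports that the server cannot parse authrootstl.cab while a workstation can, so this PowerShell check downloads the same URL named in the CAPI2 4107 event and reports whether the bytes are a real cabinet with a valid Authenticode signature. The function name and temp-file path are assumptions chosen for illustration.

```powershell
# Added example: inspect the CTL cab that CAPI2 event 4107 fails to extract.
# Test-AuthRootCab and the temp path are illustrative names, not from the thread.
function Test-AuthRootCab {
    param(
        [string]$Url     = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab',
        [string]$OutFile = (Join-Path $env:TEMP 'authrootstl-check.cab')
    )

    # Download over plain HTTP, exactly as the CryptoAPI auto-update client does.
    try {
        Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Stage = 'Download'; Ok = $false; Detail = $_.Exception.Message }
    }

    # A genuine cabinet starts with the ASCII magic "MSCF". An HTML block page
    # or a truncated body from an in-path device will not.
    $bytes = [System.IO.File]::ReadAllBytes($OutFile)
    $magic = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(4, $bytes.Length))

    # The cab is Authenticode-signed; HashMismatch or NotSigned means the
    # content was altered or replaced somewhere between the CDN and this host.
    $sig = Get-AuthenticodeSignature -FilePath $OutFile

    [pscustomobject]@{
        Stage           = 'Verify'
        Ok              = ($magic -eq 'MSCF') -and ($sig.Status -eq 'Valid')
        Bytes           = $bytes.Length
        IsCabinet       = ($magic -eq 'MSCF')
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Compare with the value from a machine where the download works.
        SHA256          = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    }
}

Test-AuthRootCab | Format-List
```

Run it on both the failing server and a working machine at about the same time: a differing SHA256 or `IsCabinet = False` on the server points at something rewriting the response in transit, while identical bytes with `NotTrusted` point at the local certificate store instead.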

I have previously tried uninstalling Cylance but the same problems continued. I've done a lot of troubleshooting since then, so maybe something is different now, but I can say I see no errors in Cylance or anything indicating that it's interfering. We also have 1000's of machines running it and no one else has experienced issues related to it that I'm aware of. Regardless, I'm working on getting approval to remove it again now and I will update after. From the get-go, I have been leaning towards this being some kind of a firewall (Cisco ASA, I believe) issue, but the pcaps didn't show traffic even leaving the server's IP for anywhere except AWS-related IPs and my own. I should have Cylance off today and will update then. If it doesn't work with it off, is there another test you'd like me to do?

Thanks,
Glenn
 
Yes, please clear out the blocked certs:

Step#1 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
1. Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the 64-bit Version so please ensure you download that one.
2. Download the attached fixlist.txt and save it to the Desktop.
Note. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
3. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
4. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
5. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.
 


Yeah, I'm definitely testing this before I reply back every time, generally flushing DNS and restarting Windows Update, then trying twice or more. Same error every time. We are not aware of any proxies in the way here.
 
Here are some more logs. It looks to me like WSUS, at one point back in like 2016 or before, may have been configured here, but as I said, it's gone as far as I can tell now. Check out the windowsupdate.log here as well as a new CBS log. There's some reference to Symantec, which isn't even installed anymore.
 


I am suspecting an AV or some other network interference, because the error is pointing towards that. Would you please do the following as well:

Export this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
 
Yeah, I am in the same boat as you, but our networking team is telling me there's nothing in the way. I've done a ton since I first had Cylance uninstalled, so possibly some of the fixes might have fixed it, and now Cylance is in the way. Alert Logic is on there too but I don't think that's the issue. Do you have any experience with this in regards to hardware manufacturers' updates? Is it possible Dell or something could be causing the problem?
 
