[SOLVED] Can't run Windows Update / Can't run SFC

[utcv]

Eh, this is the last straw before I raze the system, but I thought I'd try.

The other day, I downloaded the Remote Server Administration Tools. I ran the MSU and it never finished checking for current updates. I looked into that issue and found that if stopped the Windows Update service before I started the MSU, then the MSU installed.

However, to continue that process, you have to enable the tools under Enable/Disable Windows Features. That panel is blank.

I've been chasing problems ever since. Here the general symptoms:

1. Windows Features is blank.
2. SFC /SCANNOW doesn't run. It fails immediately.
3. No malware. Scanned with two tools (Malwarebytes and up-to-date ESET).

I downloaded SFCFix from Major Geeks, but it didn't find anything.

Any help is appreciated.

 

[utcv]

Looking over the CBS.log I found the following repeated several dozen times:

2016-12-08  20:33:00, Error                 CSI    00000011 (F)  STATUS_OBJECT_NAME_NOT_FOUND #8174115# from  Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(flg  = 0, key = {provider=NULL, handle=0}, da = (KEY_READ|KEY_WOW64_64KEY),  oa = @0xd3ca10->OBJECT_ATTRIBUTES {s:48; rd:NULL;  on:[148]"\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-getm`c_31bf3856ad364e35_none_0eb51910a0c59aff";  a:(OBJ_CASE_INSENSITIVE)}, disp = Unmapped disposition: 13880792  (0x00d3cdd8))[gle=0xd0000034]

That key does not exist. Indeed, "Winners" doesn't exist. Since the error message references KEY_WOW64_64KEY, I have checked under WOW64 and not. I don't see SidebySide outside of WOW64.
(I am assuming the back-tick in the entry "getm`c_" is a truncation as it appears in the CBS.log.)

I am attaching some logs: WindowsUpdate.log, DISM.log, and CBS.log

 

[BrianDrab]

Hi and welcome to Sysnative. Sorry for the delay. Do you still need assistance?

 

[utcv]

Yep! I would like the talk about this, yes.

I can't access the workstation right now, but I can tomorrow evening. Feel free to give me some marching orders.

 

[BrianDrab]

OK, please start with the following.

Retrieve Components/Software Hives
Note: The Software have has confidential and sensitive information in it so please send me a PM with a link to that particular hive so it's not in the public form.

• Please download the Freeware RegBak from here: Acelogix Software - Download products
  You will find it at the bottom of the page that the link brings you to.
• Go ahead and install this program and accept all the defaults. After the last install screen the program should open.
• Click the New Backup button. Accept the defaults and simply click Start.
• When it says Finished successfully, click the Close button.
• This will bring you back to the main screen of the program. You will see one entry in this list with the date that you did it. Right-click on this line-item and select Explore Backup...
• This will bring you into the folder where the backup was made. You should see a Users folder and a Windows folder along with a couple other files. Double-click on the Windows folder to open it. Then open the System32 folder and then config folder. You should see around 6 files in here, two of which are named COMPONENTS and SOFTWARE.
• Copy these two files to your Desktop. If the COMPONENTS file does not exist, please fetch it instead from C:\Windows\System32\config\COMPONENTS.
• Now right click on these files on your desktop and select Send to > Compressed (zipped) folder.
• Then please upload the zip file(s) to your favourite file sharing website (it will be too big to upload here). Examples of services to upload to are Dropbox or One Drive or SendSpace and then just provide the link in your reply.
• You can close any open windows you have as well as the RegBack program now.

 

[utcv]

I'll have it for you this weekend, probably tomorrow. The user turned off her workstation and I'll have someone on-site tomorrow to turn it back on.

 

[utcv]

• This will bring you into the folder where the backup was made. You should see a Users folder and a Windows folder along with a couple other files. Double-click on the Windows folder to open it. Then open the System32 folder and then config folder. You should see around 6 files in here, two of which are named COMPONENTS and SOFTWARE.

This is the only place where the instructions deviated. I didn't see a Users folder. I did see a Windows folder and was able to ZIP up the two hives.

I've PMed it to you. Thanks.

 

[BrianDrab]

Let's start with the following.

Step#1 - SFCFix Script
Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

1. Download SFCFix.exe (by niemiro) and save this to your Desktop. If you still have this on your desktop from downloading previously, you don't need to re-download.
2. Download the file below, SFCScript.txt, and save this to your Desktop.
3. Save any open documents and close all open windows.
4. On your Desktop, you should see two files: SFCFix.exe and SFCScript.txt.
5. Drag the file SFCScript.txt onto the file SFCFix.exe and release it.
6. SFCFix will now process the script.
7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please

 

[utcv]

Here you go:

SFCFix version 3.0.0.0 by niemiro.
Start time: 2016-12-17 22:08:39.379
Microsoft Windows 7 Service Pack 1 - amd64
Using .txt script file at C:\Users\Receptionist\Downloads\SFCScript.txt [0]








RegistryScript::
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners.
Successfully took ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners.


Successfully deleted registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-getm`c_31bf3856ad364e35_none_0eb51910a0c59aff.
Successfully imported registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-getmac_31bf3856ad364e35_none_0eb51910a0c59aff\6.1.


Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-getmac_31bf3856ad364e35_none_0eb51910a0c59aff\6.1.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-getmac_31bf3856ad364e35_none_0eb51910a0c59aff.
Successfully restored ownership and permissions for registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners.
RegistryScript:: directive completed successfully.








Successfully processed all directives.
SFCFix version 3.0.0.0 by niemiro has completed.
Currently storing 3 datablocks.
Finish time: 2016-12-17 22:08:39.890
Script hash: 2npk77SJ0zm/Azat5D1u8XL6VrenBroLWrw4jR+cDT4=
----------------------EOF-----------------------

 

[BrianDrab]

Thanks. Please do the following.

SFC Scan

1. Click on the Start
   
   button and in the search box, type Command Prompt
2. When you see Command Prompt on the list, right-click on it and select Run as administrator
3. When command prompt opens, copy and paste the following commands into it, press enter after each
   
   sfc /scannow
   
   Wait for this to finish before you continue
   
   copy %windir%\logs\cbs\cbs.log %userprofile%\Desktop\cbs.txt
4. This will create a file, cbs.txt on your Desktop. Please attach this to your next post.

Please Note:: if the file is too big to upload to your next post please upload via a service such as Dropbox or One Drive or SendSpace and just provide the link.

 

[utcv]

Attached.

 

[BrianDrab]

Thanks. Please do the following.

SOFTWARE Hive Replacement with RegBak
Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

1. Close all open programs and save all your work. You will need to reboot the machine during this process.
2. Download SOFTWARENEW.zip from -->here<-- to your desktop.
3. Right-click on SOFTWARENEW.ZIP and select Extract All... Ensure the "Show extracted files when complete" checkbox is checked and click the Extract button.
4. The software hive will be extracted. You will see the file named SOFTWARE (no extension)
5. Copy the SOFTWARE hive to where you previously saved a backup. It should be (C:\Windows\RegBak\PC-NAME\DATE\Windows\System32\Config)
6. 
7. Overwrite the one that is currently there when prompted.
8. Open RegBak by Click Start and selecting Registry Backup and Restore. Highlight the backup in the list (it should be the only one), and press Restore. Click Start. RegBak will reboot your computer to complete the restore process.

 

[utcv]

I'm doing it now. Unfortunately, I am remote so if the system doesn't come back up, I'll have to go on-site tomorrow to resolve.

Can you explain what was changed in the hive?

*** UPDATE ***
The workstation came back up. What shall I do now?

*** UPDATE #2 ***
SFC /SCANNOW is running. I am going to let it complete and see what comes up.

 

[BrianDrab]

Can you explain what was changed in the hive?

I manually removed the corrupt key in the registry amd64_microsoft-windows-getm`c_31bf3856ad364e35_none_0eb51910a0c59aff and replaced it with a good one.

*** UPDATE ***
The workstation came back up. What shall I do now?

*** UPDATE #2 ***
SFC /SCANNOW is running. I am going to let it complete and see what comes up.

Good. Let's see the log when complete.

 

[utcv]

I manually removed the corrupt key in the registry amd64_microsoft-windows-getm`c_31bf3856ad364e35_none_0eb51910a0c59aff and replaced it with a good one.

Ah. Is it a common one? Meaning, could I have gotten it from another Windows 7 workstation? I didn't think to check one.

Does \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\ indicate the key was off HKLM?

Does that backtick indicate a truncation?

*** UPDATE ***
The workstation came back up. What shall I do now?

*** UPDATE #2 ***
SFC /SCANNOW is running. I am going to let it complete and see what comes up.

Good. Let's see the log when complete.[/QUOTE]

Is that one CheckSUR.log or something else?

Interestingly, the Windows Features dialog box is populated now, but the Remote Server Management Tools are not there. Perhaps reinstalling that MSU will resolve. Unsure. I'll wait to make that kind of change.

 

[BrianDrab]

Ah. Is it a common one? Meaning, could I have gotten it from another Windows 7 workstation? I didn't think to check one.

Yes it was a common one in this case.

Does \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\ indicate the key was off HKLM?

Yes

Is that one CheckSUR.log or something else?

Interestingly, the Windows Features dialog box is populated now, but the Remote Server Management Tools are not there. Perhaps reinstalling that MSU will resolve. Unsure. I'll wait to make that kind of change.

CBS.log

 

[BrianDrab]

Does that backtick indicate a truncation?

A corrupt character. Not a truncation.

 

[utcv]

Well... this one is a bit bigger!

Dropbox - cbs.zip

 

[BrianDrab]

Excellent. Go ahead and try to install the remote tools again.

 

[utcv]

The MSU is installing. It's taking a while, like the HDD is working a bit. I haven't investigated why but perhaps it's the update service scanning for needed updates. It's probably far behind. CPU is relatively quiet.

I'll update when it's done. Progress is being made.