[SOLVED] Events ({3bb9fd2b-351e-4b9c-b1fc-ed0758805998}) with HRESULT HRESULT_FROM_WIN32(234)

McMcatt

Running into an issue applying rollups on four 2016 Servers I've recently taken over.


Applying October and November 2021 rollups, they install, prompt for a reboot and make it to about 95% on restart before rolling back.


I've run the Windows Update Troubleshooting which found no errors, I've run Dism /Online /Cleanup-Image /RestoreHealth which completed with no issues. I've done the following:


net stop bits
net stop wuauserv
net stop appidsvc
net stop cryptsvc
Del "c:\programdata\Application Data\Microsoft\Network\Downloader*.*"
rmdir c:\windows\SoftwareDistribution /S /Q
rmdir c:\windows\system32\catroot2 /S /Q
regsvr32.exe /s atl.dll
regsvr32.exe /s urlmon.dll
regsvr32.exe /s mshtml.dll
netsh winsock reset
netsh winsock reset proxy
net start bits
net start wuauserv
net start appidsvc
net start cryptsvc


I've tried what is suggested here as it's one of the few things I can find that seems pretty close to being the same issue: Tutorial: Failure will not be ignored: A rollback will be initiated.../


Deleting (exporting first) the following:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-PrintService/Admin


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-PrintService/Operational

CBS.zip

Thanks!

~Matt
 
Sorry forgot -

SFCFix version 3.0.2.1 by niemiro.
Start time: 2021-11-26 14:49:46.318
Microsoft Windows Server 10 Build 14393 - amd64
Not using a script file.




AutoAnalysis::
SUMMARY: No corruptions were detected.
AutoAnalysis:: directive completed successfully.




Successfully processed all directives.



Failed to generate a complete zip file. Upload aborted.


SFCFix version 3.0.2.1 by niemiro has completed.
Currently storing 0 datablocks.
Finish time: 2021-11-26 14:58:40.876
----------------------EOF-----------------------
 
Hello McMcatt,

I was just looking back over some of our unanswered threads and came across yours. Are you still needing help with this?
 
I am!

It's on a few servers - the 2016 variety.

It's been going on for months, just haven't had a chance to get back to it.

DISM repairhealth and sfc scan come back as no problems, as well as sfcfix.

CBS logs attached!

Thanks for getting back to me!

~Matt
 


Hello McMcatt

You are on the right track - it has to do with rollbacks being triggered most likely because of a registry issue. I'm not sure why you chose to delete the Windows Print service keys? Was that simply because of what you read in the tutorial?

What you need to do is dictated by what you find in your CBS logs. In your case this is the error I spot:

Code:
2022-01-26 15:01:05, Info                  CSI    00000280 Begin executing advanced installer phase 31 index 0 (sequence 0)
    Old component: [l:0]''
    New component: [l:0]''
    Install mode: delta
    Smart installer: TRUE
    Installer ID: {3bb9fd2b-351e-4b9c-b1fc-ed0758805998}
    Installer name: 'Events'
2022-01-26 15:01:05, Info                  CSI    00000281 Registry root HKLM\Software: HKLM\Software

2022-01-26 15:01:05, Info                  CSI    00000282 Registry root HKLM\System: HKLM\System

2022-01-26 15:01:21, Error                 CSI    00000283 (F) Error HRESULT_FROM_WIN32(234) from InstrumentationManifestAssert at onecore\admin\wmi\events\util\reghelp.cpp line 27, online=TRUE
[gle=0x80004005]
2022-01-26 15:01:21, Error                 CSI    00000284 (F) Error HRESULT_FROM_WIN32(234) in eventsXml: <events><provider guid="{3663a992-84be-40ea-bba9-90c7ed544222}" message="$(string.eventProviderName)" messageFileName="%SystemRoot%\system32\efscore.dll" name="Microsoft-Windows-EFS" resourceFileName="%SystemRoot%\system32\efscore.dll" symbol="EFS_PUBLISHER"><channels xmlns="http://schemas.microsoft.com/win/2004/08/events">

          <channel chid="Microsoft-Windows-EFS/Debug" isolation="Application" name="Microsoft-Windows-EFS/Debug" symbol="EFS_DEBUG" type="Debug"></channel>

          <importChannel chid="Application" name="Application"></importChannel>

        </channels></provider></events>
[gle=0x80004005]
2022-01-26 15:01:21, Info                  CSI    00000285@2022/1/26:23:01:21.054 CSI Advanced installer perf trace:
CSIPERF:AIDONE;{3bb9fd2b-351e-4b9c-b1fc-ed0758805998};(null);17813972us
2022-01-26 15:01:21, Info                  CSI    00000286 End executing advanced installer (sequence 0)
    Completion status: HRESULT_FROM_WIN32(234)

It refers to Microsoft-Windows-EFS/Debug
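
Added example, not part of the original thread or of any tool used in it: Python that finds advanced-installer runs in CBS.log text that ended with a Win32 error, converts HRESULT_FROM_WIN32(234) (Win32 error 234 is ERROR_MORE_DATA) to its numeric HRESULT, and lists the WINEVT Publishers and Channels keys for the provider named in eventsXml so they can be compared against a known-good server. The sample log is trimmed from the excerpt above; the function names are illustrative.

```python
import re

# Constructed sample: trimmed from the CBS.log excerpt quoted in the post above.
SAMPLE = r'''2022-01-26 15:01:05, Info   CSI    00000280 Begin executing advanced installer phase 31 index 0 (sequence 0)
    Installer ID: {3bb9fd2b-351e-4b9c-b1fc-ed0758805998}
    Installer name: 'Events'
2022-01-26 15:01:21, Error  CSI    00000284 (F) Error HRESULT_FROM_WIN32(234) in eventsXml: <events><provider guid="{3663a992-84be-40ea-bba9-90c7ed544222}" messageFileName="%SystemRoot%\system32\efscore.dll" name="Microsoft-Windows-EFS" symbol="EFS_PUBLISHER"><channels xmlns="http://schemas.microsoft.com/win/2004/08/events">
          <channel chid="Microsoft-Windows-EFS/Debug" isolation="Application" name="Microsoft-Windows-EFS/Debug" symbol="EFS_DEBUG" type="Debug"></channel>
          <importChannel chid="Application" name="Application"></importChannel>
        </channels></provider></events>
[gle=0x80004005]
2022-01-26 15:01:21, Info   CSI    00000286 End executing advanced installer (sequence 0)
    Completion status: HRESULT_FROM_WIN32(234)
'''

WINEVT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT"

def hresult_from_win32(code):
    """Mirror the HRESULT_FROM_WIN32 macro: failure bit | FACILITY_WIN32 (7) | low 16 bits."""
    return code if code <= 0 else 0x80070000 | (code & 0xFFFF)

def failed_installers(log_text):
    """Return one finding per advanced-installer run that completed with a Win32 error."""
    findings = []
    # Each chunk spans one "Begin executing advanced installer" entry up to the next.
    for chunk in log_text.split("Begin executing advanced installer")[1:]:
        status = re.search(r"Completion status:\s*HRESULT_FROM_WIN32\((\d+)\)", chunk)
        if not status:
            continue  # run succeeded, or the status is in a form this example ignores
        xml = re.search(r"in eventsXml:\s*(<events>.*?</events>)", chunk, re.S)
        body = xml.group(1) if xml else ""
        guid = re.search(r'<provider\s[^>]*?\bguid="([^"]+)"', body)
        name = re.search(r'<provider\s[^>]*?\sname="([^"]+)"', body)
        channels = re.findall(r'<channel\s[^>]*?\sname="([^"]+)"', body)
        installer = re.search(r"Installer name: '([^']*)'", chunk)
        code = int(status.group(1))
        keys = [WINEVT + "\\Channels\\" + c for c in channels]
        if guid:
            keys.insert(0, WINEVT + "\\Publishers\\" + guid.group(1))
        findings.append({
            "installer": installer.group(1) if installer else None,
            "win32": code, "hresult": "0x%08X" % hresult_from_win32(code),
            "provider": name.group(1) if name else None,
            "keys": keys,  # registry keys to diff against a working server
        })
    return findings
```

Imported channels (`importChannel`) are skipped on purpose, since they belong to another provider.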
 
Heya!

Sorry - so ignore kinda the first one. That was on a different server, and just one of the ONLY threads I found with a similar message. Same error message (HRESULT_FROM_WIN32(234)), but instead of the EFS one it was the printer one. I just took a snapshot and deleted it just for kicks.

I scanned the filesystem using cipher, no EFS encrypted files on the machine... BitLocker wasn't even on, though not sure if it's related.

What would you suggest? Grab that section of the registry from a known working copy of server 2016 on the same build version?

Thanks!

~Matt
 
Checked a working 2016 server (patched last week) for the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-EFS/Debug

All values in the key are identical between the two servers.

Permissions on it are also identical.

Weird eh?

~Matt
 
Ok so if you refer back to the tutorial you will see that the key that you are recommended to delete is the Events related one.

I think yours might be this one:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-EFS

You could check this out on your broken and working servers and try deleting the key on the broken server.

I am unavailable for the next day or so and therefore I will not be able to follow up until early next week. Feel free to experiment - just remember to make backups and/or restore points so that you can recover if anything goes wrong. Good luck!
 
Hey there!

Thanks for the reply!

No go unfortunately.

I deleted

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-EFS

as well as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-EFS/Debug


Did them at separate times, but no luck.

I also tried the two following things, just for kicks, from other threads I found:

https://social.technet.microsoft.com/Forums/en-US/90505fa7-1004-4590-8894-8e32ef01bd01/security-upda...
Delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{8c416c79-d49b-4f01-a467-e56d3aa8234c}

and

https://social.technet.microsoft.com/Forums/lync/en-US/70219bcb-36a8-466e-900b-cbf390db38d2/quotfail...

net localgroup WinRMRemoteWMIUsers__ /add "mydomain.corp.com\Domain Admins"

WinRMRemoteWMIUsers wasn't on the machine so I added it, but it looks like it's not on non-DC machines anyway, but neither helped. Didn't expect 'em to, was just giving it a try.

Below is the most recent set of logs if you have any other ideas.

CBS.zip

Much appreciate it!

~Matt
 
Still appears to be the same error. I will need to dig into this a bit more and will report back if I find anything else you can try.
 
Please can you Export the Publishers Key from your registry.

  1. Click on the Start button and type regedit
  2. When you see regedit on the list, right-click on it and select Run as administrator
  3. When regedit opens, using the left pane, navigate to the following registry key and select it by clicking on it once.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers
  4. Once selected, click File > Export....
  5. Change the Save as type: to Registry Hive Files (*.*)
  6. Name this file PUB (with no file extension) and save it to your Desktop.
  7. Right-click on the saved file and choose Send To -> Compressed (zipped) Folder.
  8. Attach the .ZIP file to your next post.
  9. If the file is too large to upload here, upload to Dropbox or OneDrive or SendSpace and just provide the link here.
 
Hello Matt,

Please can you redo this and make sure you follow step 5 to export as a Registry Hive file type.

Also please send me the same export from your working version of the Server 2016 - make sure it has a different name to distinguish it.

Thanks!
 
I have found a missing value in the Publishers key for Microsoft-Windows-EFS on your broken server.
The attached script will add it for you.

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

  1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
  2. Download the attached file, SFCFixScript.txt, and save this to your Desktop. Ensure that this file is named SFCFixScript.txt - do not rename it.
  3. Save any open documents and close all open windows.
  4. On your Desktop, you should see two files: SFCFix.exe and SFCFixScript.txt.
  5. Drag the file SFCFixScript.txt onto the file SFCFix.exe and release it.
  6. SFCFix will now process the script.
  7. Upon completion, a log should be created on your Desktop: SFCFix.txt.
  8. Attach this file into your next post for me to check please.

Then try the update again.
 


Hmm - so did it twice to make sure.

It deletes that dword when it tries to do the update. Confirmed it created it in the registry, and just restarting doesn't delete it.

Each time the update runs though, it's gone when it comes back up.

CBS attached and the log.

cbs.zip

Thanks!

~Matt
 


Hello Matt,

Well, that didn't work - trying to get the key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{3663a992-84be-40ea-bba9-90c7ed544222}]
to match your working server was not the answer. I wonder if exporting and then deleting that particular key might be the answer. Keep the exported Key so you can put it back if necessary.
 
