Ghost critical update?

Katytude

Hi folks!

I am following Corrine's advice to stop here to try repairing a W7 SP1 installation that suddenly developed an odd behavior: yesterday morning, September 18th, Windows started with problems: no wi-fi, services not able to start, unable to load restore points. After immediately restarting in safe mode I noticed a restore point by "Critical Update" had just been created and chose it, Windows then started normally and Windows Update did not show any installed updates since September 10.

Not having much time yesterday I just used my laptop for the day and turned it off. This morning rinse repeat: same behavior at startup, loaded that "Critical Update" restore point to have back a working Windows session. What I have done so far today:
- checked the memory and hard drive, no problems reported
- ran sfc /scannow, I attached the cbs zip file (no problem reported)
- ran the Windows Update Diagnostic Automated Troubleshooter that detects "missing or corrupt files", problems installing recent updates twice (not fixed) and Windows Update Error 0x8024402C (not fixed). I do not know how to save the troubleshooting report
- restarted the computer as per the troubleshooter instruction then same dance: unusable Windows, safe mode and loading of the same restore point, working session that I am using right now

BITS, WU service and Cryptographic services are all running. Not sure what else I need to report to help you help me...

Thanks for any input!
 


Hello Katy, and welcome to Sysnative :)

Tricky problem. First, CBS.log has not been particularly helpful. No problems in there so nothing I can aim a fix at.

Second, I suspect that Windows Update Diagnostic Automated Troubleshooter isn't giving a correct diagnosis here. I intend to keep the results at the back of my mind, but ultimately perform my own set of tests.

Thirdly, next time the problem occurs (unless you can pretty much remember) can you please note down which services cause a problem, and what error code they fail to start with.

Fourthly, please upload C:\Windows\SoftwareDistribution\ReportingEvents.log

Then please download and install the System Update Readiness Tool from here: What is the System Update Readiness Tool?
Please save the download somewhere convenient you can later find it as we may well need it again later. Save you a second download :)
Also please be aware that the tool can take up to an hour (very occasionally even longer) to complete. Please be patient.
Once it has finished, please upload C:\Windows\Logs\CBS\CheckSUR.persist.log.

Finally, please do NOT run any commands involving fsutil, deleting any files from the TxR folder, or deleting any *.tm*, *.blf, or *.regtrans-ms files.

I am not quite able to fully explain my reasoning here, it's more of an instinct at this point until I can get some logfiles to assess the situation. You may find those commands posted online in relation to Windows Update reboot issues. But, my instinct just tells me that it's going to make things worse, not better, here.

Thank you!

Richard
 
Hello Richard!

First, nice to meet you and thank you very much for your time!

The problem is easy to reproduce, I just need to restart my computer: I did this morning and found it unusable. I am not sure how to get a list of failing services, it is rather a bunch of failures, the ones I quickly found are listed below:
- no internet connectivity, cannot open the Network and Sharing Center nor launch the troubleshooter from the network icon in the taskbar
- MS Security Essentials real-time protection is off with error code 0x800705b4
- System Properties window cannot retrieve the system rating or the Windows Activation status (ID not available)
- System Restore is unavailable
- in Windows Explorer I noticed that the right-click Send to command is empty

These are from my notes this morning, I am sure there are other bits and pieces not working, I did not go further. Like yesterday and two days before I restarted the computer (with F8) and chose the option to repair to select a restore point. Please note that every time I restore the system a "critical update" restore point is made then when I restart the computer the same problem occurs. I am attaching a gif of the restore points I see today. Also note that I have now set WU to not automatically install updates, and the list of updates does not show anything being installed re the creation of that critical update restore point.

There is some corruption somewhere that keeps being re-installed I guess but I have no idea where to look, I am also attaching the CheckSUR.persist.log

Again, my thanks!
 


Hello again Katy :)

I am so sorry for my delayed response. I don't have any other threads on the go at the moment and completely forgot about this one.

I think we are safe to try this now based on your SURT report.


First, boot & restore your computer so that it is working normally, and then start an Elevated Command Prompt: https://www.sysnative.com/forums/wind...vista-7-a.html

and copy and paste in the following:

Code:
fsutil resource setautoreset true %systemdrive%\

attrib -r -s -h %SystemRoot%\System32\Config\TxR\*
del %SystemRoot%\System32\Config\TxR\*

attrib -r -s -h %SystemRoot%\System32\SMI\Store\Machine\*
del %SystemRoot%\System32\SMI\Store\Machine\*.tm*
del %SystemRoot%\System32\SMI\Store\Machine\*.blf
del %SystemRoot%\System32\SMI\Store\Machine\*.regtrans-ms


and press enter after the final line if necessary.

If you are asked if you are sure, type Y and press enter.

You may get some errors on some of these lines. Please just ignore them (they are normal), and let me know whether this resolves your problem.


It may or may not do. Basically, these commands clear out certain locations where updates are pended. If there is a corrupt pending update, it is likely to be there (although no guarantee - there are other locations to explore).

If problem persists, please upload C:\Windows\SoftwareDistribution\ReportingEvents.log and C:\Windows\winsxs\pending.xml (if it exists) or any other file starting with the word pending.

Thank you!

Richard
 
Hi Richard!

Again thank you for your instructions. Unfortunately there was no change after those commands, I am attaching the file you requested. There is no pending xml file or other in the winsxs folder, only a reboot.xml

I have a backup ready and very willing to flatten and re-install Windows cleanly so if you do not have the time to dig further please let me know. I am already very appreciative for your help so far!
View attachment ReportingEvents.log
 
Don't worry, there isn't a need to reinstall yet :)

However, I will be honest in saying that I have never run across this exact problem before, so of course cannot guarantee to be able to fix the issue. If you want to reinstall to avoid any further troubleshooting, then that is absolutely fine, however, I would be very happy to make a couple of more attempts at a fix before giving up.

Can you please zip up and upload reboot.xml? If that is the root cause of your problem it will certainly be a rare one. I will need to check to be sure though....

Thank you!

Richard
 
Richard!

I don't mind digging, I just have now a collection of "critical update" restore points as every time I restore to a working session something gets "updated"...

I am attaching a text file with the content of reboot.xml as I can't zip the small file (access denied). Thanks!
View attachment rebootxml.txt
 
Ooooh! It's a registry thing. I didn't expect that. Back in your working Windows session, and back in the Elevated Command Prompt, please run:

Code:
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing" %userprofile%\Desktop\RegistryExports\RegistryExport1.reg
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" %UserProfile%\Desktop\RegistryExports\RegistryExport2.reg

Then click Start > Search for regedit > right click on regedit.exe > select Run as Administrator

Expand HKEY_LOCAL_MACHINE, and look for a subkey called COMPONENTS

If you find it, jump to the end of this paragraph. If you do not find it, you must make it appear:
Single click on HKEY_LOCAL_MACHINE,
go to the File Menu > Load Hive... > navigate to C:\Windows\System32\config > select the COMPONENTS file (the one without a file extension - i.e. NOT COMPONENTS.log or similar, just COMPONENTS) >
Click Open > Give it a key name of COMPONENTS > OK.

(screenshots here if they would help: https://www.sysnative.com/forums/windows-update/3791-windows-update-not-working.html#post27638)


Then single click on HKEY_LOCAL_MACHINE\COMPONENTS and take a screenshot of your regedit display so that I can see all values under the COMPONENTS key.

Thank you!

Richard
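
An added example (not part of Richard's post and not a Sysnative tool): the two exports and the COMPONENTS hive check from the steps above as one Windows PowerShell script for an elevated session. It uses the folder and file names from the post and creates the export folder before writing to it; the output file name components-values.txt is hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell session.
$out = Join-Path $env:USERPROFILE 'Desktop\RegistryExports'

# Create the target folder before exporting (-Force is harmless if it exists).
New-Item -ItemType Directory -Path $out -Force | Out-Null

# File name -> registry key, as given in the post.
$keys = @{
    'RegistryExport1.reg' = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing'
    'RegistryExport2.reg' = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
}
foreach ($file in $keys.Keys) {
    $target = Join-Path $out $file
    & reg.exe export $keys[$file] $target /y
    if ($LASTEXITCODE -ne 0) { Write-Warning "Export failed: $($keys[$file])" }
}

# Load the COMPONENTS hive only if it is not already mounted under HKLM.
# The hive is left loaded afterwards, as in the regedit procedure.
if (-not (Test-Path 'HKLM:\COMPONENTS')) {
    $hive = Join-Path $env:SystemRoot 'System32\config\COMPONENTS'
    & reg.exe load 'HKLM\COMPONENTS' $hive
    if ($LASTEXITCODE -ne 0) { throw 'Could not load the COMPONENTS hive.' }
}

# List the names and types of the values directly under the key,
# which is what the requested regedit screenshot would show.
$key = Get-Item 'HKLM:\COMPONENTS'
$report = $key.GetValueNames() | ForEach-Object {
    New-Object PSObject -Property @{ Name = $_; Kind = $key.GetValueKind($_) }
}
$key.Close()

# components-values.txt is a hypothetical file name for this example.
$report | Format-Table Name, Kind -AutoSize | Out-String |
    Set-Content (Join-Path $out 'components-values.txt')
```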
 
Hi Richard!

I was not able to export the registry information with an error: unable to write to the file. Do I need to create a RegistryExports folder on my desktop?

I am attaching the screenshot

HKLM_Components.jpg

Edit: running the reg command as administrator
Edit 2: I manually exported the reg values for both keys if you need them
 
Yeah, can you please zip up and upload them both (separately or via Skydrive/etc. if too big). It looks like I made a mess of those commands. Sorry for not testing them!

Screenshot looks fine though. The problem isn't there.

Richard
 
Hello again :)

I've gone through the data with a fine tooth comb (not literally :p) several times and I am struggling to find anything out of place. It really is a weird problem.

I would like to investigate further what your actual service issues are. Please boot computer so that it does not work properly (service issues), download Farbar Service Scanner: Farbar Service Scanner Download

put a tick in every box and click Scan. Post log.

Then please download the ESET services repair tool, extract the file to your desktop.

  • Double-click ServicesRepair.exe.
  • If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
  • Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
  • A log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply.

Thank you!

Richard
 
Hello Richard!

No good news I'm afraid, I have downloaded both tools and rebooted in the "corrupted" state but can't launch either: like most commands or programs that I try to launch in that state nothing happens. I am going to bite the bullet and simply re-install Windows. I am sorry that I have wasted your time with this, my many thanks for helping out but I don't trust the system any longer. Three new "critical updates" restore points have been created today out of nowhere already after each restart and I am too afraid that I won't be able to restore windows to a working state at all.

Again my thanks for trying to resolve this issue, and sorry I took so much of your time for inconclusive results.
 
Did you ever get this resolved? I have the same thing. It started about the first week of September. My symptoms were, no program that connects to the internet would work, yet other programs would. When you click on the network icon in the bottom right corner nothing would happen. System restore would not work, MS security realtime would be turned off and could not be turned on and any other virus programs would not start. System restore would only work in safe mode and there was always a critical update in there even though I have never check for updates selected. When I would restore it would come back the next time the computer was turned on.

I reformatted and reinstalled everything and it came back about a week later. I reformatted and reinstalled everything again and about a week or so later it came back. I scanned my system with every virus program there is and they found nothing, and I am sure it is a virus.

After many hours I have figured out how to control it, but I can't get rid of it. What I have found out about it is that it must be in some program that I use, but I have used them for a long time and have not installed any new ones, but they have been updated. It is some kind of virus that has been there for a while and at a certain time it will activate. It installs itself as a critical update in system restore then when it activates it seems to control every program that is connected to the internet.

The way to control it is to put a system restore shortcut on the desktop and check it several times a day. As soon as it appears right click computer, properties, advanced system settings, system protection, configure, and delete all restore points then make a new restore point. On the C drive in system volume information if you check there will be a file there that occurs at the same time and I think that is where it is hiding. It appears randomly, but at least if I do this I can use my computer till I figure how to get rid of it.
Long post but that is the info I have on it

Jim
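
An added triage example (not from any poster in this thread): both reports describe "Critical Update" restore points appearing with no matching entry in the Windows Update history, and this Windows PowerShell script makes that comparison explicit by listing every restore point next to the number of recorded update installs close to it in time. The 30-minute window and the output column names are assumptions of this example; run it from an elevated session while Windows is in its working state.

```powershell
# Added example, not from the thread. Requires an elevated Windows PowerShell session.
$windowMinutes = 30   # assumption: allowed gap between an install and its restore point

# Read the Windows Update history through the Windows Update Agent COM API.
# History dates are stored in UTC, so convert them to local time.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count = $searcher.GetTotalHistoryCount()
$installs = @()
if ($count -gt 0) {
    $installs = @($searcher.QueryHistory(0, $count) |
        Where-Object { $_.Operation -eq 1 } |      # 1 = installation
        ForEach-Object { $_.Date.ToLocalTime() })
}

# Compare each restore point with the install times.
$report = Get-ComputerRestorePoint | ForEach-Object {
    $rp = $_
    $created = $rp.ConvertToDateTime($rp.CreationTime)   # WMI string -> local DateTime
    $near = @($installs | Where-Object {
        [math]::Abs(($_ - $created).TotalMinutes) -le $windowMinutes
    })
    New-Object PSObject -Property @{
        Sequence       = $rp.SequenceNumber
        Created        = $created
        Description    = $rp.Description
        NearbyInstalls = $near.Count
        # Flag restore points named like the ones in this thread
        # that have no recorded update install near them.
        Unexplained    = ($rp.Description -like '*Critical Update*' -and $near.Count -eq 0)
    }
}

$report | Sort-Object Created |
    Format-Table Sequence, Created, Description, NearbyInstalls, Unexplained -AutoSize
```

Rows with Unexplained set to True are restore points the update history does not account for; their timestamps are the ones to line up against ReportingEvents.log and CBS.log.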
 
