Technical question about DISM result and FRST REG Search

Maxstar

Hi,

I am currently busy with an update problem on my Dutch forum. The CBS.log of the TS shows the following. I can provide a link to the topic if that's convenient?

Code:
2021-05-02 16:28:36, Info                  CSI    00000007 Manifest hash for component [l:98 ml:140]'wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7' does not match expected value.
Expected:{l:32 b:66fa942bd32e0dd187308265b232a5c6b97de2e23f2ce003df8cfebf30842b11}
Found:{l:32 b:6bed6ecd7fb8a2ef5778c39309a072b28fd839f212be56b3537c590866129ce7}.

On my system, and in install.wim from the ISO (Win10_2004_Dutch_x64), the hash of 'wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7.manifest' is: 6F603B158E59A4E5D16061CE7EA961E53313D56C9D50FD87EB2022E057B8A66A

This file hash does not match the hashes that the CBS.log shows. Now comes the strange thing.

I ran the following script with FRST (on my own PC and two others) and this shows me this result.

Code:
Fix resultaat van Farbar Recovery Scan Tool (x64) Versie: 28-04-2021
Gestart door Ted (05-05-2021 12:32:15) Run:2
Gestart vanaf C:\Users\Ted\Desktop
Geladen Profielen: Ted
Boot Modus: Normal
==============================================

fixlist inhoud:
*****************
CMD: certutil -hashfile "C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7.manifest" SHA256
CMD: reg query HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7 /s
*****************


========= certutil -hashfile "C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7.manifest" SHA256 =========

SHA256 hash of C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7.manifest:
6f603b158e59a4e5d16061ce7ea961e53313d56c9d50fd87eb2022e057b8a66a
CertUtil: -hashfile command completed successfully.

========= Einde van CMD: =========


========= reg query HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7 /s =========


HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_a4f6113bccc284b7
    S256H    REG_BINARY    66FA942BD32E0DD187308265B232A5C6B97DE2E23F2CE003DF8CFEBF30842B11
    identity    REG_BINARY    4D6963726F736F66742D57696E646F77732D5465726D696E616C53657276696365732D436F6D6D616E644C696E65546F6F6C732C2043756C747572653D6E65757472616C2C2056657273696F6E3D31302E302E31393034312E312C205075626C69634B6579546F6B656E3D333162663338353661643336346533352C2050726F636573736F724172636869746563747572653D776F7736342C2076657273696F6E53636F70653D4E6F6E537853
    c!microsoft-w..-deployment_31bf3856ad364e35_10.0.19041.1_de1b4054674630b6    REG_BINARY
    f!reset.exe    REG_DWORD    0x21
    f!tsdiscon.exe    REG_DWORD    0x21
    f!qprocess.exe    REG_DWORD    0x21
    f!change.exe    REG_DWORD    0x21
    f!logoff.exe    REG_DWORD    0x21
    f!tscon.exe    REG_DWORD    0x21
    f!qappsrv.exe    REG_DWORD    0x21
    f!chglogon.exe    REG_DWORD    0x21
    f!rwinsta.exe    REG_DWORD    0x21
    f!tskill.exe    REG_DWORD    0x21
    f!query.exe    REG_DWORD    0x21
    f!chgusr.exe    REG_DWORD    0x21
    f!chgport.exe    REG_DWORD    0x21
    CF    REG_DWORD    0x200


========= Einde van CMD: =========


==== Einde van Fixlog 12:32:16 ====

The command 'certutil -hashfile' shows me the same file hash, but the REG query gives the SHA256 hash that matches the expected hash in the CBS.log from the TS?

Am I correct in thinking that this entry in the registry of the TS contains the incorrect hash?

Thanks in advance.. (y)

Maxstar (Ted)
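
As an added example (not part of the original post, and not FRST or Sysnative code), this Python script lines up the three values the post compares: the Expected/Found hashes from the CBS.log entry, the registry S256H value, and the certutil hash of the manifest file. The function names are hypothetical, the sample input is constructed from the values quoted above, and reading `l:` as the digest length in bytes is an assumption.

```python
import re

# Sample input constructed from the values quoted in the post above.
COMPONENT = ("wow64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_"
             "10.0.19041.1_none_a4f6113bccc284b7")
CBS_TEXT = (f"2021-05-02 16:28:36, Info                  CSI    00000007 Manifest hash for "
            f"component [l:98 ml:140]'{COMPONENT}' does not match expected value.\n"
            "Expected:{l:32 b:66fa942bd32e0dd187308265b232a5c6b97de2e23f2ce003df8cfebf30842b11}\n"
            "Found:{l:32 b:6bed6ecd7fb8a2ef5778c39309a072b28fd839f212be56b3537c590866129ce7}.\n")
REG_TEXT = ("    S256H    REG_BINARY    "
            "66FA942BD32E0DD187308265B232A5C6B97DE2E23F2CE003DF8CFEBF30842B11\n"
            "    CF    REG_DWORD    0x200\n")
CERTUTIL_TEXT = (f"SHA256 hash of C:\\Windows\\WinSxS\\Manifests\\{COMPONENT}.manifest:\n"
                 "6f603b158e59a4e5d16061ce7ea961e53313d56c9d50fd87eb2022e057b8a66a\n"
                 "CertUtil: -hashfile command completed successfully.\n")

# One CSI mismatch entry spans three lines: the message, Expected:{...} and Found:{...}.
MISMATCH = re.compile(
    r"Manifest hash for component \[[^\]]*\]'(?P<component>[^']+)' does not match expected "
    r"value\.\s*Expected:\{l:(?P<n>\d+) b:(?P<expected>[0-9a-fA-F]+)\}\s*"
    r"Found:\{l:\d+ b:(?P<found>[0-9a-fA-F]+)\}")

def parse_cbs_mismatches(text):
    rows = []
    for m in MISMATCH.finditer(text):
        exp, found = m["expected"].lower(), m["found"].lower()
        # Assumption: l: is the digest length in bytes; skip truncated entries.
        if len(exp) == 2 * int(m["n"]) and len(found) == len(exp):
            rows.append({"component": m["component"], "expected": exp, "found": found})
    return rows

def parse_reg_s256h(reg_output):
    m = re.search(r"^\s*S256H\s+REG_BINARY\s+([0-9A-Fa-f]{64})\s*$", reg_output, re.M)
    return m.group(1).lower() if m else None

def parse_certutil_sha256(output):
    # The digest is on its own line; older certutil builds put spaces between bytes.
    for line in output.splitlines():
        candidate = line.replace(" ", "").strip().lower()
        if re.fullmatch(r"[0-9a-f]{64}", candidate):
            return candidate
    return None

def compare(cbs_text, reg_output, certutil_output):
    reg, disk = parse_reg_s256h(reg_output), parse_certutil_sha256(certutil_output)
    return [{**mm, "registry_s256h": reg, "file_on_disk": disk,
             "registry_equals_expected": reg == mm["expected"],
             "disk_equals_expected": disk == mm["expected"],
             "disk_equals_found": disk == mm["found"]}
            for mm in parse_cbs_mismatches(cbs_text)]
```

As in the post, the CBS.log text here comes from the TS's system while the reg and certutil output come from the helper's own PC, so the flags show which values agree across machines, not which one is corrupt.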
 