The configuration registry database is corrupt.

fidget77

fidget77

Member
Joined
Jul 11, 2016
Posts
13
Hello,
I have a similar the same problem as this thread: "The configuration registry database is corrupt."
The Windows update which didn't work is KB5005033 from 21H1 Version with Error 0x800703f1.
I also try to inplace upgrade, but I also get an error 0x8007001F-0x2000C (Apply Image)
All exactly the same with this thread: "The configuration registry database is corrupt."
My question is how can this C:\Windows\System32\Config\COMPONENTS file can be repaired/restored.
Is it necessary to upload it so that you can fix it for me?
Tyvm!
 
It appear that your COMPONENTS hive is corrupt and there appears to be several parts which are corrupted. This can sometimes be due to hardware issues such as RAM and therefore I would recommend running MemTest86 for at least four passes. Please see the following instructions here - Test RAM with PassMark MemTest86

The reason why I would like to make sure there isn't any hardware issues beforehand, because if that is the case, then the hive will eventually become corrupted again.
 
I suspect this happened to me after a boot time defrag. I used a third-party defrag tool. It has an option to defrag and move unmovable files like MFT, pagefile, all the $Files, 30% in for the outer tracks of the drive. It was failing in moving files like that and I finally just defragged w/o moving the files to the recommended location on the disk. I'm reading right now on the software's manual:

"When running boot time defragmentation files are being accessed at a low level. It is not
uncommon for your file system to have pre-existing minor corruption that is not even
detectable and correctable by Windows CHKDSK. In this instance, the likelihood of any boot
time routine causing further corruption is extremely low but not entirely impossible. We highly
recommend you have a backup of your important data before running any boot time
module, especially the first time.
On top of that, many drives have minor corruptions that are not apparent during normal use
but are correctable with CHKDSK. Since the boot time analysis is very sensitive to such
corruptions, if the boot time module gives an error stating that there is a pre-existing MFT
corruption or disk error and that does not enable it to proceed you can usually correct such
corruptions with the Windows CHKDSK feature. Please consult the Windows Help file for more
information on CHKDSK in the event that you need to run it."

I have run chkdsk multiple times. Disk drive seems fine now. But I'm pretty sure this defragment software caused my COMPONENTS file corruption!
So I think it's not a corruption that can reoccur. I can run MemTest86 too if you insist though!
What do you think?
I would also like to know your thoughts on such defragment functions of software!
 
Last edited by a moderator:
fidget77 said:
I would also like to know your thoughts on such defragment functions of software!
Click to expand...
You don't need to run any third-party defragmentation tools and defragmentation is largely redundant on newer operating systems. If you ever wanted to, then I would only recommend you use the Windows in-built defragmentation tool. Have you ran any other third-party tools like registry cleaners? I'm doubtful that the defrag tool has corrupted your components hive.

Thanks for providing the results of the Windows Memory Diagnostic tool. It appears that it detected no errors with your RAM. However, I don't find that tool to be practically reliable, and therefore would still recommend that you run MemTest86.
 
I had trouble with MemTest86. Latest version isn't working on a non UEFI system. Older compatible version (4.3.7) does not recognize keyboard when run from a flash drive. I used MemTest86+ and gave no errors but I had no means to get any results log. I'm thinking now to run MemTest86 from a CD-ROM or burn the MemTest86 cd rom iso on a flash drive, but I'm not sure If I can get results log that way.
According to the instructions here - Test RAM with PassMark MemTest86 I may not get any that way. Will I be able to see results and choose where to save the HTML report? I will run MemTest86 if I get it to recognize keyboard overnight anyways.
Any advice about running MemTest86 or any alternative that suits as reliable enough and can give results?
As for the corruption, I'm pretty sure it's the defragmentation that caused it because I saw how it left my drive after I rerun it and it analyzed my disk. It couldn't make the free space to move the MFT $ and sys files. It gave errors, twice, and the corruption I'm facing. I could see that from the COMPONENTS file date as well.
Well, I run two memory test tools already (Windows Memory Diagnostic tool and MemTest86+) and they found no errors, I doubt Memtest86 will find any and I even doubt I will get results.
 
Last edited:
As you mentioned, if the third-party defragmentation tool has caused additional problems other than just the components hive corruption, then it would be best to perform a clean install of the operating system.
 
I know that! But guess what, the PC works fine! It just can't update. I never mentioned any "additional problems". I wouldn't post here if I had "additional problems" other than the components hive corruption. I would just clean install. I've just posted here for the components hive repair, which I know not how to do as I mentioned at my first post. Clean install I can do and maybe I would save time If I had done in the first place on 12/8 and get is over with. But then why do I wait so many days? It's too late to clean install now. Sorry! Is it so hard to repair the COMPONENTS file? Does it take days? weeks? months? I will attach when I have the MemTest86 report.
Thank you in advance!
 
MemTest86 version 4.3.7 running atm from USB. First pass complete w/o errors. I'll just wait for four passes now.
 
I've asked for a second insight into your hive corruption, and they agreed, that there really is only two options: either attempt a repair install or do a complete clean install. Your hive corruption is very bad, it isn't just a few corrupted or missing keys, there's entire chunks of NTFS metadata inside your COMPONENTS hive when there shouldn't be. It does appear it's highly likely that the Utimate Defrag tool is to blame for the corruption. This isn't something which is easy to fix: it's going to very long and tedious and would require lots of manual tweaking via a hex editor. Additionally, if the defrag tool has messed up your COMPONENTS hive, then it's possible it has corrupted other parts of the operating system which we are just simply aren't aware of yet.
 
Why did I have to insist that defragmenting had to do with the corruption then? And why did you ask me to run MemTest86? Did you ask before checking hive corruption or you haven't checked it at all and you are just speculating from what I told you?
 
Last edited:
I did in fact check your logs and I knew that the COMPONENTS hive was badly corrupted, hence why I recommended that you run MemTest86, since a badly corrupted hive is usually due to hardware issues. The reason I was doubtful, yet not completely against the idea, that Ultimate Defrag was the issue is because I've never seen a defragmentation tool wreck a COMPONENTS hive. At best, they usually don't do much at all. I'm still new to diagnosing Windows Update issues so I asked for a second opinion from a much more experienced analyst and they indicated that the issue was very likely due to Ultimate Defrag.

And since, you believe that I'm just speculating, here's the evidence:

Tekno Venus said:
The good news is most of the data is still in the hive.

The bad news is the root nk record is corrupt, which is preventing the hive from loading. You can read more about NK records here: Registry hive basics part 2: NK records. Essentially since the root key is corrupt, it can't load any more data since all the other data is underneath that root key.

The Hivex port Richard did has always been super buggy. Hivex is a linux tool, so it's easiest just to use a Linux machine and use the original tool from source (or on Ubuntu you can grab it from apt apt install libhivex-bin)

Unfortunately again, even an up-to-date hivex build has issues with this hive:
Code: 
❯ hivexsh /mnt/d/Stephen/Desktop/COMPONENTS
hivexsh: failed to open hive file: /mnt/d/Stephen/Desktop/COMPONENTS: Operation not supported

If you think this file is a valid Windows binary hive file (_not_
a regedit *.reg file) then please run this command again using the
hivexsh option '-d' and attach the complete output _and_ the hive file
which fails into a bug report at https://bugzilla.redhat.com/

We can get a bit more info running it in debug mode
Code: 
❯ hivexsh -d /mnt/d/Stephen/Desktop/COMPONENTS
hivex: hivex_open: created handle 0x55dcf40df370
hivex: hivex_open: mapped file at 0x7f8e92510000
hivex_open: header fields:
  file version             1.5
  sequence nos             20370 20370
    (sequences nos should match if hive was synched at shutdown)
  last modified            0
    (Windows filetime, x 100 ns since 1601-01-01)
  original file name       DOWS\System32\config\COMPONENTS
    (only 32 chars are stored, name is probably truncated)
  root offset              0x20 + 0x1000
  end of last page         0x3341000 + 0x1000 (total file size 0x3380000)
  checksum                 0xb94294a4 (calculated 0xb94294a4)
hivex: hivex_open: root offset = 0x1020
hivex: hivex_open: returning ENOTSUP because: /mnt/d/Stephen/Desktop/COMPONENTS: trailing garbage at end of file (at 0x1
000, after 0 pages)
hivexsh: failed to open hive file: /mnt/d/Stephen/Desktop/COMPONENTS: Operation not supported

I'm actually pretty sure this is the defrag program's fault - or perhaps a chkdsk gone wrong. Let's open the hive in a hex editor.

At offset 0x1000, there's some unusual data in the file:
View attachment 69127

Compared to a "good" hive we should find the root hbin at the same offset
View attachment 69129

The RSTR and N.T.F.S are curious...

Moving further down the corrupt hive we see RCRD sections, which are again not part of a normal hive structure:
View attachment 69131

It's not until offset 0x5000 that we start seeing something that resembles correct data:
View attachment 69132


So what is this junk data? Well it's actually (somehow!) part of the NTFS log file. This log file is what makes NTFS a journaling filesystem, and the logfile contains metadata about filesystem actions (create/modify/edit etc). From Windows Internals 6th Edition:


The NTFS logfile isn't well documented, but there are two data structures used in the file we're interested in here - LFS_RESTART_PAGE and LFS_RECORD_PAGE.

LFS_RESTART_PAGE structs start with the a header with the RSTR signature, and LFS_RECORD_PAGE's header has the RCRD signature. Source: $LogFile (2) - File - NTFS Documentation

What this means is somehow parts of the NTFS logfile have been inserted into the start of the COMPONENTS hive file. How this could have happened I'm not too sure, but I suspect it would be the result of this defrag program.



Can we repair it? Well, put simply - maybe, but it's not worth the effort. Not only is NTFS record data at the start of the hive (we might be able to re-build the root key manually if that was the case), but it's also scattered throughout the hive. We'd have to remove all the instances of the RCRD value, then re-create valid hbins in all the locations manually in the hex editor where the RCRD values were. It's not worth the time...

View attachment 69134

I'd also be very nervous about this corruption being present in other locations - I'd be surprised if it's localised entirely to the COMPONENTS hive, it's just that that's where we're looking first.
Click to expand...

I'm stepping out of this thread now. Please note that everyone here - including staff members - are volunteers who dedicate a portion of their free time attempting to help users with their computer issues. You've been nothing but rude and disrespectful since the start of this thread and through PMs.
 
You must log in or register to reply here.

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top