[SOLVED] Windows 7 update failing 0x80070002, CBS Watchlist Package missing - stray registry key

stormy

Have a Win7 SP1 machine, all is great, except Windows Update won't run, error 0x80070002. Searched/worked on this for weeks, made a lot of progress; I think the bottom line is I need to remove this registry key:

Code:
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-intl.resources_31bf3856ad364e35_en-us_7478f32cca3f49f0\.1

No matter what I tried, it fails with:

Code:
Cannot delete key, The system cannot find the key specified.  \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-intl.resources_31bf3856ad364e35_en-us_7478f32cca3f49f0\.1

In the past, I've worked with opening permissions, etc. Tried all that, but no luck; the key cannot be FOUND, which leads me to think it has some embedded non-printable character maybe???

In CBS log it shows as a problem:


Code:
2020-01-08 03:14:23, Error                 CSI    00000021 (F) STATUS_OBJECT_NAME_NOT_FOUND #6486021# from Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey(flg = 0, key = {provider=NULL, handle=0}, da = (KEY_READ|KEY_WOW64_64KEY), oa = @0x120c850->OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[161]"\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-intl.resources_31bf3856ad364e35_en-us_7478f32cca3f49f0\.1"; a:(OBJ_CASE_INSENSITIVE)}, disp = Unmapped disposition: 18926616 (0x0120cc18))[gle=0xd0000034]
2020-01-08 03:14:23, Error                 CSI    00000022@2020/1/8:01:14:23.086 (F) d:\win7sp1_gdr\base\wcp\sil\merged\ntu\ntsystem.cpp(3676): Error STATUS_OBJECT_NAME_NOT_FOUND originated in function Windows::Rtl::SystemImplementation::DirectRegistryProvider::SysOpenKey expression: (null)
[gle=0x80004005]
2020-01-08 03:14:23, Error                 CSI    00000023 (F) STATUS_OBJECT_NAME_NOT_FOUND #6486020# from Windows::Rtl::SystemImplementation::CKey::OpenExistingKey(f = 0, da = (KEY_READ), oa = @0x120cd10, key = NULL, disp = (null))[gle=0xd0000034]

Latest SFC Fix claims to fix something, but repeated runs show the same fix over and over, so it's not really succeeding:

Code:
SFCFix version 46.32768.0.0 by niemiro.
Start time: 2020-01-08 00:12:49.691
Microsoft Windows 7 Service Pack 1 - amd64
Not using a script file.
AutoAnalysis::
WARNING: Failed to backup registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-StarterEdition~31bf3856ad364e35~amd64~~0.0.0.0.
FIXED: Orphaned package Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7&01.17514 (Microsoft-Windows-StarterEdition~31bf3856ad364e35~amd64~~0.0.0.0) on package watchlist.
WARNING: Failed to backup registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect\Microsoft-Windows-HomePremiumNEdition~31bf3856ad364e35~amd64~~0.0.0.0.
FIXED: Orphaned package Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~en-US~6.1.7&01.17514 (Microsoft-Windows-HomePremiumNEdition~31bf3856ad364e35~amd64~~0.0.0.0) on package watchlist.



SUMMARY: All detected corruptions were successfully repaired.
AutoAnalysis:: directive completed successfully.




Successfully processed all directives.
SFCFix version 46.32768.0.0 by niemiro has completed.
Currently storing 2 datablocks.
Finish time: 2020-01-08 00:16:44.518
----------------------EOF-----------------------


Assuming it has some non-printable character, suspect right before the ".1", indeed inspecting CBS.log under hex editor shows:

Code:
cca3f49f0\.1";

as:
Code:
30 5C 1E 2E 31 22 3B 20

SO, the "20" is the space, then "2E" is the DOT, and left of it, is "1E" which is a non-printable, i.e. "record separator"..

Tried the obvious, like cp CBS.log to removekey.bat, and left just this line in it:

Code:
 reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-intl.resources_31bf3856ad364e35_en-us_7478f32cca3f49f0\.1"
(non-printable is there, just not shown here).

however, this fails with:

Code:
c:\Windows\Logs\CBS>reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cu
rrentVersion\SideBySide\Winners\amd64_microsoft-windows-intl.resources_31bf3856a
d364e35_en-us_7478f32cca3f49f0\▲.1"
Permanently delete the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Window
s\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-intl.resources_31bf3
856ad364e35_en-us_7478f32cca3f49f0\▲.1 (Yes/No)? yes
ERROR: The system was unable to find the specified registry key or value.

Tried to merge via regdel.reg file with:


Code:
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-intl.resources_31bf3856ad364e35_en-us_7478f32cca3f49f0\.1]

it says keys successfully added, but the ".1" key is not removed...

Any ideas how to remove such a registry key? would love to try any idea :)

Stormy.
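An added example, not part of the original post and not taken from any tool named in this thread: a scanner that reads CBS.log as bytes and reports every logged object name containing a control character, with its offset and an escaped rendering. It assumes the bracketed number in `on:[161]"..."` is the name length (the visible path is 160 characters, so 161 fits one hidden byte); the sample log lines are constructed from the path and hex dump in the post, and the function and field names are hypothetical.

```python
import re

# CSI error lines log the object name as  on:[<length>]"<path>"  (see the CBS.log excerpt above).
OBJ_NAME = re.compile(r'on:\[(\d+)\]"([^"]*)"')

def is_hidden(ch):
    """C0/C1 control characters and DEL are not expected in a servicing key name."""
    cp = ord(ch)
    return cp < 0x20 or 0x7F <= cp <= 0x9F

def scan_cbs_log(raw):
    """Return one finding per logged object name that contains non-printable bytes.

    raw is the log as bytes. latin-1 maps every byte to exactly one character,
    so offsets and byte values survive decoding unchanged.
    """
    findings = []
    # Split on "\n" only: str.splitlines() also breaks on 0x1C-0x1E and would cut
    # the line in two exactly at the byte being looked for.
    for lineno, line in enumerate(raw.decode("latin-1").split("\n"), 1):
        for m in OBJ_NAME.finditer(line):
            name = m.group(2)
            hidden = [(i, ord(c)) for i, c in enumerate(name) if is_hidden(c)]
            if hidden:
                findings.append({
                    "line": lineno,
                    "declared_len": int(m.group(1)),           # assumed: logged name length
                    "visible_len": len(name) - len(hidden),
                    "hidden": hidden,                          # (offset in name, byte value)
                    # Escaped form that is safe to print or paste into a ticket.
                    "escaped": "".join(f"<{ord(c):02X}>" if is_hidden(c) else c for c in name),
                })
    return findings

# Constructed sample: the key path from the post with the 0x1E from its hex dump
# placed before ".1", plus one clean name that must not be reported.
BASE = (rb"\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide"
        rb"\Winners\amd64_microsoft-windows-intl.resources_31bf3856ad364e35_en-us_7478f32cca3f49f0")
SAMPLE = (b'... OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[161]"' + BASE + b'\\\x1e.1"; a:(OBJ_CASE_INSENSITIVE)}\r\n'
          b'... OBJECT_ATTRIBUTES {s:48; rd:NULL; on:[157]"' + BASE + b'"; a:(OBJ_CASE_INSENSITIVE)}\r\n')

if __name__ == "__main__":
    for finding in scan_cbs_log(SAMPLE):
        print(finding)
```

On a real system, pass the bytes of a copy of C:\Windows\Logs\CBS\CBS.log to `scan_cbs_log`; a finding whose `visible_len` is below `declared_len` is the same mismatch seen in the log line above.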
 
Tested at BIOS, and OS, all is fine, this I suspect is some sort of malware, trying to block Win7 UPDATES, the trick is a non-printable character in the KEY, which blocks everything update related.. I would not be surprised if other reports are the same, it's just hard to tell since the character IS there, but not printable to normal tools..

I think i need such a tool, RegView, this looks promising: http://regenerus.com/tools/regview-exploring-hidden-windows-registry-data/

but do not know where to find it.. it talks about exactly that, non-printable in key name in registry. Any tips specific to this request are welcomed; please, no general suggestions, I'm way past that. I'm 99% certain that is the issue, since I compared to many other non-affected Windows 7 systems that are cloned from the same base disk (btw, ran all 4 major anti-viruses, they will never find such a thing, this is not really a virus, it's just a block to update, or maybe leftovers from a virus, not sure, either way, key needs to be removed)
 
This is not malware. This is clear cut registry corruption and it is rather difficult to fix.

Retrieve COMPONENTS/SOFTWARE Hives
Note: The SOFTWARE hive has confidential and sensitive information in it so please send me a PM with a link to that particular hive so it's not in the public forum.
  • Please download the Freeware RegBak from here: Acelogix Software - Download products
    You will find it at the bottom of the page that the link brings you to.
  • Go ahead and install this program and accept all the defaults. After the last install screen the program should open.
  • Click the New Backup button. Accept the defaults and simply click Start.
  • When it says Finished successfully, click the Close button.
  • This will bring you back to the main screen of the program. You will see one entry in this list with the date that you did it. Right-click on this line-item and select Explore Backup...
  • This will bring you into the folder where the backup was made. You should see a Users folder and a Windows folder along with a couple other files. Double-click on the Windows folder to open it. Then open the System32 folder and then config folder. You should see around 6 files in here, two of which are named COMPONENTS and SOFTWARE.
  • Copy these two files to your Desktop. If the COMPONENTS file does not exist, please fetch it instead from C:\Windows\System32\config\COMPONENTS.
  • Now right click on these files on your desktop and select Send to > Compressed (zipped) folder.
  • Then please upload the zip file(s) to your favourite file sharing website (it will be too big to upload here). Examples of services to upload to are Dropbox or OneDrive or SendSpace and then just provide the link in your reply.
  • You can close any open windows you have as well as the RegBak program now.
 
Found this blog explaining the differences between the Win32 API and Native API, How to Evade Detection: Hiding in the Registry
Possibly it's a corruption, like power outage/crash, that "1E" (non-printable) should be the number "6", then the key would be what is expected "6.1"
I'm not sure I can share the registry content for the reason (privacy), let me see if it can somehow be patched directly :)
 
OK, thanks for the help although not sure what the proposed fix is.. other than upload so someone else (you) will fix it... I'm fine with doing any "dirty work"..

btw, found another close hit: NtRegEdit - Native Registry Editor
looks like others were trying to create such a tool, maybe someone (developer) can compile that :)

Will wait for any other suggestions/advice... As I understand, the issue is finding an editor that's Native API based. Do you have one, and hence offering to edit something or how would it be fixed on your end?
Stormy.
 
The thing is, the SOFTWARE hive is constantly loaded on your system and therefore cannot be fixed by you. I need to get a copy, fix it (while not active) and then send it back to you with instructions to replace over reboot.

If done correctly, the error will be gone.

However, if you happen to miss a step, this can easily render your computer unbootable, so I would recommend backing everything up prior to attempting this.
 
Thanks friend, appreciate your time and eagerness to help/fix..

I've got plenty of other PCs, Windows, Linux that can be of use, personally, specifically to this case, and in general - not just software; it's all about the learning, not necessarily to "fix", i.e. the way is more important than the final destination.. maybe this PC needs to be in this state until I find a Native API registry editor :) or somehow corrupt it in the recovery attempts, whichever happens first :) :)

Will post here if any solution pops up, mind you, I've been working on this several weeks, but only few hours ago discovered this non-printable business :)

Stormy.
 
@softwaremaniac, pls, do not spend anymore time on this, thanks really!

I'm sure the answer will come soon.. if there's a will, there's a way.. will post here since this is useful ability...
 
Ok, here we go! got it!!

Searched high-low, nothing openly stating which tool can do it (edit registry via Native API and not Win32 API).. finally came about this page: Registry Workshop Update History | www.torchsoft.com (I'm not affiliated with any of these links), it said:

Code:
Allowed address bar to accept registry paths in Native API namespace. (\Registry\Machine and \Registry\User)

so, thought, hmm, maybe it can do it (also EDIT based on the entered path)..

Downloaded, and sure enough writing the path of the key in the above format, i.e. \Registry\Machine ... INSTEAD of the HKEY_LOCAL_MACHINE\SOFTWARE\... format causes the program to access that location using the Native API (instead of the Win32 API), it immediately found, and allowed deleting the offensive ".1" key! (which had a non-printable before the ".")..

In another already open CMD window, typed sfc/scannow, and it ran for ~50min, all the way to completion:

Code:
C:\Windows\System32>sfc/scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

WOW, pretty surprised given the amount of attempts it went under recently.. not worth describing, but tried ALL guide books, and so forth, in safe mode, and all that...

Windows update also instantly started working, no reboot or anything :) after ~6hours, found 3 missing fixes and now it's installing, seems to run OK...

Hopefully it helps someone, someday :)

Enjoy,

Stormy.
 
