[SOLVED] Windows Server 2019 failing two successive Cumulative Monthly Updates, KB5029247 and KB5030214 with 0x8007007b

[Tonesterfish]

As the subject states, I have a Server 2019 (1809) that has failed to install and reverts update for the last two month's Cumulative Updates for 08/2023 and 09/2023. I have tried with the windows Update and also downloading the update from the catalog and installing.

SFC passes with no integrity violations and I am enclosing the CBS logs after running the DISM with /RestoreHealth. I have 6 MS Azure Instances that are running Server 2019, built at the same time and they are able to be patched other than this one instance.

I am at a loss right now as to what is preventing this one instance from being able to apply the cumulative updates. I am able to install the .NET patches and other patches, just not the cumulative patches starting in August.

Hopefully you can help out and examine the logs to see what might be the issue with this one instance and I won't have to rebuild it.

Thanks in advance.

 

[Maxstar]

Hi and welcome to Sysnative,

Upload the setupapi.dev.log file

• Open Windows Explorer and browse to the C:\Windows\INF folder.
• Right-click on the file setupapi.dev.log and choose Send to > Compressed (zipped) folder.
• Now the message will appear, "Windows cannot create the Compressed (zipped) Folder here. Do you want it to be placed on the desktop instead?"
• Click on the Yes button here.
• Attach the file setupapi.dev.zip in your next reply.

 

[Tonesterfish]

Here is the file,

Thanks in Advance

 

[Maxstar]

Hi,

Please provide the following files as well.

Upload the Event Viewer logs.

• Click the Start button and in the search box, type Command Prompt
• When you see Command Prompt on the list, right-click on it and select Run as administrator.
  Copy and paste the following commands one at a time into the command prompt and press enter after each.
  

  wevtutil epl SYSTEM "%userprofile%\Desktop\System.evt"
  wevtutil epl APPLICATION "%userprofile%\Desktop\Application.evt"
  PowerShell Compress-Archive -Path "%userprofile%\Desktop\*.evt" -DestinationPath "%UserProfile%\Desktop\EventLogs.zip"

• These commands will collect the System and Application logs and create EventsLogs.zip on your Desktop.
• Attach this file in your next reply.

Export registry key as hive file.

• Open the Start menu of Windows and type CMD.
• When you see Command Prompt on the list, select the option Run as administrator.
• Copy and paste the following command into the command prompt and press enter.
  

  reg save "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" "%userprofile%\Desktop\Services.hiv"

• Once done, a file will appear on your desktop, called Services.hiv.
• ZIP this file and attach it to your next reply.

 

[Tonesterfish]

Here are the two requested files

 

[Maxstar]

2023-09-14 14:45:01, Info                  CSI    00000082 Loading user account SID S-1-5-21-1478486540-2306078515-999902690-6841012
2023-09-14 14:45:01, Info                  CSI    00000083 Could not load user
2023-09-14 14:45:01, Info                  CSI    00000084 Loading user account SID S-1-5-21-1478486540-2306078515-999902690-6843850
2023-09-14 14:45:01, Error                 CSI    00000085@2023/9/14:14:45:01.298 (F) internal\onecorebase\inc\auto_hive.h(221): Error c0000033 [Error,Facility=(system),Code=51 (0x0033)] originated in function Windows::Rtl::AutoHive::Load expression: (null)
[gle=0x80004005]

Do you recognize the highlighted SID's? If not please run the following command's in an elevated prompt and attach the result. It seems they're services related profiles I think.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s > "%userprofile%\desktop\ProfileList.txt"
reg query "HKEY_USERS" /s >> "%userprofile%\desktop\ProfileList.txt"

 

[Tonesterfish]

I do not recognize that domain, and there are no such user profiles as referred to in the profileList. FORENSiT Profile wizard was used on this server to migrate user profiles from one domain to another during a domain change. but this was used on other servers with no similar issue.

 

[Tonesterfish]

correction, I have now looked at another server and that domain is a old domain that we no longer use, but the profile wizard was used to change the profile from on domain to another so that the user could use the new domain account and retain access to their user profile, so I have confirmed that domain referenced is referring to the domain no longer used and that can be removed if it is causing an issue

 

[Maxstar]

I've seen a similar issue with the "Forensit Profile Wizard program" a couple of months ago.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1478486540-2306078515-999902690-6841012
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\..000
    ForensiTMigrated    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1478486540-2306078515-999902690-6843850
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\.
    ForensiTMigrated    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1478486540-2306078515-999902690-6868113
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\..000
    ForensiTMigrated    REG_DWORD    0x1

It seems these are the problematic profiles in this case, so I would suggest make a backup of this server and then delete those profiles with the following script or manually.

Download

SFCFix and save it to your desktop.
Warning: This fix was written specifically for this system. Do not run this fix on another system.

• Save any work you have open, and close all programs.
• Download the attachment SFCFixScript.txt and save it to your desktop.
• Drag the SFCFixScript.txt file over the SFCFix.exe executable and release it.

• SFCFix will launch, let it complete.
• Once done, a file will appear on your desktop, called SFCFix.txt.
• Post the logfile (SFCFix.txt) as attachment in your next reply.

 

[Tonesterfish]

ok, there is no harm in deleting the profiles,, so I will backup the registry entries and removed them and try the updates, thank you and I will report back the results

 

[Maxstar]

You're welcome. Let's hope this will resolve the issue...

 

[Tonesterfish]

CU was successfully applied after I removed the three FORENSiT registry profile entries. Thank you for the diagnostic help.

this thread can be marked solved.

 

[Maxstar]

You're welcome. Glad I could help to resolve this issue..
I will mark this thread as solved.