[SOLVED] Windows Server 2019 - SFC dies at 77%

[gogeek]

Lucky us, it seems like our original Server 2019 template used to deploy all our servers had an issue. "SFC /Scannow" errors out saying "Windows Resource Protection could not perform the requested operation" at 77% on all of our 2019 servers.
I have followed the steps (Windows Update Forum Posting Instructions).
I have uploaded the CBS.zip and ComponentsScanner.txt files here:
Server2019 - Google Drive
Thanks for any help you can provide

 

[Maxstar]

Hi and welcome to Sysnative,

Step 1. Download

SFCFix and save it to your desktop.

Warning: This fix was written specifically for this system. Do not run this fix on another system.

• Save any work you have open, and close all programs.
• Download the attachment SFCFix.zip and save it to your desktop.
• Drag the SFCFix.zip file over the SFCFix.exe executable and release it.

• SFCFix will launch, let it complete.
• Once done, a file will appear on your desktop, called SFCFix.txt.
• Post the logfile (SFCFix.txt) as attachment in your next reply.

Step 2. Run the System File Checker and post the result. If it fails attach a new copy of the CBS log.

SFC /Scannow

 

[gogeek]

Super excellent! SFC scan now completes without error. SFCFix.txt attached as requested in case it is of interest.
Bonus question: We've got a bunch of other servers built from the same VM template. Looking at the log file I see that you've just fixed some permissions on some windows defender files, what's the risk of me running this same fix on those other servers? Also is there a command line that can be used to pass the zip fix file to the exe for mass deployment?

Thanks so much for your help in getting this fixed.

 

[Maxstar]

Hi,

I've replaced the expected payload files and the associated registry key, this is why the permissions have been saved and restored.
How many servers you'll need to fix, and can you please upload the CBS log of another server after running the system file checker.

SFCFix can be executed through the command line when both files are in the same location: SFCFix.exe SFCFix.zip

 

[gogeek]

Thanks Maxstar - I've got about 232x Windows 2019 servers with the same issue. I'm not actually convinced it's causing any practical issues as some of these servers have been running for years now without having a noticeable problem. It's just that someone tried to run SFC and found out that it doesn't complete.

I've run a fresh SFC /Scannow on another one of the servers and uploaded the CBS log zip to the same share as CSB2.zip

 

[Maxstar]

Hi,

This log shows exactly the same error, this means you can safely run the fix in post#2 on this server and all other servers with the same issue.

 

[gogeek]

That's great news Maxstar. Can you clarify how "SFCFix can be executed through the command line when both files are in the same location". I've tried several different ways to pass the zip to the exe but it never works and also throws the following error (presumably because it didn't like the path to the zip file): Failed to extract zip archive. Failed to unzip in location 2 with error code 0x1

Also, is there a way to bypass the update check as the servers don't have internet access and therefore the tool creates the prompt "If you are already using the latest version, press any key to continue . .". I'd like to automate the deployment and not have an prompts

 

[Maxstar]

Hi,

So far as I know there's no option to bypass the update check. Perhaps it would be better to create a custom script to deploy this fix on all the servers.

This fix includes a registry and WinSxS component (Files.zip):
1. The WinSxS component must be replaced in the following directory %Systemroot%\WinSxS, but you'll need to change the permissions with icacls first.
2. To replace the registry component, you'll need to load the COMPONENTS hive first with the following command: reg load HKLM\COMPONENTS C:\Windows\System32\Config\COMPONENTS

 

[gogeek]

Thanks Maxstar - your a legend

 

[Maxstar]

Hi,

You're welcome. Please let us know when all the servers are fixed, then we can mark this thread as solved.

 

[gogeek]

Maybe one more question seeing as you are being so helpful. Can you expand on "you'll need to change the permissions with icacls first". I assume you mean I need to grant myself permissions to the C:\Windows\WinSxS\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.831_none_5892c02f26f780e5 folder in order to be able to copy in the new files. I've tried to grant myself full access using icacls from an admin powershell console, but I keep getting access denied errors. Any tips?

The command (and variations) I was trying to run was: icacls C:\Windows\WinSxS\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.831_none_5892c02f26f780e5 /grant username:F /t

 

[Maxstar]

Hi,

I recommend to use the following commands (in an elevated CMD prompt) to save the current permissions, change them to get full access and then restore the ownership and saved permissions after copying the files.

icacls "%systemroot%\WinSxS\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.831_none_5892c02f26f780e5" /save "%userprofile%\desktop\perms.acl" /t
takeown /f "%systemroot%\WinSxS\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.831_none_5892c02f26f780e5" /r
icacls "%systemroot%\WinSxS\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.831_none_5892c02f26f780e5" /grant administrators:(F) /t

Copy files>>

icacls "%systemroot%\WinSxS\amd64_windows-defender-management-powershell_31bf3856ad364e35_10.0.17763.831_none_5892c02f26f780e5" /setowner "NT SERVICE\TrustedInstaller" /t
icacls "%systemroot%\WinSxS" /restore "%userprofile%\desktop\perms.acl" /t

 

[gogeek]

That works perfectly. I can mass deploy the fix now. Thanks Maxstar! I'll try to mark this thread as solved.

 

[Maxstar]

Hi,

Great, good luck with the mass deployment of this fix, if you have further questions please let me know.