[SOLVED] Windows update b0rked, trying to avoid a reinstall

[FluffyOne]

Hi all,

New to this forum, stumbled upon it whilst searching for possible ways to figure out what the hell is wrong with this computer. It's currently on Win 10 1909 - obviously needs an upgrade. I can't currently successfully install Windows updates. I've tried all the SFC/DISM usual stuff. I've tried an in-place upgrade from 22H2 install media. All failing so far. I'm trying to avoid a reinstall if possible as the computer has software running on it that requires a 3rd party to reinstall and is a pain to get recovered.

In summary:

Running SFC /scannow reports: "Windows Resource Protection could not start the repair service.".

Running DISM /Online /Cleanup-Image /RestoreHealth reports "Error: 1726 The remote procedure call failed."

Logs files as per the posting instructions are attached.

Many thanks for any insight your collective mind can offer.

Ronny

 

[Maxstar]

Hi and welcome to Sysnative,

Please post all the previous (CbsPersist) logs as well or did you delete them?

Upload a copy of the CBS folder

• Open Windows Explorer and browse to the C:\Windows\Logs folder.
• Right-click on the CBS folder and choose Send to > Compressed (zipped) folder.
• Now the message will appear, "Windows cannot create the Compressed (zipped) Folder here. Do you want it to be placed on the desktop instead?"
• Click on the Yes button here.

• Attach the file CBS.zip to your next reply. If the file is too large to attach, upload the CBS.zip file to www.wetransfer.com and post the link in your next reply.

 

[FluffyOne]

Hi and welcome to Sysnative,

Thanks. .

Please post all the previous (CbsPersist) logs as well or did you delete them?

Yes, I cleared out the CBS folder before I started the debug.

Attached are the old files I previously cleared out from the CBS folder.

Ronny

 

[Maxstar]

Please run the following script with FRST to get more information about the Servicing Stack.

Download the

Farbar Recovery Scan Tool and save it to your Desktop:

Download the 64 bit version: - Farbar Recovery Scan Tool Link

• Download the attachment fixlist.txt and save it to your desktop.
• Right-click on FRST.exe and select "Run as administrator".
• Press the Fix button.
• If for some reason the tool needs a restart, please make sure you let the system restart normally.
• When finished, a log called Fixlog.txt will appear in the same directory the tool is run from.
• Post the logfile Fixlog.txt as attachment in your next reply.

 

[FluffyOne]

Thanks. Fixlog.txt attached.

Ronny

 

[Maxstar]

Please do the following.

Step 1. Download

SFCFix and save it to your desktop.

Warning: This fix was written specifically for this system. Do not run this fix on another system.

• Save any work you have open, and close all programs.
• Download the attachment SFCFix.zip and save it to your desktop.
• Drag the SFCFix.zip file over the SFCFix.exe executable and release it.

• SFCFix will launch, let it complete.
• Once done, a file will appear on your desktop, called SFCFix.txt.
• Post the logfile (SFCFix.txt) as attachment in your next reply.

Step 2. Run the following DISM command and post the result. If it fails attach a new copy of the CBS log.

DISM /online /cleanup-image /RestoreHealth

 

[FluffyOne]

SFCFix.txt attached, thanks.

The DISM command fails with

Error: 1726

The remote procedure call failed.

CBS.zip attached.

Ronny

 

[Maxstar]

2024-05-07 16:19:36, Error                 CSI    00000002@2024/5/7:15:19:36.243 (F) (null)(0): Error STATUS_INTEGER_OVERFLOW originated in function (null) expression: (null)
[gle=0x80004005]
2024-05-07 16:19:38, Info                  CBS    Failed to FinalizeEx using worker session [HRESULT = 0x800706be]

Please run DISM again with Process Monitor running.

Capture Process Monitor Trace
1. Download and run Process Monitor. Leave this running while you perform the next steps.
2. Run DISM again with the following command in an elevated prompt.

DISM /online /cleanup-image /RestoreHealth

3. Stop Process Monitor as soon as it fails. You can simply do this by clicking the square (CTRL +E) on the toolbar as shown below.



4. Select the File menu...Save... and save the file to your desktop. This is likely the default location. The name (unless changed) will be LogFile.PML. This is fine.
5. Zip up the LogFile.PML and upload it to WeTransfer - Send Large Files & Share Photos Online - Up to 2GB Free and provide the link.
6. Attach also a new copy of the CBS log for the timestamps.

 

[FluffyOne]

The Process Monitor trace is here:
https://we.tl/t-HbO6PwYnnF

CBS logs attached.

Ronny

 

[Maxstar]

Is Windows Background Activity Moderator (BAM) installed on this this system with a third party Python script?

Please do the following as well.

Download the

Farbar Recovery Scan Tool and save it to your Desktop:

Download the 64 bit version: - Farbar Recovery Scan Tool Link

• Note: Your antivirus program may report FRST incorrectly as an infection. If so, disable the real-time protection when downloading and running FRST.
• Right-click to run the tool as administrator. When the tool opens click Yes to disclaimer.
• Note: Ensure that the Addition.txt check box is checked at the bottom of the form within the Optional Scan area.
• Press the Scan button.
• Please wait for the tool to finish. It will produce two logfiles called FRST.txt and Addition.txt in the same directory the tool is run from (which should be the desktop)
• Post the logfiles FRST.txt and Addition.txt as attachment in your next reply.

 

[FluffyOne]

Is Windows Background Activity Moderator (BAM) installed on this this system with a third party Python script?

I have to plead ignorance here... there's no Python environment deliberately installed on this computer and nothing to do with BAM installed as far as I'm aware - I had not heard of BAM until you referenced it. .

Is there something specific I can check?

Please do the following as well.

Download the

Farbar Recovery Scan Tool and save it to your Desktop:

Download the 64 bit version: - Farbar Recovery Scan Tool Link

• Note: Your antivirus program may report FRST incorrectly as an infection. If so, disable the real-time protection when downloading and running FRST.
• Right-click to run the tool as administrator. When the tool opens click Yes to disclaimer.
• Note: Ensure that the Addition.txt check box is checked at the bottom of the form within the Optional Scan area.
• Press the Scan button.
• Please wait for the tool to finish. It will produce two logfiles called FRST.txt and Addition.txt in the same directory the tool is run from (which should be the desktop)
• Post the logfiles FRST.txt and Addition.txt as attachment in your next reply.

Logfiles attached.

Thanks.

Ronny

 

[Maxstar]

Hi,

BAM exists since Windows 10 fall creator update (version 1709). It stores binary data in the registry holding the execution of different programs/applications by users. The user attribution is based on the way in which the data is maintained in the registry under keys based on the SID

FRST

(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1610_none_16d8d2032a45b189\TiWorker.exe
Failed to access process -> TiWorker.exe

Application errors:
==================
Error: (05/09/2024 07:49:27 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: TiWorker.exe, version: 10.0.18362.1610, time stamp: 0x657e0a52
Faulting module name: wcp.dll, version: 10.0.18362.1610, time stamp: 0x68cc6006
Exception code: 0xc0000409
Fault offset: 0x000000000014ec4d
Faulting process ID: 0x7b8
Faulting application start time: 0x01daa1dd045fe481
Faulting application path: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1610_none_16d8d2032a45b189\TiWorker.exe
Faulting module path: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1610_none_16d8d2032a45b189\wcp.dll
Report ID: 270e0161-cbb8-4ead-8412-42f890517043
Faulting package full name:
Faulting package-relative application ID:

ProcMon trace

5/8/2024 11:23:44 AM    dismhost.exe    RegQueryValue    HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2930768224-1664396922-908808448-1106\\Device\HarddiskVolume2\Users\AINET~1.CAL\AppData\Local\Temp\2B0AC3EB-326C-4BF4-84C1-6CF8634B2A81\DismHost.exe    NAME NOT FOUND    Length: 40
5/8/2024 11:23:44 AM    Dism.exe    RegQueryValue    HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2930768224-1664396922-908808448-1106\\Device\HarddiskVolume2\Windows\System32\Dism.exe    NAME NOT FOUND    Length: 40
5/8/2024 11:23:44 AM    TiWorker.exe    RegQueryValue    HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18\\Device\HarddiskVolume2\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1610_none_16d8d2032a45b189\TiWorker.exe    NAME NOT FOUND    Length: 40

Do you recognize the hightlighted SID? Please do also the following:

Export registry key as hive file.

• Open the Start menu of Windows and type CMD.
• When you see Command Prompt on the list, select the option Run as administrator.
• Copy and paste the following command into the command prompt and press enter.

reg save "HKLM\System\CurrentControlSet\Services\bam" "%userprofile%\Desktop\bam.hiv"

• Once done, a file will appear on your desktop, called bam.hiv.
• ZIP this file and attach it to your next reply.

 

[FluffyOne]

ProcMon trace

5/8/2024 11:23:44 AM    dismhost.exe    RegQueryValue    HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2930768224-1664396922-908808448-1106\\Device\HarddiskVolume2\Users\AINET~1.CAL\AppData\Local\Temp\2B0AC3EB-326C-4BF4-84C1-6CF8634B2A81\DismHost.exe    NAME NOT FOUND    Length: 40
5/8/2024 11:23:44 AM    Dism.exe    RegQueryValue    HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2930768224-1664396922-908808448-1106\\Device\HarddiskVolume2\Windows\System32\Dism.exe    NAME NOT FOUND    Length: 40
5/8/2024 11:23:44 AM    TiWorker.exe    RegQueryValue    HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-18\\Device\HarddiskVolume2\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.18362.1610_none_16d8d2032a45b189\TiWorker.exe    NAME NOT FOUND    Length: 40

Do you recognize the hightlighted SID? Please do also the following:

Yes, that SID is a domain admin user "ainet". That's the user I'm generally logged in as.

Export registry key as hive file.

• Open the Start menu of Windows and type CMD.
• When you see Command Prompt on the list, select the option Run as administrator.
• Copy and paste the following command into the command prompt and press enter.

reg save "HKLM\System\CurrentControlSet\Services\bam" "%userprofile%\Desktop\bam.hiv"

• Once done, a file will appear on your desktop, called bam.hiv.
• ZIP this file and attach it to your next reply.

Attached.

Thanks.

 

[Maxstar]

Thanks, please login with the following account and try to run DISM again.

localadmin (S-1-5-21-2146681988-3394040164-2527588245-1001 - Administrator - Enabled)

 

[FluffyOne]

DISM reports the same error:

C:\Windows\system32>DISM /online /cleanup-image /RestoreHealth

Deployment Image Servicing and Management tool
Version: 10.0.18362.1379

Image Version: 10.0.18363.1556

[==                         3.8%                           ]
Error: 1726

The remote procedure call failed.

The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

C:\Windows\system32>

 

[Maxstar]

Hmmm, please attach the latest CBS logs as well as the event logs.

Upload the Event Viewer logs.

• Click the Start button and in the search box, type Command Prompt
• When you see Command Prompt on the list, right-click on it and select Run as administrator.
  Copy and paste the following commands one at a time into the command prompt and press enter after each.
  

  wevtutil epl SYSTEM "%userprofile%\Desktop\System.evt"
  wevtutil epl APPLICATION "%userprofile%\Desktop\Application.evt"
  PowerShell Compress-Archive -Path "%userprofile%\Desktop\*.evt" -DestinationPath "%UserProfile%\Desktop\EventLogs.zip"

• These commands will collect the System and Application logs and create EventsLogs.zip on your Desktop.
• Attach this file in your next reply.

 

[FluffyOne]

Bear with me on this; I've noticed an issue with local users picking up the roaming profile GPO which means Windows can't find the profile when logging in as a local user. I'll respond to your last post once I figure out how to not apply the GPO setting to local users. Sigh.

 

[Maxstar]

No problem at all, and I already had a suspicion that this could be a possible cause seeing the earlier excerpts I've posted.

 

[FluffyOne]

This is the only computer with the issue so there's that factor too...

I'm hoping that if I get the profile issue fixed, it will at least allow the DISM repair to complete.

I might not get back to this until after the weekend as I have a couple of other pressing things to attend to. Thanks for all your help so far. .

 

[Maxstar]

You're welcome, I will see the result then! Have a nice weekend.