[SOLVED] Windows update fails insalling new images, DISM and SFC fail, SFXFIX detects NO error

verdyp

verdyp

Member
Joined
Aug 10, 2016
Posts
10
I'm locked trying to install a Windows update. Apparently this is an issus with NTFS compression on some existing files that can be read from normal Windows boot, but not from PE while installing a new image.


Running "SFC /SCANNOW" stops at 16% :

Code: 
Microsoft Windows [version 10.0.18342.1]
(c) 2018 Microsoft Corporation. Tous droits réservés.

C:\WINDOWS\system32>sfc /scannow

Début de l’analyse du système. Cette opération peut nécessiter un certain temps.

Démarrage de la phase de vérification de l’analyse du système.
La vérification est à 16% terminée.

La protection des ressources Windows n’a pas réussi à effectuer l’opération demandée.

C:\WINDOWS\system32>


Running "DISM /ONLINE /CLEANUP-IMAGE /ANALYZECOMPONENTSTORE" detects no error :

Code: 
C:\WINDOWS\system32>dism /online /cleanup-image /analyzecomponentstore

Outil Gestion et maintenance des images de déploiement
Version : 10.0.18342.1

Version de l’image : 10.0.18342.1

[==========================100.0%==========================]

Informations sur le magasin de composants (WinSxS) :

L’Explorateur Windows a signalé la taille du magasin de composants. : 4.60 GB

Taille réelle du magasin de composants : 4.58 GB

    Partagé avec Windows : 4.45 GB
    Sauvegardes et fonctionnalités désactivées : 132.11 MB
    Cache et données temporaires :  0 bytes

Date du dernier nettoyage : 2019-03-08 16:39:26

Nombre de packages récupérables : 0
Nettoyage du magasin de composants recommandé : Non

L’opération a réussi.

C:\WINDOWS\system32>


Running "DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH" detects no error:

Code: 
C:\WINDOWS\system32>DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH

Outil Gestion et maintenance des images de déploiement
Version : 10.0.18342.1

Version de l’image : 10.0.18342.1

Aucun endommagement du magasin de composants n’a été détecté.
L’opération a réussi.

C:\WINDOWS\system32>

Running "DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH" stops at 35.2% with an internal WOF error 4448:

Code: 
C:\WINDOWS\system32>DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH

Outil Gestion et maintenance des images de déploiement
Version : 10.0.18342.1

Version de l’image : 10.0.18342.1

[====================       35.2%                          ]
Erreur : 4448

Le pilote WOF a rencontré une défaillance dans la Table des ressources du fichier compressé.

Le fichier journal DISM se trouve à l’emplacement C:\WINDOWS\Logs\DISM\dism.log

C:\WINDOWS\system32>


Running "DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH" stops at 26.1% with an internal WOF error 4448:

Code: 
C:\WINDOWS\system32>DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH

Outil Gestion et maintenance des images de déploiement
Version : 10.0.18342.1

Version de l’image : 10.0.18342.1

[===============            26.1%                          ]
Erreur : 4448

Le pilote WOF a rencontré une défaillance dans la Table des ressources du fichier compressé.

Le fichier journal DISM se trouve à l’emplacement C:\WINDOWS\Logs\DISM\dism.log

C:\WINDOWS\system32>


But SFCFIX does not find any error :

Code: 
C:\WINDOWS\system32> SFCFIX
Checking for updates . . .
No new update is available at this time.

Processing directive 1 of 1 (AutoAnalysis::)
Checking store directories . . .
Checking CBS.log . . .
Checking CheckSUR.log . . .
Checking CheckSUR.persist.log . . .

Attempting repair . . .
Stage 1
Stage 2
Stage 3

Due to the nature of your corruptions, scan times have been extended by
approximately 15-20 minutes. Please be patient and allow the operation to
complete.


Outil Gestion et maintenance des images de déploiement
Version : 10.0.18342.1

Version de l’image : 10.0.18342.1

[===============            26.1%                          ]
Erreur : 4448

Le pilote WOF a rencontré une défaillance dans la Table des ressources du fichier compressé.

Le fichier journal DISM se trouve à l’emplacement C:\WINDOWS\Logs\DISM\dism.log

SUMMARY:
   CBS & SFC total detected corruption count:     0
   CBS & SFC total unimportant corruption count:  0
   CBS & SFC total fixed corruption count:        0
   SURT total detected corruption count:          0
   SURT total unimportant corruption count:       0
   SURT total fixed corruption count:             0

Press any key to continue to explanation of summary . . .  
                       ---  Displaying Message 1 of 1  ---

No corruptions have been detected on this computer. Whilst this is a good thing,be aware that not all types of corruption can be detected by this tool.
Therefore, if you are currently experiencing continued problems with your
computer it is likely that you are going to need the assistance of a human
analyst in order to find and fix them.

If your problems persist, and you are currently being instructed by a helper,
you should let them know about this development by sending them the logfile
which will soon be generated and opened so that they can perform a manual fix.

If you are not currently being instructed by a helper but still need assistance,you should seek free advice from your favourite forum or sysnative.com. Create anew thread and provide this logfile in the first post of that thread along with
a complete description of the problems you were experiencing which led you to
run this tool.


   * Press any key to continue . . .
Successfully processed all directives.

C:\WINDOWS\system32>


and gives this log:

Code: 
SFCFix version 120.105.0.0 by niemiro.
Start time: 2019-03-08 18:08:39.856
Microsoft Windows 10 Insider Fast, Build 18342 - amd64
Not using a script file.




AutoAnalysis::
SUMMARY: No corruptions were detected.
AutoAnalysis:: directive completed successfully.




Successfully processed all directives.
SFCFix version 120.105.0.0 by niemiro has completed.
Currently storing 0 datablocks.
Finish time: 2019-03-08 18:11:48.428
----------------------EOF-----------------------


Windows\Logs\DISM\DISM.LOG contains only these errors:

Code: 
...(snipped)...
2019-03-08 18:08:47, Info                  DISM   DISM.EXE: Succesfully registered commands for the provider: SetupPlatformManager.
2019-03-08 18:08:47, Info                  DISM   DISM Package Manager: PID=14020 TID=5820 Processing the top level command token(cleanup-image). - CPackageManagerCLIHandler::Private_ValidateCmdLine
2019-03-08 18:08:47, Info                  DISM   DISM Package Manager: PID=14020 TID=5820 Attempting to route to appropriate command handler. - CPackageManagerCLIHandler::ExecuteCmdLine
2019-03-08 18:08:47, Info                  DISM   DISM Package Manager: PID=14020 TID=5820 Routing the command... - CPackageManagerCLIHandler::ExecuteCmdLine
2019-03-08 18:08:47, Info                  DISM   DISM Package Manager: PID=14020 TID=5820 CBS session options=0x40100! - CDISMPackageManager::Internal_Finalize
2019-03-08 18:09:28, Info                  DISM   DISM Package Manager: PID=14020 TID=15992  Error in operation: (null) (CBS HRESULT=0x80071160) - CCbsConUIHandler::Error
2019-03-08 18:09:28, Error                 DISM   DISM Package Manager: PID=14020 TID=5820 Failed finalizing changes. - CDISMPackageManager::Internal_Finalize(hr:0x80071160)
2019-03-08 18:09:28, Error                 DISM   DISM Package Manager: PID=14020 TID=5820 Failed processing package changes with session option CbsSessionOptionRepairStoreCorruption - CDISMPackageManager::RestoreHealth(hr:0x80071160)
2019-03-08 18:09:28, Error                 DISM   DISM Package Manager: PID=14020 TID=5820 Failed to restore the image health. - CPackageManagerCLIHandler::ProcessCmdLine_CleanupImage(hr:0x80071160)
2019-03-08 18:09:28, Error                 DISM   DISM Package Manager: PID=14020 TID=5820 Failed while processing command cleanup-image. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x80071160)
2019-03-08 18:09:28, Info                  DISM   DISM Package Manager: PID=14020 TID=5820 Further logs for online package and feature related operations can be found at %WINDIR%\logs\CBS\cbs.log - CPackageManagerCLIHandler::ExecuteCmdLine
2019-03-08 18:09:28, Error                 DISM   DISM.EXE: DISM Package Manager processed the command line but failed. HRESULT=80071160
2019-03-08 18:09:28, Info                  DISM   DISM Provider Store: PID=14020 TID=5820 Found the OSServices.  Waiting to finalize it until all other providers are unloaded. - CDISMProviderStore::Final_OnDisconnect
...


Windows\Logs\CBS\CBS.LOG terminates only with these messages:

Code: 
...(snipped)...
2019-03-08 18:08:54, Info                  CSI    00000db8 Direct SIL provider: Number of files opened: 2.
2019-03-08 18:08:54, Info                  CBS    Registry Root 8 not found, skip checking
2019-03-08 18:08:54, Info                  CBS    Repr: CBS Store check completes
2019-03-08 18:08:54, Info                  CSI    00000002 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0x7e9167d980
2019-03-08 18:08:54, Info                  CSI    00000003 Poqexec successfully registered in [l:12 ml:13]'SetupExecute'
2019-03-08 18:08:54, Info                  CSI    00000004 CSI Store 2682683071568 initialized
2019-03-08 18:08:54, Info                  CSI    00000005 StoreCorruptionRepair transaction begun. WcpVersion: [l:35]'10.0.18342.1 (WinBuild.160101.0800)'.
2019-03-08 18:08:54, Info                  CSI    00000006@2019/3/8:17:08:54.811 Starting corruption detection (InnerFlags=2)
2019-03-08 18:08:54, Info                  CBS    FLOW: Entering stage: CheckCsi
2019-03-08 18:09:28, Error                 CSI    00000007@2019/3/8:17:09:28.016 (F) onecore\base\wcp\sil\ntsystem.cpp(3556): Error c000a2a7 [Error,Facility=(system),Code=41639 (0xa2a7)] originated in function Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile expression: (null)
[gle=0x80004005]
2019-03-08 18:09:28, Info                  CBS    Added C:\WINDOWS\Logs\CBS\CBS.log to WER report.
2019-03-08 18:09:28, Info                  CBS    Not able to add current session file to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2019-03-08 18:09:28, Info                  CBS    Not able to add pending.xml to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2019-03-08 18:09:28, Info                  CBS    Not able to add pending.xml.bad to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2019-03-08 18:09:28, Info                  CBS    Not able to add poqexec.log to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2019-03-08 18:09:28, Info                  CBS    Not able to add SCM.EVM to Windows Error Report. [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2019-03-08 18:09:28, Error                 CSI    00000008 (F) c000a2a7 [Error,Facility=(system),Code=41639 (0xa2a7)] #777478# from Windows::Rtl::SystemImplementation::DirectFileSystemProvider::SysReadFile(h = 4154 ('\Device\HarddiskVolume3\WINDOWS\WinSxS\amd64_netfx-normalization_dll_b03f5f7f11d50a3a_10.0.18342.1_none_53193016adf7f600\normalization.dll'), evt = 0, apcr = NULL, apcc = NULL, iosb = @0x7e9167bb10, data = {l:0 b:}, byteoffset = 0, key = (null))
[gle=0xd000a2a7]
2019-03-08 18:09:28, Error                 CSI    00000009 (F) c000a2a7 [Error,Facility=(system),Code=41639 (0xa2a7)] #777477# from Windows::Rtl::SystemImplementation::CFile::ReadFile(Flags = 3, Buffer = {l:0 ml:25240 b:}, Offset = 0, Disposition = 0)[gle=0xd000a2a7]
2019-03-08 18:09:28, Info                  CSI    0000000a Direct SIL provider: Number of files opened: 21070.
2019-03-08 18:09:28, Error                 CSI    0000000b (F) c000a2a7 [Error,Facility=(system),Code=41639 (0xa2a7)] #233# from CCSDirect::EnumStoreCorruptions(...)[gle=0xd000a2a7]
2019-03-08 18:09:28, Error                 CSI    0000000c (F) HRESULT_FROM_WIN32(4448) #232# from Windows::COM::CStorePendingStoreRepairTxn_IStorePendingStoreRepairTransaction::Detect(Flags = 4, cancelEvt = 420 (''), disp = 0)[gle=0x80071160]
2019-03-08 18:09:28, Error                 CBS    Rept: Failed to call CSI detect. [HRESULT = 0x80071160 - Unknown Error]
2019-03-08 18:09:28, Info                  CBS    Failed to check CSI store. [HRESULT = 0x80071160 - Unknown Error]
2019-03-08 18:09:28, Info                  CBS   
2019-03-08 18:09:28, Info                  CBS    =================================
2019-03-08 18:09:28, Info                  CBS    Checking System Update Readiness.
2019-03-08 18:09:28, Info                  CBS   
2019-03-08 18:09:28, Info                  CBS   
2019-03-08 18:09:28, Info                  CBS    Summary:
2019-03-08 18:09:28, Info                  CBS    Operation: Detect and Repair
2019-03-08 18:09:28, Info                  CBS    Operation result: 0x80071160
2019-03-08 18:09:28, Info                  CBS    Last Successful Step: CBS store detection completes.
2019-03-08 18:09:28, Info                  CBS    Total Detected Corruption:    0
2019-03-08 18:09:28, Info                  CBS        CBS Manifest Corruption:    0
2019-03-08 18:09:28, Info                  CBS        CBS Metadata Corruption:    0
2019-03-08 18:09:28, Info                  CBS        CSI Manifest Corruption:    0
2019-03-08 18:09:28, Info                  CBS        CSI Metadata Corruption:    0
2019-03-08 18:09:28, Info                  CBS        CSI Payload Corruption:    0
2019-03-08 18:09:28, Info                  CBS    Total Repaired Corruption:    0
2019-03-08 18:09:28, Info                  CBS        CBS Manifest Repaired:    0
2019-03-08 18:09:28, Info                  CBS        CSI Manifest Repaired:    0
2019-03-08 18:09:28, Info                  CBS        CSI Payload Repaired:    0
2019-03-08 18:09:28, Info                  CBS        CSI Store Metadata refreshed:    False
2019-03-08 18:09:28, Info                  CBS   
2019-03-08 18:09:28, Info                  CBS    Total Operation Time: 41 seconds.
2019-03-08 18:09:28, Info                  CBS    Ensure CBS corruption flag is clear
2019-03-08 18:09:28, Info                  CBS    Ensure WCP corruption flag is clear
2019-03-08 18:09:28, Info                  CBS    All CSI corruption was fixed, ensure CorruptionDetectedDuringAcr is clear
2019-03-08 18:09:28, Info                  CBS    Failed to clear CorruptionDetectedDuringAcr store corrupt flag (slow mode trigger). [HRESULT = 0x80070002 - ERROR_FILE_NOT_FOUND]
2019-03-08 18:09:28, Info                  CBS    CheckSur: hrStatus: 0x80071160 [Unknown Error], download Result: 0x0 [S_OK]
2019-03-08 18:09:28, Info                  CBS    Count of times corruption detected: 0
2019-03-08 18:09:28, Info                  CBS    Seconds between initial corruption detections: -1
2019-03-08 18:09:28, Info                  CBS    Seconds between corruption and repair: -1
2019-03-08 18:09:28, Info                  CBS    Failed to run Detect and repair. [HRESULT = 0x80071160 - Unknown Error]
2019-03-08 18:09:28, Info                  CBS    Reboot mark cleared
2019-03-08 18:09:28, Info                  CBS    Winlogon: Simplifying Winlogon CreateSession notifications
2019-03-08 18:09:28, Info                  CBS    Winlogon: Deregistering for CreateSession notifications
2019-03-08 18:09:28, Info                  CBS    Exec: Processing complete, session(Corruption Repairing): 30725585_2546440391 [HRESULT = 0x80071160 - Unknown Error]
2019-03-08 18:09:28, Error                 CBS    Session: 30725585_2546440391 failed to perform store corruption detect and repair operation. [HRESULT = 0x80071160 - Unknown Error]
2019-03-08 18:09:28, Info                  CBS    Session: 30725585_2546440391 finalized. Reboot required: no [HRESULT = 0x80071160 - Unknown Error]
2019-03-08 18:09:28, Info                  CBS    Failed to FinalizeEx using worker session [HRESULT = 0x80071160]
2019-03-08 18:11:28, Info                  CBS    Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
2019-03-08 18:11:28, Info                  CBS    Maint: idle processing paused
2019-03-08 18:11:28, Info                  CBS    TiWorker signaled for shutdown, going to exit.
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: ExecutionEngineFinalize
2019-03-08 18:11:28, Info                  CBS    Execution Engine Finalize
2019-03-08 18:11:28, Info                  CBS    Execution Engine Finalize
2019-03-08 18:11:28, Info                  CBS    Lock: Lock removed: TiWorkerClassFactory, level: 30, total lock:3
2019-03-08 18:11:28, Info                  CBS    Lock: Lock removed: CCbsWorker, level: 5, total lock:2
2019-03-08 18:11:28, Info                  CBS    Ending the TiWorker main loop.
2019-03-08 18:11:28, Info                  CBS    Starting TiWorker finalization.
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: ExecutionEngineFinalize
2019-03-08 18:11:28, Info                  CBS    CBS Engine already deactivated
2019-03-08 18:11:28, Info                  CBS    CBS Engine already deactivated
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: ComponentAnalyzerFinalize
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: PackageTrackerFinalize
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: CoreResourcesUnload
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: SessionManagerFinalize
2019-03-08 18:11:28, Info                  CBS    Lock: Lock removed: CSIInventoryCriticalSection, level: 64, total lock:9
2019-03-08 18:11:28, Info                  CBS    Lock: Lock removed: CCbsSessionManager, level: 11, total lock:8
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: CapabilityManagerFinalize
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: PublicObjectMonitorFinalize
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: Enter vCoreInitializeLock
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: WcpUnload
2019-03-08 18:11:28, Info                  CSI    0000000d Direct SIL provider: Number of files opened: 3860.
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: DrupUnload
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: CfgMgr32Unload
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: DpxUnload
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: SrUnload
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: CbsEsdUnload
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: CbsTraceInfoUninitialize
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: CbsEventUnregister
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: AppContainerUnload
2019-03-08 18:11:28, Info                  CBS    CbsCoreFinalize: WdsUnload, logging from cbscore will end.
2019-03-08 18:11:28, Info                  CBS    Ending TiWorker finalization.
2019-03-08 18:11:28, Info                  CBS    Ending the TrustedInstaller main loop.
2019-03-08 18:11:28, Info                  CBS    Starting TrustedInstaller finalization.
2019-03-08 18:11:28, Info                  CBS    Winlogon: Stopping notify server
2019-03-08 18:11:28, Info                  CBS    Winlogon: Unloading SysNotify DLL
2019-03-08 18:11:28, Info                  CBS    Lock: Lock removed: WinlogonNotifyLock, level: 8, total lock:6
2019-03-08 18:11:28, Info                  CBS    Ending TrustedInstaller finalization.


So this is an internal error in WOF compression of one DLL:

"WINDOWS\WinSxS\amd64_netfx-normalization_dll_b03f5f7f11d50a3a_10.0.18342.1_none_53193016adf7f600\normalization.dll"

How can this be possible when the component store is OK andDISM checkhealth is OK ? most probably only a sign that a transaction (made by Windows Update) was completed successfully prematurely, before this file was finalized during WOF compression on NTFS, and the compression left some internal garbage in the storage, even if that garbage is normally unused.

Note that I can successfully read this DLL and and copy it elsewhere. I can sucessfully COMPACT and uncompact it from that copy, but not on its existing location. But I cannot remove this DLL (which is system protected).
The DLL content also show no incorrent format. That DLL fails on digital signature test, but this is not the case for any copy I make from it. So most probably this DLL is "virtualized" by the Windows kernel (possibly for the Hyper-V hypervisor or by Microsoft AntiMalware for by some of the new "containers" that appeared with recent builds): the in-memory image we get from the virtualized content does not match what is really on disk (the image is possibly "patched" by a SHIM or some other drivers once it is loaded.)


Note: I already performed several other system checks which detected no error:
  • CPU stress
  • GPU stress
  • memory test (at boot time, using windows utility or from a Linux live DVD)
  • disk tests (including SMART, using Smartmontools)
  • partitions structure test
  • volume tests
  • NTFS filesystem checks (CHKDSK on Windows, including at boot time).
 
Note: I don't know if this is that bug that causes more recent images of Windows failing to install repeatedly since a couple of weeks over current build 18342:
builds 18344, 18344, 18646, and today build 18351...
Each time the installation copies files, then reboots several times (at 9%, then at 30%, then it stays for a moment at 48% while installing the display driver, and finally foes to 60% for a couple of minutes, then to 68% at whic times it crashes, reboots and rollbacks to build 18342).
It's very curious because I do not see any error in .Net applications including those performing Unicode normalization.

It seems that build 18342 just was compiled with an incorrect version of some recent components (probably related to the recent update to Unicode 12.0 or in Unicode CLDR data), and used an incorrectlyt computed file compression containing garbage data, or the installer of build 18342 incorrectly computed the WOF compression and did not finalize correctly the installed file (possibly it rebooted too early before the WOF compression structures were finalized and synced to disk; but it did not cause any NTFS structure error; I suspect there was an incorrect transaction isolation in the installer for build 18342, which was the first one to use "reserved storage space" and using an 8GB VHDX store for the "PortableBaseImage" now virtually mounted on top of existing NTFS). I suspect this is caused by the new virtualization scheme which was not perfectly isolated or synchronized with the NTFS filesystem driver or its WOFADK compression extension (unordered asynchronous disk I/O or too early I/O completion events, causing a newer data version being overwriten by older temporary data version).

Anyway I've not found any way to restore a working installation of this DLL (which is still needed in its current state even for the WinPE environment while installing a new version of the OS)...
May be I'll have to reinstall the system and reapply all the updates (but this build 18342 has NO available ISO: I must rollback to a much older version and then I'll need to reinstall lot of softwares and preferences).
 
Last edited:
Also note that I have run the latest version of FRST64, and like SFCFIX, it finds nothing to fix...
As well, no corruption in the BCD store (no garbage left in the result of "BCDEDIT /ENUM all", no "unknown" partition/disk/volume, no "phantom" boot entries.
And "ReAgentc /info" correctly states that the recovery is enabled, and its image can be found. I checked as well the WINPE.WIM image by mounting it in readonly mode, it has no incoherence.
I do not experience any software issue in this build 18342. Any antivirus/antimalwares/antirootkits are reporting no issue.
Also no error when running a registry check (in all hives), or windows events check (the events viewer and registry editor are working correctly).
No error found in settings for the Windows firewall and ICS.

What is stale is only the possibility to upgrade to a new Windows image version, and SFC /SCANNOW reporting an "unknown error".
 
Last edited:
In summary, I'm desesperately looking for a safe reinstallable version of
"WINDOWS\WinSxS\amd64_netfx-normalization_dll_b03f5f7f11d50a3a_10.0.18342.1_none_53193016adf7f600\normalization.dll"
(including its secure catalog entry)
to repair it.

Unfortunately, Microsoft does not keep any trace of individual components on its download servers for intermediate builds: they are immediately flused and made unavailable when Microsoft releases a new build, even if these files are needed and must be repaired before applying the new build.

This poses serious questions about the effective reliability of the Insider program, which is distributed without providing us any reinstallable ISO and no way to download them later if there's a installation problem any such build, detected only a few days or weeks later (and there's no way to rollback after that...)

Looking for the DLL version on the web from third party is very risky (and those that have created online sources for those builds have repeatedly received DMCA notices to remove them!). Microsoft shoulf then keep these versions on their servers, and not delete them irresponsably and prematurely from their servers:

ALL builds published to insiders should be kept available for at least 1 year on their servers, even if this is just to upgrade immediately to another active version. We need them to repair our systems, but Microsoft does not given enough time to fix our systems when these versions are just available for a few days (a very much shorter time than the time to diagnose and fix installation problems).
 
I have finally found a solution:
using the CBS.LOG file, I located the corrupted files detected with WOF reading errors.

  • "TAKEOWN /F ." (in the parent folder of filename) and "TAKEOWN /F filename"
  • "ICACLS . /GRANT:myusername:F on their parent folder and on the corrupted file
  • until I could perform a "MOVE filename C:\" to the root directory (to delete it from its original location).

Then I ran "DISM /ONLINE /CLEANUP-IMAGE /RESTORE-HEALTH": the scan performed up to 100%, and then it downloaded safe copies from Windows Update to restore the missing files at their original location.

What is strange is that the files I had moved to the root directory could successfully be opened and read completely (e.g. in notepad), and their digital signatures were intact ! But they had garbage in an alternate data stream (not in their main content), not checked by their digital signatures, plus some garbage appended at end of their embedded XML signature. Their reported filesizes were also correct (filesizes are ignoring the alternate datastreams).

I performing a second run of "DISM /ONLINE /CLEANUP-IMAGE /RESTORE-HEALTH" which was succesful up to 100%.

But a strange thing was still happening : "SFC /SCANNOW" was still not going to completion and now was reporting the location of the two files that were moved to the root directory, instead of the location where they were restored from Windows Update (probably an internal cache still referencing these files internally)

I had to reboot so that the system started to use the new restored copies from their original location and not from the root directory. And this time SFC /SCANNOW was correct.

Now It's time to see if I can update Windows version !
 
For this kind of error, SFCFIX did not provide any help.

Really Windows has a missing tool for NTFS: a "WOFADK compression checker" which can report corrupted compression in executable files that have been compressed with "COMPACT /EXE" or "/CompactOS" (using one of the four supported methods XPRESS4K, XPRESS8K, XPRESS16K or LZX). I've searched on the Internet if such tool existed, and I have found none !
Such check is not performed by CHKDSK. And I found no such tool either in the Windows ADK or DDK.

Such check should be integrated in DISM /RestoreHealth (which should not stop on WOF error, and should then act as if the file was missing, in order to download a safe copy to replace the corrupted file). As well the SFC tool should not stop on WOF errors but should contiunue scanning the remaining files.

Typically, WOF data structures corruption occur in several files at the same time on the same volume. Most of them occur in "WinSxS".
 
Hi!

It seems that this thread has inadvertently fallen through the cracks. Please accept our sincere apologies!

Do you still need assistance updating Windows to the latest version?
 
I had a problem and it was hard to fix. I have exposed above the solution I finally found myself.
This is still a bug in the WOFADK compression of NTFS: data corruption in compressed files can cause the system to be non reparable with existing tools.
Only a manual cleanup of the corrupted files works (and it's not easy at all when the corruption occurs in WinSxS files).

It's a fact that SFC or DISM does not detect correctly the corruption of WOFADK compressed files, and cannot repair them, it bugs and stops unexpectedly any further analysis without performing any correction.
You need to inspect logs and try deleting the corrupted files manually, so that SFC can finally detect these files are missing (after that deletion) and can restore them.

And windows still does not have any WOFADK compression checker tool. It's a missing part of the SFC (or DISM) tool.
 
Note: this bug has also been sent to Microsoft in his comment hub. Until now there's not been any fix. It's still pending a correction in NTFS/WOFADK.
That bug can occur notably after some Windows Update fails to reboot (and crashes): corrupted compressed files are created at that step, and are not restored when Windows reverts back to the previous build. Such crash can occur when there's been some driver issues in a recent build (I suspect this was caused by nVidia display drivers, which were incomplete in one build)
Then the system becomes non-reparable with existing tools, and no longer upgradable (even if the ComponentStore seems OK for DISM, with all valid data signatures, the compressed fioles themselves are NOT really read and cannot even be read successfully). Data corruption in the internal structure of WOFADK compressed files is not checked at all.

And I've not found on the web any tool that can detect these corruptions. This is missing in SFC, missing on CHKDSK. That part of NTFS is unstable and never checked, as the check is only superficial (it just looks to see if NTFS file extents are correctly allocated and linked, but the actual compressed data is not checked. You just experiment the unexpected error 4448 in WOFADK and you are left without any solution.

Other users have experimented this error, and all they could do was to reinstall Windows completely (i.e. by reformating the whole NTFS volume, after backing up the files they could read successfully). Note that conventional backup systems also fail to perform the backup, they also stop in the middle when they attempt to read the WOFADK-corrupted files.

So the easiest way to solve this problem without loosing all data you must use a partition tool (or secondary volume on another disk) where you'll reinstall Windows; then when booting from that new volume, you'll restore the missing files that you can still read from the damaged volume. And when this is done, you can delete or reformat the old volume to reuse its storage space
 
Note that I did not have to reformat the system, but to fix the problem, I had to find a way to delete the corrupted files (and it was not easy at all, as these two files were part of WinSXS and highly protected: I had to boot from another system disk, then mount the damaged disk, and clear security settings to take owner ship, and remove the blocking ACL's: the files could still not be read (still the same WOFADK error 4448), but then could be deleted.

On next reboot on the damaged volume, the missing files were detected, and could be repaired (they were not essential for booting Windows, so I could run SFC and DISM that detected the missing files and restored them correctly, and this time these two tools got 100% complete without error and could repair the system.

Today, there's still not any tool that will check the internal data structure of WOFADK-compressed files and will help cleanup them (if there's a corruption, as these files cannot be read at all, such tool should propose to deallocate the damaged file extents, keeping possibly only the readable parts, or could propose to delete these files completely when we know that this is a system file that can be repaired from an online source)

How can a WOFADK corruption occur ? Generally this is caused by another system driver corrupting the memory (most frequently this can occur because of HDaudio or video drivers: Windows 10 itself has constantly installed old and very buggy version of nVidia drivers that never worked correctly and had to be updated immediately using the nVidia Geforce Experience tool (and each time windows 10 updates its own image, it reverts the working drivers and installs the antique driver which is even incomplete with missing critical components, and does not support correctly PCs with some Intel CPU with more than 4 logical cores or more than 4GB or memory, or does not work correctly with some internal management buses, or does not work if there are two different video drivers such as Intel GPU + nVidia...).
 
There's also been various issues in WOFADK.SYS itself in past builds of Windows 10 (it changed its own internal data structures for supported compression algorithms and modified some internal limits on page sizes; NTFS itself was changed in its supported limits; this caused inconsistencies with some very large volumes, notably with hardware RAID volumes

(note that I no longer recommend using any "hardware RAID" with Windows: software RAID in Windows 10, is now far superior and much faster, and much easier to deploy; most hardware RAID are crappy, because they have limited internal memory/cache and too slow CPU, and they offer lower I/O throughput and are really painful in case of problem to remount volumes; it's quite frequent that even RAID6 cannot be repaired at all, because two disks are damaged simultaneously by a system crash, or during the very long recovery, such errors on RAID are frequent, even if they were not at all hardware disk errors but only errors caused by logical system crashes; the Windows software RAID, aka "Storage Spaces" is much safer and much faster to recover after a system crash).
 
You must log in or register to reply here.

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top