Windows Updates Repair and Choices in troubleshooting
Windows updates can fail and ultimately show System Corruption. Be on the lookout and try to fix these problems earlier rather than later. Windows updates may not complete perfectly. Check the CBS log after every update and mitigate by searching the web for the errors.
The article provides some guidance on diving into the waters of repair. Each Microsoft KB has specific guidance. See those documents as primary documentation.
This guidance is a summary of recently experienced issues. This is meant to be used as a reference to how to proceed in a general way. Official Microsoft documentation is the primary reference: Windows Update issues troubleshooting - Windows Client | Microsoft Learn
Before beginning, try some basic things to work around:
#1 Look for missing or corrupt files.
The tools used for this work include:
C:\windows\logs\cbs\cbs.log
Dism /online /cleanup-image /checkhealth
Dism /online /cleanup-image /restorehealth
Try to match errors in the CBS log to specific updates. It is possible to supply the missing update files and keep the OS in repair.
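One way to match CBS log errors to specific updates, shown as an added example that is not part of the original article. The function name Get-CbsFinding, the assumed line layout, and the sample lines are constructed for illustration; KB5001078 is the KB used later in this article.

```powershell
# Added example: pull error and corruption lines out of CBS.log and group them by KB.
# Assumed line shape: "<yyyy-MM-dd HH:mm:ss>, <Level>   <Source>   <message>"
function Get-CbsFinding {
    param([string[]]$Line)

    $shape = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?<level>\w+)\s+(?<src>\w+)\s+(?<msg>.*)$'
    foreach ($l in $Line) {
        if ($l -match $shape) {
            # Copy the captures now: every later -match overwrites $Matches.
            $ts = $Matches.ts; $level = $Matches.level; $msg = $Matches.msg

            # Keep Error lines, plus Info lines that mention corruption or missing files.
            if ($level -ne 'Error' -and $msg -notmatch 'corrupt|missing') { continue }

            $kb = if ($msg -match 'KB\d{6,7}') { $Matches[0].ToUpper() } else { '(no KB named)' }
            $hr = if ($msg -match 'HRESULT = (0x[0-9a-fA-F]{8})') { $Matches[1] } else { $null }

            [pscustomobject]@{ Time = $ts; Level = $level; KB = $kb; HResult = $hr; Message = $msg }
        }
    }
}

# Constructed sample lines, not copied from a real log.
$sample = @'
2024-01-10 09:15:02, Info                  CBS    Session: constructed sample initialized by client DISM
2024-01-10 09:15:40, Error                 CBS    Failed to resolve package Package_for_KB5001078~placeholder~ [HRESULT = 0x800f0831 - CBS_E_STORE_CORRUPTION]
2024-01-10 09:15:41, Info                  CBS    Mark store corruption flag because of package Package_for_KB5001078~placeholder~
2024-01-10 09:16:03, Error                 CSI    (F) payload file is missing for a component (constructed) [HRESULT = 0x800f081f - CBS_E_SOURCE_MISSING]
'@ -split "`r?`n"

# On a live system, replace $sample with: Get-Content C:\Windows\Logs\CBS\CBS.log
Get-CbsFinding -Line $sample |
    Group-Object KB |
    Select-Object Name, Count,
        @{ n = 'HResults'; e = { ($_.Group.HResult | Where-Object { $_ } | Sort-Object -Unique) -join ', ' } }
```

Lines that name no KB are grouped separately, so component-level corruption is still visible next to the per-update counts.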
#2 Other messages that show the update client is having problems.
- Follow this guide for other issues and resolution: Client Repair Guide
- Try running this and check the CBS log after for results.
- Then run the same repair commands
Dism /online /cleanup-image /checkhealth
Dism /online /cleanup-image /restorehealth
Example repair commands:
#outside the OS
sfc /scannow /offbootdir=d:\ /offwindir=d:\windows
dism /Online /Cleanup-Image /restorehealth /source:wim:C:\Users\*\Desktop\install.wim:1 /limitaccess
#3 Additional precipitators
Corruption may be due to anti-virus or Defender. These causes can result in a permanent failure condition. A repair install or a clean install of Windows may be less labor intensive.
Decide how much time to spend. Be forewarned that the steps below may be tedious and may have a diminishing return on success.
The expected path forward is to do several small incremental changes and then do the same repair steps. The repair install is recommended if:
- The server is not a domain controller
- And if the shares can be readily re-created.
- And if the Steps do not resolve in a reasonable time.
Fltmc shows the filter drivers and how many instances are running. More than 10 would be suspicious.
Open a command window: cmd -> fltmc. Remove Defender or anti-virus and try steps 1 to 3 again.
Install Defender again after the procedure is complete.
#4 Advanced and Microsoft recommended steps
Perform the steps that make sense for what is observed and that are not damaging to the OS or data.
Steps 1 to 3 may be repeated after any of the advanced steps. Run any of the steps from the links below, and keep checking the CBS log for results. Go back to steps 1 to 3 to complete any repair.
#5 Corruption: hidden and public locations
This section covers the locations where the corruption exists. This is educational only. See the following section for ideas about troubleshooting.
- Component Hive
- Component Store
- Component Manifest
Component Hive
Corruption can result from a Windows update failure. Issues may be resolved by checking that the components are correct and match. This section explains which locations are repaired.
Logical replacement of bad data in these locations could correct the updates issue. Changes to the registry could result in a broken machine. Dell Technologies does not recommend making changes. This is explained for educational purposes only.
Taking ownership of the loaded hive and ensuring permissions to this component hive is sufficient for Process Monitor results to show where a failure is occurring.
The Hive can be mounted and steps 1 to 3 can be run. It may be possible to see where changes occur.
The Component Hive is in C:\Windows\System32\config.
- Ensure Permissions to the Components file in this folder.
- Open Regedit as Administrator
- Choose HKLM
- File -> Load Hive
- Open the Component file
- Use an alternate name like comp1 (see figure 1.)
Figure 1. Component store in registry
Run this command from an admin prompt and load the hive. Then perform steps 1-3 again.
reg load HKLM\COMPONENTS C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
This loads the hive and perhaps makes it accessible to the repair. Document changes and use PERFMON to document failures. A manual edit would be possible.
Other options, such as replacing the Components with working Components, would be possible. It would be best to merge only corrupt folders. Keep a backup and restore if any undesired effects result.
Component Manifest
The goal is to compare the Hive, Manifest, and Store. Try to find differences. Try to make them match. Try to eliminate corruption from the three logical components.
Component Store
- Windows update component store is in c:\Windows\WinSxS
#6 Fix cases for Corrupt Updates
The following fix examples proceed in order from less to more impactful. Any of the A-E steps can be mixed with the 1 to 6 steps. Removing updates is the last resort, and it is the last step in these instructions.
The order presented below is the most conservative order. Remove a bad KB first, followed by a cleanup. This may or may not be the needed order. Analyze the three stores to find the best steps.
WinSxS is cleaned by DISM. SSU is checked for integrity by SFC. But SSU and LCU are not cleaned out by either.
Most likely, the component store is missing something. This is true because only WinSxS is cleared. The corruption is likely reported against a mismatch in the component manifest or the component hive. The hive and manifest data may be called corrupt because updates are installed but not reflected in the component store. The ability to remove a KB depends on the data being "called corrupt."
Only if the removal is not possible do the hive and component manifest truly become corrupt and require removal. Remove the KB, followed by the component manifest.
The plan is to set the update to removable and do a cleanup after removal. That is the documented solution below. It is at the end as a last-resort step.
The steps here move from least obtrusive to most complex.
A. Free Tool available
Sysnative is a company which seems to be keeping up with the issues. This tool is not a perfect fix.
It does cover some of the complexity. It can be run under the admin’s own responsibility. Dell Technologies does not recommend using anything besides Official Microsoft Tools for repair.
Sysnative is a Microsoft MVP. Contact them for support.
SFCFix Official Download - Repair Windows Update | Sysnative Forums
B. Try Defender repair.
"%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -RemoveDefinitions -All
"%PROGRAMFILES%\Windows Defender\MPCMDRUN.exe" -SignatureUpdate
Uninstall-WindowsFeature -Name Windows-Defender
Uninstall-WindowsFeature -Name Windows-Defender-Gui
Install-WindowsFeature -Name Windows-Defender
Install-WindowsFeature -Name Windows-Defender-Gui
C. Component Cleanup
To clean out the WINSXS folder run component cleanup. This may work after steps A and B.
dism /online /cleanup-image /startcomponentcleanup
D. Remove Last update.
If the earlier steps have not succeeded, it may be fair to just remove the last working update. This is generally a good way to get back to when updates worked. You may still use a script or manually remove any offending updates.
Here is an example:
wusa /uninstall /kb:3177467 /quiet /norestart
E. Language issues
Language issues may cause a repair install to fail. Verify that the language settings are correct for the default language of the install.
If you find language pack errors in the CBS log, use the steps to remove the language pack and then go back to the top of the article and perform steps 1-3. Keep moving to the advanced steps if the repair fails.
bcdedit /set {current} locale en-US
bcdedit /set {bootmgr} locale en-US
The install language key below should also be checked. Use the proper code for your language.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/70feba9f-294e-491e-b6eb-56532684c37f
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
InstallLanguage
It is still possible to use the media creation tool and do a repair install. This may or may not work with any given version of the OS. Check the OS-specific documentation.
Download the official MediaCreationTool and run it. Choose the Upgrade this PC option:
Other language links are available. Here are some examples:
Walkthrough: Create a Windows RE Image.
http://technet.microsoft.com/en-us/library/dd744525(v=ws.10).aspx
Adding Languages
http://technet.microsoft.com/en-us/library/hh825125.aspx#BKMK_AddLanguagePacks
Language pack showing as problem in CBS log Remove Language Pack
Cannot remove language pack after April 2018 Update - Microsoft Community.
F. Updates that will not remove.
Editing the MUM file in the C:\Windows\servicing\Packages folder can allow an update to be removed. This applies when the update is suspected to be the problem.
Considerations:
- Cross-check the Manifest, Component Hive and Component store first.
- Consider adding a missing update instead if appropriate.
- The Manifest and component store would be the last place to delete a KB.
- If a KB is deleted while it is installed, it will no longer be removable.
The order of operations should be:
1. Find CBS log referencing specific KB.
2. Add references to locations, if possible, to attempt to correct corruption.
3. If an update must be removed, export registry and backup OS first.
4. Remove a KB as a last resort.
Process to remove update
Based on this document:
https://docs.microsoft.com/en-us/answers/questions/283013/how-to-uninstall-kb5001078.html
To uninstall the unremovable updates, use the manifest file and change it (PowerShell example):
# as admin
Notepad.exe
# Open C:\Windows\servicing\Packages and find your update there (by name and/or KB number)
# The .mum file is needed
# Example: C:\Windows\servicing\Packages\Package_for_KB5001078~randomnumbers~.mum (or the name may not contain the KB number)
# Find and replace permanence="permanent" with permanence="removable" in all files with your update name/numbers
# Then run this in PowerShell:
wusa /uninstall /kb:5001078
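Before and after editing, it helps to see which .mum files belong to the update and what permanence value each one carries. The following is an added, read-only example and is not part of the original article or the linked answer. The function name Get-MumPermanence and the demo files are constructed for illustration, and the demo file contents are minimal stand-ins, not real manifests.

```powershell
# Added example: report the permanence value of every .mum file tied to one KB.
# It only reads files; it does not change ownership, permissions or content.
function Get-MumPermanence {
    param(
        [Parameter(Mandatory)][string]$Kb,                        # for example 'KB5001078'
        [string]$PackagesPath = 'C:\Windows\servicing\Packages'   # folder named in the article
    )
    $kbPattern = [regex]::Escape($Kb)
    Get-ChildItem -Path $PackagesPath -Filter *.mum -File | ForEach-Object {
        $file = $_
        $text = Get-Content -LiteralPath $file.FullName -Raw

        # The article notes the file name may omit the KB number, so check the content too.
        if ($file.Name -notmatch $kbPattern -and $text -notmatch $kbPattern) { return }

        $values = [regex]::Matches($text, 'permanence="([^"]*)"') |
            ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
        $perm = if ($values) { $values -join ',' } else { '(not set)' }

        [pscustomobject]@{ File = $file.Name; Permanence = $perm }
    }
}

# Constructed demo folder, so the function can be tried away from the real servicing folder.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'mum-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content (Join-Path $demo 'Package_for_KB5001078~placeholder~.mum') '<package identifier="KB5001078" permanence="permanent"/>'
Set-Content (Join-Path $demo 'Package_1_for_other~placeholder~.mum')   '<package identifier="KB5001078" permanence="removable"/>'
Set-Content (Join-Path $demo 'Unrelated~placeholder~.mum')             '<package identifier="placeholder" permanence="permanent"/>'

# Lists the two files that reference the KB, including the one whose name lacks the KB number.
Get-MumPermanence -Kb 'KB5001078' -PackagesPath $demo
```

Run it without -PackagesPath from an elevated prompt to inspect the real folder, and keep the output with the registry export and OS backup taken before any removal.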
In conclusion, the goal is to look at the three components and cause them to match. Use Edit -> Find to locate items.
Errors in the logs may help zero in on a corrupt item. Search the mounted Component Hive, the Component Store and the Manifest. Correct, delete, or change the needed items.
The article is laid out with 6 major sections and five letter A-E sections. Run the repair in sections 1 to 6 as each of the A-E sections is reviewed. The steps can be run in perpetuity until the corruption is resolved. If the shorter path of repair install makes more sense, then begin that process.
For a repair install, back up any print server and be prepared to re-create shares. Do not perform it on a domain controller or SQL or Exchange Server.
To perform the repair install, insert the original media and see the screen below. If this screen does not show, then a repair install is not possible. Proceed with a regular install of Windows.
Figure 2. Repair Install