Make the CBS.log useable

[whs]

With the great help of Shawn, I was able to figure out how to reduce the massive data amounts of the CBS.log to the records of interest - those that the System file checker fixed and could not fix. With that, I have made a little tutorial about the whole process which I thought might be useful for reference:


If you encounter a strange behavior of your system or if the system sends you a message indicating that some system file is damaged, the System File Checker might be able to help. Here is what you do:
Open an elevated Command Prompt (go to Start > All Programs > Accessories > right click on Command Prompt > Run as Administrator).

Type sfc /scannow into the Command Prompt window – note the blank in front of the slash (/). This will run for a while.

When it is done, you can end up with the following different results:

1. SFC did not find any corrupted files

2. SFC did find corrupted files and was able to fix the files

3. SFC was not able to fix all corrupted files

In the cases 2 and 3, SFC stores the results in the CBS.log which you find in C:\Windows\Logs\CBS\CBS.log. This is a massive file of approximately 5MB and if you care to see it all, you must send CBS.log to one of your own folders from where you can double click on it. It will then open with Notepad. Note: You cannot open it inside the CBS folder. You will get an Access denied message.

But most likely you are only interested in the part that shows the corrupted files that were fixed – or not fixed. For that you need a significant data reduction. You do that as follows:

Open another elevated Command Prompt and paste this command into it:

findstr /c:"[SR]" %windir%\logs\cbs\cbs.log

This will show all the files you want to see in the Command Prompt window.

Since that window is not very practical for a detailed study, you want to paste the content into a Notepad, Wordpad or Word file.


For that you right click on the Command Prompt window (any place is good) and click Select all. Then you click on the selected text in the window. Now this whole text is stored on the clipboard and you can paste it into a document file where you can analyze it.

A word of warning: If you have tweaked your system and modified system files, the System File Checker may undo your tweaks.

 

[seekermeister]

This is good, as far as you went, but now how about an extension of the tutorial as to how to interpet the results?

I know that using "mark" is the customary way of copying the Command Prompt, but I find it less clumsy to click select all, then just click the prompt window and it automatically gets copied.

 

[Tepid]

I don't have a CBS.log to test this with,,

but can you try

findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > c:\test.txt

See if that will throw the results into the text file.

 

[whs]

This is good, as far as you went, but now how about an extension of the tutorial as to how to interpet the results?

I know that using "mark" is the customary way of copying the Command Prompt, but I find it less clumsy to click select all, then just click the prompt window and it automatically gets copied.

Good point on the "select all". I changed the post acccordingly - forgot all about it.. Thanks.
As far as the interpretation of the results goes, that's another story. I did not want to venture into all the cases and possible permutations. But if you have a proposal for some generic text, i would be grateful.

 

[seekermeister]

Not me. I was looking for the light that I don't have.

 

[Tepid]

findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > c:\test.txt

This does work by the way,, so you don't have to copy paste from the command window

This will also work,,,
Open Notepad and paste this to it and save as whatever.cmd

findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > c:\test.txt

test.txt

This will run the string, and save then open the results in notepad.

You can then change "[SR]" to whatever you want to search for in that particular file.

 

[robertpri]

I am so glad to find this! After running SFC., it makes a log that I could not open.

Okay, that is solved, but I am having a hard time reading the results:

There appears to be four errors, but autochk.exe seems bad.

Cannot repair member file [l:22{11}]"autochk.exe" of Microsoft-Windows-Autochk, Version = 6.1.76 00.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-10-18 19:05:55, Info CSI 000002f4 [SR]

Cannot repair member file [l:22{11}]"autochk.exe" of Microsoft-Windows-Autochk, Version = 6.1.76 00.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-10-18 19:05:55, Info CSI 000002f5 [SR]

This component was referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.WindowsFoundationDelivery"
2010-10-18 19:05:55, Info CSI 000002f8 [SR]

Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"autochk.exe"; source file in store is also corrupted

 

[CarlTR6]

Excellent thread. Thank you, Wolfgang. I can't rep you...

 

[cjb4]

Great post! Now next steps?

Thanks great post.
Question: At what point do you run a repair on Windows 7 Pro sp1 64bit. I have had some random shut-downs which I attributed to my Wildfire SSD and blank screens which are related to my GPU.
Of course my original install disk is not sp1.
Reviewing the log, many files were repaired but many we un-repairable. Most seemed to be associated with speech recognition which I don't use.
I've uploaded the filtered CBS file (using the excellent command by tepid and whs).
Any advice?

 

[ChrisProphet]

Hey I followed your guide, very good! Now that i found corrupted data how do i fix it. Im assuming the PAGE_FAULT BSOD errors im getting are related to these prossessor errors.

Here is what i got,

2012-03-17 11:50:29, Info CSI 000002e7 [SR] Cannot repair me
mber file [l:24{12}]"perfdisk.dll" of Microsoft-Windows-PerformanceBaseCounters,
Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutra
l, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neut
ral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-03-17 11:50:29, Info CSI 000002e8 [SR] Cannot repair me
mber file [l:24{12}]"perfctrs.dll" of Microsoft-Windows-PerformanceBaseCounters,
Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutra
l, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neut
ral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-03-17 11:50:29, Info CSI 000002e9 [SR] Cannot repair me
mber file [l:34{17}]"PerfCenterCpl.ico" of Microsoft-Windows-PerfCenterCPL, Vers
ion = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, Ve
rsionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral,
TypeName neutral, PublicKey neutral in the store, file is missing
2012-03-17 11:50:29, Info CSI 000002ea [SR] Cannot repair me
mber file [l:24{12}]"perfdisk.dll" of Microsoft-Windows-PerformanceBaseCounters,
Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutra
l, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neut
ral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-03-17 11:50:29, Info CSI 000002eb [SR] This component w
as referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364
e35~amd64~~6.1.7601.17514.WindowsFoundationDelivery"
2012-03-17 11:50:29, Info CSI 000002ec [SR] Cannot repair me
mber file [l:24{12}]"perfctrs.dll" of Microsoft-Windows-PerformanceBaseCounters,
Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutra
l, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neut
ral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-03-17 11:50:29, Info CSI 000002ed [SR] This component w
as referenced by [l:202{101}]"Microsoft-Windows-Foundation-Package~31bf3856ad364
e35~amd64~~6.1.7601.17514.WindowsFoundationDelivery"
2012-03-17 11:50:29, Info CSI 000002ee [SR] Could not reproj
ect corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"pe
rfdisk.dll"; source file in store is also corrupted
2012-03-17 11:50:29, Info CSI 000002ef [SR] Could not reproj
ect corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"pe
rfctrs.dll"; source file in store is also corrupted
2012-03-17 11:50:29, Info CSI 000002f0 [SR] Cannot repair me
mber file [l:34{17}]"PerfCenterCpl.ico" of Microsoft-Windows-PerfCenterCPL, Vers
ion = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, Ve
rsionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral,
TypeName neutral, PublicKey neutral in the store, file is missing
2012-03-17 11:50:29, Info CSI 000002f1 [SR] This component w
as referenced by [l:242{121}]"Microsoft-Windows-Client-Features-Package~31bf3856
ad364e35~amd64~~6.1.7601.17514.Microsoft-Windows-Client-Features-Update"
2012-03-17 11:50:29, Info CSI 000002f2 [SR] Could not reproj
ect corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:34{17}]"Pe
rfCenterCpl.ico"; source file in store is also corrupted
2012-03-17 11:50:29, Info CSI 000002f4 [SR] Repair complete
2012-03-17 11:50:29, Info CSI 000002f5 [SR] Committing trans
action
2012-03-17 11:50:29, Info CSI 000002f9 [SR] Verify and Repai
r Transaction completed. All files and registry keys listed in this transaction